July 16, 2012 archive

US Government Releases Updated IPv6 Roadmap

Last week the US Federal CIO Council released an updated version of its IPv6 planning guide/roadmap. Available as a PDF download from cio.gov, the 73-page document provides a wealth of IPv6 information to US government agencies as well as to operators, enterprises and others seeking to understand exactly what the US government is doing with IPv6.

This July 2012 document updates and replaces the 2009 version of the roadmap.  It does not specifically list what has been updated, but provides this note:

This document is the latest version of the Roadmap, and is the key guidance document for supporting Federal agencies in their achievement of the 2012 and 2014 objectives, as well as the strategic vision for beyond 2014. This document has the same foundational elements instituted in the original Roadmap, and has been updated to reflect the three years of experience (from both the public and private sectors) since original publication. The sections of the document comprise all aspects of a successful transition and now include practical experience from those directly engaged in IPv6 activities, combining programmatic (including Clinger-Cohen Act compliance), technical, cybersecurity, and Federal acquisition elements, as well as the suggested interactions with other Federally mandated technical efforts such as the Trusted Internet Connection (TIC).

True to that statement, updated references can be found throughout the document.  I found it particularly interesting to see section 1.4, “Our Business Situation,” at the beginning of the document that provided a list from a competitive point of view of what other countries around the world are doing with regard to IPv6.

The sample transition timelines starting at the bottom of page 12 may be of interest to many readers, as they lay out examples of how agencies can meet upcoming September 2012 and September 2014 deadlines. Section 4 on page 22 also outlines where US federal agencies should be in 2012 and 2014.

Readers may also find Section 6 on page 32 very useful for its ideas for transition steps. Obviously, some steps are specific to US government agencies, but the ideas behind those steps could be equally useful in other contexts.

All in all a very useful document for US government agencies and for others seeking to understand what a large entity needs to do to make the transition.

How To Write A DNSSEC Practice Statement (DPS)

Are you planning to start using DNSSEC with your domain – and are you planning to start signing your domain yourself? In other words, are you going to be doing all the signing on your own server and/or in your own facilities?  (Versus using a service at a DNS hosting provider that does all the DNSSEC-signing for you.)

If you are, then a good place to start your planning is with the creation of what is called a “DNSSEC Practice Statement” or more simply a “DPS”.  A DPS is a document that outlines how you are implementing DNSSEC for your domain – and what security measures you are putting in place.

Basically, it is a statement that can help other people understand whether they can trust the security you put in place.

Typically the DPS documents created so far are for Top-Level Domains (TLDs) as they have been the focus of much of the DNSSEC deployment efforts to date.  For second-level domains, very often you may be able to use the services of your DNS hosting provider to sign your domains and so a full DPS may not be needed. But if you sign your own domain, a DPS can be a useful way to plan out the security for your signing.

Regardless of what you do, the existing DPS documents make for great reading to help you understand the security you may or may not need to put in place to ensure the security and integrity of your DNSSEC operations.

The place to begin for many of you may be to take a look at this Internet-Draft that explains the rationale for creating a DPS and provides a sample framework:

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework

Some of you who like to simply dive into examples to see how a DPS is written may want to start looking through the examples we’ve added to this page:

DNSSEC Practice Statements

In particular you may want to start with the “.SE” DPS as the folks from .SE have been very involved with creating the entire DPS framework.  As you look through the examples, you’ll see a variety of different styles and lengths, from the very simple to the very complex.

If you have 15 minutes to spare, this video from 2010 features Anne-Marie Eklund-Löwinder from .SE explaining the value of a DPS and what should be included:

The important aspect of a DNSSEC Practice Statement is to capture in one document how you are implementing DNSSEC and how you are securing the tools, servers and other components involved with DNSSEC. Even if you are an enterprise that might never publicly publish a DPS, writing such a document can be a very useful exercise to ensure you are planning for all the necessary aspects of using DNSSEC to sign your domain.

P.S. If you create and publish a DPS, we’re always looking for more examples to add to our DPS page. Please let us know where your DPS is located online so that we can consider adding it to the page.