September 2013 archive

Two Years At The Internet Society

It rather staggers my mind that it was two years ago today, on September 19, 2011, that I began work for the Internet Society (a.k.a. "ISOC"). Longtime readers and friends may remember my impassioned (and naturally long) post at the time, "Ch-changes - Taking A New Job At The Internet Society To Join The Fight For The Open Internet".

Two years later that passion has only grown stronger! The events of recent months with the massive Internet surveillance disclosures have only reinforced the need for organizations like the Internet Society to be out there doing what they can to preserve the open character of the Internet.

Whether it is the excellent work on leading Internet technologies - and support for the IETF... the incredible work of our public policy team ... or the great work going on to expand access to the Internet in regions where there is limited connectivity... or the global work of our chapters helping at a local and regional level... or the programs to develop the next generation of Internet leaders... or the many, many other activities going on around the globe... it's been an absolute pleasure to be a staff member for the Internet Society and I look forward to many more years ahead!

For me, being involved with the creation of the Deploy360 Programme has been an amazing experience. Working on Deploy360 has enabled me to unite my writing and communication skills with my passion for and knowledge of technologies such as DNS, IPv6 and routing technologies - as well as my enjoyment of social media as a way of distributing content and engaging in conversations. Plus, I've had a chance to continue my work with WordPress and so many other social tools.

I've had the opportunity to work with an outstanding team ... and I've had a chance to meet some of the most amazing people all around the world. With Deploy360 our goal is to find out what challenges people are having with deploying IPv6, DNSSEC and routing technologies - and then find or create the appropriate resources to answer those challenges and help people overcome those issues. To do that, you have to go out and meet people... to talk to them... to hear their questions and to ask them questions.

And so there is this exquisite irony that someone who works for the Internet Society winds up spending an insane amount of time on airplanes traveling to places all around the world to meet with people responsible for deploying these open Internet protocols. And sometimes it's admittedly a bit absurd... such as the trip to Singapore where I spent more time in airplanes traveling there and back than I did actually on the ground in Singapore! (I was only there about 36 hours.)

But it's the people that make the travel worth it! I've met incredible people doing great work to keep the Internet open in so many different places... and in places that quite honestly I would never have even imagined that I'd wind up going! Sure, I've traveled through North America and Europe, but I mean... Russia? (see also: my thoughts on walking in Red Square) China? South Africa? India? Colombia? Poland? Singapore? Brazil? It's been a privilege to be in those places and meet these people doing such great work.

I hope that in some small way I've been able to help them with their efforts. I've certainly learned from what they are doing... and that's been fed directly back into what we're doing within the Deploy360 Programme.

Two years into the role there is still a great amount of work to do... we have content roadmaps that outline MANY documents we want to either find or create... we have new topics that we want to add to the site... we have code we want to help get created... we have new best current operational practices to help document... we have other groups we want to engage with...

The two years seem to have flown by rather quickly - it's been rather a whirlwind ... but I'm looking forward to where the next two years go. Lots to do - and the challenges ahead for the open nature of the Internet are only going to get tougher and more demanding!

I know I haven't been writing here on DisruptiveTelephony as much as I used to... but I'm hoping to do a bit more in the time ahead. Much of my writing these days is on the Deploy360 blog and sometimes over on CircleID. You can always track my writing via my danyork.me site... or of course follow me on any of the social networks.

Thanks for all the support and help that so many of you have given me over these past two years - and I look forward to working with so many more of you in the months and years ahead!

P.S. One great way you can help is to join the Internet Society to stay up-to-date on current issues affecting the Internet - membership is free for individuals. You can also subscribe to my infrequent email newsletter where I hit many of these topics.




TDYR #037 – Two Years At The Internet Society

Two years ago today I started work at the Internet Society (ISOC). In this episode I briefly look back at the two years and what it has all meant to me. More info in this post: http://www.disruptivetelephony.com/2013/09/two-years-at-the-internet-society.html My work at the Internet Society can be found at http://www.internetsociety.org/deploy360/

TDYR #036 – Consistency Is The Key To Online Content Creation / Blogging / Podcasting

Starting to create content online is EASY... keeping it *going* is the challenge. In this episode I talk about how *consistency* is the key to success in online communication and online content creation, whether that is blogging, podcasting, video, audio, social media such as Twitter or Facebook... or just posting content to your website

6 TLDs for Honduras, East Timor And Multiple Islands Are Now Signed With DNSSEC

We were delighted to learn from Garth Miller, the administrative contact for the .CX top-level domain (TLD), that 6 more TLDs have been signed with DNSSEC and now have DS records in the root zone.  This means that people and businesses with domains registered in these TLDs can now receive the higher level of security possible with DNSSEC:

If you have a domain registered in those TLDs, your registrar should now be able to pass the required DS record up to the TLD registry. (See our page about registrars and DNSSEC for more information about this process with some registrars.)  If your registrar does not yet support the uploading of DNSSEC information, now would be a great time to start asking them! :-)

Congratulations to Garth Miller and the teams associated with the various TLDs for making these signed TLDs happen.  Per ICANN’s TLD Report, there are now 111 out of 318 TLDs signed which is excellent progress.  (These new signed TLDs are also visible on the DNSSEC deployment maps we recently published.)

P.S. Bonus points if you know where all the islands are!  I had to pull out a map for a couple of them.

4 More Days To Submit Speaking Ideas For DNSSEC Workshop At ICANN 48

Will you be attending the ICANN 48 meeting in Buenos Aires, Argentina, in November 2013? If so, you have four more days to submit a speaking proposal for the DNSSEC Workshop planned for Wednesday, November 20, 2013.  I wrote about the call for speakers earlier but since that time the program committee decided to extend the proposal deadline to this Friday, September 20, 2013.  (We received feedback that people were still returning from summer holidays and our original deadline was too close to that.)

We have a great line up of speakers so far, including some excellent folks to give us updates on DNSSEC in Latin America, but we still have room for a few more proposals.  The Call For Participation is included again below, along with the email address to which to send your ideas.

Thanks – and we’ll see you in Buenos Aires!


The DNSSEC Workshop program committee, of which I am a member, is seeking speakers for sessions on:

  • DNSSEC activities in Latin America
  • The operational realities of running DNSSEC
  • DNSSEC and enterprise activities
  • When unexpected events occur
  • Preparing for root key rollover
  • DANE and other DNSSEC applications
  • DNSSEC automation
  • Guidance for registrars in implementing DNSSEC
  • APIs between registrars and DNS hosting operators

In this session, we are particularly interested in hearing from people who have found (or developed) solutions for automating their implementation of DNSSEC. We are also very interested in hearing from registrars given that the 2013 Registrar Accreditation Agreement (RAA) with ICANN will require ICANN-accredited registrars to at the very least support the acceptance of DNSSEC records from registrants.

The full “Call for Participation” is below that provides more details. If you have an idea for a presentation, please send a brief 1 or 2 sentence description to dnssec-buenosaires@shinkuro.com which will reach the whole program committee. (Please send email rather than leave a comment here.)

We already have some solid speakers who have indicated their interest and so we’re very much looking forward to another excellent session. I’ll also note that the ICANN meetings are free to attend – you have to register but there is no cost. You just have to pay for your travel and expenses to get to Buenos Aires. The DNSSEC Workshop will also be streamed live over the Internet for those wishing to watch/listen and will be archived for later viewing.

These workshops are really excellent technical sessions. I would encourage you to attend if at all possible and I would definitely encourage you to submit a proposal to speak. We’re always interested in hearing new perspectives.


Call for Participation — ICANN DNSSEC Workshop 20 November 2013

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Buenos Aires, Argentina on 20 November 2013. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Durban, South Africa on 17 July 2013. The presentations and transcripts are available at: http://durban47.icann.org/node/39749.

We are seeking presentations on the following topics:

1. DNSSEC Activities in Latin America:
For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Latin America, but also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implement DNSSEC or not?

2. The Operational Realities of Running DNSSEC
Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3. DNSSEC and Enterprise Activities
DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:
* What is the current status of DNSSEC deployment among enterprises?
* What plans do the major enterprises have for their DNSSEC roadmaps?
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations? Do they foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur
What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5. Preparing for Root Key Rollover
For this topic we are seeking input on issues relating to root key rollover. In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

6. DANE and Other DNSSEC Applications
The DNS-based Authentication of Named Entities (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE become a deployable reality?
* How can the industry use DANE as a mechanism for creating a more secure Internet?

7. DNSSEC Automation:
For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where in the various pieces that make up DNSSEC signing and validation are the best opportunities for automation?
* What are the costs and benefits of different approaches to automation?

8. Guidance for Registrars in Supporting DNSSEC:
The 2013 Registrar Accreditation Agreement (RAA) for Registrars and Resellers requires the support of DNSSEC beginning on January 1, 2014. We are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC support?
* What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

9. APIs Between the Registrars and DNS Hosting Operators:
One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Right now the communication, such as the transfer of a DS record, occurs primarily by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information – or from people with ideas around how such APIs could be constructed.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-buenosaires@shinkuro.com by **Friday, 06 September 2013**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Steve Crocker, Shinkuro
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Sparta/Parsons
Ondřej Surý, CZ.NIC
Lance Wolak, .ORG, The Public Interest Registry
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Google Confirms Having IPv6 And IPv4 Will NOT Cause Duplicate Content Issues For Search Ranking

Great to see Google’s Matt Cutts formally confirming what many of us have assumed all along – that making a website available over both IPv6 and IPv4 would not bring about a “duplicate content” issue that would incur penalties in search engine ranking.  The question Matt answers is:

As we are now closer than ever to switching to IPv6, could you please share info on how Google will evaluate websites. One website being in IPv4, exactly the same one in IPv6 – isn’t it considered duplicate content?

Here’s Matt’s response saying that there won’t be an issue:

If this was a reason you were hearing for NOT moving to IPv6, consider it addressed… why not get started today with making your sites available over IPv6?  We’ve got a number of IPv6 resources available for you, including these:

and many more!  (And if you can’t find what you need, please let us know!  We’re here to help you make the move to IPv6!)

FIR #721 – 9/16/13 – For Immediate Release

FIR app for Windows 8 available; FIR Interview with Chris Muccio is up; FIR on Strategy with Andrea Vascellari is coming soon; Quick News: Mondelez partners with Twitter, Vodafone's best-practice use of Twitter for customer service, in-bound marketing takes a back seat in agencies, Telegraph hires PBS exec in transition to digital; Ragan promo; News That Fits: the Twitter IPO, Michael Netzley's Asia report, McKinsey study shows execs are bullish on digital, Media Monitoring Minute from CustomScoop, listener comments, don't hide behind a Chief Digital Officer, Dan York's report, companies doing a lousy job explaining social purpose; how to comment; music from Tasherra Project; and more.

Watch LIVE Now – Jan Zorz at UKNOF Talking About Best Current Operational Practices (BCOP)

Curious to learn about efforts to capture best current operational practices (BCOPs) from network operators around the world?  In the next 15-30 minutes, our colleague Jan Zorz will be speaking on this topic at the UK Network Operators Forum.  The live stream can be viewed at:

http://uknof.bogons.net/uknof26.html

Jan’s slides are also available online.  From the UKNOF 26 agenda, here is the abstract of what Jan will be speaking about:

There is an opportunity to better identify, capture, and promote best current operational practices documents emerging from various regional network operators’ groups. We believe sharing these documents across the globe would benefit the wider Internet community and help more operators deploy new technologies like IPv6 and DNSSEC faster and easier.

In addition, there is an opportunity to improve communications between the Internet Engineering Task Force (IETF) standards making process and operators around the globe. We believe standards could be better designed and implemented if more operators that actually use them in their real-world networks agreed on what they need and provided more feedback into the RFC process within the IETF.

In this presentation, Jan Zorz from the Internet Society Deploy360 Programme will discuss options on how to start answering three specific questions:

  • Would operators benefit from documenting the best current operational practices in different regions and globally?
  • What might be the best path forward to closing these communication gaps and creating such document repositories?
  • Do you agree that there is a communication gap between the IETF and real-world network operators?

Many operators need down-to-earth information on how to fix their current issues and how to implement new technologies coming out of the IETF. How can the Internet Society help facilitate this work?

FreeBSD 10 To Include OpenSSH With DNSSEC Support (for SSHFP records)

Very cool news out of the FreeBSD team yesterday… the upcoming FreeBSD 10 will include support in OpenSSH for DNSSEC. The key point is this:

This means that OpenSSH will silently trust DNSSEC-signed SSHFP records.

What this means is this: when you go to ssh into an unknown system (i.e. one that is not in your “known_hosts” file), OpenSSH will do a query for a SSHFP record and use DNSSEC validation to ensure that the SSHFP record is indeed the one that the domain operator wants you to use.

This process of using a SSHFP record was defined in RFC 4255 back in 2006.  If you are familiar with how ssh (a.k.a. “secure shell”) works, when you connect to an unknown system for the first time you are presented with the “fingerprint” of the public key of the server to which you are connecting.  In theory you could verify this fingerprint through some out-of-band mechanism (perhaps seeing it on a web page or having received it separately in an email).  In practice, the vast majority of people just hit enter/return or type “yes” or something like that.

In the RFC 4255 mechanism, the operator of the server would publish a SSHFP record in DNS that would have the fingerprint of the SSH public key.  This is the same key fingerprint that would normally be presented to a user.  By using DNSSEC to sign the DNS zone that includes the SSHFP record, the server operator can provide a method for a DNSSEC-validating SSH client to verify that the SSH fingerprint is in fact the one that should be used to connect to the server.

This creates a higher level of trust and security in SSH connections.
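The following Python example, added here and not taken from OpenSSH, FreeBSD or the original post, builds the SSHFP record data for a host key and models the client-side decision described above. The host key is constructed sample bytes, the function names and the trust/ask/mismatch/no-record labels are assumptions for illustration, and the `dnssec_validated` argument stands in for the validating resolver's result.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3), RFC 7479 (Ed25519=4)
KEY_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_public_key(line):
    """Return (key_type, blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGORITHMS:
        raise ValueError("not a supported OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return fields[0], blob


def sshfp_rdata(key_line, fp_type=2):
    """Server operator side: (algorithm, fp_type, hex fingerprint) to publish."""
    key_type, blob = parse_public_key(key_line)
    return KEY_ALGORITHMS[key_type], fp_type, FP_HASHES[fp_type](blob).hexdigest()


def parse_sshfp(rdata_text):
    """Parse presentation-format RDATA such as '4 2 ab12 cd34...'."""
    alg, fp_type, *hex_parts = rdata_text.split()
    return int(alg), int(fp_type), "".join(hex_parts).lower()


def check_host_key(key_line, sshfp_rrset, dnssec_validated):
    """Client side: compare the key the server presented with the SSHFP RRset.

    Illustrative model only: a match is trusted silently only when the
    answer was DNSSEC-validated; an unvalidated match still needs the user.
    """
    key_type, blob = parse_public_key(key_line)
    comparable = 0
    for alg, fp_type, fingerprint in map(parse_sshfp, sshfp_rrset):
        if alg != KEY_ALGORITHMS[key_type] or fp_type not in FP_HASHES:
            continue  # record is for another key algorithm or an unknown hash
        comparable += 1
        if FP_HASHES[fp_type](blob).hexdigest() == fingerprint:
            return "trust" if dnssec_validated else "ask"
    return "mismatch" if comparable else "no-record"


def constructed_ed25519_line(raw_key):
    """Build a syntactically valid key line from sample bytes (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed-example"


SAMPLE_KEY_LINE = constructed_ed25519_line(bytes(range(32)))

if __name__ == "__main__":
    alg, fp_type, fp = sshfp_rdata(SAMPLE_KEY_LINE)
    record = f"{alg} {fp_type} {fp}"
    print("host.example. IN SSHFP", record)  # host.example. is a placeholder name
    print(check_host_key(SAMPLE_KEY_LINE, [record], dnssec_validated=True))
    print(check_host_key(SAMPLE_KEY_LINE, [record], dnssec_validated=False))
```
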

It’s great to see this added to FreeBSD 10, which, according to the FreeBSD Release Engineering page, should be available sometime in November 2013.

For those curious, the SSHFP record is similar to what was defined six years later in RFC 6698 for the DANE protocol, which is really no surprise as they share a common author, Jakob Schlyter.  DANE’s TLSA record is a bit more complex and, for instance, allows for the inclusion of a complete SSL/TLS certificate rather than just a fingerprint.  In both cases, though, the idea is the same – use a DNS record to provide a means to verify a public key, and use DNSSEC to provide integrity protection so you know that you can trust the DNS record.

Great to see this being rolled out in an enabled state. Kudos to the FreeBSD team for doing this!