February 10, 2012 archive

U.S. Curling Championships Start Rocking Philadelphia This Weekend!

For those folks lucky enough to live in the Philadelphia area, or who can travel there, this weekend begins eight days of the U.S. national curling championships! The best men's and women's teams will be in Philly vying for the chance to qualify for the 2012 World Championships and the 2014 U.S. Olympic Trials.

Expect to see some outstanding curling happening this week!

More on the story:

A local Philadelphia country music station also seems to have helped produce a video with interviews and shots of what is going on there:

Looks like fun, and if you are in the Philadelphia area, this is your chance to get to see some of the best curlers in the nation!

ENISA: Good Practices Guide For Deploying DNSSEC

In March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

While the document was created prior to the signing of the root zone in July 2010, the concise 29-page guide still gives a good overview of what is involved in working with DNSSEC and offers sound guidelines for using and implementing it.

The Table of Contents for the document is:

  • DNSSEC practices statement
  • Signing your zone
    • Value of a signed zone
    • Designing a signing system
    • Signing in a test environment
    • Checking the DNS servers
    • Key generation and management
    • Physical security
    • Use of NSEC3
    • Key rollovers
    • Performance issues
    • Publication of keys
    • Change of registrar
    • Change a zone from signed to unsigned
    • Change of domain holder (registrant)
  • Selecting a product
  • Outsourcing
  • Change of DNS provider
  • Validating DNS queries
    • Configure trust anchors
    • Routers, firewalls and other network equipment
  • Conclusions
  • ANNEX 1: Contents of a TAR’s policy and practices
  • ANNEX 2: Support of DNSSEC on commonly used nameservers
  • Reference

The document is available for free download in PDF form from the ENISA website.

DNSSEC Training: Internet Systems Consortium (ISC)

The Internet Systems Consortium (ISC), author and maintainer of the BIND DNS server, has been providing DNSSEC-related training for several years, both at conferences and in training centers all over the world. Their latest schedule of courses can be found at:

http://www.isc.org/support/training

ISC offers focused classes on DNSSEC and also includes DNSSEC as a component of other DNS-related classes. Note that ISC also provides IPv6 training classes.


The Internet Society Deploy360 Programme does not recommend or endorse any particular commercial providers of training. The information provided here is to assist people in finding training providers and is part of a larger effort to list all known providers of DNSSEC-related training. If you know of additional training providers we should include, please contact us.


DNSSEC Training: NLnet Labs Course Materials (Slides)

In February 2012, Olaf Kolkman from NLnet Labs taught a 2-day DNSSEC “Train-The-Trainer” workshop and nicely made all his course materials available online at:

http://www.dns-school.org/Slides/index.html

Olaf made all his courseware available as PDF, PowerPoint and Keynote files under a Creative Commons license that allows the course materials to be copied, modified and even used for commercial purposes – provided that an attribution link is maintained.

It’s great to see this kind of material being made available and we thank Olaf and NLnet Labs for making this material available to the broader community at no cost.

For quick reference, here are the sections of the NLnet Labs course materials (links go directly to the NLnet Labs site):

  • DNS vulnerabilities (PDF, KEY, PPT)
  • Unbound (PDF, KEY, PPT)
  • DNSSEC Theory (PDF, KEY, PPT)
  • Troubleshooting (PDF, KEY, PPT)
  • Practicalities (PDF, KEY, PPT)
  • DNSSEC Key Rollover (PDF, KEY, PPT)
  • OpenDNSSEC (PDF, KEY, PPT)
  • DNS in a Workflow (PDF, KEY, PPT)

Friday Comic: XKCD on IPv6 and Nanobot Swarms…

Yes, this XKCD comic came out in February of last year, but I still find it amusing (click on the image to see a larger version):

For those not following IPv6, the joke here is that the nanobot swarm (e.g. grey goo) wound up having to stop its proliferation – and destruction of Earth – because it ran out of IPv6 addresses! This was, of course, debated mathematically in an XKCD forum thread, along with other discussion.

Thankfully, since we haven’t yet made the full migration to IPv6, we’re nowhere near needing to worry about exhausting the IPv6 address space!

P.S. Speaking of IPv6, are you ready for World IPv6 Launch on June 6?

DNSSEC And The Challenge Of Modern Websites

Given that modern websites often pull content from a variety of different sites to build a single page, what impact does that have on DNSSEC and on the security it provides?

That was one of the questions raised in a recent post by the DNSSEC Deployment Initiative titled “Are You Secure?” This key point was emphasized in this paragraph:

It shouldn’t come as a surprise to you that your browser was trying to load content from badsign-a.testsub.dnssec-deployment.org although you had not typed that in the address bar. More generally, it shouldn’t be surprising that it requires more than a single DNS lookup to fill the contents of a page. In fact, as the query trace from loading a relatively simple page such as www.dnssec-deployment.org illustrates below, an un-primed resolver easily performs in excess of a hundred lookups before the browser renders the complete page. Some of these queries are not even for names under the dnssec-deployment.org domain. For more content-packed sites the number of names looked up is even higher.

The way we build websites today very often involves pulling in content from a variety of different sites. Sometimes it is something as simple as the latest jQuery JavaScript library. Sometimes it is images or advertisements. Sometimes it is the latest tweets or other content from social networks.

The article goes on to talk about the value of moving DNSSEC validation directly into the application, such as the web browser, so that all DNS queries can be properly validated. The author ends on this note:

It is also important, given that web pages are typically composed of a number of discrete elements, that validation be performed for all lookups initiated by the browser and not just for the name typed in the address bar. Many browser plugins for DNSSEC support will validate only the latter; while that capability is certainly useful, the real benefit of local validation is realized only when the browser (or the OS) completely integrates DNSSEC validation capability into its internal resolver library and enables validation for all queries.

The good news is that browser vendors (and their user communities) have been showing increased interest in seeing DNSSEC capability extended to the end-applications. Proof-of-concept implementations of browsers with DNSSEC validation support (e.g., the DNSSEC-Tools Firefox patch) have been available for a while, and with DNSSEC validation capability being continuously extended to new platforms and devices, there is hope that DNSSEC capability in browsers will eventually become more commonplace.

We certainly share that hope that DNSSEC capability in browsers and other applications will become more commonplace. A goal of this entire Deploy360 Programme is to help bring that widespread availability about.
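To make the point above concrete, here is an added example (not code from the Deploy360 post or from the DNSSEC Deployment Initiative): it lists every hostname a page would make the browser resolve, sends each one to a validating resolver with the EDNS0 DO bit set, and reads the AD flag back, so a name with a broken signature (like the badsign-a image host above) shows up as "bogus" rather than silently loading. The sample HTML, the cdn.example.net host and the resolver address 127.0.0.1 are assumptions.

```python
import re
import socket
import struct
from urllib.parse import urlparse

# Constructed sample page: the main host plus two third-party elements.
SAMPLE_HTML = """<html><body>
<img src="http://badsign-a.testsub.dnssec-deployment.org/img.png">
<script src="http://cdn.example.net/jquery.min.js"></script>
<a href="https://www.dnssec-deployment.org/about">About</a>
</body></html>"""

URL_ATTR = re.compile(r'(?:src|href)=["\'](https?://[^"\'\s]+)', re.I)

def referenced_hosts(html, page_host):
    """Every distinct hostname the browser must look up to render the page."""
    hosts = {page_host.lower()}
    for url in URL_ATTR.findall(html):
        hosts.add(urlparse(url).hostname.lower())
    return sorted(hosts)

def build_query(name, qid):
    """A-record query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.strip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    question = qname + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN
    # root name, TYPE=OPT(41), UDP size, ext-rcode, version, flags (DO bit), rdlen
    opt = b'\x00' + struct.pack('!HHBBHH', 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad) from a DNS response header."""
    flags = struct.unpack('!H', response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def classify(rcode, ad):
    """What a validating resolver's answer means for this name."""
    if rcode == 2:  # SERVFAIL: validation failed (or the server is in trouble)
        return 'bogus'
    return 'secure' if ad else 'insecure'  # AD set only when the chain validated

def check_host(name, resolver='127.0.0.1', timeout=3.0):
    """Send the query over UDP to a validating resolver and classify the reply."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != struct.pack('!H', qid):
        raise ValueError('response id does not match query')
    return classify(*parse_flags(data))

if __name__ == '__main__':
    for host in referenced_hosts(SAMPLE_HTML, 'www.dnssec-deployment.org'):
        print(host, check_host(host))
```

Run it against a local validating resolver such as DNSSEC-Trigger's Unbound; "insecure" means the zone is simply unsigned, while "bogus" means the resolver refused to hand the browser an answer it could not validate.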

Application developers… have you checked out the developer libraries available now to help add DNSSEC support to your applications? Have you looked at what is available in the DNSSEC-Tools project?

What else can we do to help you build DNSSEC into your applications?

P.S. In my case, I did see the correct image on the DNSSEC Deployment Initiative web pages, but that is because I’m running a local DNSSEC-validating DNS resolver on my MacBook Pro laptop. I’m using the excellent DNSSEC-Trigger tool from NLnet Labs – it’s available for Mac OS X, Windows or Linux.