October 2012 archive

In Moscow for ENOG 4 Oct 23 & 24? We’ll Be There Talking About DNSSEC

Will you be in Moscow this coming week (Oct 23-24, 2012) at the Eurasia Network Operators’ Group (ENOG) 4 meeting? If so, I (Dan York) will be there to speak about DNSSEC and how it applies to network operators. My talk, titled “DNSSEC – Why Network Operators Should Care And How To Accelerate Deployment”, has the description:

Why should network operators care about DNSSEC? What advantages and opportunities can it provide? What are the best first steps an ISP can do to support DNSSEC? What are the current best operational practices for DNSSEC?

In this presentation, Dan York of the Internet Society’s Deploy360 Programme will answer these questions, discuss some new DNSSEC-related technologies such as DANE and provide some key steps that can help accelerate DNSSEC deployment within networks.

I’m very much looking forward to the event and speaking with network operators to understand how we can help them get more DNSSEC-validating DNS resolvers deployed out there.  The ENOG 4 agenda is packed with good presentations so I’m looking forward to learning a good bit. Currently showing 451 attendees, too, so the opportunity is there to get some great feedback!

Thankfully, there will also be a simultaneous translation service during the sessions. I have been learning some Russian in preparation but so far only really have the very basic traveler survival phrases down. :-)

Should be a great event – if you are there, please do say hello!

P.S. I’m also pleased to be able to meet up with my Internet Society colleague Andrei Robachevsky as he is one of the organizers of the event (and is also fluent in Russian).

Walking Through Setting Up A TLSA Record for DNSSEC/DANE

In a post titled “DNSSEC and Certificates” today, Shumon Huque provides a nice walk-through of the steps needed to get set up with a TLSA record in DNS to tie an SSL/TLS certificate into the global chain-of-trust created by DNSSEC. First, though, he explains very succinctly why we should care about security issues related to current certificate authorities (CAs) and how the new DANE protocol helps address this.

He then steps through what he had to do with openssl to create the appropriate TLSA record for his existing SSL certificate (and points out the availability of Paul Wouters’ hash-slinger tool to make this even easier).

It’s good to see posts like this explaining the process and we’ll be looking to add tutorials like this to our site as we continue to expand our DANE coverage in the weeks and months ahead.

By the way, Shumon will be one of the speakers at our ION San Diego conference on December 11th.  If you want to learn about DNSSEC and IPv6 topics and can get to San Diego, we’d definitely suggest you consider attending!

P.S. We’ve added Shumon’s site to the list of DANE test sites that developers can use to test out new DANE applications.

Youth Curling League Starts This Saturday at Petersham CC

Yea! This Saturday is the first day of the youth curling league at the Petersham Curling Club down in Petersham, Massachusetts (about 45 minutes south of where I live in Keene, NH).

It will also be the start of my second year coaching as I'm helping out with the "Little Rockers" who are between the ages of 7 and 11. (Including my now 10-year-old daughter, pictured in the photo accompanying this article.) I helped out last year and didn't realize how much fun it would be to do! On a certain level it shouldn't have been a surprise given my love of teaching, but I didn't expect how much I would enjoy it.

I'm looking forward to getting back on the ice this weekend and seeing what we can do this year with the kids.

If you are interested in learning more about the youth curling league and live in the area of north central Mass. or southwest NH, you can check out the web page about the youth curling or you can contact me directly. The Little Rockers curl every Saturday from 9:30-10:30 from now through the end of March.

We'll probably be having an Open House soon where people can come and check it out... stay tuned for more info!

Code Examples: Checking the DNSSEC Status Of A Large Number of Domains

Do you want to check the DNSSEC status of a large number of domains? To know whether they are signed or unsigned? Or perhaps if any of the domains are failing validation?

Yesterday at the DNSSEC Deployment Workshop at ICANN 45 in Toronto I learned that the good folks at SIDN Labs in the Netherlands have created a service that allows you to do just that… and they are offering it for free public usage.

They provide two ways to use the service: 1) a web interface where you upload a file; or 2) a RESTful API you can query.  The web interface is in Dutch, but for non-Dutch-speakers it’s not hard to figure out (or translate via browsers):


You just upload a file and the service will give you back the results of whether the domains are secure, insecure or failing validation (‘bogus’).

What was more interesting to me, though, was the RESTful API allowing you to query the status of a domain by simply connecting to:


as in:


The comma-separated results that come back are:


with the third field being either “secure”, “insecure” or “bogus”.

My immediate thought was how I could use this to create a simple little program to help me remember which of my domains I have signed and which ones I still need to sign.  After playing around with it for a few minutes in python, I decided that others might find my experiments useful or interesting, so I uploaded them to a Github repository at:


I included one very simple example that does no error checking and simply issues queries based on a list in the program.  I then added a second example that you could use from a command line to query for one or more domains:

python dnssec-check.py internetsociety.org ietf.org dnssec-failed.org

(Omitting the ‘python’, of course, if you change ‘dnssec-check.py’ to be executable.)  An obvious extension would be to make the program accept the name of a file containing domain names.  You could also change it so that “bogus” entries come out on top or have big “Danger! Danger!” warnings of some type. I may make a web page that when I go to it shows me visually which of my domains are signed and which aren’t.  There’s a hundred other things you could do with it.  My purpose was just to try it out and see how the API worked.
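As an added example (not the dnssec-check.py from the repository), here is one way to build the command-line version with the two extensions suggested above, a @file argument for reading domain names from a file and “bogus” entries sorted to the top. The API base URL is a placeholder because the post’s link is not reproduced here, and the first field of each result line is assumed to be the queried domain; only the meaning of the third field comes from the post.

```python
"""Added example (not the post's dnssec-check.py): query a DNSSEC-status API, list 'bogus' first."""
import sys
import urllib.request
from urllib.parse import quote

# Assumption: the service takes the domain appended to a base URL. Placeholder,
# not the real SIDN Labs endpoint (the post's URL is not reproduced here).
API_BASE = "https://EXAMPLE-SIDN-LABS-ENDPOINT/dnssec/"
RANK = {"bogus": 0, "insecure": 1, "secure": 2}  # failures sort first, then unsigned

def parse_status(line):
    """Per the post the third field is secure/insecure/bogus; the first field is
    assumed to be the queried domain. Short or unknown input raises ValueError."""
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) < 3:
        raise ValueError("expected at least 3 fields, got: %r" % line)
    status = fields[2].lower()
    if status not in RANK:
        raise ValueError("unknown status %r for %s" % (status, fields[0]))
    return fields[0], status

def fetch_status(domain, opener=urllib.request.urlopen):
    # One HTTP query per domain; returns (domain, status).
    with opener(API_BASE + quote(domain), timeout=10) as resp:
        return parse_status(resp.read().decode("utf-8"))

def prioritise(results):
    """Order (domain, status) tuples so 'bogus' entries come out on top."""
    return sorted(results, key=lambda r: (RANK[r[1]], r[0]))

def read_domains(args):
    """Domains from argv; an argument of the form '@file' reads one per line."""
    domains = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:]) as fh:
                domains += [l.strip() for l in fh if l.strip()]
        else:
            domains.append(arg)
    return domains

if __name__ == "__main__":
    results = []
    for d in read_domains(sys.argv[1:]):
        try:
            results.append(fetch_status(d))
        except Exception as exc:  # network or parse failure: show it, don't hide it
            print("ERROR    %s (%s)" % (d, exc))
    for domain, status in prioritise(results):
        print("%-8s %s" % (status.upper(), domain))
```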

Feel free to use those examples in whatever way you want… and thanks to SIDN Labs for making this service available for any of us to use!

ICANN45 DNSSEC Deployment Workshop Streaming Live NOW From Toronto

Want to hear case studies about DNSSEC deployment all around North America? To hear about new DNSSEC tools? To learn about what has and has not worked for encouraging DNSSEC deployment?

If so, you can listen live right now to the DNSSEC Deployment Workshop happening at the ICANN 45 meeting in Toronto.  More info at:


You can either listen to an audio stream or use Adobe Connect to listen and see the slides.

That link also includes the agenda for the full session as well as all the slides.  The titles include:

  • Introduction and Presentation: DNSSEC Deployment Around the World
  • Panel Discussion: DNSSEC Activities in North America
  • Panel Discussion: DNSSEC in the Wild
  • The Great DNSSEC Quiz (Version 2)
  • Panel Discussion: Encouraging DNSSEC Adoption, What Has Worked and What Hasn’t
  • Panel Discussion: Solutions to Help People Implement DNSSEC
  • Presentation: Next Steps in Accelerating DNSSEC Deployment (my presentation)
  • Panel Discussion: DNSSEC and the New gTLD Program

I’ll be speaking at 2:00pm US Eastern on “Next Steps in Accelerating DNSSEC Deployment” where I’ll be outlining some of what we’ve learned in building out the DNSSEC part of Deploy360 and where we think the industry should be heading.

There are some great case studies and information being presented here.  If you can’t listen live it will also be available as a recording.

FIR #673 – 10/15/12 – For Immediate Release

Neville records solo today; FIR nominated for European Podcast Award; discount for FIR listeners to Social Media Marketing 2012 conference; Quick News: Ford and PeerIndex influencer outreach programme in Europe; Evernote Smart Notebook from Moleskin; Kickstarter UK launch October 31; Google Wallet for Content; Ragan promo; News That Fits: Is there any point in blogging?; Dan York reports from Mumbai, India; the Media Monitoring Minute with CustomScoop; Flipboard is the publishing tool of the future; listener comments; TemboSocial promo; no report from Michael Netzley this week; tips for using LinkedIn's new Endorsement feature; music from May Stands Still; and more.

Hypervoice – The Fundamental Flaw In The Proposal

I am a huge fan of Martin Geddes, but he and I disagree fundamentally on one key part of what he is now calling "hypervoice".
NOTE: Today's VUC call at 12 noon US Eastern will be with Martin discussing his ideas. If you'd like to weigh in on the issue, please join the call. (Unfortunately, I'll be waiting to board a plane home from Mumbai and can't make it... hence this blog post.)

To back up a bit, Martin has always been one of the "big thinkers" in the realm of VoIP and telephony/telecom. Way back in the mid-2000s, when a number of us all started writing about VoIP, Martin's Telepocalypse blog was brilliant. He was always thinking about the "big picture" and drawing connections where they were not already apparent. His work with "Telco 2.0" was excellent and it was no surprise when he went to work for BT looking at their strategy. Now that he is back out on his own as a consultant, I'm a subscriber to his "Future of Communications" email newsletter (subscribe on the sidebar of his site) and enjoy reading his frequent issues.

Recently he gave a closing keynote presentation at the Metaswitch Forum titled "A presentation about Hypervoice" that is available via Slideshare or PDF.

The presentation itself is very well done. In typical Martin style it nicely lays out the history of both telecom and the web and brings them together to talk about what comes next.

I actually agree with almost all of what Martin writes. Much of what he talks about as "hypervoice" I see already happening in so many ways.

But here is where we fundamentally disagree... this slide early on:


That includes the text:

"However, the Internet cannot and never will carry society's real-time communications needs. It is fundamentally unsuited to the job."

Martin's argument, which he has made multiple times before, including in a comment he wrote in response to my post about how WebRTC will disrupt real-time communications, is that the Internet as it exists today cannot provide the level of service that is truly needed for real-time communications. He believes we need to have different classes of service on the Internet and separate "flows" of communications. He comes back to this point later in his "Hypervoice" slide deck:


This is where he and I part ways. As I said in my own response to Martin's comment to my earlier post:

Martin, yes, I've read your newsletters on this point and while I understand the concern I'm not ready to say that the plain old Internet can't deal with the contention. Back in the early 2000's I was the product manager for Mitel's "remote teleworker" product and there was great concern from the traditional telecom folks within Mitel about this idea that we were going to put an IP phone out at some random point on the Internet where there was no QoS or anything. In fact, some folks wanted us to say that it had "cell-phone voice quality" so that we wouldn't set high expectations about voice quality. The reality was that through appropriate codecs, jitter buffers and other technologies the connections almost always worked and almost always had outstanding quality (usually FAR better than cellphones).

The other reality is that we've seen OTT providers like Skype and others providing excellent services that work the vast majority of the time. We're seeing new and improved codecs coming into the market. We're seeing new traffic shaping technologies. The list goes on...

If the (brief) history of the Internet has shown us anything, it is that the Internet's capacity to adapt and change is boundless. We'll see what happens in the time ahead.

And no, I haven't written off the telcos as having a role in real-time comms. I just don't know that the "role" they may have will necessarily be the one they would like to have! ;-)

I believe fundamentally that the "open" Internet can and will adapt to the needs of carrying real-time communications. I would argue that it already has in so many ways... and it will change even more as we continue to move more and more real-time comms onto the Internet, particularly with WebRTC and other emerging technology.

And yes, you might expect me to say this as a passionate advocate for an open Internet, but I firmly believe this:

We do NOT need separate layers of the Internet based on class of service.

That, to me, is a dangerous path. I want to continue to see an Internet where all nodes are treated equally ... and where real-time communications can work for all.

Martin and I will probably have to agree to disagree on this. It's doubtful that he can convince me or that I can convince him.

What do you think? Do we need different layers of the Internet? Or can the Internet adapt without that? Leave a comment here... or join in to today's VUC call and comment there.


21 Sites You Can Use To Test DANE Support (DNSSEC + SSL/TLS)

Have you been working on an application that uses the new DANE protocol to combine the encryption of SSL/TLS with the strong integrity protection of DNSSEC? Have you been looking for a way to test your application with a variety of different test cases? If so, we’ve started compiling a list of sites that are currently publishing the TLSA records used by DANE. You can find the list at:


As you’ll see on that page, we currently have sites listed for the following protocols and situations:

  • HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
  • HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate
  • HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate
  • HTTP – Invalid TLSA Record
  • HTTP – Valid TLSA Record With Invalid DNSSEC Signature
  • SMTP
  • XMPP/Jabber

If you are currently publishing TLSA records, please do let us know and we’ll be glad to add your site to the list. In these early days we’d like to make it as easy as possible for developers to find sites with which they can test their apps.

Thanks – and we’re looking forward to seeing the wide deployment of DANE enabling a much more secure Internet!


FIR #672 – 10/08/12 – For Immediate Release

Shel records solo today; discount for FIR listeners to Our Social Times conference; Quick News: QR codes top direct mail, promoted tweets surveys, Instagram beats Twitter, promoted Facebook posts for individuals, LinkedIn announcements, searching GMail attachments; Ragan promo; News That Fits: reports on content strategies, Michael Netzley's Asia report, Media Monitoring Minute from CustomScoop, socializing the enterprise, listener comments, the role of convergence in content marketing, TemboSocial promo, Dan York's report; music from Spicehouse; and more.

Video: The DANE Protocol – What It Is And How It Helps Make The Internet More Secure (via DNSSEC and TLS/SSL)

What is the DANE protocol all about?  How does it help make the Internet more secure?  How does it work with DNSSEC and TLS/SSL certificates?  What added security does DANE provide?

In this interview at IETF 84 in Vancouver this summer, I spoke with Warren Kumari, co-chair of the DANE Working Group within the IETF, about all these questions and also what the future holds for DANE:

To learn more about DANE and how to get involved, you can:

We will also be updating our page about the DANE protocol with additional resources, tutorials, tools, test sites and more information in the weeks ahead. There are some great tools under development, including plugins for browsers and tools to generate TLSA records.