Want to hear case studies about DNSSEC deployment all around North America? To hear about new DNSSEC tools? To learn about what has and has not worked for encouraging DNSSEC deployment?
If so, you can listen live right now to the DNSSEC Deployment Workshop happening at the ICANN 45 meeting in Toronto. More info at:
You can either listen to an audio stream or use Adobe Connect to listen and see the slides.
That link also includes the agenda for the full session as well as all the slides. The titles include:
Introduction and Presentation: DNSSEC Deployment Around the World
Panel Discussion: DNSSEC Activities in North America
Panel Discussion: DNSSEC in the Wild
The Great DNSSEC Quiz (Version 2)
Panel Discussion: Encouraging DNSSEC Adoption, What Has Worked and What Hasn’t
Panel Discussion: Solutions to Help People Implement DNSSEC
Presentation: Next Steps in Accelerating DNSSEC Deployment (my presentation)
Panel Discussion: DNSSEC and the New gTLD Program
I’ll be speaking at 2:00pm US Eastern on “Next Steps in Accelerating DNSSEC Deployment” where I’ll be outlining some of what we’ve learned in building out the DNSSEC part of Deploy360 and where we think the industry should be heading.
There are some great case studies and information being presented here. If you can’t listen live it will also be available as a recording.
Neville records solo today; FIR nominated for European Podcast Award; discount for FIR listeners to Social Media Marketing 2012 conference; Quick News: Ford and PeerIndex influencer outreach programme in Europe; Evernote Smart Notebook from Moleskin; Kickstarter UK launch October 31; Google Wallet for Content; Ragan promo; News That Fits: Is there any point in blogging?; Dan York reports from Mumbai, India; the Media Monitoring Minute with CustomScoop; Flipboard is the publishing tool of the future; listener comments; TemboSocial promo; no report from Michael Netzley this week; tips for using LinkedIn's new Endorsement feature; music from May Stands Still; and more.
I am a huge fan of Martin Geddes, but he and I disagree fundamentally on one key part of what he is now calling "hypervoice".
NOTE: Today's VUC call at 12 noon US Eastern will be with Martin discussing his ideas. If you'd like to weigh in on the issue, please join the call. (Unfortunately, I'll be waiting to board a plane home from Mumbai and can't make it... hence this blog post.)
To back up a bit, Martin has always been one of the "big thinkers" in the realm of VoIP and telephony/telecom. Way back in the mid-2000s, when a number of us started writing about VoIP, Martin's Telepocalypse blog was brilliant. He was always thinking about the "big picture" and drawing connections where they were not already apparent. His work with "Telco 2.0" was excellent and it was no surprise when he went to work for BT looking at their strategy. Now that he is back out on his own as a consultant, I'm a subscriber to his "Future of Communications" email newsletter (subscribe on the sidebar to his site) and enjoy reading his frequent issues.
Recently he gave a closing keynote presentation at the Metaswitch Forum titled "A presentation about Hypervoice" that is available via Slideshare or PDF.
The presentation itself is very well done. In typical Martin style it nicely lays out the history of both telecom and the web and brings them together to talk about what comes next.
I actually agree with almost all of what Martin writes. Much of what he talks about as "hypervoice" I see already happening in so many ways.
But here is where we fundamentally disagree... this slide early on:
That includes the text:
"However, the Internet cannot and never will carry society's real-time communications needs. It is fundamentally unsuited to the job."
Martin's argument, which he has made multiple times before, including in a comment he wrote in response to my post about how WebRTC will disrupt real-time communications, is that the Internet as it exists today cannot provide the level of service that is truly needed for real-time communications. He believes we need to have different classes of service on the Internet and separate "flows" of communications. He comes back to this point later in his "Hypervoice" slide deck:
Martin, yes, I've read your newsletters on this point and while I understand the concern I'm not ready to say that the plain old Internet can't deal with the contention. Back in the early 2000s I was the product manager for Mitel's "remote teleworker" product and there was great concern from the traditional telecom folks within Mitel about this idea that we were going to put an IP phone out at some random point on the Internet where there was no QoS or anything. In fact, some folks wanted us to say that it had "cell-phone voice quality" so that we wouldn't set high expectations about voice quality. The reality was that through appropriate codecs, jitter buffers and other technologies the connections almost always worked and almost always had outstanding quality (usually FAR better than cellphones).
The other reality is that we've seen OTT providers like Skype and others providing excellent services that work the vast majority of the time. We're seeing new and improved codecs coming into the market. We're seeing new traffic shaping technologies. The list goes on...
If the (brief) history of the Internet has shown us anything, it is that the Internet's capacity to adapt and change is boundless. We'll see what happens in the time ahead.
And no, I haven't written off the telcos as having a role in real-time comms. I just don't know that the "role" they may have will necessarily be the one they would like to have! ;-)
I believe fundamentally that the "open" Internet can and will adapt to the needs of carrying real-time communications. I would argue that it already has in so many ways... and it will change even more as we continue to move more and more real-time comms onto the Internet, particularly with WebRTC and other emerging technology.
We do NOT need separate layers of the Internet based on class of service.
That, to me, is a dangerous path. I want to continue to see an Internet where all nodes are treated equally ... and where real-time communications can work for all.
Martin and I will probably have to agree to disagree on this. It's doubtful he can convince me, nor that I can convince him.
What do you think? Do we need different layers of the Internet? Or can the Internet adapt without that? Leave a comment here... or join in to today's VUC call and comment there.
If you found this post interesting or useful, please consider either:
Have you been working on an application that uses the new DANE protocol to combine the encryption of SSL/TLS with the strong integrity protection of DNSSEC? Have you been looking for a way to test your application with a variety of different test cases? If so, we’ve started compiling a list of sites that are currently publishing the TLSA records used by DANE. You can find the list at:
As you’ll see on that page, we currently have sites listed for the following protocols and situations:
HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate
HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate
HTTP – Invalid TLSA Record
HTTP – Valid TLSA Record With Invalid DNSSEC Signature
SMTP
XMPP/Jabber
If you are currently publishing TLSA records, please do let us know and we’ll be glad to add your site to the list. In these early days we’d like to make it as easy as possible for developers to find sites with which they can test their apps.
Thanks – and we’re looking forward to seeing the wide deployment of DANE enabling a much more secure Internet!
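The five HTTP situations in that list are exactly the branches a DANE-aware client has to get right. The following is an added example, not code from Deploy360 or from any DANE library, showing how such a client would decide each case from a TLSA RRset, the server's certificate chain, the resolver's DNSSEC status and the outcome of ordinary PKIX validation. It assumes constructed certificate bytes (a small Cert class stands in for the ASN.1 parsing that would extract the SubjectPublicKeyInfo from a real certificate) and simplifies the trust-anchor usages (0 and 2) to "an issuer in the chain matches", without building a full path to that anchor.

```python
"""DANE/TLSA decision logic over the HTTP test cases (added example, not Deploy360 code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Cert:
    """Stand-in for a certificate from the TLS handshake (constructed bytes, not real DER)."""
    der: bytes   # the whole certificate, what selector 0 covers
    spki: bytes  # its SubjectPublicKeyInfo, what selector 1 covers


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse the RFC 6698 presentation format: '<usage> <selector> <mtype> <hex...>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record with this selector/matching type must contain for cert."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_verify(records: Sequence[Tlsa], chain: Sequence[Cert],
                dnssec_status: str, pkix_valid: bool) -> str:
    """
    Decide a connection from the TLSA RRset, the server chain (leaf first), the
    resolver's DNSSEC status for that RRset ('secure', 'insecure' or 'bogus') and
    the result of ordinary PKIX validation.
    Returns 'accept', 'reject' or 'pkix-only' (TLSA unusable, fall back to PKIX).
    """
    if dnssec_status == "bogus":
        return "reject"              # a failed signature check is an error, not a fallback
    if dnssec_status != "secure" or not records:
        return "pkix-only"           # RFC 6698 section 4.1: unvalidated TLSA records are ignored
    leaf, issuers = chain[0], chain[1:]
    for rec in records:
        if rec.usage in (0, 1) and not pkix_valid:
            continue                 # PKIX-* usages only add a constraint on top of PKIX
        # EE usages (1, 3) constrain the leaf; TA usages (0, 2) name an issuer that must
        # appear in the chain (simplified: a full DANE-TA check also builds the path to it).
        candidates = [leaf] if rec.usage in (1, 3) else list(issuers)
        if any(association_data(c, rec.selector, rec.mtype) == rec.data for c in candidates):
            return "accept"
    return "reject"


def http_test_matrix() -> Dict[str, str]:
    """Run the HTTP situations from the test-site list against constructed certificate bytes."""
    leaf = Cert(der=b"constructed leaf certificate", spki=b"constructed leaf spki")
    dane_ee = parse_tlsa("3 0 1 " + hashlib.sha256(leaf.der).hexdigest())
    pkix_ee = parse_tlsa("1 1 1 " + hashlib.sha256(leaf.spki).hexdigest())
    wrong = parse_tlsa("3 0 1 " + "00" * 32)   # well-formed record, wrong hash
    return {
        "valid TLSA, valid CA-signed cert":             dane_verify([dane_ee], [leaf], "secure", True),
        "valid TLSA, valid self-signed cert":           dane_verify([dane_ee], [leaf], "secure", False),
        "valid TLSA, invalid CA-signed cert (usage 3)": dane_verify([dane_ee], [leaf], "secure", False),
        "valid TLSA, invalid CA-signed cert (usage 1)": dane_verify([pkix_ee], [leaf], "secure", False),
        "invalid TLSA record":                          dane_verify([wrong], [leaf], "secure", True),
        "valid TLSA, invalid DNSSEC signature":         dane_verify([dane_ee], [leaf], "bogus", True),
        "valid TLSA, zone not in chain of trust":       dane_verify([dane_ee], [leaf], "insecure", True),
    }


if __name__ == "__main__":
    for case, outcome in http_test_matrix().items():
        print(f"{case:48} -> {outcome}")
```

The two "invalid CA-signed" rows show the point most worth checking in a new implementation: with usage 3 (DANE-EE) a certificate that fails PKIX is still accepted when it matches the record, whereas usage 1 (PKIX-EE) still requires PKIX to pass. The last row is the situation on the test-sites page where a domain publishes TLSA records but has no DS record in its parent, so the records are unsigned and must simply be ignored rather than treated as a match or a failure.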
Shel records solo today; discount for FIR listeners to Our Social Times conference; Quick News: QR codes top direct mail, promoted tweets surveys, Instagram beats Twitter, promoted Facebook posts for individuals, LinkedIn announcements, searching GMail attachments; Ragan promo; News That Fits: reports on content strategies, Michael Netzley's Asia report, Media Monitoring Minute from CustomScoop, socializing the enterprise, listener comments, the role of convergence in content marketing, TemboSocial promo, Dan York's report; music from Spicehouse; and more.
What is the DANE protocol all about? How does it help make the Internet more secure? How does it work with DNSSEC and TLS/SSL certificates? What added security does DANE provide?
In this interview at IETF 84 in Vancouver this summer, I spoke with Warren Kumari, co-chair of the DANE Working Group within the IETF, about all these questions and also what the future holds for DANE:
To learn more about DANE and how to get involved, you can:
We will also be updating our page about the DANE protocol with additional resources, tutorials, tools, test sites and more information in the weeks ahead. There are some great tools under development, including plugins for browsers and tools to generate TLSA records.
The following sites support the DANE protocol by publishing TLSA records. If you are developing software that supports the DANE protocol, you can visit these sites to test your DANE support. Note that we use the term “TLS certificate” here for what is commonly referred to as an “SSL certificate”.
HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
The following site has a valid TLSA record and a valid CA-signed TLS certificate, but the domain is not tied into the global DNSSEC chain-of-trust, i.e. there is no DS record for huque.com in the .COM TLD:
SMTP
The following sites support using DANE for email by publishing TLSA records associated with MX records:
jhcloos.com
nlnetlabs.nl (for ports 25, 465, 587)
nlnet.nl (for ports 25, 465, 587)
XMPP / Jabber
The following sites support using DANE for TLS connections to their XMPP/Jabber server:
jabber.nlnetlabs.nl
Adding More Sites
If you support DANE with your site and would like to add it to this list, please contact us. Eventually, of course, we hope that DANE will be so widely deployed that this list of test sites is no longer needed.
For anyone interested in how to better secure the Internet, the DANE protocol (“DNS-Based Authentication of Named Entities”) provides a mechanism for using DNSSEC to specify precisely which SSL/TLS certificate you want people to use to connect to your web server or other Internet service. This provides a mechanism for ensuring that you are in fact using the correct certificate and your connection is not being intercepted by anyone in your network path. DANE is defined in RFC 6698 at:
Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain’s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software.
Please view our page on the DANE protocol for more information about how the protocol can be used and how it helps make the Internet more secure.
If you connect to a website using a “secure” connection over TLS/SSL, how do you know you are using the correct TLS/SSL certificate?
You may see the “lock” icon in your web browser, but are you sure that you are connecting all the way to the website using the correct TLS certificate? It is in fact quite possible – and quite common – for a firewall or other device in your network path to terminate your TLS connection with a website and then re-create a TLS connection from the device to your browser. You think you have a secure, encrypted connection to your bank, for instance, but in fact your connection has been intercepted and the firewall or other device is able to see, and potentially record, all your interaction with the website.
With DNSSEC now being deployed, a new protocol has emerged called “DANE” (“DNS-Based Authentication of Named Entities”) that allows you to securely specify exactly which TLS/SSL certificate a browser should use to connect to your site. If a web browser supporting DANE detects that it is NOT using the specified certificate, it can warn you that your connection is insecure… even though you see a “lock” icon.
DANE is defined in RFC 6698 and over the next few months we will be adding more tutorials and documents to this site to help you understand both how DANE helps make the Internet more secure and also how you can get started either publishing TLSA records for your domain – or using DANE within your application. Note that DANE is not just for websites. People are already looking at how DANE can be used to secure email, VoIP and other web services.
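Publishing TLSA records is the domain owner's half of the protocol. The following is an added example, not code from Deploy360, ldns or any other project, showing what has to be generated: the owner name (_port._proto.host), the RDATA in the presentation format of RFC 6698, its wire format, and the RFC 3597 "unknown type" syntax for a name server that does not yet know type 52. It assumes constructed certificate bytes in place of a real DER-encoded certificate; the publisher chooses whether the bytes passed in are the whole certificate (selector 0) or its SubjectPublicKeyInfo (selector 1). The host names and ports in the demo are constructed, with the port list mirroring the SMTP test sites above.

```python
"""Generating TLSA records for publication (added example, not Deploy360 code; stdlib only)."""
import hashlib
import struct
from typing import List, Sequence

TLSA_RRTYPE = 52  # RR type number IANA assigned to TLSA in RFC 6698


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name per RFC 6698 section 3: _<port>._<proto>.<host>., always fully qualified."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_assoc(blob: bytes, mtype: int) -> bytes:
    """Certificate association data for a DER certificate (selector 0) or SPKI (selector 1)."""
    if mtype == 0:
        return blob                           # exact match: the whole blob goes in the record
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def check_fields(usage: int, selector: int, mtype: int) -> None:
    """Reject values RFC 6698 does not define so a typo cannot be published as a record."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"undefined TLSA field values: {usage} {selector} {mtype}")


def tlsa_rdata(blob: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Presentation format for a TLSA-aware name server: '<usage> <selector> <mtype> <hex>'."""
    check_fields(usage, selector, mtype)
    return f"{usage} {selector} {mtype} {tlsa_assoc(blob, mtype).hex()}"


def tlsa_wire(blob: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> bytes:
    """RDATA wire format, RFC 6698 section 2.1: three one-octet fields then the data."""
    check_fields(usage, selector, mtype)
    return struct.pack("!BBB", usage, selector, mtype) + tlsa_assoc(blob, mtype)


def tlsa_generic(blob: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """RFC 3597 unknown-type syntax (TYPE52 \\# <len> <hex>) for servers without TLSA support."""
    wire = tlsa_wire(blob, usage, selector, mtype)
    return f"TYPE{TLSA_RRTYPE} \\# {len(wire)} {wire.hex()}"


def mail_zone_lines(host: str, cert_der: bytes, ports: Sequence[int] = (25, 465, 587)) -> List[str]:
    """One DANE-EE / full-certificate / SHA-256 record per mail port, one line per port."""
    rdata = tlsa_rdata(cert_der, usage=3, selector=0, mtype=1)
    return [f"{tlsa_owner(host, port)} IN TLSA {rdata}" for port in ports]


if __name__ == "__main__":
    cert = b"constructed certificate DER bytes"      # a real publisher would read the DER file
    print(f"{tlsa_owner('www.example.com', 443)} IN TLSA {tlsa_rdata(cert)}")
    print(f"{tlsa_owner('www.example.com', 443)} IN {tlsa_generic(cert)}")
    for line in mail_zone_lines("mail.example.com", cert):
        print(line)
```

Usage 3 with selector 0 and SHA-256 ("3 0 1") is the combination that ties the record to one specific certificate, which is the "exactly which certificate" guarantee described above; whichever combination is chosen, the zone must be DNSSEC-signed and have a DS record in its parent, or validating clients will ignore the records entirely.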
For an explanation of the DANE protocol, watch this interview with Warren Kumari, co-chair of the DANE Working Group within the IETF:
[Additional screencast to be inserted here explaining how DANE works.]
Another good introduction to DANE is an IETF Journal article published in October 2011 titled “DANE: Taking TLS Authentication to the Next Level Using DNSSEC”. In the article, Richard Barnes explains why DANE is needed, outlines how it works, digs into some of the challenges with DANE implementation and provides a good number of links for more information.
Content Providers
[This section will explain to website owners/operators and providers of other services how they can publish TLSA records to make their sites more secure.]
Application Developers
The following libraries are in the process of adding support for the DANE protocol:
ldns – an upcoming release of ldns will provide support for DANE (this page will be updated when the release occurs).
Other resources for developers:
DANE Test Sites – If you are adding DANE support to your application and wish to test out how well it works, the sites on this page are early supporters of the protocol and can be used in your testing.
Getting More Involved
If you would like to get more involved in the development of the DANE protocol and supporting documentation, you can: