March 2013 archive

Video: What are “Negative Trust Anchors” for DNSSEC?

What are “negative trust anchors” for DNSSEC? What function do they perform? Why do we need them? In this video, Dan York interviews Jason Livingood about his Internet-Draft on this topic and answers these and other questions:

The Internet-Draft can be found at:

http://tools.ietf.org/html/draft-livingood-negative-trust-anchors

Jason and his co-author are seeking comment and would appreciate feedback from people about this draft – does it make sense? Would you use it? Do you see any ways to improve their ideas? Their email addresses can be found at the end of the document and they are definitely open to feedback.

Jason Livingood is Vice President of Internet & Communications Engineering at Comcast and is one of the co-authors of this draft.

More information about DNSSEC can be found at the Deploy360 website at:
http://www.internetsociety.org/deploy…

This interview was recorded at the 86th meeting of the Internet Engineering Task Force (IETF) in March 2013 in Orlando, Florida, USA.

Skip Tuesday and Go Directly To Wednesday

Skip Tuesday and Go Directly To Wednesday by Dan York

Slides: DANE, the next big thing after DNSSEC

What is the DANE protocol all about? How does it protect Internet communication? How does it relate to SSL/TLS certificates? What is wrong with the Web’s public key infrastructure (PKI), anyway?

At a recent cybersecurity conference in the Netherlands, Marco Davids of SIDN gave a presentation titled, “DANE, the next big thing after DNSSEC,” that covers these and other questions – and does so with a good degree of detail. His slides are available:

DANE presentation by SIDN

We, too, agree that DANE has a great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. We would encourage you to look at our DANE resources and start looking at what you can do today!

Video: The Mobile Business Case for IPv6

At the World IPv6 Congress in Paris last week, Cisco’s Mark Townsley gave this great interview about the business case for IPv6 in mobile networks:

It was great to hear his mention that Verizon is sending 30% of its traffic to Google over IPv6 as well as the mention of IPv6 growth on other mobile networks.

Hat tip to Cisco’s blog, where we first spotted mention of this video.

FIR #696 – 3/25/13 – For Immediate Release

Steve Rubel interview coming; FIR discount to London conference; Neville on March 27 panel; Quick news: Klout opens business dashboard, implications of AP's win vs. Meltwater, NYT attempts structured comments, Amazon launches Send to Kindle button; Ragan promo; News that Fits: 5 seconds to tell your story, Michael Netzley's Asia report, Coca-Cola asserts buzz doesn't affect short-term sales, Media Monitoring Minute from CustomScoop, how social media improved writing, Dan York's report, PR content in a mobile world; how to comment; music from the David Nelson Band; and more.

Google Clarifies DNSSEC Support – Opt In Now, Full Validation Coming Soon

After Google’s announcement earlier this week of DNSSEC validation support in their Public DNS service, there was some concern and discussion in various DNSSEC mailing lists about the fact that DNSSEC validation was not being performed by default and required a client to request validation. Folks at Google clarified that this was just part of their initial rollout and that providing full validation is in their plans.

They have now also updated their FAQ about DNSSEC support in Google Public DNS and most importantly updated these two questions (my emphasis added):

Does Google Public DNS support the DNSSEC protocol?
Yes. Google Public DNS is a validating, security-aware resolver. Currently this is an opt-in feature: for queries coming from clients requesting validation (the AD and/or DO flag is set), Google Public DNS verifies that response records are correctly authenticated. Validation by default (i.e. for all queries) will be enabled soon.

Which client resolvers currently enable DNSSEC?
Unfortunately, most standard client stub resolvers do not enable full DNSSEC checking and cannot be easily reconfigured to do so. We have decided to make our initial launch only cover resolvers that explicitly ask for DNSSEC checking so that we become aware of any problems before exposing our users to possible large-scale DNS failures due to DNSSEC misconfigurations or outages. Once we are happy that we can safely enable DNSSEC for all users except those who explicitly opt out, we will do so.

It’s great to see Google responding to questions and adding these clarifications – and from the point of view of advocacy for DNSSEC deployment, it is great to have Google out there endorsing and promoting DNSSEC as a way to increase Internet security.

(And you can easily get started with DNSSEC if you haven’t already.)
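
The opt-in described in the FAQ above, shown at the wire level as an added example (not code from Google or from this site): it builds a DNS query with the AD header bit and/or the EDNS0 DO bit set, and checks whether a response carries AD. The function names, the query ID, the 1232-byte UDP payload size and the sample response header are assumptions made for the illustration; the parser assumes a query with exactly one question and empty answer and authority sections.

```python
import struct

AD_FLAG = 0x0020   # header bit: Authentic Data
RD_FLAG = 0x0100   # header bit: Recursion Desired
DO_FLAG = 0x8000   # "DNSSEC OK" bit, carried in the flags half of the OPT record's TTL

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, query_id=0x1234, set_ad=False, set_do=False):
    """Build a DNS query; set_ad and set_do are the two ways to ask for validation."""
    flags = RD_FLAG | (AD_FLAG if set_ad else 0)
    msg = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 1 if set_do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if set_do:
        # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended rcode (8 bits) | version (8 bits) | flags (16 bits), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG, 0)
    return msg

def header_flags(msg):
    return struct.unpack("!H", msg[2:4])[0]

def requests_validation(query):
    """True if the query sets AD in the header or DO in a trailing OPT record."""
    if header_flags(query) & AD_FLAG:
        return True
    pos = 12
    while query[pos]:                 # skip the labels of the single question name
        pos += 1 + query[pos]
    pos += 1 + 4                      # terminating zero byte, QTYPE, QCLASS
    if len(query) < pos + 11 or query[pos] != 0:
        return False                  # no OPT record follows the question
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
    return rtype == 41 and bool(ttl & DO_FLAG)

def answer_validated(response):
    """True if the resolver set AD in the response header."""
    return bool(header_flags(response) & AD_FLAG)

# Constructed sample: response header with QR, RD, RA and AD set (flags 0x81A0).
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 0, 0, 0, 0)
```

A client that sets neither bit gets no validation under the opt-in rollout, which is the behaviour the mailing-list discussion was about.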

For those of you who enjoy listening to audio, I recorded some audio commentary on our SoundCloud channel about why I view this news from Google as incredibly important:

On Forgetting My Phone And Being Completely Disconnected…

On Forgetting My Phone And Being Completely Disconnected... by Dan York

Any Tips On How To Recover Data From An External Disk on Mac OS X?

Any Tips On How To Recover Data From An External Disk on Mac OS X? by Dan York

“Introduction To DNSSEC” Animated Videos Uploaded To YouTube

With the buzz over Google’s news about DNSSEC yesterday, we’ve seen a large surge of visitors to our DNSSEC-related resources and in the midst of that someone pointed out that the excellent introduction to DNSSEC video from Shinkuro, Inc., was no longer available on YouTube. Given that we work well with the Shinkuro team, we reached out to them and found out that while they maintain a copy of the video on their site, they had not been responsible for the YouTube version.  With their permission, we have now uploaded the video to our Deploy360 YouTube channel and can make it available for embedding and viewing:

The silent animated video was created back in 2006 but continues to be an excellent illustration of how the DNSSEC process works and the threats it protects against. Thanks again to Shinkuro for making the video available.

As we note on our resource page about the video, there is also a second version that doesn’t include the text narration on the right side that some of you may find useful if you want to show a video about DNSSEC and provide your own narration.  (In fact… it might be an interesting exercise to take this second video and create versions with voice-overs in a number of different languages – if you do that and create a version, let us know and we’ll look at linking to your video.)

 

Video – DNSSEC Deployment: From End-Customer To Content (ION San Diego)

What do we need to do to get DNSSEC widely deployed? How can we help accelerate the deployment? What is the benefit to network operators and content providers?  These were among the questions answered in a highly interactive panel at the ION Conference San Diego on December 11, 2012. There was a good dialogue between the panelists and many questions asked by the attendees.  As a moderator, it was one of the most fun and interesting panels I’ve done in a while as we had no slides and just engaged in a conversation among people with a deep amount of experience with DNSSEC.

You can watch the video on YouTube or embedded here:

Moderator: Dan York (Internet Society)
Panelists: Jim Galvin (Afilias); Richard Lamb (ICANN); Cricket Liu (Infoblox); Roland M. van Rijswijk-Deij (SURFnet)

To get started with DNSSEC, you may want to view our DNSSEC Basics page.