October 2013 archive
In about 15 minutes, at 1:00pm US EDT, you can watch live as members of the DNS/DNSSEC community engage in a “Key Signing Ceremony” that will result in the generation of new keys used for managing DNSSEC at the root of the Domain Name System (DNS). The live stream will be at:
The schedule, list of attendees and other information can be found at:
The ceremony begins at 1:00pm and is scheduled to end at 4:00pm US EDT. The script that is being followed during the ceremony is available at:
These documents may also be helpful in understanding what happens:
- Root Zone DNSSEC KSK Ceremonies Guide (a general guide, see the specific “key ceremony XV script” for what is happening today)
- DNSSEC Practice Statement for the Root Zone KSK Operator
- DNSSEC Practice Statement for the Root Zone ZSK Operator
Essentially, what happens is that new “zone-signing keys (ZSKs)” are created and signed by ICANN’s “key-signing key (KSK)”, and the signed ZSKs are then deployed by the ZSK operator.
As you will see if you watch, there is a very specific process that is used to ensure the integrity and security of the key signing process. It is all documented and then archived so that there is full transparency about what goes on.
If you are interested in understanding how DNSSEC works at an operational level, you may find watching today quite informative. If you are unable to watch the stream live, it will be recorded and made available from the archive link for this 15th key signing ceremony. (And as these key signing ceremonies happen quarterly, the next will be along in just a few months.)
Yesterday was a big day for the Domain Name System (DNS). After a long process, ICANN formally delegated the first four of the “new generic top-level domains (newgTLDs)”, marking the beginning of the largest expansion of the domain name space ever. In addition to the existing “generic TLDs” like .com, .org, .net, etc., and the existing “country code TLDs (ccTLDs)” like .nl, .cz, .tv, etc., over the months and years ahead there are some 1,400 newgTLDs that are expected to be launched.
These first four newgTLDs are interestingly not English-language names like “.shop” or “.bank”, but instead what are called “Internationalized Domain Names (IDNs)” in non-Latin alphabets:
- شبكة (xn--ngbc5azd) – Arabic for “web/network”
- онлайн (xn--80asehdb) – Cyrillic for “online”
- сайт (xn--80aswg) – Cyrillic for “site”
- 游戏 (xn--unup4y) – Chinese for “game(s)”
Yesterday’s “delegation” means that these TLDs now appear in the root zone of the DNS and the registries who operate these TLDs can now begin the process of selling domain names underneath these TLDs. There is a formal process the registries have to go through to get started, but soon we should see these TLDs available as options for registration at the registrars who are supporting these TLDs.
Now, the exciting aspect of this news from a Deploy360 point of view is simply this:
All of these newgTLDs MUST be signed with and use DNSSEC!
From the very beginning of their operation these newgTLDs are already starting out with more security enabled than many of the existing country-code TLDs (ccTLDs). If you look at ICANN’s “TLD DNSSEC Report” you can see that pretty much all of the existing major “generic TLDs” (ex. .com, .org, .net, .edu) are signed with DNSSEC. Similarly over 100 of the existing ccTLDs are signed with DNSSEC. These four newgTLDs can also be found in that report, with a nice green bar showing that they are all signed with DNSSEC.
The key point here is that these new registries must:
1. Keep the TLD signed with DNSSEC from an operational point of view.
2. Accept DNSSEC records (DS/DNSKEY) from registrars (or domain registrants depending upon the business model).
One important point:
Support of DNSSEC by a newgTLD does NOT mean that ALL domains registered under the newgTLD will be secured with DNSSEC!
But it means that all domain names registered under the newgTLD CAN be secured with DNSSEC – and that is a great step forward!
Furthermore, the new ICANN Registrar Accreditation Agreement (RAA) will require all “ICANN-accredited registrars” to support the passing of DNSSEC records from a domain name registrant up to the TLD registry. This means we should be seeing a great amount more of DNSSEC support from within the registrars. Hopefully the DNS operators (which are sometimes part of registrars) will follow with making it easy for domain name holders to sign their domains.
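As an added example (not code from the post, ICANN or any registry), here is how the DS record a registrar passes up to the TLD relates to the child zone’s DNSKEY, and the check a registry can run before accepting it. The owner name, flags and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed DNSKEY for a hypothetical second-level name under .онлайн; the
# public key bytes are a placeholder, not a real RSA key.
OWNER = "example.онлайн"
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8   # 257 = KSK (SEP bit set), alg 8 = RSA/SHA-256
PUBKEY = b"\x01\x02\x03\x04"

def name_to_wire(name):
    """Canonical owner name (RFC 4034 s6.2): IDN labels as A-labels, lowercase,
    length-prefixed, terminated by the root label."""
    alabels = name.strip(".").encode("idna").decode("ascii").lower()
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in alabels.split(".") if l) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: flags (2 bytes), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B: sum of 16-bit words with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS (tag, algorithm, digest type, hex digest) that the parent
    zone would publish for this DNSKEY: digest over owner wire name + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey):
    """Registry-side check: does a submitted DS correspond to the child's DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:          # unknown digest type: reject, don't guess
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey, dtype)
    return (tag, alg, digest.upper()) == (expected[0], expected[1], expected[3])

if __name__ == "__main__":
    ds = make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY)
    print("DS:", *ds)
    print("matches:", ds_matches(ds, OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY))
```

A DS whose digest does not match, or whose digest type the registry does not implement, should be refused rather than published, since a bad DS in the parent breaks validation for the whole child zone.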
All in all this newgTLD launch is great news for those of us looking to add more security to the Internet through the use of DNSSEC. From here on out all the newgTLDs will be launched with DNSSEC – and hopefully this will also put some competitive pressure on the lagging ccTLDs (and a few lagging gTLDs) to join the rest of the TLDs that have already signed their domains.
And in the end, we’ll have a more secure Internet protecting users from attackers and also enabling new and innovative forms of security such as DANE’s protection of SSL/TLS certificates.
Congratulations to all the teams at these four registries (and their operators) and also at ICANN on this launch of the first new – and secure – gTLDs!
P.S. Want to understand DNSSEC and how (or why?) you can get started? Check out our DNSSEC Basics page…
Working in a home office, I often like having music playing softly (or sometimes loudly!) in the background. In the interest of hearing more music than just what I have in my own collection, I've been trying various streaming services and a while back started paying the $10/month for Spotify Premium. I've been generally rather pleased and have enjoyed discovering some new artists through both what friends are listening to as well as Spotify's "Discover" tab. (And yes, I've actually purchased some music via iTunes as a result of hearing it on Spotify.)
With Apple promoting their new "iTunes Radio" I naturally had to try it out. I listened to a couple of the default "stations" and was pleased by what I heard.
And then this...
My nice stream of background music was interrupted by an ad for a new album available for purchase in the iTunes Store.
It's not this particular album being advertised that annoyed me... it was that there was an advertisement. I have background music playing that is, well, music, not people speaking. Music fades into the background and I find it strangely helps me concentrate. Speaking interrupts my concentration.
Looking into iTunes Radio more I noticed that the option to go "ad-free" is there if I want to subscribe to iTunes Match. Now at $25/year this is cheaper than Spotify Premium, but requires that I give Apple access to my entire iTunes library to store it up in "iCloud".
I'm not sure I really want to do this.
The paranoid-about-privacy side of me is leery of what information I'm giving to the big corporations out there, and I'm not sure I'm ready to embrace the convenience of having "all my music with me everywhere" while sacrificing the privacy of the info about all my music.
Of course, who knows... I may have already done this some time in the past with some various iTunes terms of service that perhaps said all my data would be sent to Apple. I don't honestly know.
In some digging around online, though, it appears that even if I gave Apple access to all my music, I'd still have a less-than-stellar user experience. As Alex Heath writes over at Cult of Mac about his disappointment with the service:
Apple still told me what station I was listening to over and over. I know I’m listening to the “Pure Pop” station, Apple. You don’t need to play a 9-second clip in between songs telling me so. What purpose does that serve the listener when they already know what station they chose?
When Katy Perry’s new “Dark Horse” single (which isn’t that good, by the way) came on for the first time, a 3-second chime played telling me that it was an official iTunes Radio “pick.” Okay. Why not just put that information in text form next to the album artwork? Do I really need my listening experience interrupted with that audio blurb?
I’ve been a Spotify Premium subscriber for over a year now, and I love it because I hear nothing but the music I want playing.
That's it in a nutshell.
I want music... pure, uninterrupted music.
(And obviously I'm willing to pay for it.)
So for now I'll stick with Spotify... maybe in some future release I'll give iTunes Radio another try if they ever get to more of an "all music" experience.
What has your experience been? Obviously, based on stats from Apple's recent event that said over 1 billion songs have been played on iTunes Radio, people are using the service!
Are you interested in learning about DNSSEC and live near Dhaka, Bangladesh? (or can get there?) If so, the folks at APNIC are offering a day of DNS/DNSSEC training on November 8, 2013. From the abstract:
This course will discuss the concept of DNS Security in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties.
The outline looks quite interesting:
- DNS concepts
- Forward and Reverse DNS
- DNS Security concepts
- DNS Protocol Vulnerabilities
- Transaction Signatures (TSIG)
- DNS security extensions (DNSSEC)
- Setting up secure zones
- DNSSEC Key management
- DNS and IPv6
(I like that bit at the end about “DNS and IPv6”!)
For more information such as location and fees, as well as the link for registration, please visit the APNIC web page for this class.
How can we raise the bar in home networking? How can we make home network configuration simpler and easier? How can we more effectively route packets in a home network? How can we do this in an environment when the IPv4 address pool is declining?
In this great presentation at RIPE67, Mark Townsley talks about the efforts in the “Homenet” working group within the IETF with these goals in mind:
- Networks shall have ample IP address space
- Routers shall know where to send packets
- Names resolve to addresses
- Human touch is not required
Mark walks through the problems Homenet is trying to solve in terms of home routing, how it relates to IPv6, and how this all works. Mark is an enjoyable presenter and I think you’ll find this presentation quite educational and useful!