March 2014 archive

Free DNSSEC Training May 22-23, 2014, in Stockholm, Sweden

OpenDNSSEC logoAre you in Stockholm, Sweden, (or can easily get there) and interested in learning more about DNSSEC? If so, we’ve learned that the great folks at OpenDNSSEC will be offering a free two-day training class on May 22-23, 2014.  More info can be found at:

The agenda is online as are the study materials. This training is obviously aimed at people who will use OpenDNSSEC as a means of signing their DNS zones and if you haven’t considered that option before you may want to do so.

Given that this is a hands-on workshop, it is not available for remote participants.  As the web page notes, the OpenDNSSEC team is open to bringing this training to other locations.

For other training options, please visit our DNSSEC Training page.

TDYR #135 – Why Curling Is So Awesome For Kids

TDYR #135 - Why Curling Is So Awesome For Kids by Dan York

Facebook’s Extremely Impressive Internal Use of IPv6

Wow!  At the v6 World Congress this week in Paris (where Chris and Jan were), Facebook’s Paul Saab gave a very impressive presentation about what Facebook has gone through to convert its internal network over to IPv6.  Paul has now posted his presentation online (in the IPv6 Group on Facebook, of course) and the story he relays with all the bumps and issues is great to see.  Here’s the key slide at the end showing where they are at:

fb-internal-ipv6Those statistics are:

  • 100% of  hosts they care about respond on IPv6  (Hosts that are not IPv6 ready are going away.)
  • 75% of internal traffic is now IPv6 with a goal to be at 100% by Q3 2014 or earlier
  • 98% of traffic in and out of HHVM is IPv6
  • 100% of our memcache traffic is IPv6
  • A goal of being 100% IPv6-only in 2-3 years

VERY impressive!   Paul’s entire presentation is worth a read as he outlines a good number of the challenges they ran into, from vendors equipment not supporting IPv6 to engineers always writing in IPv6 to some of the problems they had with software.  It’s all great info and good to have out there as a case study and for others to learn from.

I love that he ends noting that engineers are asking if they can start writing IPv6-only code today!  (I also enjoy that the “solution” to stopping engineers from writing IPv4-only code was simple: take away IPv4 on development systems! :-) )

So… Facebook is going to be out in front of most other companies with having made the transition over to IPv6. What are you waiting for?  Check out our IPv6 resources and let us know if there is anything more we can do to help you!

TDYR #134 – Heading To Singapore For ICANN 49 To Talk DNSSEC

I'm heading to Singapore for the ICANN 49 meeting happening there. My focus is on the technical side related to making the Internet more secure via DNSSEC ... but a great focus of the meeting will be all about Internet governance issues... More on what I am doing there at:

Turkey’s Ban On Twitter Will Inadvertently Cause A Rise In DNSSEC Validation

turkey-google-dnsToday the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that.  ”The Internet routes around censorship“, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.

And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media.   As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.

As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.

Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!

The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries.  So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).

Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.

P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back.  There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver.  That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device.  However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.

Google Is Now Always Using TLS/SSL for Gmail Connections

Gmail logoWe were pleased today to read that Google is now changing their Gmail service to always use TLS-encrypted connections. As they note in their announcement blog post:

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet. 

The key point is the one I emphasized in bold in the text: attackers cannot listen in on your messages as they go between your mail client (which could be your web browser) and Gmail’s servers.   Obviously the messages could still be potentially viewed either on your client device or on Gmail’s servers… but this step is removing the ability for the messages to be viewed “on the wire”.

This is a great example of the kind of action we’d like to see to make communication over the Internet more secure- and why we launched our new “TLS for Applications” section of this site.  We want to encourage more application providers and developers to make the steps that Google has done here.

Kudos to the Google/Gmail team for taking this step!

Last Day To RSVP For ICANN 49 DNSSEC Implementers Gathering March 26 in Singapore

ICANN 49 SingaporeWill you be at ICANN 49 in Singapore next week?  And are you deploying  DNSSEC and interested in meeting with others who are also doing so?

As we mentioned earlier this week, there are three sessions at ICANN 49 focused on DNSSEC and one of those is  an “informal gathering of DNSSEC implementers” on the evening of March 26 from 19:30-21:30 (or later). This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC.  As ICANN’s Julie Hedlund wrote in a note to various email lists:

This is a unique opportunity to meet with and talk to key implementers, such as CNNIC, JPRS, NZNIC, CIRA, CZNIC, Nominet UK, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences.

It’s a great chance to meet people working with DNSSEC.  If you will be in Singapore and interested in joining us,  please RSVP by the close of business TODAY (21 March 2014) so that we can have accurate information for the location of the event.   Details and location information will be sent via email to all those who have RSVP’d.

See (some of) you in Singapore!

Microsoft Publishes Guide To Deploying DNSSEC In Windows Server 2012

Microsoft DNSSEC GuideDo you work in an enterprise using Microsoft Windows Server 2012 and are interested in either deploying DNSSEC validation to provide better security to your users – and/or securing your own DNS zones using DNSSEC?

If so, the good folks at Microsoft just recently released a new guide “DNSSEC in Windows Server 2012” that guides you through what you need to do to deploy DNSSEC in Windows Server 2012 and Windows Server 2012 R2.  I’d note that it covers both the validation and signing sides of DNSSEC.

The document has four major sections:

  • Overview of DNSSEC
  • DNSSEC in Windows
  • DNSSEC Deployment Planning
  • Deploy DNSSEC with Windows Server 2012

as well as few appendices.  The document goes into quite a deep level of detail with how DNSSEC is integrated into various aspects of Windows Server 2012.  The “Deployment Planning” section seemed quite useful, too, as it explored some of the performance requirements and also suggested a process for staging a deployment.

In reading through the document, I was quite impressed by the “Deploy DNSSEC with Windows Server 2012″ section that includes many different checklists to help administrators know precisely what they need to be doing.  While I don’t personally work with a Windows Server 2012, the checklists seemed to be covering the areas that I would want them to cover.

As we look to get more enterprises doing DNSSEC validation and also signing their own zones, it is great to see this document come out of Microsoft!    If you work with Microsoft Windows Server 2012, definitely do give it a look – and start deploying DNSSEC today!


Flying Around The Globe (Literally)

As someone who enjoys maps, globes and all things related to geography, I found it kind of cool this morning to realize that my travel this weekend to ICANN 49 in Singapore (to be involved with activities related to DNSSEC (DNS Security)) will take me "around the world" in a somewhat literal manner. I will start off flying east from Boston to London and on to Singapore - and then will return flying east to Hong Kong and then to Chicago and back to Boston.

Of course, as the "Great Circle Mapper" site reminded me, my "circle" may not be quite as round as I was thinking it would be because the flights will probably take the northern route shown on this awesome image below: Great Circle Mapper 2

Still, it is rather fun to see that this trip will go in some kind of loop around the world.

I talked about this in one of my "The Dan York Report" podcasts this morning:

I mentioned a "write-on" globe that I use to show where I will be traveling for my kids. While I bought it at the headquarters of Delorme Maps up in Freeport, Maine, the globe itself turns out to be made by Replogle as the "Geographer Globe". You can probably find it in stores that sell globes or on various online sites. Here is one link to buy it on[1], although you may be able to find it at other places for less.

It's been fun to use that globe to give my family a sense of where I am going.

It also serves to remind me of just how long I'm going to be in airborne metal tubes! :-(

[1] In full disclosure, this link to Amazon is an "associate" link. If you were to actually purchase the globe, I would make a tiny amount of money for the referral. If you think that has any influence on my writing about it, you obviously don't know me well. :-)

TDYR #133 – Flying A Circle Around The World To/From Singapore

This morning I realized that with my upcoming travel to Singapore I'm going to be traveling completely around the world with my particular flights. Being a lover of maps, globes and geography, I just found this kind of cool... Here is what I'm doing in Singapore: And the "write-on" globe I mentioned turns out to be the Replogle "Geographer" Globe that can be found in many online sites. Here is a link to buy it at Amazon: