October 9, 2014 archive

A Great Amount Of DNSSEC/DANE Activity At ICANN 51 In L.A. Next Week

ICANN 51 Los AngelesStarting in just a few days there is going to be a great amount of activity related to DNSSEC and DANE happening in conjunction with the ICANN 51 meeting in Los Angeles from October 12-16, 2014.

As usual, there will be the large DNSSEC Workshop on Wednesday, October 15 that always happens with ICANN meetings, as well as the “DNSSEC for Everybody” and “DNSSEC Impelementer’s Gathering” on Monday.

However, at ICANN 51 there will be three other activities:

Due to some schedule conflicts I will be unfortunately missing the DNS-OARC meetings but I’ll be out there on Monday afternoon and look forward to seeing many of you there!

To walk through the activities, let me break it down day by day.

Saturday and Sunday, October 11-12

DNS-OARC will be holding its 2014 Fall Workshop and Annual General Meeting this weekend.  Saturday the 11th is primarily focused on organizational matters but on Sunday the 12th the group gets into detailed technical discussions.  Some of the sessions that may be of interest to Deploy360 readers include:

  • Measuring the cost of DNSSEC
  • Improved NSEC3 performance in DNSSEC
  • NSEC5: Provably Preventing DNSSEC Zone Enumeration
  • A Survey of Current DANE/TLSA Deployment

Many of the other sessions look quite fascinating as well (to a “DNS geek” such as myself!). Per the Overview page, you can participate remotely using these means:

Monday, October 13

10:30 – 17:00 PDT – Tech Day (combined ccNSO/DNS-OARC)

On every Monday of an ICANN week the ccNSO (for country-code top-level domains (ccTLDs)) holds a “Tech Day” full of technical presentations on a wide range of topics. For ICANN 51 they have combined with DNS-OARC and the result is an excellent session full of DNS and DNSSEC talks.  Remote participation info is available at:

http://la51.icann.org/en/schedule/mon-tech

although the actual agenda is on the DNS-OARC site.  Some of the sessions that may be of interest to Deploy360 readers include:

  • DNSViz – powerful and extensible DNS analysis
  • Low-Cost Threshold Cryptography HSM for OpenDNSSEC
  • DNS Bake-off

This last “bake-off” session I mention is one in which the different vendors/organizations behind various DNS servers all get up in front of the room and talk about what is new or different in their latest software. When this panel has happened before at Tech Day it’s been a great way to learn what is new with the different DNS software implementations.

A number of other sessions will probably be quite interesting and the opening keynote at 11:00 by Paul Mockapetris should be quite educational as well.

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

http://la51.icann.org/en/schedule/mon-dnssec-everybody

19:30 – 21:30 (or later) PDT – DNSSEC Implementers Gathering

After that session is over there will be a smaller informal gathering at a nearby restaurant where people who are actually involved in deploying DNSSEC and/or creating the tools to deploy DNSSEC will gather together for food, drinks and conversation to explore what more can be done to accelerate DNSSEC deployment. These sessions have created strong connections and usually generated new projects and ideas for further work.

Alas, there is no way that anyone can participate remotely. :-)  We would like to thank Comcast, NBC Universal and the MPAA for providing sponsorship money so that we could hold this gathering and make it accessible to all who will attend.  (Attendance has now been closed due to space limitations.)

Wednesday, October 15

08:30 – 14:45 PDT – DNSSEC Workshop

This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

http://la51.icann.org/en/schedule/wed-dnssec

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics and the beginning and wrapping it up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

09:00 – ? – Root KSK Rollover Interoperability Testing

At the same time as the public DNSSEC Workshop is taking place, there will be a private meeting of service providers, vendors, application developers and others who will be focused on performing some actual interoperability testing to determine what exactly will be some of the technical issues when we as a community roll (or change) the “Root Key Signing Key (KSK)” that is at the top of the global “chain of trust” in DNSSEC.

This closed interop workshop will then lead to…

Thursday, October 16

09:00 – 12:00 DNSSEC Key Rollover Workshop

ICANN Chief Technology Officer (CTO) David Conrad is organizing a public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.  Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will only be from 09:00-12:00.)

I would expect some of the discussion will involve the results of the interop testing happening on Wednesday but the intent is to have it be a wider discussion during this workshop.  If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

It is also worth noting that ICANN’s Security and Stability Advisory Committee (SSAC) will hold its public meeting from 08:00 – 09:00 immediately prior to this workshop.  The SSAC public meetings usually include topics of interest to those of us working with DNSSEC and “DNS security” in general.


And… after all of that we’ll all make our journeys home rather exhausted from so much conversation about DNSSEC! :-)

Seriously, though, it will be an excellent week full of DNSSEC and DANE conversations.  If you are out at ICANN 51 please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

Join The Monthly “DNSSEC Coordination” Calls To Help Advance DNSSEC

If you are interested in helping advance the deployment of DNSSEC, there are a group of us that gather in a conference call on the first Thursday of each month to exchange information, share ideas and develop plans to accelerate more usage and deployment of DNSSEC.  This is a group focused more on the advocacy and promotion of DNSSEC and DANE, rather than focused on technical deployment issues. (There are other email lists and groups for that.)  It is not a formal group but just a group of people interested in coordinating our activities so that we can we can learn from each other and work together to make thing happen quicker.

These “DNSSEC coordination” calls are hosted by the Internet Society and open to anyone interested in helping.  Please simply join the “dnssec-coord” mailing list to be connected to others and learn about the upcoming calls and events.

P.S. While you are at it, you may want to join in to some of the other lists and forums that make up the “DNSSEC community”.