October 2014 archive

DPRIVE – New IETF Working Group On DNS Privacy

How can we ensure the confidentiality of DNS queries to protect against pervasive monitoring?  What kind of mechanisms can be developed to increase the privacy of an individual’s DNS transactions?

After holding a BOF session (DNSE) at an earlier IETF meeting, the IETF has now chartered a new Working Group called DPRIVE (DNS PRIVate Exchange) to dig into this matter. Part of the WG charter states:

The set of DNS requests that an individual makes can provide an
attacker with a large amount of information about that individual.
DPRIVE aims to deprive the attacker of this information. (The IETF
defines pervasive monitoring as an attack [RFC7258])

The primary focus of this Working Group is to develop mechanisms that
provide confidentiality between DNS Clients and Iterative Resolvers,
but it may also later consider mechanisms that provide confidentiality
between Iterative Resolvers and Authoritative Servers, or provide
end-to-end confidentiality of DNS transactions. Some of the results of
this working group may be experimental. The Working Group will also
develop an evaluation document to provide methods for measuring the
performance against pervasive monitoring; and how well the goal is met.
The Working Group will also develop a document providing example
assessments for common use cases.

The group has adopted its first document for consideration, Stephane Bortzmeyer’s “DNS privacy considerations”, draft-bortzmeyer-dnsop-dns-privacy, and discussion has already begun on the “dns-privacy” mailing list.  This list is open to anyone to join. You can subscribe at:

https://www.ietf.org/mailman/listinfo/dns-privacy

and the archives are available at:

http://www.ietf.org/mail-archive/web/dns-privacy/current/maillist.html

While this group does not directly relate to the work we do here at Deploy360 related to DNSSEC, it is part of the overall effort to increase the security of the DNS, and so I thought it would be of interest to our readers.

If you are interested in monitoring what is being discussed about DNS privacy, or contributing to those discussions, I would definitely encourage you to subscribe and join in the conversations and the work to make the Internet more secure!

Interesting IPv6 Address Planning Discussion on NANOG Mailing List

Earlier this month there was an interesting discussion on the public NANOG mailing list about IPv6 subnetting that I thought might be of interest to our readers.

The very lengthy discussion thread began back on October 9, 2014, when Erik Sundberg asked this question:

I am planning out our IPv6 deployment right now and I am trying to figure out our default allocation for customer LAN blocks. So what is everyone giving for a default LAN allocation for IPv6 Customers. I guess the idea of handing a customer /56 (256 /64s) or a /48 (65,536 /64s) just makes me cringe at the waste. Especially when you know 90% of customers will never have more than 2 or 3 subnets. As I see it the customer can always ask for more IPv6 Space.

/64
/60
/56
/48

Small Customer?
Medium Customer?
Large Customer?

The ensuing discussion makes for interesting reading to see what many network operators do and why they suggest doing things in the way that they do.
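As an added example that is not part of the NANOG thread or the BCOP, the following Python uses the standard library ipaddress module to carve customer blocks from a provider aggregate and to count how many /64 LAN subnets each candidate block size holds. The aggregate (2001:db8::/32, the documentation prefix) and the candidate sizes are illustrative choices, not a recommendation from the thread.

```python
# Added example: IPv6 customer-block planning with the standard library.
# The aggregate (2001:db8::/32, the documentation prefix) and the candidate
# block sizes are illustrative, not a recommendation from the NANOG thread.
import ipaddress
from itertools import islice


def subnets_per_block(prefix_len, subnet_len=64):
    """Number of /<subnet_len> networks that fit in one /<prefix_len> block.

    subnets_per_block(56) == 256 and subnets_per_block(48) == 65536, the
    figures quoted in the NANOG question.
    """
    if not 0 <= prefix_len <= subnet_len <= 128:
        raise ValueError("need 0 <= prefix_len <= subnet_len <= 128")
    return 1 << (subnet_len - prefix_len)


def is_nibble_aligned(prefix_len):
    """True when the prefix ends on a 4-bit boundary.

    Nibble-aligned prefixes line up with one hex digit of the address, which
    keeps plans readable and matches the per-nibble delegation structure of
    ip6.arpa reverse zones.
    """
    return prefix_len % 4 == 0


def customers_per_aggregate(aggregate, customer_len):
    """How many /<customer_len> blocks one aggregate can hand out."""
    agg = ipaddress.IPv6Network(aggregate)
    if customer_len < agg.prefixlen:
        raise ValueError("customer block cannot be larger than the aggregate")
    return 1 << (customer_len - agg.prefixlen)


def customer_blocks(aggregate, customer_len, count):
    """First `count` customer blocks of /<customer_len> carved from `aggregate`."""
    agg = ipaddress.IPv6Network(aggregate)
    if customer_len < agg.prefixlen:
        raise ValueError("customer block cannot be larger than the aggregate")
    return [str(n) for n in islice(agg.subnets(new_prefix=customer_len), count)]


def plan_report(aggregate, sizes=(64, 60, 56, 48)):
    """For each candidate customer size, summarise how the aggregate divides."""
    rows = []
    for size in sizes:
        rows.append({
            "customer_prefix": size,
            "nibble_aligned": is_nibble_aligned(size),
            "lan_subnets_per_customer": subnets_per_block(size),
            "customers_in_aggregate": customers_per_aggregate(aggregate, size),
        })
    return rows


if __name__ == "__main__":
    for row in plan_report("2001:db8::/32"):
        print(row)
    print(customer_blocks("2001:db8::/32", 56, 3))
```

Running it shows the trade-off the question is really about: a /32 still holds 65,536 customer /48s, so the "waste" of giving every customer thousands of subnets costs the provider nothing it will run short of, and keeping the boundary on a nibble keeps the plan legible.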

For our part, we have a page about IPv6 Address Planning that links to several resources that can help guide people in what to do:

http://www.internetsociety.org/deploy360/resources/ipv6-address-planning/

Of particular interest (and mentioned in the discussion thread) may be the Best Current Operational Practice (BCOP) document developed by NANOG on this particular topic and available at:

http://bcop.nanog.org/index.php/IPv6_Subnetting

It was great to read the discussion on the NANOG list. One of the hardest things to grasp when thinking about IPv6 address planning is the need to adjust your mind from living with the scarcity of IPv4 addresses to a world of abundant IPv6 addresses.  With that abundance we now have the freedom and flexibility to think about network addressing in a much different manner!

If you would like to get started with IPv6, please do visit our Start Here page to find resources tailored for your type of organization or role!

New DNSSEC Deployment Maps – Now Corrected And Updated

If you have been receiving our DNSSEC deployment maps by email or just using the maps from our web page, you need to know an important fact:

The maps we’ve been publishing recently have had the incorrect status set for several countries.

The maps published last week on October 14, 2014, (and the ones distributed via email today) have now been fully verified to have the correct status of all country-code top-level domains (ccTLDs).

The maps are correct today!

To explain a bit more, in preparation for last week’s DNSSEC Workshop at ICANN 51 I was puzzled by something that didn’t seem right with what we were publishing.  Specifically, Australia was showing up in a September map as having a “DS in Root” when I knew for a fact that .AU did not (and could easily confirm using “dig” at the command-line).  Diving into the issue more, I discovered what happened.

One of the strengths of our set of DNSSEC deployment maps is that we track 5 stages of DNSSEC deployment versus simply showing whether they are publishing a DS in the root zone.  This allows us to do some forward projection to what we think the state of DNSSEC deployment may be in the future based on statements made by various ccTLDs about their plans for DNSSEC deployment.

But what if those plans don’t work out exactly right?

Our database contains records for each ccTLD based on both factual data (such as whether they have a DS record in the root zone) and observed information that could be from announcements, presentations at industry conferences, blog posts, email messages, etc.

In this case, there were forward-looking records for a number of ccTLDs that had been entered into the database but then had not actually happened on the projected dates.  For whatever reasons, various plans and public statements did not hit their target dates.

I spent my plane flight out to Los Angeles going through the tedious exercise of comparing our database with a list of TLDs that had a DS in the root zone, and then followed that up with further confirmations once I had Internet access in L.A.  The end result is that I identified the forward-looking records that needed to be changed and updated our database in time to generate the maps I needed for last Wednesday’s workshop.

I also identified a hole in our process where I was not routinely checking the forward-looking records to be sure that they were in fact happening.  This is all part of the learning process after we took on maintenance of these maps from Shinkuro, Inc., earlier in 2014.  Now we’ll be sure to check this in the future.
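The check described above, comparing forward-looking database records against what is actually in the root zone, can be automated. The following Python is an added example and is not the Deploy360 maps tooling: the root-zone excerpt, the stage names and the database rows are constructed for illustration (the page does not list the real stage names), and the DS digests are placeholders.

```python
# Added example: cross-check a ccTLD DNSSEC status database against the set of
# TLDs that actually have a DS record in the root zone. The zone excerpt, the
# stage names and the database rows are constructed for illustration; they are
# not the Deploy360 maps database.
import datetime as dt

# Constructed root-zone excerpt in master-file syntax; DS digests are
# placeholders. Real input would be the published root zone file, or the
# output of "dig DS <tld>." against a root server.
ROOT_ZONE_EXCERPT = """\
; constructed sample, not the real root zone
au.   172800  IN  NS  a.au.
se.   172800  IN  NS  a.ns.se.
se.   86400   IN  DS  59747 5 1 0123456789abcdef0123456789abcdef01234567
se.   86400   IN  DS  59747 5 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
nl.   172800  IN  NS  ns1.dns.nl.
nl.   86400   IN  DS  34112 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Assumed ordering of deployment stages, least to most deployed. "DS in Root"
# is the only stage that can be verified directly from the root zone.
STAGES = ["Announced", "Partial", "DS in Root", "Operational"]
DS_IN_ROOT = STAGES.index("DS in Root")


def tlds_with_ds(zone_text):
    """Return the set of TLD labels that have at least one DS RR in zone_text."""
    found = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments
        fields = line.split()
        # Root zone records are in full form: owner TTL class type rdata...
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "DS":
            found.add(fields[0].rstrip(".").lower())
    return found


def stale_records(db_rows, ds_tlds, today):
    """Flag database rows that disagree with the root zone.

    db_rows: iterable of dicts with keys tld, stage, date (ISO string), source.
    today:   ISO date string; records dated after it are forward-looking.
    Returns a list of (tld, problem) tuples.
    """
    today = dt.date.fromisoformat(today)
    problems = []
    for row in db_rows:
        tld = row["tld"].lower()
        stage = STAGES.index(row["stage"])
        effective = dt.date.fromisoformat(row["date"])
        claims_ds = stage >= DS_IN_ROOT
        if claims_ds and effective > today:
            # Forward-looking record: must not be shown as achieved yet.
            problems.append((tld, "projected %s on %s has not arrived" % (row["stage"], row["date"])))
        elif claims_ds and tld not in ds_tlds:
            problems.append((tld, "database says %s but no DS in root zone" % row["stage"]))
        elif not claims_ds and tld in ds_tlds:
            problems.append((tld, "DS present in root zone but database stage is %s" % row["stage"]))
    return problems


# Constructed database rows, including a forward-looking record whose projected
# date has passed without a DS appearing in the root zone.
SAMPLE_DB = [
    {"tld": "se", "stage": "Operational", "date": "2007-01-01", "source": "constructed"},
    {"tld": "nl", "stage": "Announced",   "date": "2014-01-01", "source": "constructed"},
    {"tld": "au", "stage": "DS in Root",  "date": "2014-09-01", "source": "constructed"},
    {"tld": "xx", "stage": "DS in Root",  "date": "2015-03-01", "source": "constructed"},
]

if __name__ == "__main__":
    ds = tlds_with_ds(ROOT_ZONE_EXCERPT)
    for tld, problem in stale_records(SAMPLE_DB, ds, "2014-10-14"):
        print(tld, "-", problem)
```

Run weekly against the current root zone before the maps are generated, this catches both kinds of drift: a projection that was entered but never materialised, and a ccTLD that signed without the database being told.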

I do apologize if anyone used these maps in recent presentations over the past few months.  We’ll be working to make sure they stay updated in the time ahead.

By the way, if you do want to receive these DNSSEC deployment maps by email each week, you can subscribe to the public email list.  The maps are distributed via email each Monday morning, along with comma-separated value (CSV) files containing the DNSSEC status of all the ccTLDs and the generic TLDs (gTLDs).

And… if you want to get started with DNSSEC yourself, please visit our Start Here page to find resources aimed at your type of organization or role.

TDYR 176 – The Aftermath Of The Keene Pumpkin Festival Riots

We had an awesome day at the Keene Pumpkin Festival this past Saturday, October 18, 2014. It was an amazing, wonderful event... but you wouldn't know that from the media coverage that focused on the rioting of a large mass of college students and other young people a few streets away from where the Pumpkin Festival was happening.

FIR #778 – 10/20/14 – For Immediate Release

Millennials interview coming; Quick News: McDonald's addresses food questions, BBC's WhatsApp Ebola service, Marketers flee from YouTube to Facebook for video, UK trolls face prison; Ragan promo; News That Fits: Digital Naturals, Dan York's Tech Report, CEOs don't want to hear about intranets, Media Monitoring Minute from CustomScoop, listener comments, Google will connect you with a doctor, Igloo Software promo, last week on the FIR Podcast Network, travel tech industry connects staff with customers; how to comment; music from Holly Denton; and more.

Root DNSSEC KSK Rollover Workshop Streaming Live Today From ICANN 51


Today (Oct 16, 2014) from 9:00 am to 12 noon US Pacific, a special public workshop about implications of a “rollover” of the “Root Key Signing Key (KSK)” that serves as the ultimate “trust anchor” for DNSSEC will be streamed live from ICANN 51 in Los Angeles. Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will run from 09:00-12:00, although it may extend later if discussions continue.  It will definitely conclude no later than 13:30 PDT.)

ICANN Chief Technology Officer (CTO) David Conrad has organized this public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.

The public workshop is intended to be a discussion forum to collect guidance from a wide range of people.  An ad hoc program committee was established consisting of Joe Abley, Duane Wessels, Roy Arends, Jakob Schlyter, David Conrad and myself.  I was asked to act as moderator to keep the flow moving appropriately and to ensure that everyone gets to contribute.  The proposed agenda is:

1. INTRODUCTION

A brief level setting of why the workshop has been called, where we are at in the process (ICANN public consultation in early 2013, SSAC report, ICANN Board resolution in Nov 2013), and what we hope to do in the workshop.  (See my recent “Background Information” post for links for more info.)

2. HOW a Root KSK Rollover might occur

We would like to discuss how an automated rollover using RFC 5011 trust anchor updates would occur, as well as non-RFC 5011 roll options and options for a staggered roll.  Joe Abley will discuss a couple of relevant Internet Drafts.

3. WHAT a Root KSK Rollover might involve

We would like to discuss what changes might be made during a Root KSK Rollover. Specifically two points:

  a. ALGORITHM CHANGE – Geoff Huston will give a presentation about potential impacts of a change of the algorithm. (Geoff also presented this information at the DNS-OARC meeting this past weekend.)

  b. Length of KSK – There has been some discussion about changing the length of ZSKs and KSKs and moving to longer key sizes.  We would like a discussion around this idea and the potential impacts.

4. IMPLICATIONS

Discussion of additional implications beyond those discussed earlier.  For instance, issues around response sizes.

5. POTENTIAL TIMELINE (unanchored)

We would like to discuss what a potential timeline might look like for the entire process.  The intent is NOT to establish a fixed date but rather to establish what a timeline might look like for the full process to take place.

6. NEXT STEPS

We want to spend the end of the session identifying specific steps and actions that will occur coming out of this workshop.
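Items 3 and 4 of the agenda (algorithm change, key length, and response sizes) can be made concrete with arithmetic over the DNSSEC wire formats. The following Python is an added example, not material from the workshop, ICANN or the program committee: it estimates the size of the response to a DNSKEY query for the root under a few illustrative key configurations, using the DNSKEY and RRSIG wire formats of RFC 4034, the RSA public-key encoding of RFC 3110 and the ECDSA encoding of RFC 6605. The scenarios, the RSA exponent size and the UDP thresholds are assumptions chosen to show the effect of a longer key, of an algorithm change, and of two KSKs signing at once; they are not a statement of what the root zone uses at any particular time.

```python
# Added example: estimate the wire size of a root DNSKEY response for a few
# illustrative key configurations. Sizes follow the DNSKEY and RRSIG wire
# formats of RFC 4034, the RSA public key encoding of RFC 3110 and the ECDSA
# encoding of RFC 6605. The configurations are scenarios chosen to show the
# effect of key length, algorithm and rollover overlap, not a statement of
# what the root zone uses at any particular time.
from dataclasses import dataclass

ROOT_NAME_LEN = 1                          # "." is a single zero byte on the wire
RR_FIXED = ROOT_NAME_LEN + 2 + 2 + 4 + 2   # NAME TYPE CLASS TTL RDLENGTH
DNS_HEADER = 12
QUESTION = ROOT_NAME_LEN + 2 + 2           # QNAME QTYPE QCLASS
OPT_RR = 1 + 2 + 2 + 4 + 2                 # EDNS0 OPT pseudo-RR with no options
RSA_EXPONENT_LEN = 3                       # e = 65537; an assumption

# DNS payload sizes above which a UDP response runs into trouble.
UDP_LIMITS = {
    "classic 512-byte DNS/UDP limit (no EDNS)": 512,
    "IPv6 minimum MTU, 1280 less 40-byte IPv6 and 8-byte UDP headers": 1232,
    "1500-byte Ethernet MTU over IPv6, less 48 bytes of headers": 1452,
}


@dataclass(frozen=True)
class Key:
    role: str       # "KSK" or "ZSK"; a label only, it does not change the size
    alg: str        # "RSA" or "ECDSAP256"
    bits: int = 0   # RSA modulus size; unused for ECDSA

    def pubkey_len(self):
        if self.alg == "RSA":
            # RFC 3110: 1-byte exponent length (exponent < 256 bytes), exponent, modulus
            return 1 + RSA_EXPONENT_LEN + self.bits // 8
        if self.alg == "ECDSAP256":
            return 64   # RFC 6605: x || y, 32 bytes each, no point-format prefix
        raise ValueError("unknown algorithm %r" % self.alg)

    def sig_len(self):
        if self.alg == "RSA":
            return self.bits // 8
        if self.alg == "ECDSAP256":
            return 64   # r || s
        raise ValueError("unknown algorithm %r" % self.alg)


def dnskey_rr_len(key):
    """Wire size of one DNSKEY RR at the root: RDATA is flags(2) protocol(1) algorithm(1) key."""
    return RR_FIXED + 2 + 1 + 1 + key.pubkey_len()


def rrsig_rr_len(signer):
    """Wire size of one RRSIG RR over the root DNSKEY RRset made with `signer`."""
    # RDATA: type covered(2) algorithm(1) labels(1) original TTL(4) expiration(4)
    #        inception(4) key tag(2) signer's name (root, 1 byte) signature
    return RR_FIXED + 2 + 1 + 1 + 4 + 4 + 4 + 2 + ROOT_NAME_LEN + signer.sig_len()


def dnskey_response_len(keys, signers):
    """Size of the response to ". DNSKEY" with DO set: header, question, RRset, RRSIGs, OPT."""
    total = DNS_HEADER + QUESTION + OPT_RR
    total += sum(dnskey_rr_len(k) for k in keys)
    total += sum(rrsig_rr_len(s) for s in signers)
    return total


def exceeded_limits(size):
    """Names of the UDP_LIMITS that a response of `size` bytes exceeds."""
    return [name for name, limit in UDP_LIMITS.items() if size > limit]


def scenarios():
    """Illustrative configurations; returns {description: response size in bytes}."""
    ksk = Key("KSK", "RSA", 2048)
    zsk = Key("ZSK", "RSA", 1024)
    ksk_4096 = Key("KSK", "RSA", 4096)
    ecc_ksk = Key("KSK", "ECDSAP256")
    ecc_zsk = Key("ZSK", "ECDSAP256")
    return {
        "RSA-2048 KSK + RSA-1024 ZSK, signed by the KSK":
            dnskey_response_len([ksk, zsk], [ksk]),
        "rollover overlap: two RSA-2048 KSKs + RSA-1024 ZSK, both KSKs signing":
            dnskey_response_len([ksk, ksk, zsk], [ksk, ksk]),
        "longer key: RSA-4096 KSK + RSA-1024 ZSK":
            dnskey_response_len([ksk_4096, zsk], [ksk_4096]),
        "algorithm change: ECDSA P-256 KSK + ZSK":
            dnskey_response_len([ecc_ksk, ecc_zsk], [ecc_ksk]),
    }


if __name__ == "__main__":
    for desc, size in scenarios().items():
        print("%5d bytes  %s" % (size, desc))
        for name in exceeded_limits(size):
            print("            exceeds", name)
```

The numbers make the agenda's concern visible: a single RSA-2048 KSK with an RSA-1024 ZSK gives a 736-byte response, but adding a second 2048-bit KSK and signing with both pushes it to 1297 bytes, past what fits in an unfragmented packet at the IPv6 minimum MTU, and a single RSA-4096 KSK lands in the same place at 1248 bytes. Responses over 512 bytes already force resolvers without EDNS to retry over TCP; responses that fragment are dropped by some middleboxes and again fall back to TCP. The ECDSA P-256 scenario, at 280 bytes, shows why an algorithm change interacts with the size question rather than being a separate topic.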

If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

 

Watch LIVE Today – DNSSEC Workshop at ICANN 51

Starting in just a few minutes is the large DNSSEC Workshop, running from 08:30-14:45 PDT in the Pacific Palisades room at ICANN 51.  This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

http://la51.icann.org/en/schedule/wed-dnssec

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics at the beginning and wrapping up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

 

DNSSEC Workshop Streaming Live From ICANN 51 On Wednesday, Oct 15 (Featured Blog)

Want to learn about the state of DNSSEC usage in North America? Or what is new in DNS monitoring? Or where DNSSEC fits into the plans of operating systems? Or how DANE is being used to bring a higher level of security to email? All those questions and much more will be discussed at the DNSSEC Workshop at ICANN 51 happening on Wednesday, October 15, 2014, from 8:30 am to 2:45 pm Pacific Daylight Time (PDT, which is UTC-7). More...

Watch LIVE Today – DNSSEC For Everybody: A Beginners Guide (ICANN51)

As we mentioned last week, in just a few hours you’ll be able to watch and listen live to this event coming out of ICANN 51 in Los Angeles:

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

http://la51.icann.org/en/schedule/mon-dnssec-everybody

It’s always a good time with many great questions.  I’ll be there doing the introduction and then helping answer questions.

Please do look at our larger list of DNSSEC activities happening at ICANN 51 this week – MANY great activities going on!

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

FIR #777 – 10/13/14 – For Immediate Release

People use social media when business activity is low, teens are leaving Facebook again, Comedy club in Spain charges per laugh using facial recognition, Snapchat breach shouldn't deter marketers, the Millennial you're targeting doesn't exist, Michael Netzley's Asia Report, journalism's competitors don't look like journalism, linear measurement doesn't work in social media, Dan York's Tech Report, B2B purchase decisions happen before buyers even contact your company, music from Chris Nelson, and more.