October 2014 archive

Rough Guide To ICANN 51: DNSSEC And The Root KSK Rollover

How do we increase the security of the Domain Name System (DNS)? How can we expand the usage of DNS Security Extensions (DNSSEC) and use it to create a higher level of trust on the Internet? How do we make the Internet more secure?

Most of us probably don't think all that much about DNS but yet we use it for almost every interaction we have on the Internet. Whether we are reading the latest news, buying something online, sending email to a friend or joining into whatever the latest social network is, domain names are the tool we use to connect to sites without having to remember long numerical IP addresses. We just expect it to work and take it for granted.

Dan York

Background Information For The DNSSEC Root KSK Rollover Workshop At ICANN51

As I mentioned yesterday, there is a great amount of DNSSEC-related activity happening at ICANN 51 in Los Angeles next week. One of the new items is the Root KSK Rollover Workshop on Thursday, October 16, 2014, from 9:00-12noon US Pacific time (UTC-7). This workshop will be accessible remotely from links off of this page:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

The point of this session is to publicly discuss what potential impact we see might happen with a change of the Root Key Signing Key (KSK) that is at the heart of the DNSSEC “global chain of trust”. What impacts might there be on people using DNSSEC validation in their daily operations?  And how do we help mitigate those potential issues?

If we change the Root KSK, all the DNSSEC-validating DNS resolvers out there might update their local trust anchors to the new Root KSK and everything will be perfectly fine.  Or… they might not and so when the old Root KSK disappears those DNS resolvers might start failing to return valid DNSSEC-signed records… effectively breaking Internet usage for many people and giving DNSSEC a very bad reputation (and slowing/reducing deployment).  How do we prevent that?

It is a very important discussion!
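The failure mode sketched above (a validating resolver whose trust anchor still points at the old Root KSK stops being able to validate once the new KSK takes over signing) is easy to see in a small simulation. The following Python is an added example, not code from this post, from ICANN or from any resolver implementation. It models only the trust-anchor state at the root: one resolver keeps a static, hand-configured anchor; the other follows the RFC 5011 pattern of adopting any KSK it sees published in a root DNSKEY RRset that validates under an already-trusted key (hold-down timers and the REVOKE flag are omitted). Key material, key names and the "signature" check (a key tag match rather than real RSA/ECDSA verification) are all constructed stand-ins.

```python
"""Simulation of a Root KSK rollover and its effect on two kinds of resolver.

Added example: models trust-anchor state only. Signatures are stand-ins
(an RRSIG is represented by the key tag of the KSK that produced it), so the
point is the chain-of-trust logic, not the cryptography.
"""
import hashlib
from dataclasses import dataclass


def key_tag(public: bytes) -> int:
    """Stand-in for the RFC 4034 key tag: 16 bits of a hash of the key material."""
    return int.from_bytes(hashlib.sha256(public).digest()[:2], "big")


@dataclass(frozen=True)
class KSK:
    name: str       # constructed label, not a real root key name
    public: bytes   # constructed key material; real keys are RSA/ECDSA

    @property
    def tag(self) -> int:
        return key_tag(self.public)


@dataclass
class DNSKEYRRset:
    keys: tuple           # the root DNSKEY RRset as published
    signer_tags: frozenset  # key tags of the KSKs whose RRSIGs cover the RRset

    def signed_by(self, ksk: KSK) -> bool:
        return ksk.tag in self.signer_tags


def publish(keys, signers) -> DNSKEYRRset:
    """The root operator publishes a DNSKEY RRset signed by the given KSKs."""
    return DNSKEYRRset(tuple(keys), frozenset(k.tag for k in signers))


class Resolver:
    """A validating resolver holding root trust anchors keyed by key tag."""

    def __init__(self, anchors, rfc5011: bool):
        self.anchors = {k.tag: k for k in anchors}
        self.rfc5011 = rfc5011

    def validate_root(self, rrset: DNSKEYRRset) -> bool:
        """True if some configured trust anchor signs the root DNSKEY RRset.

        A real resolver would answer SERVFAIL for every signed name when this
        returns False, since nothing below the root can be validated.
        """
        ok = any(rrset.signed_by(anchor) for anchor in self.anchors.values())
        if ok and self.rfc5011:
            # RFC 5011 style: keys seen in a validated RRset become trusted
            # (the 30-day add-hold-down timer is omitted in this simulation).
            for k in rrset.keys:
                self.anchors.setdefault(k.tag, k)
        return ok


def rollover_scenario() -> dict:
    """Run the three phases of a rollover; returns (static, tracking) results."""
    old = KSK("old-root-ksk", b"constructed-old-root-key-material")
    new = KSK("new-root-ksk", b"constructed-new-root-key-material")
    static = Resolver([old], rfc5011=False)    # hand-configured anchor, never updated
    tracking = Resolver([old], rfc5011=True)   # learns the new key automatically
    results = {}

    # Phase 1: new KSK pre-published alongside the old one; old KSK still signs.
    rr = publish([old, new], signers=[old])
    results["pre-publish"] = (static.validate_root(rr), tracking.validate_root(rr))

    # Phase 2: the new KSK takes over signing; the old key is still published.
    rr = publish([old, new], signers=[new])
    results["new-signs"] = (static.validate_root(rr), tracking.validate_root(rr))

    # Phase 3: the old KSK is removed from the zone entirely.
    rr = publish([new], signers=[new])
    results["old-removed"] = (static.validate_root(rr), tracking.validate_root(rr))
    return results


if __name__ == "__main__":
    for phase, (static_ok, tracking_ok) in rollover_scenario().items():
        print(f"{phase:12s} static-anchor={static_ok!s:5s} rfc5011={tracking_ok}")
```

The static resolver validates only until the new KSK starts signing; from that moment every DNSSEC-signed answer it returns would fail validation, which is exactly the outcome the workshop is trying to avoid. The tracking resolver learned the new key while the old one was still trusted, so the switch is invisible to it.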

ICANN Public Consultation

For some background on this whole issue, you can go back to the public consultation ICANN performed about the KSK rollover back in early 2013:

https://www.icann.org/public-comments/root-zone-consultation-2013-03-08-en

A report summarizing the public comments is available here:

https://www.icann.org/en/system/files/files/report-comments-root-zone-consultation-08apr14-en.pdf

That document also contains the list of “ICANN Recommendations” that were given to the ICANN Board.

The public comments themselves are available individually here:

http://forum.icann.org/lists/comments-root-zone-consultation-08mar13/

They include the comments that Andrei Robachevsky and I submitted on behalf of the Internet Society which could effectively be summarized as: we believe the Root KSK should be rolled as soon as possible and as frequently as possible.

SSAC Report

Additionally, SSAC released SAC063 with their advice on DNSSEC Key Rollover in November 2013:

https://www.icann.org/en/system/files/files/sac-063-en.pdf

All of these documents (the comments and the SSAC report) provide some background on the views of various people and organizations about the implications of a KSK rollover, and also on the motivation behind the view, held by most, that we need to roll the KSK sooner rather than later.

ICANN Board Resolution

I would also note that on November 21, 2013, the ICANN Board adopted a resolution directing ICANN’s President and CEO to evaluate the SSAC advice and provide a recommendation to the board regarding the acceptance of that advice within 90 days:

https://features.icann.org/board-advice#advice-to-board_f=dnssec%20key%20rollover&advice-to-board_d=false&advice-to-board_e=18

That process started… but then stalled when the larger “IANA Transition” issue was injected by the NTIA last year.  This workshop next week, as well as the private interop testing, is, in my view, an effort by ICANN’s new CTO, David Conrad, to try to get this effort back on track and make some actions happen.

Going Forward

A key point about this workshop on Thursday, October 16, is that most people are not talking about IF the Root KSK will be rolled, but rather HOW the Root KSK can be rolled most effectively and how we can mitigate any potential issues that arise.  It is also interesting to note that some of the discussion has changed from the need to roll the key for cryptographic/security reasons to talking about the need to change the Root KSK to, for instance, utilize a better and faster encryption algorithm.

Ksk-rollover Mailing List

Much of this discussion is happening on the ksk-rollover mailing list hosted by ICANN. This list is open to the public and anyone can join.  The ksk-rollover list archives provide additional background info for the meeting on Thursday.

This public workshop should be an interesting discussion next Thursday.  I do encourage anyone interested in this important issue to join in and participate.

2-Page IPv6 Fact Sheet Now Available In English, French and Spanish

Have you ever wished that there was a simple “2-page” document that you could give people explaining IPv6 and what it is all about? Would you like an IPv6 “handout” that you can distribute at events or send to colleagues or vendors?

If so, we’ve now added an “IPv6 Fact Sheet” to our site in the following languages:

We’ll be adding versions in Arabic,  Chinese and Russian soon.

Please feel free to download these and use them in whatever way you wish.  Email them to people.  Print them out and pass them out at a meeting.  Distribute them on a conference USB drive… do whatever you want with them!

Because we may update the fact sheets from time to time, we would encourage you to direct people to this simple URL to find the fact sheets:

http://www.internetsociety.org/deploy360/ipv6/factsheet/

And please let us know any feedback you have on these documents.  We’re here to help you get IPv6 more widely deployed and want to be as helpful as possible.  How can we help you get the information you need?

Finally, please do direct people to our Start Here page at https://www.internetsociety.org/deploy360/start/ so that they can find IPv6 resources targeted at their role or type of organization.

P.S. Please also check out our DNSSEC Fact Sheet.

A Great Amount Of DNSSEC/DANE Activity At ICANN 51 In L.A. Next Week

Starting in just a few days there is going to be a great amount of activity related to DNSSEC and DANE happening in conjunction with the ICANN 51 meeting in Los Angeles from October 12-16, 2014.

As usual, there will be the large DNSSEC Workshop on Wednesday, October 15 that always happens with ICANN meetings, as well as the “DNSSEC for Everybody” and “DNSSEC Implementer’s Gathering” on Monday.

However, at ICANN 51 there will be three other activities:

Due to some schedule conflicts I will be unfortunately missing the DNS-OARC meetings but I’ll be out there on Monday afternoon and look forward to seeing many of you there!

To walk through the activities, let me break it down day by day.

Saturday and Sunday, October 11-12

DNS-OARC will be holding its 2014 Fall Workshop and Annual General Meeting this weekend.  Saturday the 11th is primarily focused on organizational matters but on Sunday the 12th the group gets into detailed technical discussions.  Some of the sessions that may be of interest to Deploy360 readers include:

  • Measuring the cost of DNSSEC
  • Improved NSEC3 performance in DNSSEC
  • NSEC5: Provably Preventing DNSSEC Zone Enumeration
  • A Survey of Current DANE/TLSA Deployment

Many of the other sessions look quite fascinating as well (to a “DNS geek” such as myself!). Per the Overview page, you can participate remotely using these means:

Monday, October 13

10:30 – 17:00 PDT – Tech Day (combined ccNSO/DNS-OARC)

On every Monday of an ICANN week the ccNSO (for country-code top-level domains (ccTLDs)) holds a “Tech Day” full of technical presentations on a wide range of topics. For ICANN 51 they have combined with DNS-OARC and the result is an excellent session full of DNS and DNSSEC talks.  Remote participation info is available at:

http://la51.icann.org/en/schedule/mon-tech

although the actual agenda is on the DNS-OARC site.  Some of the sessions that may be of interest to Deploy360 readers include:

  • DNSViz – powerful and extensible DNS analysis
  • Low-Cost Threshold Cryptography HSM for OpenDNSSEC
  • DNS Bake-off

This last “bake-off” session I mention is one in which the different vendors/organizations behind various DNS servers all get up in front of the room and talk about what is new or different in their latest software. When this panel has happened before at Tech Day it’s been a great way to learn what is new with the different DNS software implementations.

A number of other sessions will probably be quite interesting and the opening keynote at 11:00 by Paul Mockapetris should be quite educational as well.

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

http://la51.icann.org/en/schedule/mon-dnssec-everybody

19:30 – 21:30 (or later) PDT – DNSSEC Implementers Gathering

After that session is over there will be a smaller informal gathering at a nearby restaurant where people who are actually involved in deploying DNSSEC and/or creating the tools to deploy DNSSEC will gather together for food, drinks and conversation to explore what more can be done to accelerate DNSSEC deployment. These sessions have created strong connections and usually generated new projects and ideas for further work.

Alas, there is no way that anyone can participate remotely. :-)  We would like to thank Comcast, NBC Universal and the MPAA for providing sponsorship money so that we could hold this gathering and make it accessible to all who will attend.  (Attendance has now been closed due to space limitations.)

Wednesday, October 15

08:30 – 14:45 PDT – DNSSEC Workshop

This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

http://la51.icann.org/en/schedule/wed-dnssec

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics at the beginning and wrapping it up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

09:00 – ? – Root KSK Rollover Interoperability Testing

At the same time as the public DNSSEC Workshop is taking place, there will be a private meeting of service providers, vendors, application developers and others who will be focused on performing some actual interoperability testing to determine what exactly will be some of the technical issues when we as a community roll (or change) the “Root Key Signing Key (KSK)” that is at the top of the global “chain of trust” in DNSSEC.

This closed interop workshop will then lead to…

Thursday, October 16

09:00 – 12:00 DNSSEC Key Rollover Workshop

ICANN Chief Technology Officer (CTO) David Conrad is organizing a public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.  Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will only be from 09:00-12:00.)

I would expect some of the discussion will involve the results of the interop testing happening on Wednesday but the intent is to have it be a wider discussion during this workshop.  If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

It is also worth noting that ICANN’s Security and Stability Advisory Committee (SSAC) will hold its public meeting from 08:00 – 09:00 immediately prior to this workshop.  The SSAC public meetings usually include topics of interest to those of us working with DNSSEC and “DNS security” in general.

And… after all of that we’ll all make our journeys home rather exhausted from so much conversation about DNSSEC! :-)

Seriously, though, it will be an excellent week full of DNSSEC and DANE conversations.  If you are out at ICANN 51 please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

Join The Monthly “DNSSEC Coordination” Calls To Help Advance DNSSEC

If you are interested in helping advance the deployment of DNSSEC, there are a group of us that gather in a conference call on the first Thursday of each month to exchange information, share ideas and develop plans to accelerate more usage and deployment of DNSSEC. This is a group focused more on the advocacy and promotion of DNSSEC and DANE, rather than on technical deployment issues. (There are other email lists and groups for that.) It is not a formal group but just a group of people interested in coordinating our activities so that we can learn from each other and work together to make things happen quicker.

These “DNSSEC coordination” calls are hosted by the Internet Society and open to anyone interested in helping.  Please simply join the “dnssec-coord” mailing list to be connected to others and learn about the upcoming calls and events.

P.S. While you are at it, you may want to join in to some of the other lists and forums that make up the “DNSSEC community”.

Watch LIVE Today – INET Trinidad and Tobago – IPv6, DNSSEC, More

As we mentioned earlier this week, the INET Trinidad and Tobago event starts TODAY bringing great Internet infrastructure information to the Caribbean region. Some of the presentations today covering IPv6 and DNSSEC include:

  • IPv6: What Is It? Why Is It Needed?
  • IPv6 Deployment: Business Cases and Development Options (in the Caribbean)
  • Securing the DNS and Internet Routes

The event continues tomorrow, Thursday, October 9, with a range of sessions related to Internet Exchange Points (IXPs), cybersecurity and trends in the overall industry.

You can watch the event live at:

http://new.livestream.com/internetsociety/inet-trinidad-and-tobago

The agenda can be found at:

http://www.internetsociety.org/events/inet-trinidad-and-tobago

Note that Trinidad and Tobago use Atlantic Standard Time (AST) which is UTC-4 and right now the same as US Eastern Daylight Time.

Our colleague Shernon Osepa has more information about the INET Trinidad and Tobago event in a post on our Internet Technology Matters (ITM) blog earlier this week.

CloudFlare Publishes Excellent Introduction To DNSSEC

The team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read. CloudFlare has developed a reputation for writing blog posts that provide a solid level of technical depth and this one certainly does. Nick Sullivan starts by walking through the basics of DNS, including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:

CloudFlare MITM example

Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible. He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on the value of NSEC/NSEC3 to prove that records don’t exist.

All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece.  Thanks to Nick Sullivan and his team for getting this out there!

As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014.  Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. :-)  It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF.  We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.

All great to see – and this will only help get DNSSEC much more widely deployed!

If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!

Simple DNSSEC Fact Sheet Now Available In English, French and Spanish

Have you ever wished that there was a simple “2-page” document that you could give people explaining DNSSEC and what it is all about? Would you like a DNSSEC “handout” that you can distribute at events or send to colleagues or vendors?

If so, we’ve now added a “DNSSEC Fact Sheet” to our site in the following languages:

We’ll be adding versions in Arabic,  Chinese and Russian soon.

Please feel free to download these and use them in whatever way you wish.  Email them to people.  Print them out and pass them out at a meeting.  Distribute them on a conference USB drive… do whatever you want with them!

Because we may update the fact sheets from time to time, we would encourage you to direct people to this simple URL to find the fact sheets:

http://www.internetsociety.org/deploy360/dnssec/factsheet/

And please let us know any feedback you have on these documents.  We’re here to help you get DNSSEC more widely deployed and want to be as helpful as possible.  How can we help you get the information you need?

Finally, please do direct people to our Start Here page at https://www.internetsociety.org/deploy360/start/ so that they can find DNSSEC resources targeted at their role or type of organization.

P.S. You can expect to see a fact sheet for IPv6 coming soon…

Chris Grundemann At NANOG62 This Week Talking BCOP

Are you at NANOG 62 in Baltimore, MD, this week? If so, look for our Chris Grundemann (see team photo) who is there all week.

Chris is primarily at NANOG for the Best Current Operational Practices (BCOP) Track happening today from 4:30 to 6:00pm US EDT in the “Maryland Suites” room.   Chris was very active with this BCOP work in NANOG before joining the Internet Society and remains closely connected to what is going on.  As we’ve written about in the past, our team here is working to help facilitate the creation of regional BCOP documentation efforts around the globe and a good bit of what Chris expects to be doing at NANOG 62 is speaking with operators about what other BCOP documents could be written.

He’ll also be speaking with people about all the work we’re doing here to promote IPv6, DNSSEC, TLS and technologies to secure BGP.  If you’d like to meet up with him, please drop an email to deploy360@isoc.org and he can connect with you there at the show.

Beyond the BCOP session today, which is unfortunately not being webcast, there is an outstanding agenda of presentations this week, many of which will be webcast / live streamed for remote viewing.  Some of the sessions that hit the topics we cover here at Deploy360 include (slides are available for sessions that are already over, and the video recordings should be available soon):

Monday, October 6, 2014

  • Detecting and Quantifying IPv6-based SMTP Abuse
  • Project Turris  (an IPv6-capable and DNSSEC-validating home gateway/router from CZ.Nic)
  • Single Pass Load Balancing with Session Persistence in IPv6 Network

Tuesday, October 7, 2014

  • DNS Track (unfortunately not webcast)

Wednesday, October 8, 2014

  • Adventures in RPKI (non)Deployment

There are a great range of other talks on the NANOG 62 agenda that may be of interest, too.  I’m personally interested in the talk on Thursday (right before the RPKI talk) from Tim Stronge at TeleGeography about submarine cables as I just find that whole area intriguing.

All in all it should be a great event – and if you want to learn more about what we are doing and want to provide some feedback about what you could use help with to get started with IPv6, DNSSEC and other technologies, please do find Chris and say hello!

INET Trinidad and Tobago To Cover IPv6, DNSSEC, IXPs and more

This Wednesday and Thursday the INET Trinidad and Tobago event will bring a great amount of technical presentations to the Caribbean region. Starting on October 8, 2014, some of the presentations covering IPv6 and DNSSEC include:

  • IPv6: What Is It? Why Is It Needed?
  • IPv6 Deployment: Business Cases and Development Options (in the Caribbean)
  • Securing the DNS and Internet Routes

The event continues on Thursday, October 9, with a range of sessions related to Internet Exchange Points (IXPs), cybersecurity and trends in the overall industry.  It looks like a great event and the excellent news is that you can watch it all live at:

http://new.livestream.com/internetsociety/inet-trinidad-and-tobago

Note that Trinidad and Tobago use Atlantic Standard Time (AST) which is UTC-4 and right now the same as US Eastern Daylight Time.

Our colleague Shernon Osepa has more information about the INET Trinidad and Tobago event in a post on our Internet Technology Matters (ITM) blog earlier today.