February 2015 archive

ICANN Announces DNSSEC Root KSK Rollover Design Team

After soliciting statements of interest back in December, ICANN announced this week the people who had been selected for the DNSSEC Root Key Signing Key (KSK) Rollover Design Team. They are:

  • Joe Abley, Snake Hill Labs/DyN, CA
  • Jaap Akkerhuis, NLNetLabs, NL
  • John Dickinson, Sinodun Internet Technologies, UK
  • Geoff Huston, APNIC, AU
  • Ondrej Sury, CZ.NIC, CZ
  • Paul Wouters, No Hats/Red Hat, NL
  • Yoshiro Yoneya, JPRS, JP

We’ve written before about how important we believe the rollover of the Root KSK of DNSSEC is, and we are pleased to see this next step in the process.  All of the people selected have been extremely involved in the DNS / DNSSEC community for many years and have contributed in many ways to the ongoing deployment of DNSSEC.

We look forward to hearing the next steps taken by this team to move forward on rolling the Root KSK.  I suspect there will be some discussion at ICANN 52 next week in Singapore, but I also expect much more to happen after that event in the months ahead.

P.S. If you want to get started with DNSSEC, please visit our Start Here page to begin!

CloudFlare Wants To Update DNS Registration Model To Automate DNSSEC

Over on the CloudFlare blog today, Olafur Gudmundsson wrote a lengthy post titled “Updating the DNS Registration Model to Keep Pace with Today’s Internet” where he outlines a critical challenge that CloudFlare has run into on their path to implementing DNSSEC for their customers.

Essentially, the issue is this. On the signing side of DNSSEC, the process works as follows:

  1. A “DNS Operator” may host your DNS records and sign them with DNSSEC keys.  As part of doing this, they will generate a “Delegation Signer” or “DS” record that must be provided to the parent zone (typically a top-level domain (TLD)) to complete the “global chain of trust”.
  2. The DNS Operator has to communicate this DS record to the Registrar for the domain.
  3. The Registrar then provides this DS record to the Registry that operates the TLD.

This needs to be done initially when the domain is first signed with DNSSEC – and then the process needs to be performed every time the Key Signing Key (KSK) for the domain is rolled over.  Typically this might be done once each year but could be done more or less frequently.  The key point is that every time there is a key rollover, the new DS record must be communicated up to the TLD.

Here’s one way that I show the process graphically:

[Figure: DNSSEC Signing Steps]

Notice the role of the Registrar here. They are in the middle of the process.

And THAT is CloudFlare’s problem.  They say they are hosting 2 million domains for customers.  In order for CloudFlare to automate DNSSEC signing to be as simple as clicking/tapping a button in their user interface (as they have done for IPv6), they need to be able to interact easily with the registries for all those domains – and in the current system that means interacting with all the registrars!  Making it more challenging, some registrars have a clue about DNSSEC – and many others still don’t.

It’s a challenging issue.  As Olafur notes, there are now DNS records such as CDS and CDNSKEY, defined in RFC 7344, that can help with this, but they will require registrars to do some work to look for those records. But there are larger issues here that get into business processes, too.  For instance, many registrars are also DNS operators who will gladly host your DNS records for you for a fee – they have very little incentive to help make it easy for other DNS operators to host your domain.   There are a number of other issues.
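As an added illustration (not code from CloudFlare or from the original post), the sketch below shows the parent-side arithmetic behind the steps above: deriving a DS record from a DNSKEY as in RFC 4034 and RFC 4509, then working out which DS records must change when the child announces a new key through CDNSKEY. The key bytes, `example.com.` and the function names are constructed for the example, and validating the DNSSEC signatures on the CDNSKEY set, which a real parent must do first, is assumed to have happened already.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS with digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_changes(owner, cdnskey_rdatas, parent_ds):
    """DS records the parent must add and remove to match the child's CDNSKEY set."""
    wanted = {make_ds(owner, r) for r in cdnskey_rdatas}
    return wanted - set(parent_ds), set(parent_ds) - wanted

# Constructed sample data: placeholder byte strings, not real public keys.
OWNER = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))        # flags 257 = KSK
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))   # key after the rollover
PARENT_DS = {make_ds(OWNER, OLD_KSK)}   # what the TLD holds before the rollover

if __name__ == "__main__":
    add, remove = ds_changes(OWNER, [NEW_KSK], PARENT_DS)
    for tag, alg, dtype, digest in sorted(add):
        print(f"add    {OWNER} IN DS {tag} {alg} {dtype} {digest}")
    for tag, alg, dtype, digest in sorted(remove):
        print(f"remove {OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

Because the digest covers the key bytes, every KSK rollover produces a different DS, which is why the parent copy goes stale unless someone (or a CDS/CDNSKEY poller) pushes the new one up.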

Olafur began talking about this back at IETF 91 in Hawaii and this will be a big panel discussion at next week’s DNSSEC Workshop at ICANN 52 in Singapore (which will be streamed live and also recorded).

There is also a public mailing list set up for anyone who is interested in helping work on this issue.  You can join the effort and subscribe at:

https://elists.isoc.org/mailman/listinfo/dnssec-auto-ds

This work will be ongoing for quite some time and probably wind up in the DNSOP Working Group within the IETF.  It’s a critically important challenge we need to address to bring further automation to DNSSEC deployment and help many more people secure their domains.

Your feedback on all of this is definitely welcome!  Please do leave a comment here… or on Olafur’s blog post… or on social media… or contact Olafur directly.

And… if you want to get started with DNSSEC, please do visit our Start Here page to begin!

Anthem Data Breach Highlights The Critical Role We Each Play In Cybersecurity

Today brings us yet another massive data breach, this time of Anthem, the second-largest provider of health insurance in the United States. Various media reports are indicating that the personal information of 70 million or more customers may have been compromised. Anthem has set up a web site focused on the information, stating:

Dan York

Many DNSSEC and DANE Activities At ICANN52 Next Week In Singapore

What is happening with DNSSEC in the Asia-Pacific region?  What are DNSSEC and DANE all about, anyway?  What challenges are large DNS operators encountering when deploying DNSSEC?  All of these questions and many more will be discussed next week at ICANN 52 in Singapore.  Here is the quick guide – please note that all times are Singapore Time which is UTC+8.  (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)


DNSSEC For Everybody: A Beginner’s Guide

The week starts off on Monday, 9 February, 2015, with the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 17:00 – 18:30 SGT where we’ll be explaining what DNSSEC is all about and also putting on our “skit” dramatizing what happens with DNS and DNSSEC.  I don’t know if we’ll be awarded an Emmy anytime soon for our performance… but we have a good bit of fun with it and people have commented that it has really helped them understand how DNS and DNSSEC work.

You can follow along remotely (or watch it later) at:

http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Oh, and you get to see me talk about DNSSEC and blue smoke…


DNSSEC Implementers Gathering

As we noted previously, on Monday evening from 19:30-21:30 some number of us will be heading to a nearby pub for the “DNSSEC Implementers Gathering” where we’ll be talking informally amongst ourselves and figuring out how we can work together to accelerate DNSSEC and DANE adoption.  For perhaps obvious reasons, there is no remote participation available, but if you are in Singapore you are welcome to join us – we just ask for your RSVP by the end of the day tomorrow, Thursday, February 6, 2015.  Thanks to Comcast, NBC Universal and the MPAA for making this gathering possible, as they also did at ICANN 51 in L.A.


DNSSEC Workshop

The BIG event for the week is of course the DNSSEC Workshop on Wednesday, 11 February 2015, starting at 8:30 and ending at 14:45 SGT.  It will be streamed live and you can join in at this address:

http://singapore52.icann.org/en/schedule/wed-dnssec

The slides and other information will be up soon, but I can tell you the agenda will be this:

  1. Introduction and DNSSEC Deployment Around the World
  2. 10th Anniversary of DNSSEC Workshops
  3. DNSSEC Deployment in the Asia Region
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event.  The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community.  It should be a very interesting session.   I also always enjoy the DNSSEC case studies from the regional panels.


There will be a number of other side meetings and other discussions going on, but these are the main sessions.  I also understand there will be some DNSSEC activity happening at Tech Day on Monday, 9 February, but the agenda has not yet been posted.  We’ll publish an update once we know more.

If you are at ICANN 52 in Singapore please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.  You can also follow along with our ICANN 52 blog posts as we publish them next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

We Don’t Know How Much Time We Have Left

We don't know how much time we have left in our lives. We don't know when the lives of those around us may end.

It could be today.

It could be tomorrow.

It could be twenty years from now.

It could be in some dramatic fashion such as an explosion or an airplane crash.

Or it could be in some more mundane way like slipping on ice and hitting one's head... or being in a car accident... or being hit by a car while crossing a street... or just... simply... having... one's... heart... s..t..o..p.....

We don't know.

We will never know.

Until the time runs out... and a life is gone.

At which point... it's too late to say all those things we wish we would have said.

It's too late for that extra "I love you" that you wish you could have said, or the hug you wish you would have given.

It's too late.

We need to realize that each day could be our last... or could be the last of those around us.

What do we want those last memories of us to be?

Do we want people to remember us as kind and helpful? Or mean and angry? Or somewhere in between?

Do we want the last words people heard from us to be ones of anger? Or dismissal? Or hatred? Or do we want them to be words of love and kindness?

Do we want to live our life regretting that we didn't tell someone how much they meant to us before they passed on? Or regretting that the last words they heard from us were those in anger?

In our every action, we choose whether to build people up... or tear people down. It's our choice.

We don't know how much time we have left. We don't know when the lives of those around us may end.

We will never know.

Image credit: elycefeliz on Flickr

FIR On Technology Episode 3 – Understanding Markdown

What is the Markdown language all about? How is it being used on sites like Ello, Github and in the Jetpack plugin for WordPress? Why should communicators and others involved in PR or marketing care about Markdown? How can it help more rapidly create content for the web?

Those are all questions I sought to answer in episode 3 of FIR On Technology with Dan York that I published last Friday. The podcast is now available for listening directly on the FIR website or in iTunes or the podcast RSS feeds.

On the episode web page I also provided a list of links for people wanting to know more about Markdown, which I'm reprinting here: 

I've found using Markdown to be extremely helpful in rapid content creation. I've naturally been using it on Ello (where I also wrote about this FIR On Technology episode) and on Github, but I'm also starting to use it for some posts on a couple of my WordPress sites courtesy of the Jetpack plugin. As I note in the episode, Markdown is not something necessarily new... after all it first came out in 2004... but it has seemed to attract more interest in recent years.

One point I forgot to make in the episode is that Markdown is not the only "lightweight markup language" out there. There are definitely other similar languages, each with their own take on how to make markup simple. An example I've used on several sites in the past is Textile. However, my interest these days has been in Markdown, and there seems to be a good bit of momentum behind the language... and so hence this podcast.

Anyway... I hope you find it useful and helpful. If you do, or if you have other comments or ideas or suggestions about Markdown, please do leave a comment here - or over in the FIR Podcast Community on Google+.

Enjoy!


P.S. I also recorded a The Dan York Report episode providing a preview of this FIR On Technology episode:



TDYR 221 – Explaining Markdown in FIR On Technology Episode 3

TDYR 221 - Explaining Markdown in FIR On Technology Episode 3 by Dan York

Two Great Articles In ArsTechnica And Light Reading About ION Conferences, IPv6, DNSSEC

We were pleased to see two great articles out today about our ION Conferences and our efforts to accelerate the deployment of IPv6 and DNSSEC.  The articles followed on our news release about the 2015 ION conferences and were:

and

Both articles do a great job of explaining what we’re trying to do.  I enjoyed that both writers liked the “broccoli” angle. Here was  Carol Wilson:

“It’s a little like getting people to eat their broccoli,” Grunderman admits. Network operators can’t charge more for services after deploying these standards, but their deployment makes the entire Internet experience better for everyone by adding security and resiliency.

Exactly!

Many thanks to both writers for taking the time to understand what we are doing and to write about it on their respective sites.

And if you would like to get started with IPv6 or DNSSEC, please visit our Start Here page to begin!

Congratulations To Alec Saunders On His Move To Microsoft

Congratulations to Alec Saunders on his new role working with Microsoft Ventures in Canada! Alec's been a long-time friend and fellow blogger dating way back to the mid-2000's when he was proposing his "Voice 2.0 Manifesto". When he was leading Iotum a group of us were doing the daily "Squawk Box" podcast that was a lot of fun. Alec and I used to see each other all the time on the VoIP / Unified Communications conference circuit (which is where I took the photo that he now uses on his blog). Back in September 2011 I wrote about his joining Blackberry and then a year later when he made rock music videos with Blackberry.

And now he's returning to his roots! He was one of the first product managers for Internet Explorer at Microsoft... and now he's back at Microsoft again! As he says in his post:

As of last Monday, I’ve rejoined Microsoft in the role of Principal Technical Evangelist. My beat is Canada – not just Kitchener-Waterloo. My boss is Microsoft Chief Evangelist and Corporate Vice President for Developer Experience, Steven “Guggs” Guggenheimer. I’m part of the global Microsoft Ventures team. And we run programs, like the Microsoft Ventures Accelerators, that are focused on helping early stage companies achieve their full potential.

I've long been skeptical about Microsoft and frustrated with many of their products and services. In particular, I haven't been pleased at all with the lackluster evolution of Skype (or really lack thereof) under Microsoft's watch... but the list of other products that have frustrated me can go on.

BUT... I'll admit that they've been doing some interesting things lately - and their new leadership seems like they have a clue. It's probably a great time for dynamic people like Alec to re-join Microsoft. The role sounds perfect for him... using so many of his different strengths!

I'm looking forward to seeing what he does in that role ... and if my travels bring me back up to Canada I'll look forward to catching up with him somewhere in all the madness.

Congrats, Alec!



FIR #793 – 2/2/15 – For Immediate Release

Nominate FIR for Podcast Awards and write a review for iTunes; Quick News: Facebook owns social sharing, British Army sets up brigade to win the Information Age, Uber's models come to the workplace, PR firm launches WhatsApp information service; Ragan promo; News That Fits: Pros and cons of microchipped employees, Dan York's Tech Report, 7 scientific reasons to use emoticons, Media Monitoring Minute from CustomScoop, listener comments, online reputation becomes more valuable than money or power, Igloo Software promo, the last week on the FIR Podcast Network, designing for mobile-only and Snapchat's new Discover service; how to comment; music from Keller Williams; and more.