October 2015 archive

Dan York

Videos And Slides Available From ICANN 54 DNSSEC Workshop

If you are interested in learning more about the current state of DNSSEC and DANE technologies, tools and deployment, the slides and videos are now available from the ICANN 54 DNSSEC activities that happened this month in Dublin, Ireland.

The first session was the “DNSSEC For Everybody: A Beginner’s Guide” that includes a skit where DNS and DNSSEC interactions are acted out.  It may or may not win a Tony award… but it was fun to do and people have generally told us that it helps them understand DNS and DNSSEC. The basic page for the DNSSEC For Everybody session that includes the slides and handout can be found at:

https://meetings.icann.org/en/dublin54/schedule/mon-dnssec-everybody

The video recording is available online and is embedded here:

The second session was the 6-hour DNSSEC Workshop on Wednesday, 21 October 2015.  You can see the agenda and download all the slides at:

https://meetings.icann.org/en/dublin54/schedule/wed-dnssec

The session was recorded in two video segments due to the lunch break:

There were some great discussions about DNSSEC deployment around Europe, around challenges getting ISPs to start validating, about new mechanisms to automate DNSSEC signing – and a lengthy session at the end about using DNSSEC and DANE to secure email, complete with some live demos that sadly didn’t work out so well.  (But hey, we appreciated the speakers’ trying live demos!)

Morning session:

Afternoon session:

Thank you to all involved for what turned out to be a great day of interesting sessions!

Watch for the Call for Presentations for ICANN 55 in Marrakech – coming soon!

And if you want to get started with DNSSEC and DANE now, please visit our Start Here page to begin.

Video And Slides Available for ICANN 54 DNSSEC Workshop

The video and slides are now available from the 6-hour DNSSEC Workshop at ICANN 54 in Dublin this month.  You can see the agenda and download all the slides at:

https://meetings.icann.org/en/dublin54/schedule/wed-dnssec

The session was recorded in two video segments due to the lunch break:

Both videos are embedded below the agenda for those wanting to play them right here while seeing the agenda.

The agenda for the session was:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-1045 – Panel Discussion: DNSSEC Activities in the European Region

  • Moderator: Russ Mundy, Parsons
  • Panelists:
    • Ondrej Filip, CZNIC
    • Billy Glynn, Consultant
    • Cristian Hesselman, SIDN
    • Peter Koch, DENIC
    • Vincent Levigneron, AFNIC
    • Peter Janssen, EURid
    • Sara Monteiro, .PT
    • Roland van Rijswijk, SURFnet – Making the Case for Elliptic Curves in DNSSEC
1045-1100 – Break
1100-1215 – Panel Discussion: DNSSEC On The Edge

  • Moderator: Jacques Latour, CIRA
  • Panelists:
    • Joe Abley, Dyn – Registrar Signing Services
    • Ólafur Guðmundsson, CloudFlare – DNSSEC Signing at Scale on the Edge
    • Jacques Latour, CIRA – DNSSEC DS Auto Provisioning (DSAP)
1215-1230 – Great DNS/DNSSEC Quiz

  • Paul Wouters, Fedora
1230-1315 – Lunch Break
1315-1430 – Demonstrations and Presentations: DNSSEC and Applications

  • Moderator: Dan York, Internet Society
  • Panelists:
    • Sara Dickinson, Sinodun – DNSSEC for Legacy Applications
    • Wes Hardaker, Parsons – DNSSEC/DANE Demonstration
    • Richard Lamb, ICANN – Outlook and SMIME/DNSSEC Demonstration
    • Paul Wouters, Fedora – Protocols and Applications to Add an Additional Security Layer
1430-1500 – Presentation: Stimulating DNSSEC Validation for .NL

  • Cristian Hesselman, SIDN/SIDN Labs
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

The video for the morning session is:

The video for the afternoon session is:

Thank you to everyone involved in the session – we’ll look forward to doing it again at ICANN 55 in Marrakech!

WATCH FOR THE ICANN 55 DNSSEC WORKSHOP CALL FOR PRESENTATIONS – COMING SOON!

And if you want to get started with DNSSEC, check out the Deploy360 Start Here page as a place to begin.

ICANN 54 – DNSSEC For Everybody: A Beginner’s Guide – Video and Slides Available

Want to see the “skit” that explains DNS and DNSSEC?  At the recently completed ICANN 54 meeting in Dublin, we recorded the skit and the other introductory slides and questions in a video available on the Deploy360 YouTube channel.  The basic page for the DNSSEC For Everybody session that includes the slides and handout can be found at:

https://meetings.icann.org/en/dublin54/schedule/mon-dnssec-everybody

The video recording is available online and embedded here:

Thank you to everyone involved in the skit and session – we’ll look forward to doing it again at ICANN 55 in Marrakech!

And if you want to get started with DNSSEC, check out the Deploy360 Start Here page as a place to begin.

Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security

DNS privacy will be the main topic at IETF 94 in Yokohama related to the overall theme of “DNS security”. The DPRIVE Working Group will be meeting on Monday afternoon to dive into what look like some lengthy discussions about DNS over TLS and DNS over DTLS.  Stateless DNS encryption will also be discussed and there will be a general discussion of how to move the DPRIVE work forward.

All of this DPRIVE work is focused on securing the connection between DNS clients and the recursive resolvers that people use (such as those typically at an Internet Service Provider (ISP) or on the edge of a network) to add a layer of confidentiality.  We see this as an important part of the overall encryption work being done by the IETF to protect against the pervasive monitoring that we’ve seen on the Internet.  Mechanisms such as what DPRIVE is developing will raise the overall amount of trust in Internet-based communication.

DNS Operations (DNSOP)

DNSSEC will be a major topic in the DNS Operations (DNSOP) Working Group on Thursday.  First will be a review of the “DNSSEC Roadblock Avoidance” draft, draft-ietf-dnsop-dnssec-roadblock-avoidance. This is an important document that is capturing the challenges found in networks today that get in the way of DNSSEC validation – and also suggesting solutions to ensure DNSSEC validation can occur.

Second, DNSOP will discuss draft-ogud-dnsop-maintain-ds, a document seeking to improve the usage of the CDS and CDNSKEY records to communicate a DS record from a child to a parent to maintain the global chain-of-trust used by DNSSEC. In particular this draft is proposing a fix to an omission in RFC 7344 where no mechanism to delete DS records was stated.

Finally, a new draft-wessels-edns-key-tag will be brought to DNSOP where Duane Wessels is proposing a new way for resolvers to signal to a DNS server which DNSSEC keys are in their chain-of-trust. This is useful for monitoring key rollovers.

Domain Boundaries (DBOUND)

The DBOUND Working Group will meet on Tuesday and while no agenda has been posted yet, the list of documents shows the topics likely to be covered. We monitor this WG primarily because the “boundaries” of how you look at domain names can impact other security mechanisms such as TLS certificates. The DBOUND problem statement gives a good view into what the group is trying to do.

Public Notary Transparency (TRANS)

Another group we don’t always monitor but will this time is the TRANS WG focused on “certificate transparency” (CT), a mechanism for tracking changes in TLS certificates.  The TRANS agenda includes some potential new work on logging of DNSSEC key changes in draft-zhang-trans-ct-dnssec.

Other Working Groups

The DANE Working Group is not meeting due to some scheduling challenges with some key participants and a couple of the working groups that sometimes have DNS security items (such as EPPEXT) have completed their work and so are on to other matters. The DNS-SD WG is meeting, but the agenda does not appear to intersect with the work we are focused on here at the Internet Society.  We’ll also of course be monitoring the TLS WG (because of the connection to DANE), the Security Area open meeting and other similar sessions.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

On a personal note, I’ll mention that I will not be in Yokohama… but I’ll be monitoring the activities from afar!

Please see the main Rough Guide to IETF 94 page to learn about more of what we are paying attention to in Yokohama.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 94:

TRANS (Public Notary Transparency) WG
Monday, 2 November 2015, 1300-1500 JST, Room 411/412
Agenda: https://datatracker.ietf.org/meeting/94/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: http://tools.ietf.org/wg/trans/charters/

DPRIVE (DNS PRIVate Exchange) WG
Monday, 2 November 2015, 1710-1910 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DBOUND (Domain Boundaries) WG
Tuesday, 3 November 2015, 1710-1840 JST, Room 303
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dbound/
Documents: https://datatracker.ietf.org/wg/dbound/
Charter: http://tools.ietf.org/wg/dbound/charters/

DNSOP (DNS Operations) WG
Thursday, 4 November 2015, 0900-1130 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

Follow Us

There’s a lot going on in Yokohama, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf94.

The post Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security appeared first on Internet Society.

My First RFC – 7649 On "The Jabber Scribe Role at IETF Meetings"


Last month the first Request For Comments (RFC) was published where I was one of the co-authors. Ironically, this RFC 7649 had nothing to do with SIP, VoIP, telecom, IPv6, DNSSEC, security... or any of the other open Internet standards I've been working on in recent years!

In fact, it's not a "standard" at all but rather an "informational" document.

This document collects together a series of best practices for how someone can fill the role of the "jabber scribe" at IETF meetings, such as the IETF 94 meeting about to happen in Yokohama, Japan, starting this weekend. (Which I will not be attending due to scheduling challenges.) You can read RFC 7649 at:

http://tools.ietf.org/html/rfc7649

As the abstract states:

During IETF meetings, individual volunteers often help sessions run more smoothly by relaying information back and forth between the physical meeting room and an associated textual chatroom. Such volunteers are commonly called "Jabber scribes". This document summarizes experience with the Jabber scribe role and provides some suggestions for fulfilling the role at IETF meetings.

The document came about because over the years that I've been involved with the Internet Engineering Task Force (IETF) I've come to both value the critical role the "jabber scribe" can play - and I've also tried to do the best I can to perform that role when I'm in working group sessions at IETF meetings. I typically volunteer as a jabber scribe in any of the sessions I'm in and try to make the experience as good as possible for remote participants.

Largely my interest is because I spent many IETF meetings as a remote participant and I knew how poor that experience can be.

A few years ago after one of the IETF meetings, I made a comment to a couple of people that we ought to write down some of the suggestions and best practices so that people could easily get some ideas for how they could help out in the role. If they were new to the idea... or even if they had been around but were interested in doing the role better.

I kept track of some ideas ... and a small group of us kept occasionally bouncing ideas around... but none of us had the cycles to write the actual document.

Then last year at, I think, the Toronto IETF meeting in July, Peter Saint-Andre and I were talking about it again - and this time we actually got it off the ground! More precisely, Peter kicked it off and then he and I went through several rounds of revisions and comments.

Given that Peter's authored 35+ RFCs and countless Internet-Drafts (I-Ds), he knows the IETF process inside and out and so was able to guide the document through the publishing process, including having it move through the "independent submission" stream of RFC documents. I've written a number of Internet-Drafts over the years, but none have yet progressed to an RFC. I learned a great bit from Peter through the process and look forward to using that knowledge in the future.

I greatly appreciate Peter's leadership on this - and I hope that this document will be helpful to many folks out there who are helping involve more people remotely in the IETF's standards process.

Given the timezone difference with Japan, I'm not sure how many of the IETF 94 working group sessions I'll actually be able to attend remotely... but if I do, I'll be hoping that whoever is acting as the Jabber scribe will help include those of us who are remote.

Meanwhile, it is kind of fun to have my name on an RFC, even if it's an Informational one. I look forward to being able to play even more of a role in the IETF standards process in the years ahead...

Open Source and The Global Disruption Of Telecom: What Choices Will We Make?


I gave the opening keynote at AstriCon 2015 in Orlando on Oct 14, 2015. You can read more at: http://www.disruptivetelephony.com/2015/09/keynote-at-astricon-on-oct-14-open-source-and-the-global-disruption-of-telecom-what-choices-will-we-make.html and http://www.asterisk.org/community/astricon-user-conference/sessions/keynote-address-open-source-and-global-disruption

The abstract is:

There is a battle raging for the global future of telecommunications and the Internet. Taking place in networks, board rooms and legislatures, the battle will determine how we all communicate and what opportunities will exist. Will telecom support innovation? Will it be accessible to all? Will it give us the level of security and privacy we need to have the open, trusted Internet? Or will it be restricted and limited by corporate or government gatekeepers?

The rise of voice-over-IP has fundamentally disrupted the massive global telecommunications industry, infrastructure and policies. Open source software such as Asterisk has been a huge driver of that disruption and innovation... but now what? What role do platforms such as Asterisk play in this space? And what can be their role in a telecom infrastructure that is now mobile, increasingly embedded (Internet of Things) and more and more using proprietary walled gardens of communication?

Join the Internet Society’s Dan York in an exploration of what the future holds for telecom infrastructure and policy - and how the choices we make will determine that future.

Links To DNS / DNSSEC / DANE / DPRIVE Projects From IETF 93 Hackathon

With IETF 94 starting this weekend in Yokohama, Japan, I realized that I had not posted the results of the great work that the “DNS team” did at the IETF 93 Hackathon back in July in Prague.  Here’s a slideshow that outlines the results:

Slide 2 really shows the different aspects of “DNS security” that the team worked on:

Summary of DNS work at IETF 93 hackathon

Perhaps the more important fact was that we had actual code released publicly. Here were the releases:

And yes, this last one was a little experiment in playing with JSON and python that I did.

To our amazement, our DNS team (which grew from the time we first started talking about it) received the “Best in Show” award based on the judges’ view of what we did.  Here was a photo of some of the team and some of the judges (when the winners were announced some team members had already gone to other meetings):

DNS team at IETF 93 hackathon

There will be another “DNS team” at the IETF 94 Hackathon this weekend and while I won’t be there myself, I do hope they have a great time!

P.S. If you want to get started with DNSSEC and DANE yourself, please visit our Start Here page!

DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon


This shows the results of the DNS team at the IETF 93 Hackathon in Prague on July 18-19, 2015. It includes links to the public repositories where code may be found.