October 29, 2015 archive

Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security

DNS privacy will be the main topic at IETF 94 in Yokohama under the overall theme of “DNS security”. The DPRIVE Working Group will meet on Monday afternoon to dive into what look like some lengthy discussions about DNS over TLS and DNS over DTLS. Stateless DNS encryption will also be discussed, along with a general discussion of how to move the DPRIVE work forward.

All of this DPRIVE work is focused on adding a layer of confidentiality to the connection between DNS clients and the recursive resolvers that people use (such as those typically operated by an Internet Service Provider (ISP) or sitting at the edge of a network). We see this as an important part of the overall encryption work being done by the IETF to protect against the pervasive monitoring that we’ve seen on the Internet. Mechanisms such as the ones DPRIVE is developing will raise the overall amount of trust in Internet-based communication.

DNS Operations (DNSOP)

DNSSEC will be a major topic in the DNS Operations (DNSOP) Working Group on Thursday.  First will be a review of the “DNSSEC Roadblock Avoidance” draft, draft-ietf-dnsop-dnssec-roadblock-avoidance. This is an important document that is capturing the challenges found in networks today that get in the way of DNSSEC validation – and also suggesting solutions to ensure DNSSEC validation can occur.

Second, DNSOP will discuss draft-ogud-dnsop-maintain-ds, a document seeking to improve the usage of the CDS and CDNSKEY records, by which a child zone communicates a DS record to its parent in order to maintain the global chain-of-trust used by DNSSEC. In particular, this draft proposes a fix for an omission in RFC 7344, which specifies no mechanism for deleting DS records.

Finally, a new draft-wessels-edns-key-tag will be brought to DNSOP where Duane Wessels is proposing a new way for resolvers to signal to a DNS server which DNSSEC keys are in their chain-of-trust. This is useful for monitoring key rollovers.
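The two mechanisms just mentioned both rest on a pair of small, long-standing DNSSEC computations: the key tag that identifies a DNSKEY (RFC 4034 Appendix B, the value a resolver would signal in an EDNS key-tag option) and the DS digest a parent publishes for a child's DNSKEY (RFC 4034 section 5.1.4), which is exactly the content a child offers in a CDS/CDNSKEY record. The following is an added example, written for this page; it is not code from the post, from the Internet Society, or from either draft, and it does not implement the drafts' new option or deletion semantics. The DNSKEY values are constructed dummies with 4-byte public keys so the key tags can be checked by hand (real keys are hundreds of bytes); the function and class names are my own.

```python
"""
DNSSEC key tag and DS derivation, plus the parent-side check a registry would
run on a child's CDS/CDNSKEY data before replacing its DS set.
Added example with constructed sample keys; not from any IETF draft.
"""
import hashlib
from dataclasses import dataclass

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_name_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name wire | DNSKEY RDATA); key tag taken from the RDATA."""
    rdata = key.rdata()
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, keys) -> bool:
    """Parent-side check: does the offered DS describe one of the child's DNSKEYs?
    A CDS that matches no key in the child's signed DNSKEY RRset must be rejected."""
    if ds.digest_type not in DIGEST_ALGS:
        return False
    for k in keys:
        if k.algorithm != ds.algorithm:
            continue
        cand = ds_from_dnskey(owner, k, ds.digest_type)
        if cand.key_tag == ds.key_tag and cand.digest == ds.digest:
            return True
    return False


def ds_presentation(owner: str, ds: DS) -> str:
    """Zone-file style text of a DS record (the same fields a CDS record carries)."""
    return f"{owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}"


# Constructed sample keys (dummy 4-byte public keys; real ones are much longer).
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes([1, 2, 3, 4]))
SAMPLE_ZSK = DNSKEY(flags=256, protocol=3, algorithm=8, public_key=bytes([5, 6, 7, 8]))

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", SAMPLE_KSK)
    print(ds_presentation("example.com.", ds))
    print("parent accepts CDS:", ds_matches("example.com.", ds, [SAMPLE_ZSK, SAMPLE_KSK]))
```

Running the block prints the DS record the parent would publish for the sample KSK and confirms that a parent checking the offered DS against the child's DNSKEY set accepts it; swapping in a DNSKEY set without that key, or a different owner name, makes `ds_matches` return False, which is the failure mode a CDS-processing parent must handle rather than blindly copying whatever the child publishes.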

Domain Boundaries (DBOUND)

The DBOUND Working Group will meet on Tuesday and while no agenda has been posted yet, the list of documents shows the topics likely to be covered. We monitor this WG primarily because the “boundaries” of how you look at domain names can impact other security mechanisms such as TLS certificates. The DBOUND problem statement gives a good view into what the group is trying to do.

Public Notary Transparency (TRANS)

Another group we don’t always monitor but will this time is the TRANS WG focused on “certificate transparency” (CT), a mechanism for tracking changes in TLS certificates.  The TRANS agenda includes some potential new work on logging of DNSSEC key changes in draft-zhang-trans-ct-dnssec.

Other Working Groups

The DANE Working Group is not meeting due to some scheduling challenges with some key participants and a couple of the working groups that sometimes have DNS security items (such as EPPEXT) have completed their work and so are on to other matters. The DNS-SD WG is meeting, but the agenda does not appear to intersect with the work we are focused on here at the Internet Society.  We’ll also of course be monitoring the TLS WG (because of the connection to DANE), the Security Area open meeting and other similar sessions.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

On a personal note, I’ll mention that I will not be in Yokohama… but I’ll be monitoring the activities from afar!

Please see the main Rough Guide to IETF 94 page to learn about more of what we are paying attention to in Yokohama.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 94:

TRANS (Public Notary Transparency) WG
Monday, 2 November 2015, 1300-1500 JST, Room 411/412
Agenda: https://datatracker.ietf.org/meeting/94/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: http://tools.ietf.org/wg/trans/charters/

DPRIVE (DNS PRIVate Exchange) WG
Monday, 2 November 2015, 1710-1910 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DBOUND (Domain Boundaries) WG
Tuesday, 3 November 2015, 1710-1840 JST, Room 303
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dbound/
Documents: https://datatracker.ietf.org/wg/dbound/
Charter: http://tools.ietf.org/wg/dbound/charters/

DNSOP (DNS Operations) WG
Thursday, 4 November 2015, 0900-1130 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

Follow Us

There’s a lot going on in Yokohama, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf94.

The post Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security appeared first on Internet Society.

My First RFC – 7649 On "The Jabber Scribe Role at IETF Meetings"


Last month the first Request For Comments (RFC) was published where I was one of the co-authors. Ironically, this RFC 7649 had nothing to do with SIP, VoIP, telecom, IPv6, DNSSEC, security... or any of the other open Internet standards I've been working on in recent years!

In fact, it's not a "standard" at all but rather an "informational" document.

This document collects together a series of best practices for how someone can fill the role of the "jabber scribe" at IETF meetings, such as the IETF 94 meeting about to happen in Yokohama, Japan, starting this weekend. (Which I will not be attending due to scheduling challenges.) You can read RFC 7649 at:

http://tools.ietf.org/html/rfc7649

As the abstract states:

During IETF meetings, individual volunteers often help sessions run more smoothly by relaying information back and forth between the physical meeting room and an associated textual chatroom. Such volunteers are commonly called "Jabber scribes". This document summarizes experience with the Jabber scribe role and provides some suggestions for fulfilling the role at IETF meetings.

The document came about because over the years that I've been involved with the Internet Engineering Task Force (IETF) I've come to both value the critical role the "jabber scribe" can play - and I've also tried to do the best I can to perform that role when I'm in working group sessions at IETF meetings. I typically volunteer as a jabber scribe in any of the sessions I'm in and try to make the experience as good as possible for remote participants.

Largely, my interest is because I spent many IETF meetings as a remote participant and I know how poor that experience can be.

A few years ago, after one of the IETF meetings, I made a comment to a couple of people that we ought to write down some of the suggestions and best practices so that people could easily get some ideas for how they could help out in the role, whether they were new to the idea... or even if they had been around but were interested in doing the role better.

I kept track of some ideas ... and a small group of us kept occasionally bouncing ideas around... but none of us had the cycles to write the actual document.

Then last year at, I think, the Toronto IETF meeting in July, Peter Saint-Andre and I were talking about it again - and this time we actually got it off the ground! More precisely, Peter kicked it off and then he and I went through several rounds of revisions and comments.

Given that Peter's authored 35+ RFCs and countless Internet-Drafts (I-Ds), he knows the IETF process inside and out and so was able to guide the document through the publishing process, including having it move through the "independent submission" stream of RFC documents. I've written a number of Internet-Drafts over the years, but none have yet progressed to an RFC. I learned a great bit from Peter through the process and look forward to using that knowledge in the future.

I greatly appreciate Peter's leadership on this - and I hope that this document will be helpful to many folks out there who are helping involve more people remotely in the IETF's standards process.

Given the timezone difference with Japan, I'm not sure how many of the IETF 94 working group sessions I'll actually be able to attend remotely... but if I do, I'll be hoping that whoever is acting as the Jabber scribe will help include those of us who are remote.

Meanwhile, it is kind of fun to have my name on an RFC, even if it's an Informational one. I look forward to being able to play even more of a role in the IETF standards process in the years ahead...

Open Source and The Global Disruption Of Telecom: What Choices Will We Make?

I gave the opening keynote at AstriCon 2015 in Orlando on Oct 14, 2015. You can read more at:

http://www.disruptivetelephony.com/2015/09/keynote-at-astricon-on-oct-14-open-source-and-the-global-disruption-of-telecom-what-choices-will-we-make.html

http://www.asterisk.org/community/astricon-user-conference/sessions/keynote-address-open-source-and-global-disruption

The abstract is:

There is a battle raging for the global future of telecommunications and the Internet. Taking place in networks, board rooms and legislatures, the battle will determine how we all communicate and what opportunities will exist. Will telecom support innovation? Will it be accessible to all? Will it give us the level of security and privacy we need to have the open, trusted Internet? Or will it be restricted and limited by corporate or government gatekeepers? The rise of voice-over-IP has fundamentally disrupted the massive global telecommunications industry, infrastructure and policies. Open source software such as Asterisk has been a huge driver of that disruption and innovation... but now what? What role do platforms such as Asterisk play in this space? And what can be their role in a telecom infrastructure that is now mobile, increasingly embedded (Internet of Things) and more and more using proprietary walled gardens of communication? Join the Internet Society’s Dan York in an exploration of what the future holds for telecom infrastructure and policy - and how the choices we make will determine that future.

Links To DNS / DNSSEC / DANE / DPRIVE Projects From IETF 93 Hackathon

With IETF 94 starting this weekend in Yokohama, Japan, I realized that I had not posted the results of the great work that the “DNS team” did at the IETF 93 Hackathon back in July in Prague.  Here’s a slideshow that outlines the results:

Slide 2 really shows the different aspects of “DNS security” that the team worked on:

Summary of DNS work at IETF 93 hackathon

Perhaps the more important fact was that we had actual code released publicly. Here were the releases:

And yes, this last one was a little experiment in playing with JSON and python that I did.

To our amazement, our DNS team (which grew from the time we first started talking about it) received the “Best in Show” award based on the judges’ view of what we did.  Here was a photo of some of the team and some of the judges (when the winners were announced some team members had already gone to other meetings):

DNS team at IETF 93 hackathon

There will be another “DNS team” at the IETF 94 Hackathon this weekend and while I won’t be there myself, I do hope they have a great time!

P.S. If you want to get started with DNSSEC and DANE yourself, please visit our Start Here page!

DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon


This shows the results of the DNS team at the IETF 93 Hackathon in Prague on July 18-19, 2015. It includes links to the public repositories where code may be found.

TDYR 270 – 2015 Freedom on the Net Report

Freedom House released their 2015 Freedom on the Net report yesterday and it paints a disturbing picture of a continued decline in freedom of expression / speech online. Read more at http://freedomhouse.org See also https://www.internetsociety.org/blog/public-policy/2015/10/freedom-internet-where-does-your-country-stand