August 2016 archive

Conectando Lo Desconectando: La Historia de la Visita A Una Escuela Agua Azul, México

¿Cómo llevas el internet a un pueblo remoto en México donde ni siquiera hay servicio telefónico? En junio de 2016, salimos en viaje a fin de responder esta pregunta. Fue el día antes del inicio del OECD Ministerial Meeting en el Digital Economy en Cancun y nuestro ISOC Mexico Chapter arregló la visita.

Nuestro grupo era pequeño: Internet Society President & CEO Kathy Brown, Regional Bureau Director para América Latina Sebastián Bellagamba, Alejandro Pisanty del ISOC Mexico Chapter y yo.

Dan York

Want to Share Info with the DNSSEC Community? ICANN57 DNSSEC Workshop Seeking Proposals by Sept 15 (Featured Blog)

Do you have information or an idea you would like to share with members of the broader DNS / DNSSEC community? Have you developed a new tool that makes DNSSEC or DANE deployment easier? Have you performed new measurements? Would you like feedback about a new idea you have? Would you like to demonstrate a new service you have? If so, we're seeking proposals for the DNSSEC Workshop to be held at ICANN57 in Hyderabad, India, in early November 2016. More...

Want to share info with the DNSSEC community? ICANN57 DNSSEC Workshop seeking proposals by Sept 15 (Featured Blog)

More...

Call for Participation – DNSSEC Workshop at ICANN57 in Hyderabad, India

ICANN 57 logoThe DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN57 meeting held from 03-09 November 2016 in Hyderabad, India. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: http://sched.co/7NCj and http://sched.co/7NCk

At ICANN57 we are particularly interested in live demonstrations of uses of DNSSEC or DANE. Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and
    services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Preparation for Root Key Rollover

In preparation for the Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5. DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Do you have an idea? Call for Participation – DNSSEC Workshop at ICANN57 in Hyderabad, India

ICANN 57 Hyderabad logo

Have you created a new tool that makes DNSSEC or DANE deployment easier? Would you like to share a case study of implementing DNSSEC within your enterprise or network? Do you have an idea to help with preparing for the Root Key Rollover?  Have you performed new measurements of DNSSEC adoption?

If you have any ideas along those lines and will be in Hyderabad, India, for ICANN 57 (or can get there), we are currently seeking proposals for talks in the DNSSEC Workshop.  The full “Call for Participation” is included below with ideas for what we are seeking.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

This is a great opportunity to share your information with the larger DNSSEC community. If you are seeking feedback on ideas, many people are glad to help. These sessions provide a great amount of technical detail and an opportunity to learn more.

Please consider sending in a proposal!

Call for Participation — ICANN DNSSEC Workshop at ICANN57 at Hyderabad, India

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN57 meeting held from 03-09 November 2016 in Hyderabad, India. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: http://sched.co/7NCj and http://sched.co/7NCk

At ICANN57 we are particularly interested in live demonstrations of uses of DNSSEC or DANE. Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and
    services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Preparation for Root Key Rollover

In preparation for the Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5. DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

A Nice Interactive Map of Visited Countries (That Doesn’t Require a Login or Tracking)

Visited countries amcharts oct2016

Recently a friend on a social network posted a map of the countries where he'd traveled. Being someone who loves maps, I had to check it out. Created by the people at Amcharts, presumably to showcase what their Javascript libraries could do, what *I* like about it is something very simple:

Using the map doesn't require me to login or deal with any tracking info.

All that is required is to add the country codes on to the URL. Here's what I mean - this is my list of visited countries (as of August 2016):

https://www.amcharts.com/visited_countries/#AT,BE,BG,CH,CZ,DE,DK,FI,FR,GB,IE,IT,ME,NL,PL,UA,RU,CA,CR,GL,MX,US,AR,BR,CO,DJ,EG,MA,ZA,CN,IN,SG

You can see there all the country codes.

But that's it. I can bookmark that URL. I can copy and paste it. I can modify it.

There's no other login or anything required.

Over the years, I've tried a few other map sites like this one, but often they seem to require you to login to copy the map. Or they had a cryptic URL that basically made it so you had to post it to Facebook using their particular code ... or something like that.

(Now, this site does have sharing buttons out to social media, but I can choose NOT to use them and just share the URL directly.)

Kudos to the Amcharts team for making this available - and making it easy to have a URL you can use and share.

And yes, clearly you can see that I haven't visited a whole lot of the Southern Hemisphere ...

P.S. They also have a "Visited (US) States" map, but mine would be boring as I've been to all 50 states...

Facebook, Akamai Pass Major Milestone: Over 50% IPv6 from US mobile networks

Wednesday was a major milestone for Facebook. For the first time, more people connected over IPv6 than IPv4 from the four major US mobile networks! Facebook’s Paul Saab wrote about this on (where else?) Facebook:

facebook-ipv6-50percent-mobilenetworks

His text:

Today marks the first day that more people used IPv6 to access Facebook than IPv4 from the 4 major USA mobile networks. This is a huge milestone in just 4 short years since World IPv6 Launch in 2012.

Similarly, Erik Nygren at Akamai updated an earlier post last week with a similar view:

As an update as of August 10th, there has been significant growth over the past three months and deployment has crossed a major milestone: over half of requests to dual-stacked sites on Akamai from the top-4 US mobile networks now use IPv6! IPv6 is used around 70% of the time for Android and over 30% of the time for iPhones, up 10% each from May. We have also seen T-Mobile start to deploy IPv6 to iOS devices as well in a dual-stacked configuration.

Today over on the World IPv6 Launch blog, Mat Ford wrote that he is seeing this same milestone in the World IPv6 Launch measurements. The four major US mobile networks of Verizon Wireless, T-Mobile USA, Sprint Wireless and AT&T are seeing a combined measurement of close to 55% IPv6.  His chart:

World IPv6 Launch statistics

All of this shows the very real progress being made in IPv6 deployment.  If you have not started your plans to make your networks, applications and services available over IPv6, what are you waiting for?

To get started, please visit our Start Here page to find resources to help!

Video: Interview with Jari Arkko at IETF 96 in Berlin (Featured Blog)

Would you like to understand the major highlights of the 96th meeting of the Internet Engineering Task Force (IETF) last month in Berlin? What were some of the main topics and accomplishments? How many people were there? What else went on? If so, you can watch a short video interview I did below with IETF Chair Jari Arkko. More...

Video: Interview with Jari Arkko at IETF 96 in Berlin (Featured Blog)

More...

Ello Introduces a "Buy Button", allowing creators to sell their work

Ello buy button 660

Remember Ello? The social network whose beta version happened to launch in September 2014 when everyone was upset with Facebook? With a commitment to not selling your data and not having advertising, it was a breath of fresh air coming out of Vermont and Colorado.

For a few months, many people jumped on board and tried it out.

And then the "directory dilemma" took over ... people found that the people they regularly communicate weren't on Ello... and so many people drifted back to Facebook, despite the advertising and other concerns.

However, a strong community of people did stay (and continue to join) and Ello evolved over time to position itself as "the creator's network" with a strong emphasis on art, graphic design, photography and more. (In full disclosure, I do occasionally post to my account on Ello, although not as often as I once did.)

To help support that creative community - and ultimately to hopefully help support Ello as a platform - the Ello team introduced the "Ello Buy Button" that anyone can use to sell their products through Ello. As noted in their introduction post, usage is a few easy steps:

  • Upload an image of your product
  • Click the $ icon
  • Add a link to the product in your store
  • Publish

Once you do that your image will have a green "$" icon that, when clicked/tapped, will take the viewer over to your site where they can purchase the product.

In scrolling through my feed on Ello, I do see a few of these buttons starting to appear from a few users.

In conjunction with that news, Ello also announced a "Shop" category of the Discover section of the site where you can now see and search the products for sale. (If you are logged in to Ello it is at the easy URL of https://ello.co/discover/shop.)

I am intrigued by this move, particularly because there seem to be no restrictions on the URLs you use. You seem to be able to point to any site from the image.

Now, I think this will only really work for the artists / designers / photographers who have built up a following on Ello. I've seen some beautiful artwork displayed on Ello, and this now gives people the option to obtain that artwork for themselves.

We'll have to see... the question will really be to check back in after a number of months and find out how many purchases were actually made. (Although that might be hard to gather...) Meanwhile, kudos to the Ello team for introducing this option as a way to potentially help support those who create art.