Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Jul 03

Report on ICANN50 DNSSEC Workshop: CloudFlare, HSMs, OTR Demos and more…

ICANN 50 logoWe had an outstanding DNSSEC Workshop last Wednesday, June 25 ,2014, at ICANN 50 in London.  This was the “big” session of the DNSSEC activities at ICANN 50 and had a big turnout!  I counted around 120 people in the room at one point, many of whom stayed for most of the day, and we seemed to have 20-25 remote participants in the Adobe Connect room for much of the day.  It was great to have so many people there and there was an excellent amount of interaction and engagement throughout the day – lots of questions and lots of discussions!

The schedule, slides and archived video and audio can be found at:

http://london50.icann.org/en/schedule/wed-dnssec

In the section below, I’ll walk through a bit of what happened during the day.  First, though, here is one photo of what the room looked like:

ICANN 50 DNSSEC Workshop

… and there were more people sitting behind where I took the photo and on the sides.  I have many more photos that at some point I’ll try to get into our Flickr account or somewhere.

Introduction and Challenges/Opportunities for DNSSEC

I (Dan York) began the session with the normal introduction session and review of the latest DNSSEC deployment statistics.  Much of this is drawn from the weekly DNSSEC deployment maps we now generate but we also had a good discussion about how we’d like to go to the next level and start generating more second-level statistics.

I followed that with a 2014 view into the Challenges and Opportunities in DNSSEC Deployment and Usage where I looked back on a presentation I gave in 2012 and assessed how far we’ve come in the time since then. I also covered newer issues that have emerged since that time.

DNSSEC Activities in the European Region

We then had the first panel of the day with Cath Goulding of NominetUK moderating a set of presentations from country-code top-level-domain (ccTLD) operators from across Europe:

I think many of us were taking copious notes because these were really case studies of how different ccTLDs were deploying DNSSEC… what they’d done, what they hadn’t done… the success they’d had – or not.   Lots of great info ranging from .CZ’s YouTube videos to Afnic’s deployment guide to .AT’s “bump-in-the-wire” signing service and much, much more.  You can expect to see some of this info turn up in blog posts here on the Deploy360 site!  The discussion was great and the sharing among participants was quite good to see.

DNSSEC Key Rollovers and Transfers

Next up Jim Galvin of Afilias talked about the challenges that with ensuring that a DNSSEC-signed domain remains valid during the transition from one DNS hosting provider to another.  In particular he pointed out the challenge of the “5 day grace period” that comes into play with registrars.  This is a critical challenge  that we will continue to be discussing until we can collectively agree on a solution to make this work.

CloudFlare – DNSSEC and DNS Proxying

Following Jim was the presentation that many of us were very much looking forward to. John Graham-Cumming of CloudFlare spoke about the challenges of using DNSSEC in an environment such as a content-distribution network (CDN) where DNS proxying and redirection plays such a pivotal role. This is important as the lack of DNSSEC support in CDNs is one of the major blockages right now for many content providers to sign their websites with DNSSEC.  John provided some solid information about the challenges they’ve seen, the tools they’ve developed and their plans for the future.

He very clearly stated that CloudFlare will support DNSSEC by the end of 2014 and is aiming to make it as easy for their customers as they have made IPv6 (which initially was a toggle button and now is on by default).

We certainly hope they will follow through on this – and doing so will immediately help secure a great number of web sites… and bring pressure on other CDN providers to follow suit.

Hardware Security Modules (HSMs) Benefits and Challenges

Next up we dove a bit down into crypto geekery and explored different options for the HSMs that are used by some to generate keys for DNSSEC. Roy Arends of NominetUK moderated and the presenters included:

Rick Lamb kicked off the panel with an overview of why you might want to consider HSMs and what risk they are protecting against.  Mark Southam followed with some info about his Keyper HSM product and then Roland van Rijswijk-Deij talked about the SoftHSM project aimed at letting you do all of this in software without requiring any specific hardware.

Operational Realities of Running DNSSEC

The final presentation before lunch was from Haya Schulman of the Technische Universität Darmstadt. She actually had two presentations although both were in a single slide deck.  Her first presentation focused on measurements of recursive authoritative name servers and the methods that she undertook in her research.  Given that a number of people in the audience were also involved with DNSSEC measurement her presentation generated some good discussion and questions.  Her second presentation was on “Cipher-Suite Negotiation for DNSSEC” and presented ideas around how DNSSEC clients could know a servers algorithms and priorities.  This again generated some good discussion.

Lunch Break

After Haya’s presentations we had lunch in the room, thanks to the generous sponsors of the event (THANK YOU!):

  • Afilias
  • CIRA
  • Dyn
  • Microsoft
  • .SE
  • SIDN

Having the food right there enabled many great conversations to continue – and allowed us to not have to find our way back to the room that was tucked in an odd part of the hotel.

DANE and DNSSEC Applications

After lunch we had our large panel session that involved multiple demos and running code!  I was the moderator and the panelists included:

Guido Witmond started off providing an overview of the DANE protocol and how it could be used to add a layer of trust to TLS certificates. He then went into a specific use case where he sees DANE and DNSSEC helping prevent phishing.  Next Willem Toorop gave an overview of the getDNS API – this is really an important area and I would strongly encourage people to both view Willem’s slides and also view the getDNS API web site. I think this new API has some real promise to make it much easier for applications to interact with DNS and DNSSEC.

Willem continued with a second presentation around measuring DNSSEC validation using the RIPE Atlas probe network.  This is important as we continue to search for meaningful ways to measure ongoing DNSSEC deployment.  With Geoff Huston of APNIC Labs there in the room, who also does some DNSSEC measurements, there was some good discussion about how best to measure DNSSEC validation.

Paul Hoffman then took us back into application development with his presentation about DNSharness, a framework for testing name server implementations.  While most people in the room were not aware of this open source work funded by VeriSign Labs, a good number expressed their interest in using the test framework when they returned to their regular organizations.

We then entered into that ever-risky segment of live demos with Iain Learmonth going first with a demo of a “Off-the-Record” (OTR) private instant messaging app based on draft-wouters-dane-otrfp. Iain used the dnskeys library for python in a modified version of Gajim’s OTR plugin to have a secure encrypted chat session with Willem sitting right next to him.  It was very cool to see and while the demo was live Iain did provide some slides with screenshots so you can get a sense of what he was doing.

Joost van Dijk of SURFnet closed out the session with a live demo of how they integrated DANE into their service portal for their customers to automatically generate DANE’s TLSA record.  Again, the demo was live but Joost provided a few slides that talk about what they did and some of the challenges they found.

All in all it was a great afternoon session with lots of technical meat for developers!  Always great when you have running code inside of a workshop!

Wrapping Up

Finally, I ended the day thanking the participants and talking about how people in the session can help get DNSSEC deployed in different environments.

And then… after over 6.5 hours of intense focus on DNSSEC… we left the room to go back into all the other madness of a typical ICANN meeting!

On Toward ICANN 51 in Los Angeles on October 15…

With ICANN 51 behind us, the ICANN DNSSEC Workshop Program Committee is already looking forward to the next DNSSEC Workshop that will take place on Wednesday, October 15, 2014, at ICANN 51 in Los Angeles.  The call for participation will be out soon, but I can see that in particular we are going to be looking for people who want to present on:

  • NewgTLDs and DNSSEC – case studies, implementation details and more
  • Email/SMTP and DANE/DNSSEC – we are seeing a great amount of interest in DANE from email providers and want to bring together people operating email services using DANE and also those involved with developing email servers and applications
  • Root Key Rollover Potential Impacts – many of us are very concerned about the need to have a Root Key Rollover happen and want to talk more about potential impacts and also mitigation strategies.

Plus we are always looking for great DNSSEC or DANE case studies, measurements, cool tools or demos and other similar topics.  Stay tuned for the announcement… but in the meantime start thinking about what YOU would like to present at ICANN 51 in LA!

P.S. If you haven’t yet started using DNSSEC, please check our “Start Here” page to find resources to help you out!

Jul 03

Google IPv6 Stats Pass 4% Globally, 20% in Belgium, 8% in USA, 11% in Switzerland

It seems that Belgium is beating the USA in more than just World Cup Soccer (What an amazing game!)… they are also doing it in IPv6 deployment! In looking at Google’s latest IPv6 statistics, my colleague Phil Roberts noted that IPv6 deployment globally has doubled in 9 months and is now over 4%.  It’s great to see a chart that goes up and to the right like this one:

google-4percent

But while Google is measuring 4% IPv6 availability globally, I like looking at Google’s “Per-Country IPv6 adoption” page that gives a view into how diverse the IPv6 deployment really is.  Here’s the global map (click/tap the map to go to the site) as of today:

ipv6-google-global-4percent

And if you hover over the green spots you can easily see some of the various numbers:

  • 8.09% – United States
  • 4.59% – Peru
  • 5.14% – France
  • 8.69% – Germany
  • 5.67% – Romania

If you click on the “Europe” link at the bottom of the image you can zoom in a bit more and see these great stats (you could get this from the global map, too, if your hand is good enough to hover over the smaller countries):

  • 20.07% – Belgium
  • 10.68% – Switzerland
  • 7.99% – Luxembourg

VERY cool to see this high level of IPv6 availability in Belgium and indeed in all these countries!

Obviously these are just one set of measurements from Google, but there are a range of other IPv6 statistics sites, including the World IPv6 Launch measurements site, that also continue to show the increased global growth of IPv6 – great to see!

P.S. if you want to get started with IPv6, please visit our “Start Here” page to find resources targeted at your type of organization so that you can get started today!

Jul 02

No, DNSSEC Would NOT Help Prevent Microsoft’s Seizure Of Domains

DNSSEC badgeWith a great bit of the tech media’s attention this week on Microsoft’s court-sanctioned seizure of 23 domains from dynamic DNS provider No-IP.com, multiple people have asked me if deploying DNSSEC would have helped prevent this seizure of domains by Microsoft. Knowing my advocacy of DNSSEC the people asking the question have seemed to want me to be able to say that yes, they would be protected.  They express the concern that a court somewhere in the world could issue a ruling transferring their domain to someone else – and are seeking some form of technical protection. But the answer is:

No, DNSSEC would NOT help prevent this kind of domain seizure.

DNSSEC does one task extremely well – but it does only this one task:

DNSSEC ensures that the information the operator of a domain[1] put into DNS is the exact same information that a user gets out of DNS when they request info for a domain.

To provide a bit more concrete of an example:

If I enter “www.internetsociety.org” into my web browser, my browser will ask the DNS resolver on my computer for the IP address of “www.internetsociety.org”.  My DNS resolver will query DNS and get back the IP address. Because my local DNS resolver validates with DNSSEC, and because internetsociety.org is signed with DNSSEC, my resolver will verify that the IP address I receive is in fact the one that was entered into DNS by the operator of the “internetsociety.org” domain. If the IP address fails DNSSEC validation, I will not be able to get to the website. With this system, I can be sure that I am indeed reaching the correct web server at that IP address.

The beautiful thing about DNSSEC is that it ensures that I am reaching the correct addresses.  It protects me from being redirected to phishing websites or to other sites that are seeking to do “man-in-the-middle” attacks to, for instance, monitor all my traffic or insert targeted advertising or steal my information.  (This animated video may help explain a bit more.)

DNSSEC allows me to trust that the information entered into DNS for a domain is the same information I am receiving.  Communication can be even more secure by using the DANE protocol with DNSSEC to include in DNS information about the TLS (SSL) certificate that a domain operator wants to use.  This can ensure that when I am connecting to a web server or email server I am using the exact TLS certificate that the domain operator wants me to use.  DANE with DNSSEC adds an extra layer of trust to TLS that can make the Internet much more secure – and people are already using DANE in email, IM, VoIP and more services.

For all of these reasons, DNSSEC is a much needed upgrade to DNS to allow us to trust the information we are receiving back from DNS.  It is critical and will strengthen the Internet and make our communication more secure.

BUT…

… let us go back to my original statement about what DNSSEC does:

DNSSEC ensures that the information the OPERATOR of a domain put into DNS is the exact same information that a user gets out of DNS when they request info for a domain.

Note my emphasis on the “operator” of a domain. This is the key point.

Whoever operates the domain controls the security via DNSSEC of the domain.

And by “operates” I mean that they provide the “authoritative name servers” for the domain.  They ultimately answer all queries for information about that domain.  The entity operating as the DNS authority for a domain controls what IP addresses are provide – and controls what DNSSEC signatures are provided. The operator of a domain can even remove DNSSEC if the domain was previously signed.

The operator of the authoritative name servers for a domain has total control over that domain.

Now, let’s jump to Microsoft’s statement about the domain name seizures where I want to highlight one critical piece:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

See what happened there?  The court ordered that Microsoft be the operator of the domains in question.  I don’t know the precise mechanics of what happened, but my assumption is that the court ordered the registrars of the 23 domains to change the name servers (“NS records” in DNS-speak) to point to Microsoft’s servers.  They may have in fact transferred ownership of the domains to Microsoft – I don’t know the specifics.

Microsoft Is In Control

The key point is that Microsoft now operates the authoritative name servers for the 23 domains. They control whatever information is put into DNS  for those domains.  This is how they can redirect all traffic to those domains to their own infrastructure where they can scan it and perform other actions.

If the domains were signed with DNSSEC, DNSSEC would ensure that I was getting the correct information for the domains out of DNS.

But it would be the information that Microsoft put into DNS for those domains, because the control has been transferred to them.

DNSSEC secures the integrity of the information coming out of DNS.  It protects the  information from modifications by attackers in the middle.  It does not protect against modifications by the operator of the domain.

The Larger Issue Of DNS Insecurity

This recent case is not alone. Here Microsoft obtained a court order that legally allowed them to seize the domains from the current operators.  But there have been any number of “domain name hijackings” over the past few years that have had a similar mode of operation – someone has obtained control of the operation of a domain name and has redirected requests to a different site.  Sometimes this control has been obtained by attacking the name servers at a DNS hosting providing and compromising the systems. Once the attackers are in the name servers they can modify information for a domain (“zone files”) and cause this new information to be published.  Sometimes the control has been obtained by “social engineering” – tricking the DNS hosting operator into letting the attacker login to the account, or tricking the registrar for the domain into believing that the attacker is now the operator of the domain and transferring control.

Believe me, as a DNSSEC advocate I have jumped every time I see “domain hijacking” in media / social media to see if the new incident might show a solid example of where DNSSEC can help.

Almost always… it is not.   It’s something like a system administrator didn’t update software on a web server and an attacker compromised the system.  Or the attackers convinced the registrar to transfer the operation of the domain to them.

It is attacks on the “weak points” of the DNS: the humans reading the email and granting requests, the servers that aren’t updated, etc.

How DNSSEC Could Help

Now, deploying DNSSEC potentially could help against some of these attacks – specifically the ones where attackers break into systems at a DNS hosting provider.  If the attackers convince the registrar to transfer the domain to them, then they are in total control of the operations of the domain, but if the attackers break into name servers there are a couple of more layers of defense that may help thwart the attack.

Validation Failures

If an attacker broke into a DNS name server and modified the DNS info to have different information and did not (or could not) re-sign the zone with DNSSEC, then any user out there who used a validating DNS resolver would not be able to get to the page.  They would be protected against this attack.  (This is why we need to get DNSSEC validation deployed everywhere.)

Note, though, that if the DNS name servers were set to do automatic signing of the zone files, the attackers may be able to modify the files with their false information and then have their new information signed by DNSSEC.  Again, if the attackers can get control of the operations of the domain, including DNSSEC signing, they can modify the info as much as they want.

DS Record

When a DNS resolver “validates” the DNSSEC signatures on DNS information, it uses a “global chain of trust” that goes all the way up to the root of DNS to ensure that the information has not been compromised.  When a DNS operator signs a “zone” with DNSSEC, the “fingerprint” of the key used in the signing is given to the “parent” zone in the form of a “DS record” (where “DS” is “Delegation Signer”).  So if I am a DNS operator and I sign “example.com”, I would provide a DS record to the DNS operator of “.com” that has a fingerprint of the key I used.  If I signed “example.org”, I would provide a DS record to the DNS operator of “.org”, etc. (More info in this DS record tutorial.)

If an attacker broke into a DNS name server and tried to remove the DNSSEC signatures from a zone file, the existence of the DS record in the parent zone would cause a DNSSEC-validating DNS resolver to realize there was an error and not give the user the bogus information.  The users would be protected against this attack.  (This is why we need to get DNSSEC validation deployed everywhere.)

Similarly, if an attacker were able to get the registrar to change the NS records for the authoritative DNS servers for a domain to point to the attacker’s name servers, but was NOT able to get the registrar to update (or remove) the DS record in the parent zone, then even if the attacker signed the domain with a DNSSEC key, it would not be the key that would match up with the DS record.  People using DNSSEC-validating DNS resolvers would be protected against this kind of attack. (This is why we need to get DNSSEC validation deployed everywhere.)

Of course, if an attacker is able to get the registrar to give them control of the domain, then the attacker can provide a new DS record if the attacker signs with a new key – or can remove the DS record and downgrade the domain to an unsigned state.

DNSSEC, though, can help prevent a number of the potential attacks where an attacker compromises some servers in the infrastructure but does not have total control of the domain.

BUT…

… in this case with Microsoft the transfer of operations of the domain was legally sanctioned by a court in Nevada.  Microsoft assumed total control of the operations of the domains.

DNSSEC would not help users know they are not getting to the original web site. Nor would DNSSEC prevent the transfer in any way.  Nor would really any existing technical solution.  This issue goes outside the technical realm and into the legal/political realm.  As Dan Kaminsky himself said in a tweet:

“There’s likely no real world solution to making legal domain interdiction impossible.”

This is a space where we in the technical community must defer to our peers in the legal and public policy communities – or get involved directly in those communities – as our existing technical solutions offer no help here.

[1] To be completely accurate I should technically talk about a “zone” versus a “domain”. In DNS-speak, you operate a “zone” and serve out (and sign) “zone files”. I do realize that… but I am trying to keep this article aimed at more non-technical audiences for whom the domain/zone nuance is not clear.

UPDATE #1 – There is a good discussion of this article happening over on Hacker News (as well as in the comments below).

Jul 01

TDYR #160 – Congrats To Team USA On A Great World Cup

TDYR #160 - Congrats To Team USA On A Great World Cup by Dan York

Jul 01

A Three Year Cancerversary

Dan lori london 2014 3Today an anniversary slipped up upon us without much thought. We just came back very late last night from our first family vacation in about eight years (to London, where the photo accompanying this post was taken) and this morning were dealing with all the fallout of that return in terms of unpacking, getting back into routines, caring for our house and animals, etc. July 1 is also Canada Day, a day we celebrate in honor of our oldest daughter's birth in that country, and so we were honoring that day.

And then somewhere in the midst of all that jetlagged weariness the dark side of the date infiltrated my wife's consciousness and she posted a simple message to Facebook:

Today I am a three year survivor! July 1 is the cancerversary of my surgery and the start of 18 months of breast cancer treatment....

It was indeed three years ago today that we spent the day at Dartmouth Hitchcock Medical Center up in Lebanon, NH, as she underwent a dual mastectomy. It was, unbelievably to me, simply day surgery. She was back at home that night, albeit in severe pain and not up and around for quite some time.

It's been a long, strange road since then.

Some parts of that journey I've written about here in my many posts on the topic. Other parts I've not shared.

Mostly, we just go on.

I'm constantly amazed by the strength my wife shows through it all, and her willingness to be more open about it than many are. She is an inspiration to me - and I know to others.

Sadly, we've certainly come to know that she is not alone... and that even as we celebrate a three year anniversary, others are being diagnosed and treated now... while others are celebrating longer anniversaries... and others are passing away. Cancer is indeed the scourge that keeps on taking.

Hopefully some day we won't need to be marking anniversaries like this one.

Jul 01

Skype Shuts Down SkypeKit and the Skype Developer Website

Goodbye to SkypeKit... and perhaps more importantly to the developer.skype.com website. Prominently featured there now is a banner saying the site will close on July 31, 2014:

Skype Developer 3

Leaving aside the bizarre way to end the warning banner ("... to integrate with" and then nothing more), I went to the site because I received an email from Skype in the form of a "SkypeKit License Termination Notice". The email says in full:

Dear Dan ,

In July 2013, we notified you of our intention to end support for our SkypeKit SDK at the end of July 2014. With this date now approaching, this email serves as 30 days’ official notice of termination of the SkypeKit Licence Agreement (“Agreement”) pursuant to Section 13.2.4 of the Agreement. The Agreement will end on July 31st 2014. Upon termination of the Agreement you must promptly destroy all copies of the SkypeKit SDK in your possession or control, except that if you have already entered into the SkypeKit Distribution Terms and have received a commercialization keypair for your SkypeKit Product(s) then you may continue to distribute these SkypeKit Products(s).

Skype will not be issuing any new keypairs and we remind you that keypairs may only be used in connection with the SkypeKit Product for which they were issued. In addition, for hardware, keypairs may only be used for the specific version of the SkypeKit Product that was certified through our hardware certification program. Our hardware certification program for SkypeKit Products has now closed and no new hardware (including new models or versions of previously certified hardware) can be distributed.

Key investments in Skype’s application and service architecture may cause the Skype features to stop working without notice in SkypeKit products. As a result, we encourage you to end any further distribution of SkypeKit products.

We would also like to draw to your attention to the obligations that survive termination of the Agreement as described in Section 16.3 of the SkypeKit Licence Agreement.

The Skype Developer website will also close on July 31st, 2014. If you have any queries please contact Skype Developer Support.

Kind regards
Skype Developer Team

Looking back, I don't see the email from July 2013, but in truth I probably deleted it or it wound up in a spam folder. Sadly, I long ago lost much of my interest in Skype's latest developer follies.

If we jump back in time a bit, Skype first released a "preview" of their "SkypeKit" Software Development Kit (SDK) back in early 2011. Jim Courtney had a great writeup of their release of the public beta at eComm 2011. Like many others, I signed up and paid my $10 to see what was under the hood. I didn't do much with it but I remember looking at the python SDK a bit. Later in October 2011 I wrote about Skype's renaming of their public APIs and provided some clarification about what SkypeKit was all about.

And then I pretty much wrote nothing else about it... and much of the program gradually started fading away. In all my many posts about Skype, the only subsequent mention I find of SkypeKit was in a September 2010 post about Grandstream adding in Skype video to their IP phones.

In fairness, this was all happening before and then during the Microsoft acquisition of Skype in 2011 and so it was not surprising to see APIs created before Microsoft's acquisition being phased out.

What continues to surprise me is that there has never been any real replacement. Skype's 5th, 6th or 7th attempt (I lost track) at a developer program finally... just... died...

The folks at Skype wrote last November about the demise of the Desktop API and the need to support mobile devices. With that API's demise they also killed off their App Directory, which was their latest incarnation of a way to help developers get their apps out to Skype users.

Now Skype's entire "developer support" seems to be a category of pages on their support site, most of which seem to have answers about how the Skype Developer Program is no longer accepting registrations... or about why certain systems no longer work.

I get it... applications evolve. And Skype certainly has evolved away from its roots. It's just too bad, because once upon a time there seemed to be such promise for Skype as a communication platform that could be used widely by other companies and applications.

R.I.P. SkypeKit.

R.I.P. Skype Developer Program.

If you found this post interesting or useful, please consider either:

Jun 30

FIR #762 – 6/30/14 – For Immediate Release

Book review still coming; Quick News: How to view your website as Google does, GE's new policy hub, setting up Twitter Cards for a WordPress blog, big changes with Google Authorship and Technorati; Ragan promo; News That Fits: Digging deeper into Facebook organic reach, Michael Netzley's Asia Report, is PR Hacker spamming on an industrial scale?, Media Monitoring Minute from CustomScoop, listener comments, can attention replace the pageview?, Dan York's Tech Report, Igloo Software promo, last week on the FIR Podcast Network, drawing the legal line on reselling ebooks; music from Assembly of Dust; and more.

Jun 25

ICANN 50 DNSSEC Workshop Streaming Live TODAY From London

ICANN 50 logoAs we mentioned last week,  the DNSSEC Workshop at ICANN50 will take place from 8:30 – 14:45 London time TODAY, June 25, 2013 and will be streamed live via audio or via Adobe Connect (combined audio, slides and video).  More info can be found at:

http://london50.icann.org/en/schedule/wed-dnssec

The links for remote listening can be found there, as can the presentation slides.  The session will be recorded for later viewing if you can’t see it live.  This is the week’s big session on DNSSEC and covers topics such as:

  • Introduction and DNSSEC Deployment Around the World
  • DNSSEC Activities in the European region
  • The Operational Realities of Running DNSSEC
  • DANE and DNSSEC Applications
  • DNSSEC Automation
  • Panel Discussion/Demonstrations on Hardware Security Modules (HSMs)

We’ll also have a presentation from CDN provider Cloudflare about their plans for DNSSEC, a session about key rollovers and some great demos of new tools and services.  It should be quite an interesting and educational day!

Getting to the room for the DNSSEC Workshop

If you are here in London it turns out that finding the room where the DNSSEC Workshop will be held is a bit of a challenge.  The location is “Hilton 1-6″ on the third floor of the Tower Wing (the wing in the middle). The directions are as follows:

  1. Go right after exiting the elevators on the third floor and take an immediate right again (there will be a sign on the wall for Hilton rooms 1-17)
  2. Take a left at the next corridor.
  3. Take a right at a wide corridor where there are some tables on the right (there will be a sign on the wall for Hilton rooms 1-17)
  4. Go down the stairs under the sign “Hilton Meeting Room Business Center”

From this point there are two ways to enter at the back of the room (there is a third way but it is harder to describe):

  1. Go straight ahead through the ICANN staff breakfast/lunch area to the door marked Hilton 1.
  2. Go down the left-hand corridor to the door on the right marked Hilton 3

When in doubt, ask any Hilton staff person or ICANN staff person.  We hope to see you there!

More information

All the slides for today’s session can be found on the ICANN web page for the session.

To learn more about DNSSEC, please visit our “Start Here” page to find resources tailored to your type of organization.

Jun 23

Reminder – “DNSSEC For Everybody” Streamed Live From ICANN 50 Today

ICANN 50 logoJust a quick reminder that, as we mentioned last week, the DNSSEC For Everybody: A Beginner’s Guide session today at ICANN 50 in London will be streamed live via audio or via Adobe Connect (combined audio, slides and video).  This is a fun session where we step back to caveman days to try to explain DNSSEC in the simplest of terms… and also add some skits into the mix as well (yes, DNSSEC engineers doing a skit!).  It is happening from 17:00 to 18:30 British Summer Time (local time in London). More info can be found at:

http://london50.icann.org/en/schedule/mon-dnssec-everybody

The links for remote listening can be found there, as can the slides and handout for download.  The session will be recorded for later viewing if you can’t see it live.

If you want an even deeper dive into DNSSEC, plan to attend (remotely or here at ICANN 50) the DNSSEC Workshop happening most of the day on this coming Wednesday, June 25, where we’ll be starting at 8:30am and covering a wide range of topics related to DNSSEC.

To learn more about DNSSEC, please visit our “Start Here” page to find resources tailored to your type of organization.

Jun 23

Great To See Full (And Faster) IPv6 At ICANN 50 In London

Here at ICANN 50 in London (where I am focused on DNSSEC sessions) it was great to connect to the WiFi network and find that that I had full IPv6 connectivity.  Here’s a shot of the IPvFoo plugin for Chrome when I went to the main ICANN 50 website:

ICANN 50 IPv6

Even more fascinating was how much faster the IPv6 connectivity is here versus IPv4, undoubtedly because most of the 2,200+ 3,300+ attendees are using primarily IPv4.  Using Comcast’s Speedtest we wrote about back in February, I was amazed to see the dramatically different speeds:

ICANN 50 IPv6 Speed Test

I was so surprised that I had to run Comcast’s speed test several more times and test against multiple different servers. (Yes, I’m a network geek who is fascinated by this kind of thing!)  All of them gave similar results… one even offering an even higher IPv6 upload speed:

icann50-ipv6-comcast-speedtest2

Sadly, I don’t have any large videos I need to upload to YouTube or anything like that, because clearly this ICANN 50 network would be the place to do so! (Assuming the sites were all over IPv6, as YouTube is.)

To double-check, I also went to ipv6-test.com’s speed test, where IPv4/IPv6 is also differentiated, and again saw a difference (it seems to only test download speed):

IPv6 test from ipv6-test.com

All in all it is great to see that not only is ICANN offering IPv6 connectivity to all attendees… but it is faster than that over IPv4.

Way to go, ICANN!

UPDATE: Article updated with the information that there are now over 3,300 registrants at this ICANN meeting!