Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
May 07
Watch LIVE NOW – IPv6 Security Session Out of LACNIC 21
Interested to learn more about IPv6 security? Our Chris Grundemann will be speaking about “Security In An IPv6 World” at LACNIC 21 in Cancun in just a few minutes. He is the second speaker in a session that is scheduled to start at 9:30am local time (which is 10:30 US EDT and 14:30 UTC)… which is pretty much right now! You can view the session live at:
You can view the live stream in Spanish, Portuguese or English… although Chris will be speaking in English! 
Chris will also be speaking about the Deploy360 Programme tomorrow, May 7, 2014, at 9:05am local time (14:05 UTC). (You can read more about what Chris is doing at LACNIC 21 this week.)
Our colleague Mat Ford will be speaking on Friday at 9:15-9:30am local time (14:15-14:30 UTC) about our routing resilience survey.
You can see the full agenda for LACNIC 21 at their website.
May 06
Celebrate “Day Against DRM” With 50% Off All O’Reilly Ebooks
In celebration of the “Day Against DRM“, O’Reilly is running a sale of 50% off of all their ebooks and videos. All you have to do is go to their site and shopfor ebooks … that’s it!
As I note on my page about buying the book, I’m a big fan of buying directly from O’Reilly because the ebooks are DRM-free andyou get free updates and more.
DRM only hurts us as readers … and as an author I don’t want my readers locked into specific platforms. I’d like readers to be able to read my books on whatever device they want whenever they want.
As the site says, DRM is TOXIC to our freedom!
So… if you have been thinking about buying some O’Reilly ebooks – mine or anyone else’s – please buy them today and help spread the word that we as readers want our ebooks without DRM!
Thanks!
P.S. My “Seven Deadliest Unified Communications (UC) Attacks” book is also on sale today in ebook form through O’Reilly after O’Reilly started carrying the ebook version of 7 Deadliest UC Attacks last year.
P.P.S. Please note the 50%-off sale ends on May 7, 2014, at 5:00am US Pacific time.
May 05
DNSSEC-name-and-shame Spotlights Top Web Sites Without DNSSEC
Which of the Top Alexa-ranked sites support DNSSEC? How can you quickly find out if a web site supports DNSSEC? Last week we learned of a fun new site that came out of a recent hackathon at TheNextWeb 2014 conference in Amsterdam that aims to answer these questions. Called “DNSSEC name and shame!” the site can be found at the simple URL of:
http://dnssec-name-and-shame.com/
At the top you can just enter any domain name and the site will check whether that domain is signed with DNSSEC. But what is perhaps more interesting is to go a bit further down the page and look at the list of the Alexa Top 25 sites and the list of the event sponsors and “known good” examples. You can click on any link and it will tell you the result.
I won’t spoil the surprise of what you’ll find when you click those links… but suffice it to say that many of the sites need to read our information for content providers / website owners about how to sign their domains with DNSSEC! :-)
This DNSSEC-name-and-shame site is a cool example of the type of site / service that can be easily created using some of the new APIs available for DNS and DNSSEC. Several of the other hackathon projects were definitely cool and we’ll be spotlighting some of them in the weeks ahead.
Congrats to the developers of the site, Joel Purra and Tom Cuddy, too, for winning PayPal’s TNW Hack Battle prize. Great to see PayPal recognizing this work… and of course paypal.com has been signed with DNSSEC for quite some time now.
Do check the site out… test out domains that you work with… and if they are not signed, why not start today on getting them signed and making the Internet more secure?
P.S. We also enjoyed that Anne-Marie Eklund Löwinder of .SE lent her shaking-fist image to the site. She’s one of the early pioneers in the world of DNSSEC and it’s fun to see her here!
May 05
FIR #754 – 5/5/14 – For Immediate Release
Quick News: consequences of a lack of common sense on Twitter, Fleishman Hillard launches Native Newsroom for LinkedIn, WPP acquires Twist Image, more problems for social media policies; Ragan promo; News That Fits: a social media transformation, Michael Netzley's Asia Report, the fashion industry and Instagram, Media Monitoring Minute from CustomScoop, listener comments, is print the new killer app?, Dan York's Tech Report, last week on the FIR Podcast Network, Igloo Software promo, wearable tech and business; music from Groove Carnival, and more.
May 02
Reminder – Live Call In Two Hours About TLS / SSL And The Need For More Crypto Everywhere
Reminder – in two hours you can join a live discussion we mentioned earlier this week about the need for more TLS / SSL everywhere and what we can do as a technical community to make that happen. As I noted earlier the main guests will be Olle Johansson and Kristian Kielhofner with others joining in as well. Host Randy Resnick usually creates an enjoyable and informative session where much can be learned.
To join the call, you can either connect in to the Google+ Hangout at 12:00 noon US Eastern – or alternatively call in via the SIP, Skype or regular old phone numbers listed on the top of the VUC page for the episode. There is also an IRC backchannel where text chat occurs during the episodes. The session will be recorded if you cannot attend live.
For us, we’re interested in discussions like this one today because we want to build out our TLS for Applications area to have the best resources possible to help developers add TLS into their applications and in so doing make the Internet stronger and more secure for us all. (And on that note, if you would be interested in helping us create the info on our content roadmap for TLS – or know where we can find existing documents that fulfill those items – please contact us!)
May 02
Fedora 21 To Have DNSSEC Validation Enabled By Default
By way of a recent tweet from Red Hat’s Paul Wouters we learned the great news that the next release (21) of the Fedora operating system will include a DNSSEC-validating DNS resolver enabled by default. According the Fedora 21 release schedule, if all goes according to plan Fedora 21 should be generally available in October 2014. This will mark the first of the major Linux distributions that I am aware of that will offer the added security of DNSSEC validation by default. With Linux, you can of course always add a DNSSEC-validating DNS name server such as DNSSEC-Trigger, Unbound, dnsmasq or another DNSSEC-validating DNS server, but this move by the Fedora project will have the validation occurring by default.
From the Fedora 21 Proposed System Wide Change message:
There are growing instances of discussions and debates about the need for a trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user’s privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.
People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.
Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour.
Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.
All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It’ll simplify and facilitate lot of other design decisions and application development in future.
This is great news for those of us who want to see the security of the Internet strengthened through DNSSEC – and definitely in keeping with part of the plan for where we need to see DNSSEC validation.
Kudos to the team at Fedora who are making this happen and we look forward to seeing it come out in Fedora 21 later this year!
May 02
Plan – Where We Need To Get DNSSEC Validation Happening
For DNSSEC to succeed, we need to get DNSSEC validation happening within DNS resolvers at many different levels within the Internet ecosystem. Ideally, the DNSSEC validation will occur as close as possible to the end user (either a person or a device) so that the attack surface where an attacker could inject bogus DNS packets is minimized. For instance, if the DNSSEC validation occurs within an application on the end device, there is very little an attacker can do to inject bogus DNS packets. On the other hand, if the DNSSEC validation occurs out at a public DNS server somewhere out on the Internet, the attacker can inject packets anywhere between that public DNS server and the end device. The reality is that we would like to see DNSSEC validation happening at many different levels.
This page exists to track the progress of where we are with getting DNSSEC validation happening across the Internet. It is organized from the farthest point away from the end device down to the closest.
[At the moment, this page is a work-in-progress as we are still updating it with the current status of information (and feedback is welcome). ]
Public DNS Services
While the attack surface is quite large, it is still useful to have DNSSEC validation occurring in public DNS services available to all across the open Internet. The list of services known to perform DNSSEC validation by default includes:
Internet Service Providers / Network Operators
Internet Service Providers (ISPs) and other network operators are an excellent location for DNSSEC validation to occur as the ISPs DNS servers are typically provided to all customers as the “default” DNS resolvers for the customers to use. Attacks are still possible if an attacker can get onto the ISPs network but the area of the attack is significantly less than the entire Internet. Major ISPs known to support DNSSEC by default include:
- Comcast (North America)
- (list of ISPs in Sweden, Czech Republic, Netherlands, Brazil)
If you are an ISP or network operator and want to support DNSSEC validation, please see our page about DNSSEC for network operators.
Enterprise Networks
Enterprise networks are a critical place to perform DNSSEC validation as they can do so on behalf of a secured corporate network.
Suggestions for how to deploy DNSSEC validation can be found on our DNSSEC for enterprise customers page.
Home Networks and Consumer Electronic Devices (ex. home routers)
(include a list of consumer devices supporting DNSSEC validation – also include mention of dnsmasq)
Operating Systems
Having DNSSEC validation occur within the operating system of a device is one of the best places for validation to occur. The following operating systems are known to have DNSSEC validation enabled by default:
- Fedora 21 (coming in late 2014)
It is certainly possible for an individual to configure DNSSEC validation on an individual system using tools such as:
There are also guides out there that explain the easy steps to enable validation on existing systems:
- SURFnet guide to enabling DNSSEC validation for BIND, Unbound and Microsoft Windows
- Microsoft Guide to DNSSEC on Windows Server 2012
Applications
Ideally applications themselves may perform DNSSEC validation.
(include a list of applications known to include DNSSEC validation)
Resources available to developers include:
- List of developer libraries supporting DNSSEC
- getDNS API
More information can be found on the DNSSEC for developers page.
Apr 30
TDYR #149 – Getting Vaccinations For Upcoming Tavel To Djibouti
TDYR #149 - Getting Vaccinations For Upcoming Tavel To Djibouti by Dan York
Apr 30
Summary Report Now Posted of W3C/IAB “Strengthening The Internet (STRINT)” Workshop (Featured Blog)
Given that I've written here about the original call for papers for the W3C/IAB "Strengthening The Internet Against Pervasive Monitoring (STRINT)" Workshop and then subsequently that the STRINT submitted papers were publicly available, I feel compelled to close the loop and note that a report about the STRINT workshop has been publicly published as an Internet-draft. More...
Apr 30
Join The VUC Podcast Live On Friday, May 2, To Talk TLS/SSL And The Need For “More Crypto”
Why do we need “more crypto” everywhere? How can we get more people using TLS (SSL) in applications and services? If you are interested in this topic and want to discuss it with others, please do join the “VoIP Users Conference (VUC)” conference call this Friday, May 2, 2014, at 12 noon US Eastern time. The main guests will be Olle Johansson and Kristian Kielhofner and I will also be joining in to participate (as will typically a good number of people). Olle just recently participated in the “MeraCrypto” day-long session sponsored in part by the Internet Society Chapter in Sweden and has also been maintaining a set of slides about why we need “MoreCrypto”.
With the recent Heartbleed vulnerability in the news (here was my view on it) there is obviously a great amount of interest in the topic of getting more TLS / SSL out there. I’ll be on the call in part because we launched our “TLS for Applications” area out of our belief that we need more crypto out there being used. It should be good conversation and I’m very much looking forward to it!
To join the call, you can either connect in to the Google+ Hangout at 12:00 noon US Eastern – or alternatively call in via the SIP, Skype or regular old phone numbers listed on the top of the VUC page for the episode. There is also an IRC backchannel where text chat occurs during the episodes.
If you can’t listen live, the show will be recorded and you can listen to it later. If you can join live, please do… it should be great conversation on a very important topic!
