Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
Mar 01
Weekend Project: Add DKIM / DNSSEC Verifier To Thunderbird
Here’s an interesting weekend project if you use Mozilla Thunderbird as your email client – add the DKIM Verifier add-on to ensure the validity of signatures on email messages. The connection to DNSSEC is that the public keys for DKIM are stored in DNS and so DNSSEC ensures that you are getting the correct DKIM keys.
This past week Pier Carlo Chiodi published a great tutorial, “Verifying DKIM signatures on Thunderbird with DNSSEC” that walks through the steps of adding the DKIM Verifier add-on to Thunderbird to verify the signature on the message and validate it all via DNSSEC.
As he notes in his text, this tutorials does the DKIM/DNSSEC validation in the client (Thunderbird) while other solutions might do the validation within the email server itself.
Thanks to Pier Carlo Chiodi for writing this tutorial. This is great to see… now we just need similar tutorials for other email clients!
Note: the image in this article is from Pier Carlo Chiodi’s blog post.
Feb 28
TDYR #114 – In Praise Of Propeller-driven Commuter Flights
TDYR #114 - In Praise Of Propeller-driven Commuter Flights by Dan York
Feb 28
Introducing A New Deploy360 Topic: TLS for Applications
How can we help make it easier for developers to learn how to add TLS (SSL) support to their applications? If you’ve been following our work here at Deploy360 for a while, you know that part of our attention is focused on accelerating the deployment of DNSSEC and of technologies that help in securing BPG and Internet routing.
With DNSSEC, a great bit of our focus has been on the enormous potential of the DANE protocol to help make Internet connections using Transport Layer Security (TLS) more secure. You already use TLS probably every day with your web browser… although you may know it more by its older name of “Secure Sockets Layer (SSL)”. Any time you go to a website with a “https” at the beginning of a URL, or if you see a “lock” icon in many browsers, you are using TLS. Any app developer using TLS is a great candidate to be using DANE.
But how do we get more developers using TLS to encrypt their connections and secure the data sent over those connections?
Around the time we were thinking about this, a new working group was launched within the IETF called “Using TLS in Applications (UTA)”. This working group is chartered to create a set of “best practices” guides to help application developers know how to implement TLS in the best way possible to defend against attacks such as those outlined in draft-sheffer-uta-tls-attacks. You can find out more about the UTA Working Group, including how to join the public mailing list, at these links:
It seemed to us that these documents being created within the UTA group were ones that should be shared widely. I put some ideas forward on the UTA mailing list and received positive responses – and so we’re launching this new section of Deploy360 to help get that information out. As the UTA working group publishes documents we’ll try to do what we can to help more developers and network operators learn about those documents.
To that end, I’ll also note that the UTA working group will be meeting this coming Friday, March 7, from 0900-1130 UTC at the IETF 89 meeting in London. I wrote about this in my article yesterday about the DNS-related activities happening at IETF 89. You can join the session remotely to listen in, so if this is of interest to you please do join.
Now, our “TLS for Applications” section here on Deploy360 will not be ONLY about the documents coming out of the UTA working group. We’ll also be finding the best documents and tutorials related to TLS that we can find out there on the Internet. We’ve put up a content roadmap identifying the types of documents we intend to add to the site.
We’d love to hear your feedback about this new section of Deploy360. Do you see this as something that will be helpful to you?
How You Can Help
We need your help! In order to provide the best possible resources to help application developers expand their use of TLS, we need to hear from you! We need your feedback to help us know how we can best help you. A few specific requests:
1. Read through our pages and content roadmap - Please take a look at our “TLS for Applications” page to understand what we are trying to do, and also please take a look at our content roadmap for BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?
2. Send us suggestions – If you know of a tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.
3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.
4. Help us spread the word – As we publish resources and blog posts relating to adding TLS to applications, please help us spread those links through social networks so that more people can learn about the topic.
Thank you! Working together we can make the Internet more secure!
Feb 28
Meet The Deploy360 Team At IETF 89 Next Week
Will you be at IETF 89 next week in London? If so, please feel free to say hello to one of our team members there. We’ll all be there: myself (Dan York), Chris Grundemann, Megan Kruse and Jan Žorž.
You can expect to find at least one of us in any of the sessions that relate to IPv6, DNSSEC or securing BGP. Specifically, some of the sessions we’ll be at can be found in these posts:
- 3 Sessions About Securing BGP At IETF89 Next Week
- 6 Sessions About IPv6 At IETF 89 Next Week In London
- 8 Sessions About DNSSEC / DANE / DNS At IETF 89 Next Week
We’re always interested in talking to people about the work we do here and also how we can help you get these technologies more rapidly deployed. Got a question for us? Find us at the IETF sessions and let us know.
You can also send an email to us at “deploy360@isoc.org” if you’d like to set up a time to meet.
See you in London!
Feb 27
TDYR #113 – The Challenge Of Packing All The Gear For Audio And Video Content Creation
TDYR #113 - The Challenge Of Packing All The Gear For Audio And Video Content Creation by Dan York
Feb 27
8 Sessions About DNSSEC / DANE / DNS At IETF 89 Next Week
Wow! IETF 89 next week in London is going to be an extremely busy week for those of us interested in DNSSEC, DANE and DNS security in general. As I explained in a post today, “Rough Guide to IETF 89: DNSSEC, DANE and DNS Security“, there are 5 new working groups and BOFs related to DNS and DNSSEC in addition to the three already existing working groups.
I go into a great bit of detail in the Rough Guide blog post, but here are the quick summaries of what is happening this week:
- The DANE Working Group is focused on how to use the DANE protocol to add more security to TLS/SSL connections. The DANE WG agenda at IETF 89 is about using DANE with email and IM, operational guidance and much more.
- The DNS Operations (DNSOP) Working Group has a very full agenda with the biggest DNSSEC-related piece being the drafts around how to deal with the critical issue of the uploading of DS records from DNS operators to registries. Some other great DNSSEC work being discussed there, too.
- The brand new Using TLS in Applications (UTA) Working Group that has as a primary goal to deliver a set of documents that are “go to” security guides aimed at helping developers add TLS support into their applications. We’re interested in the potential DNSSEC/DANE connection there.
- The new Public Notary Transparency (trans) Working Group on Wednesday that is looking at how to update the experimental RFC 6962, “Certificate Transparency”, to reflect recent implementation and deployment experience. Our particular interest is that part of the charter is to ensure that this mechanism can work in the presence of DANE records in addition to regular web certificate-based system.
- The new EPP Extensions (eppext) working group that is focused is looking at draft-ietf-eppext-keyrelay that defines a mechanism that can be used to securely transfer a DNSSEC-signed domain from one operator to another.
- The “Encryption of DNS requests for confidentiality” (DNSE) BOF is exploring how to protect the confidentiality of DNS requests from sniffing. The DNSE BOF will use draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality as starting points for discussion.
- The Domain Boundaries (dbound) BOF is looking at how domain names are used in setting security policies. Our interest is in understanding how this may fit into the other DNS security components of the work we are doing such as DNSSEC and DANE.
- The Extensions for Scalable DNS Service Discovery (dnssd) Working Group is continuing their discussions about how DNS-SD (RFC6763) and mDNS (RFC6762) can be used beyond the local network. Our interest is in how this all gets done securely.
We will finish out the week with a breakfast meeting Friday morning with people involved in the DNSSEC Coordination effort (and anyone can join the mailing list) where we’ll have some conversation and food before heading off to the DNSOP and/or UTA working groups.
It’s going to be a crazy-busy week… but I’m looking forward to seeing all that we can get done!
Relevant Working Groups and BoFs
dnssd (Extensions for Scalable DNS Service Discovery) WG
Monday, March 3, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/
dnse (Encryption of DNS request for confidentiality) BOF
Tuesday, March 4, 2014, 1420-1550 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnse/
List of BOFs: http://trac.tools.ietf.org/bof/trac/
trans (Public Notary Transparency) WG
Wednesday, March 5, 2014, 1520-1620 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/
dane (DNS-based Authentication of Named Entities) WG
Thursday, March 6, 2014, 0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/
dbound (Domain Boundaries) BOF
Thursday, March 6, 2014, 1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/
eppext (Extensible Provisioning Protocol Extensions) WG
Thursday, March 6, 2014, 1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charter/
dnsop (DNS Operations) WG
Friday, March 7, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/
uta (Using TLS in Applications) WG
Friday, March 7, 2014, 0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charter/
Remote Participation
You don’t have to be in London to participate in the meetings of IETF 89. You can also:
- Listen to live audio streams.
- Participate in Jabber chat rooms to ask questions.
- Download the slides planned for each session.
- Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.
Information about how to participate can be found on the IETF 89 Remote Participation page. Keep in mind that times for London are in UTC.
Feb 27
Rough Guide To IETF 89: DNSSEC, DANE and DNS Security
At IETF 89 next week in London there is a huge amount of activity related to DNSSEC, DANE and DNS security in general, largely due to three brand new working groups and two new birds-of-a-feather (BOF) sessions.
Dan York
Feb 26
Papers Now Available Publicly for W3C/IAB “Strengthening the Internet” Workshop (Featured Blog)
Want to read a wide range of views on how to strengthen the security and privacy of the Internet? Interested to hear how some of the leaders of the open standards world think we can make the Internet more secure? As I wrote about previously here on CircleID, the W3C and the Internet Architecture Board (IAB) are jointly sponsoring a workshop on "Strengthening The Internet" (STRINT) on February 28 and March 1 in London just prior to the IETF 89 meeting happening all next week. More...
Feb 26
TDYR #112 – Getting Ready For IETF 89 Next Week In London
Next week is IETF 89 in London and in this episode I talk about the craziness of getting everything ready for the trip where I leave on Friday morning...
