Just a guy in Vermont trying to connect all the dots...
Author's posts
Sep 26
How To Securely Transfer A DNSSEC-Signed Domain Between DNS Operators – SIDN’s EPP Keyrelay
What happens if you want to transfer a DNSSEC-signed domain from one DNS operator to another? Perhaps you are consolidating domains into one operator… or the new operator has better security… or is less expensive…
It turns out that there has not been an easy way to do this while ensuring that the DNSSEC “chain-of-trust” remains intact. If the old DNS operator (often referred to as the “losing operator” when talking about domain transfers) just stops serving DNS records, the new DNS operator (referred to as the “gaining operator”) can start serving DNS records – but there will be a time delay while a new DS record is recorded in the registry for the top-level domain (TLD) for whatever domain is being transferred. During that time, validation would fail because the DNSSEC records being served would not match the DS record contained in the TLD registry. This might only be a brief period of time… but as we start using DNSSEC more widely – and particularly for services like DANE that provide added integrity to SSL interactions – keeping the domain “always secure” will become increasingly important.
One solution that has been suggested – and successfully demonstrated! – is that of “EPP keyrelay” proposed by SIDN, the registry operator for .NL. Antoin Verschuren from SIDN Labs wrote up this solution in a document titled “EPP keyrelay: solving the last obstacle for DNSSEC deployment” (PDF). The mechanism has also been submitted as an Internet Draft to the IETF as: draft-gieben-epp-keyrelay.
Essentially, the mechanism introduces a new command into the Extensible Provisioning Protocol (EPP) used by DNS operators, registrars and registries, and uses the registry as a broker to transfer DNSSEC key information from the new DNS operator to the old DNS operator as part of the transfer process.
The document and Internet-Draft do indeed present an interesting solution to this challenge of domain transfer. Both are being discussed within the larger DNSSEC and DNS community – and I know that Antoin and the team at SIDN Labs would welcome further feedback – and implementation, of course! It’s great to have SIDN Labs providing a solution and we look forward to seeing how this work evolves – we definitely do need to ensure that domains can remain “always secure”, even when being transferred.
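The failure window and the effect of relaying the gaining operator's key can be reproduced in a small model. This is an added example, not code from SIDN or the Internet-Draft: it assumes one key per operator, constructed placeholder key bytes, the made-up zone `example.nl`, signatures modelled simply as "signed by key X", and that the losing operator publishes the relayed key in its DNSKEY RRset.

```python
import hashlib
import struct

ZONE = "example.nl"  # constructed zone name

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey(pubkey, flags=257, alg=13):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def ds_digest(owner, key):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + key).hexdigest()

OLD = dnskey(b"constructed-losing-operator-key")   # placeholder, not a real key
NEW = dnskey(b"constructed-gaining-operator-key")  # placeholder, not a real key

def validates(ds, rrset, rrset_signer, answer_signer):
    """Simplified validator; a signature is modelled as 'signed by key X'.
    The DS must match the key that signed the DNSKEY RRset, and the answer
    must be signed by a key contained in that RRset."""
    anchored = rrset_signer in rrset and ds_digest(ZONE, rrset_signer) == ds
    return anchored and answer_signer in rrset

def abrupt_cutover_validates():
    """Gaining operator serves its own keys while the registry still holds the old DS."""
    return validates(ds_digest(ZONE, OLD), {NEW}, NEW, NEW)

def transfer_failures(relay):
    """Names of the resolver states that fail validation during the hand-over."""
    # Assumption: with keyrelay the losing operator adds the relayed key to its RRset.
    old_rrset = {OLD, NEW} if relay else {OLD}
    ds_old, ds_new = ds_digest(ZONE, OLD), ds_digest(ZONE, NEW)
    states = {
        # name: (DS at registry, DNSKEY RRset held, RRset signer, answer signer)
        "old operator only": (ds_old, old_rrset, OLD, OLD),
        "old DNSKEY RRset cached, answer from new operator": (ds_old, old_rrset, OLD, NEW),
        "new operator only, DS updated": (ds_new, {NEW}, NEW, NEW),
    }
    return [name for name, s in states.items() if not validates(*s)]

if __name__ == "__main__":
    print("abrupt cut-over validates:", abrupt_cutover_validates())
    print("failures without relay:", transfer_failures(False))
    print("failures with relay:   ", transfer_failures(True))
```

The model ignores TTLs and real signature verification; it only shows which key has to be visible where for the chain of trust to hold.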
Sep 26
TDYR #038 – Heading To Poland And Ukraine For ION Krakow And ENOG 6
Sep 26
Renesys Chronicles Today’s Internet Blackout in the Sudan (Now Restored) (Featured Blog)
Sep 25
2 Excellent New Tutorials On IPv6 Address Planning From ISOC and SURFnet
How should you plan out your IPv6 addresses? What is the best way to allocate IPv6 address blocks to your various networks and subnets? What factors should you be considering when mapping out a plan for how best to use your IPv6 addresses? These are all great questions and were in fact topics I covered in two recent IPv6 webinars – but we’re very pleased to announce two recent documents that go into this topic in great detail (and we’ve added both to our new IPv6 Address Planning page):
IPv6 Address Planning: Guidelines for IPv6 address allocation
The first IPv6 address planning document is one written for our Deploy360 site by Tim Rooney at BT Diamond IP after he was reviewing our IPv6 content roadmap and contacted us about writing this document for our web portal. It’s a brand new document that we’re publishing for the first time today. Tim does an excellent job walking through the issues around why you need an IPv6 address plan, how you should set one up, suggestions for how to number subnets and then several examples of exactly how you could allocate addresses to subnets based on a plan. He concludes with some recommendations and observations.
It’s a solid document that I think will be quite useful for anyone starting out with IPv6. We greatly appreciate Tim’s contribution to our site and thank him for the time he spent on the document. (And we’re always open to new contributors!)
SURFnet: Preparing An IPv6 Address Plan
In a bit of synchronicity, the great team over at SURFnet came out with a new version of their IPv6 address planning document last week. They first came out with this document in 2011 and with the help of RIPE NCC made it available in both Dutch and English. In this new and improved version they’ve changed the flow of the text a bit and added in more information. The document starts out with a brief review of IPv6 addressing and then gets into the details of creating an address plan. It provides some excellent suggestions and recommendations and includes some detailed examples of how you could structure an address plan. The document also contains sections around how you manage the assignment of IPv6 addresses out to end devices (hosts).
This document, too, is an outstanding document for anyone getting started with IPv6. Thanks to the SURFnet team for coming out with this new version!
While the two documents cover similar ground, they both provide different and useful perspectives on how to create an IPv6 address plan. The combination of the two documents will be quite helpful for anyone looking to get started with IPv6.
We strongly encourage you to read both documents (and please do share them with others!) and provide any comments and feedback back to the authors. We’ve added them to a new IPv6 Address Planning page where we will also be adding other resources on this topic (and please let us know if you are aware of some resources we should consider adding). Now… let’s get those IPv6 networks deployed!
Sep 25
SURFnet: Preparing An IPv6 Address Plan
The team at SURFnet has created an excellent document called “Preparing an IPv6 Address Plan” that walks through the many different steps and concerns that you need to consider when creating a plan. The September 2013 version of the document is available from SURFnet’s website.
After briefly touching on the basics of IPv6 addressing and also the idea of simply not having an IP address plan, the document gets into a very detailed description of how you might go about creating an IPv6 addressing plan. It includes several examples and some excellent recommendations. The document concludes with some good suggestions around managing and addressing hosts (end-user devices) now that you have your address plan.
It’s an excellent document and it is great that SURFnet has made this available and has continued to update it with the latest information.
Please visit our IPv6 Address Planning page for other similar resources that can assist with developing an IPv6 address plan.
Sep 25
How To Get IPv6 Addresses
If you want to obtain IPv6 addresses for your network, the process to do so depends upon the type of network you operate. If you are a home user or operator of a business network, you will want to start with the local Internet Service Provider (ISP) who provides your access to the Internet. If they are unable to provide you with IPv6 addresses, you will need to explore one of the various IPv6 transition mechanisms such as IPv6 tunneling.
If you are an Internet Service Provider or a large enterprise network operator and want to obtain large blocks of IPv6 addresses, you will need to contact the Regional Internet Registry (RIR) that services the geographic region in which you are based. Information can be found at these links:
- AFRINIC (Africa)
- ARIN (North America)
- APNIC (Asia Pacific)
- LACNIC (Latin and South America)
- RIPE NCC (Europe and eastern/northern Asia)
More information about the IPv6 programs and policies of the Regional Internet Registries may be found at the Numbering Resource Organization (NRO).
Sep 25
IPv6 Address Planning
When starting out with IPv6, it is helpful to plan out how you are going to allocate your IPv6 addresses across your various networks and subnets. Reasons for creating an IPv6 address plan include:
- Routing tables can be smaller and more efficient
- Security policies can be easier to implement
- Application policies can be implemented
- Network management/provisioning can be easier
- Troubleshooting can be easier, particularly with visual identification
- Easier scaling as more devices or locations are added
We have several resources available to assist you in thinking about and creating an IPv6 Address Plan:
- IPv6 Address Planning: Guidelines for IPv6 address allocation
- SURFnet: Preparing an IPv6 Address Plan
- Slides: IPv6 Address Planning
- (Coming soon) Webinar recording: Getting Started with IPv6
To obtain IPv6 addresses, the best place to start is by contacting the Internet Service Provider (ISP) that provides your Internet access. If you are with an ISP or a large network operator, you will need to contact your Regional Internet Registry (RIR) to find out their process for obtaining IPv6 address blocks.
If your ISP is not able to provide you with IPv6 addresses and you are not eligible to obtain IPv6 addresses from an RIR, you will need to explore one of the IPv6 transition mechanisms such as tunneling.
Sep 24
2% of All Traffic to Google Now Over IPv6! (Doubling in Past Year) (Featured Blog)
Sep 24
Second Free IPv6 Webinar Tomorrow (Weds) – IPv6 Transition Technologies
If you missed today’s IPv6 webinar sponsored by AFRINIC, you still have a chance to join in tomorrow when the focus will be primarily on “IPv6 transition technologies” and how you can connect your network to IPv6. More information and the registration link can be found here:
http://www.afrinic.net/en/library/news/946-ipv6-webinar
Tomorrow’s session starts again at 13:00 UTC (15:00 CEST in much of Europe and 09:00 US Eastern) and will pick up where today’s session ended. I’ll be reviewing IPv6 Address Planning and then AFRINIC’s Hisham Ibrahim will pick up discussing various IPv6 transition technologies:
13:00 – 13:20 How to plan IPv6 resources (sub-netting & nibble boundaries) part 2
13:20 – 13:35 Dual Stack
13:25 – 13:35 Tunneling (manual and static)
13:35 – 13:55 Translation
13:55 – 14:10 Questions/Answers
The webinar is free but you need to register to get access to the event.
In today’s session, Hisham started out with a brief review of the status of IPv6 in Africa. The image in this post is an example of the information he posted – in this case it was showing requests for allocations of IPv6 addresses from across Africa. After that my Internet Society colleague Kevin Chege began with the basics of IPv6 addresses as well as the different types of addresses. I then followed with a lengthy discussion of the kinds of things to think about when coming up with an IPv6 address plan and gave a number of examples. I’ll be reviewing that tomorrow and then speaking a bit more about IPv6 address planning at an ISP level.
If you missed today’s sessions, both the slides and the recordings of the sessions will be made available in the next week. I’ll post information back here when they are online.
Today was an enjoyable event and I’m expecting tomorrow to be even more so given that transition technologies are typically among the topics people have the most interest in and questions about. I hope to see you there!

