Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
Sep 23
Free “Learning IPv6″ Webinars TOMORROW (on Sept 24/25) Sponsored by AFRINIC and ISOC – Sign Up Now!
Want to learn about IPv6? Would you like to know more about how IPv6 works, the basics of IPv6 addressing as well as what transition mechanisms are available to help move from IPv4 to IPv6?
If so, you can take part in a set of two free webinars happening tomorrow, Tuesday, September 24, 2013, and then Wednesday, September 25. The webinars start at 13:00 UTC (15:00 in much of Europe (CEST) and 9:00 in US Eastern) and more information is at:
http://www.afrinic.net/en/library/news/946-ipv6-webinar
Our friends at AFRINIC have worked with the Internet Society regional staff in Africa and also France Telecom – Orange to create this series of webinars. The first set in French already took place on September 10 and 11. The English versions start tomorrow. While there is some content related to Africa at the very beginning, the majority of the session is about IPv6 in general and the organizers said they would welcome anyone who is interested in attending from anywhere in the world. As noted on the page I linked to above, the course plan is:
Webinar themes on 24 September
13:00 – 13:05 Overview of where Africa is on IPv4 and IPv6 use
13:05 – 13:25 IPv6 address basics – notation and representation
13:25 – 13:35 IPv6 addressing types
13:35 – 13:55 How to plan for IPv6 resources (sub-netting and nibble boundaries) part 1
13:55 – 14:10 Questions/Answers
Webinar themes on 25 September
13:00 – 13:20 How to plan IPv6 resources (sub-netting & nibble boundaries) part 2
13:20 – 13:35 Dual Stack
13:25 – 13:35 Tunneling (manual and static)
13:35 – 13:55 Translation
13:55 – 14:10 Questions/Answers
If you would like to attend these sessions, YOU NEED TO REGISTER TO ATTEND THESE WEBINARS! The links to register can be found on the page on AfriNIC’s site. Note that you need to register for each day individually, i.e. if you want to go to both days you need to register for both days separately.
Thanks to the teams at AFRINIC, the Internet Society’s Africa Regional Bureau and France Telecom – Orange for making these webinars available for free. We’re looking forward to seeing how these help more people within the African region (and anyone who attends from elsewhere) get started with IPv6!
P.S. In full disclosure I’ll also mention that I’ll be one of the presenters during the webinars talking about part of IPv6 addressing.
Sep 23
FIR #722 – 9/23/13 – For Immediate Release
Congratulations to Jeramiah Owyang and Maggie Fox; FIR on Strategy starts debuts this week; Neville at smwSMILE on Monday; Quick News: Ghost blogging platform released to early backers, Target places bet on earned media, how top PR firms used LinkedIn, NYT introduces ad that links to live conference stream; Ragan promo; News That Fits: getting to know the interobang and slab serifs, Dan York's report, six factors for employee engagement, Media Monitoring Minute from CustomScoop, listener comments, FTC to hold native advertising workshop, Michael Netzley's Asia report, survey on board perceptions of corporate reputation; music from Mother Hips; and more.
Sep 20
ICANN’s 2013 RAA Requires Domain Name Registrars To Support DNSSEC, IPv6
How do we get more domain name registrars to support DNSSEC? I don’t know how many times I’ve heard this:
“I want to sign my domain, but my registrar doesn’t support DNSSEC – what do I do?”
It’s been one of the proverbial questions that has indeed been a barrier to getting more domains signed. As most of the largest top-level domains (TLDs) are now all signed, and an increasing number of smaller TLDs are getting signed, and as the tools for signing domains have become increasingly easy to use, there are fewer and fewer reasons not to add the increased level of security to your domain using DNSSEC.
Except… you need the registrar for your domain name to accept your DNSSEC information (either a DS or DNSKEY record) and pass that information up to the TLD registry (such as “.org”, “.com”, “.nl”, etc.).
That is the key role played by a registrar. And that is the missing link for many people in having their signed domain fully integrated into the global chain-of-trust of DNSSEC.
Now, ICANN has maintained a list of registrars supporting DNSSEC and we’ve posted some tutorials about registrars and DNSSEC. A number of us have also been promoting DNSSEC to registrars at ICANN events through the DNSSEC workshops there (such as the one coming up at ICANN 48 in Buenos Aires) but the fact remains that many registrars are not yet supporting DNSSEC.
This may change soon, though, for one very simple reason.
ICANN has updated their “Registrar Accreditation Agreement (RAA)” that all “ICANN-accredited registrars” (and it’s a big list!) must sign to continue their affiliation with ICANN. The 2013 RAA, passed by the ICANN Board of Directors in June 2013, includes several provisions related to both DNSSEC and IPv6. The final 2013 RAA, available as a PDF file, has this section 3.19:
3.19 Additional Technical Specifications to Implement IPV6, DNSSEC and IDNs. Registrar shall comply with the Additional Registrar Operations Specification attached hereto.
The actual “Additional Registrar Operation Specification” is found on page 67 of the agreement and states for DNSSEC:
1. DNSSEC
Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec- alg-numbers.xml> and <http://www.iana.org/assignments/ds-rr-types/ds-rr- types.xml>. All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.
What this means is that registrars that wish to continue their ICANN accreditation must accept DNSSEC information from customers and relay that up to the TLD registries.
My understanding from people involved with the process is that the registrars are supposed to sign this agreement this year and if they do, the agreement is supposed to come into force by January 1, 2014.
While I’d of course love to think that this means that the big huge list of ICANN-accredited registrars will all be accepting DNSSEC records by January 1, I suspect that we’ll see some implementations by then… with others to follow at some point in 2014. The good news is that this new RAA will cause some registrars to at least get DNSSEC higher on their priorities.
The other factor here is that all the “new generic TLDs” (a.k.a. “newgtlds”) that ICANN is planning to start adding over the next months and years all mandate that DNSSEC is included as part of their operations. For registrars to fully support those newgtlds they will need to have DNSSEC support, anyway, so even without the 2013 RAA they will have another incentive to look at DNSSEC.
Now, the 2013 RAA only affects ICANN-accredited domain name registrars and there are certainly many other registrars that are not affiliated with ICANN. They therefore won’t be required to support passing of DNSSEC records. I’d like to think, though, that at some point there will be enough market momentum that those registrars will need to support DNSSEC … and hopefully lists like ICANN’s can just fade away as DNSSEC becomes just something offered by at least the majority of all registrars.
We’ll see… but this is certainly a positive step for removing this missing link for getting DNSSEC-signed domains into the global chain of trust.
I’ll note, also, that the 2013 RAA requires registrars to accept IPv6 records for domain names. From that “Additional Registrar Operation Specification” on page 67 of the RAA:
2. IPv6
To the extent that Registrar offers registrants the ability to register nameserver addresses, Registrar must allow both IPv4 addresses and IPv6 addresses to be specified.
This, too, is excellent news as it will help organizations make their content and services more easily available over IPv6 in addition to IPv4.
Yet to be seen is how this all happens in reality and in what timeframe implementations actually occur… but it’s definitely a positive step in the deployment of both protocols and of enabling a more secure and innovative Internet.
P.S. If you’re a registrar looking to get started with DNSSEC and/or IPv6, please do browse our resources – and please do let us know if there are any ways we can help you get your deployment happening! Are there specific questions you have? Tutorials you’d like to see? How can we help you?
NOTE: I should mention that I first learned of these RAA requirements through a talk that Michele Neylon gave at the ICANN 47 DNSSEC Workshop in Durban, South Africa in July. Michele now heads the Registrar Stakeholders Group within ICANN.
Sep 19
Two Years At The Internet Society
It rather staggers my mind that it was two years ago today, on September 19, 2011, that I began work for the Internet Society (a.k.a. "ISOC"). Longtime readers and friends may remember my impassioned (and naturally long) post at the time, "Ch-changes - Taking A New Job At The Internet Society To Join The Fight For The Open Internet".
Two years later that passion has only grown stronger! The events of recent months with the massive Internet surveillance disclosures have only reinforced the need for organizations like the Internet Society to be out there doing what they can to preserve the open character of the Internet.
Whether it is the excellent work on leading Internet technologies - and support for the IETF... the incredible work of our public policy team ... or the great work going on to to expand access to the Internet in regions where there is limited connectivity... or the global work of our chapters helping at a local and regional level... or the programs to develop the next generation of Internet leaders... or the many, many other activities going on around the globe... it's been an absolute pleasure to be a staff member for the Internet Society and I look forward to many more years ahead!
For me, being involved with the creation of the Deploy360 Programme has been an amazing experience. Working on Deploy360 has enabled me to unite my writing and communication skills with my passion for and knowledge of technologies such as DNS, IPv6 and routing technologies - as well as my enjoyment of social media as a way of distributing content and engaging in conversations. Plus, I've had a chance to continue my work with WordPress and so many other social tools.
I've had the opportunity to work with an outstanding team ... and I've had a chance to meet some of the most amazing people all around the world. With Deploy360 our goal is to find out what challenges people are having with deploying IPv6, DNSSEC and routing technologies - and then find or create the appropriate resources to answer those challenges and help people overcome those issues. To do that, you have to go out and meet people... to talk to to them... to hear their questions and to ask them questions.
And so there is this exquisite irony that someone who works for the Internet Society winds up spending an insane amount of time on airplanes traveling to places all around the world to meet with people responsible for deploying these open Internet protocols. And sometimes it's admittedly a bit absurd... such as the trip to Singapore where I spent more time in airplanes traveling there and back then I did actually on the ground in Singapore! (I was only there about 36 hours.)
But it's the people that make the travel worth it! I've met incredible people doing great work to keep the Internet open in so many different places... and in places that quite honestly I would never have even imagined that I'd wind up going! Sure, I've traveled through North America and Europe, but I mean... Russia? (see also: my thoughts on walking in Red Square) China? South Africa? India? Colombia? Poland? Singapore? Brazil? It's been a privilege to be in those places and meet these people doing such great work.
I hope that in some small way I've been able to help them with their efforts. I've certainly learned from what they are doing... and that's been fed directly back into what we're doing within the Deploy360 Programme.
Two years into the role there is still a great amount of work to do... we have content roadmaps that outline MANY documents we want to either find or create... we have new topics that we want to add to the site... we have code we want to help get created... we have new best current operational practices to help document... we have other groups we want to engage with...
The two years seem to have flown by rather quickly - it's been rather a whirlwind ... but I'm looking forward to where the next two years go. Lots to do - and the challenges ahead for the open nature of the Internet are only going to get tougher and more demanding!
I know I haven't been writing here on DisruptiveTelephony as much as I used to... but I'm hoping to do a bit more in the time ahead. Much of my writing these days is on the Deploy360 blog and sometimes over on CircleID. You can always track my writing via my danyork.me site... or of course follow me on any of the social networks.
Thanks for all the support and help that so many of you have given me over these past two years - and I look forward to working with so many more of you in the months and years ahead!
P.S. One great way you can help is to join the Internet Society to stay up-to-date on current issues affecting the Internet - membership is free for individuals. You can also subscribe to my infrequent email newsletter where I hit many of these topics.
Audio commentary related to this post can be found at:
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- following me on App.net
- subscribing to my email newsletter; or
- subscribing to the RSS feed
Sep 19
TDYR #037 – Two Years At The Internet Society
Two years ago today I started work at the Internet Society (ISOC). In this episode I briefly look back at the two years and what it has all meant to me. More info in this post: http://www.disruptivetelephony.com/2013/09/two-years-at-the-internet-society.html
My work at the Internet Society can be found at http://www.internetsociety.org/deploy360/
Sep 19
TDYR #036 – Consistency Is The Key To Online Content Creation / Blogging / Podcasting
Starting to create content online is EASY... keeping it *going* is the challenge. In this episode I talk about how *consistency* is the key to success in online communication and online content creation, whether that is blogging, podcasting, video, audio, social media such as Twitter or Facebook... or just posting content to your website
Sep 18
6 TLDs for Honduras, East Timor And Multiple Islands Are Now Signed With DNSSEC
We were delighted to learn from Garth Miller, the administrative contact for the .CX top-level domain (TLD), that 6 more TLDs have been signed with DNSSEC and now have DS records in the root zone. This means that people and businesses with domains registered in these TLDs can now receive the higher level of security possible with DNSSEC:
- CX – Christmas Island – http://dnsviz.net/d/dnssec.cx/dnssec/
- GS – South Georgia and South Sandwich Islands – http://dnsviz.net/d/dnssec.gs/dnssec/
- HN – Hondurus – http://dnsviz.net/d/dnssec.hn/dnssec/
- NF – Norfolk Island – http://dnsviz.net/d/dnssec.nf/dnssec/
- SB – Solomon Islands - http://dnsviz.net/d/dnssec.sb/dnssec/
- TL – Timor-Leste (also known as East Timor) - http://dnsviz.net/d/dnssec.tl/dnssec/
If you have a domain registered in those TLDs, your registrar should now be able to pass the required DS record up to the TLD registry. (See our page about registrars and DNSSEC for more information about this process with some registrars.) If your registrar does not yet support the uploading of DNSSEC information, now would be a great time to start asking them! 
Congratulations to Garth Miller and the teams associated with the various TLDs for making these signed TLDs happen. Per ICANN’s TLD Report, there are now 111 out of 318 TLDs signed which is excellent progress. (These new signed TLDs are also visible on the DNSSEC deployment maps we recently published.)
P.S. Bonus points if you know where all the islands are! I had to pull out a map for a couple of them.
Sep 17
4 More Days To Submit Speaking Ideas For DNSSEC Workshop At ICANN 48
Will you be attending the ICANN 48 meeting in Buenos Aires, Argentina, in November 2013? If so, you have four more days to submit a speaking proposal for the DNSSEC Workshop planned for Wednesday, November 20, 2013. I wrote about the call for speakers earlier but since that time the program committee decided to extend the proposal deadline to this Friday, September 20, 2013. (We received feedback that people were still returning from summer holidays and our original deadline was too close to that.
We have a great line up of speakers so far, including some excellent folks to give us updates on DNSSEC in Latin America, but we still have room for a few more proposals. The Call For Participation is included again below, along with the email address to which to send your ideas.
Thanks – and we’ll see you in Buenos Aires!
The DNSSEC Workshop program committee, of which I am a member, is seeking speakers for sessions on:
- DNSSEC activities in Latin America
- The operational realities of running DNSSEC
- DNSSEC and enterprise activities
- When unexpected events occur
- Preparing for root key rollover
- DANE and other DNSSEC applications
- DNSSEC automation
- Guidance for registrars in implementing DNSSEC
- APIs between registrars and DNS hosting operators
In this session, we are particularly interested in hearing from people who have found (or developed) solutions for automating their implementation of DNSSEC. We are also very interested in hearing from registrars given that the 2013 Registrar Accreditation Agreement (RAA) with ICANN will require ICANN-accredited registrars to at the very least support the acceptance of DNSSEC records from registrants.
The full “Call for Participation” is below that provides more details. If you have an idea for a presentation, please send a brief 1 or 2 sentence description to dnssec-buenosaires@shinkuro.com which will reach the whole program committee. (Please send email rather than leave a comment here.)
We already have some solid speakers who have indicated their interest and so we’re very much looking forward to another excellent session. I’ll also note that the ICANN meetings are free to attend – you have to register but there is no cost. You just have to pay for your travel and expenses to get to Buenos Aires. The DNSSEC Workshop will also be streamed live over the Internet for those wishing to watch/listen and will be archived for later viewing.
These workshops are really excellent technical sessions. I would encourage you to attend if at all possible and I would definitely encourage you to submit a proposal to speak. We’re always interested in hearing new perspectives.
Call for Participation — ICANN DNSSEC Workshop 20 November 2013
The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Buenos Aires, Argentina on 20 November 2013. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Durban, South Africa on 17 July 2013. The presentations and transcripts are available at: http://durban47.icann.org/node/39749.
We are seeking presentations on the following topics:
1. DNSSEC Activities in Latin America:
For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Latin America, but also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implement DNSSEC or not?
2. The Operational Realities of Running DNSSEC
Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?
3. DNSSEC and Enterprise Activities
DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:
* What is the current status of DNSSEC deployment among enterprises?
* What plans do the major enterprises have for their DNSSEC roadmaps?
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations? Do they foresee raising awareness of DNSSEC with their customers?
4. When Unexpected DNSSEC Events Occur
What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?
5. Preparing for Root Key Rollover
For this topic we are seeking input on issues relating to root key rollover. In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.
6. DANE and Other DNSSEC Applications
The DNS-based Authentication of Named Entitites (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE become a deployable reality?
* How can the industry used DANE as a mechanism for creating a more secure Internet?
7. DNSSEC Automation:
For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where in the various pieces that make up DNSSEC signing and validation are the best opportunities for automation?
* What are the costs and benefits of different approaches to automation?
8. Guidance for Registrars in Supporting DNSSEC:
The 2013 Registrar Accreditation Agreement (RAA) for Registrars and Resellers requires the support of DNSSEC beginning on January 1, 2014. We are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC support?
* What information do registrars need to provide to resellers and ultimately customers?
We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.
9. APIs Between the Registrars and DNS Hosting Operators:
One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Right now the communication, such as the transfer of a DS record, occurs primarily by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information – or from people with ideas around how such APIs could be constructed.
In addition, we welcome suggestions for additional topics.
If you are interested in participating, please send a brief (1-2 sentence)
description of your proposed presentation to dnssec-buenosaires@shinkuro.com by **Friday, 06 September 2013**
We hope that you can join us.
Thank you,
Julie Hedlund
On behalf of the DNSSEC Workshop Program Committee:
Steve Crocker, Shinkuro
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Sparta/Parsons
Ondřej Surý, CZ.NIC
Lance Wolak, .ORG, The Public Interest Registry
Yoshiro Yoneya, JPRS
Dan York, Internet Society
Sep 16
Google Confirms Having IPv6 And IPv4 Will NOT Cause Duplicate Content Issues For Search Ranking
Great to see Google’s Matt Cutts formally confirming what many have us have assumed all along – that making a website available over both IPv6 and IPv4 would not bring about a “duplicate content” issue that would incur penalties in search engine ranking. The question Matt answers is:
As we are now closer than ever to switching to IPv6, could you please share info on how Google will evaluate websites. One website being in IPv4, exactly the same one in IPv6 – isn’t it considered duplicate content?
Here’s Matt’s response saying that there won’t be an issue:
If this was a reason you were hearing for NOT moving to IPv6, consider it addressed… why not get started today with making your sites available over IPv6? We’ve got a number of IPv6 resources available for you, including these:
- Tutorial: Making Content Available Over IP
- Video: How To IPv6-Enable ANY Website Using A Content Delivery Network (CDN)
and many more! (And if you can’t find what you need, please let us know! We’re here to help you make the move to IPv6!)
Sep 16
FIR #721 – 9/16/13 – For Immediate Release
FIR app for Windows 8 available; FIR Interview with Chris Muccio is up; FIR on Strategy with Andrea Vascellari is coming soon; Quick News: Mondelez partners with Twitter, Vodaphone's best-practice use of Twitter for customer service, in-bound marketing takes a back seat in agencies, Telegraph hires PBS exec in transition to digital; Ragan promo; News That Fits: the Twitter IPO, Michael Netzley's Asia report, McKinsey study shows execs are bullish on digital, Media Monitoring Minute from CustomScoop, listener comments, don't hide behind a Chief Digital Officer, Dan Yor's report, companies doing a lousy job explaining social purpose; how to comment; music from Tasherra Project; and more.
