Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Friday Humor: The Day The Routers Died

Yes, this video is almost 6 years old… but it’s still worth a laugh on a Friday afternoon!  If you haven’t ever listened to “The Day The Routers Died” performed at the RIPE 55 meeting by Gary Feldman, well… you owe yourself the chance to do so!  And if you have seen it… or were there … it’s a fun look back – many of the people visible are folks who are still very active today!

Note that the full lyrics are available on the YouTube page if you are interested.

(and now I’ve got that song stuck in my head!!!)

Test-ipv6.com Mirror Now Running In Slovenia

We were pleased to recently learn from our own Jan Zorz that he is now hosting a Slovenian mirror of the test-ipv6.com site at:

http://test-ipv6.go6.si/

While located in Slovenia, the site is open to anyone to use to test your IPv6 connectivity.  It is part of the worldwide network of mirrors of test-ipv6.com that have been established.

Very cool to see… and if you, too, are interested in operating a mirror, either as an official or “unofficial” mirror, instructions can be found in the Test-ipv6.com wiki.

New USENIX Paper: Measuring the Practical Impact of DNSSEC Deployment

At the recent 22nd USENIX Security Symposium in Washington, DC, a paper was presented that is now available for download: Measuring the Practical Impact of DNSSEC Deployment, written by several researchers from the University of California along with security researcher Eric Rescorla.  Their work was to explore the cost vs benefit of deploying DNSSEC.  As they note in their abstract:

We have performed a large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients. Our findings corroborate those of previous researchers in showing that a relatively small fraction of users are protected by DNSSEC-validating resolvers. And we show, for the first time, that enabling DNSSEC measurably increases end-to-end resolution failures. For every 10 clients that are protected from DNS tampering when a domain deploys DNSSEC, approximately one ordinary client (primarily in Asia) becomes unable to access the domain.

They go on to provide a background of DNS and DNSSEC, explain their methodology and systems and then outline their results.  To perform their tests, they used web-based ads in what seems like a method similar to what Geoff Huston and George Michaelson have been doing at APNIC. (I have not specifically compared the two methodologies, but both are using web-based ads.)

The paper reaches several interesting conclusions.  First, they found that DNSSEC validation was performed by about 2.6% of users out there. Second, they found that about 1% of clients failed to retrieve a validly DNSSEC-signed resource – and that this was primarily from clients in the Asia Pacific region and was related to DNS resolution falling back to TCP to accommodate larger packet sizes.

The full document is definitely worth a read as there is a wealth of information and also links out to other studies and surveys.  They also include some good cautions in there for people undertaking similar advertising-based studies.

My one question about the study was when the measurements were taken and whether it was before or after Google enabled DNSSEC validation on their Public DNS servers back in May.  I couldn’t find the timeframe in the study, but that could be important, as Geoff Huston’s latest measurements showed a jump in DNSSEC validation from 3.3% to 8.1% after Google made their change.

Regardless, it’s great to see these kinds of studies out there and I look forward to reading any further research the team may perform in this area.

TDYR #029 – Leaving The Internet To Speak French For A Week


Network Computing: IPv6 Adoption On The Rise

We were very pleased to see the article “IPv6 Adoption On The Rise” appear in Network Computing last week where author Tom Hollingsworth wrote about some of the new IPv6 adoption statistics coming out of the folks at RIPE NCC.  As he writes:

The more interesting number comes again from RIPE when you cross reference the number of IPv4 prefixes that are also announcing IPv6 prefixes. Almost 70% of the IPv4 address space is being announced by networks that also announce IPv6. That’s pretty impressive. When you break it down by the size of the IPv4 network, it gets even better: The majority of networks with more than 100,000 IPv4 addresses are announcing IPv6 as well.

All of which is great to see!  Looking at the specific RIPE NCC graph he references, I find it great to see that over 20% of networks in the APNIC region are already advertising IPv6 prefixes.

All in all just yet more signs that IPv6 adoption is moving upward!  Have you deployed IPv6 yet?  If not, why not?  How can we help you?

FIR #717 – 8/19/13 – For Immediate Release

Coming up: Bloggade, FIR Live on Google link rules, and two FIR interviews; Quick News: AppNet's first birthday, SNCR's Coalition for Secure Digital Media, Slack's launch, YouTube's freeze of views at 301; Ragan promo; News That Fits: checking the facts with Full Fact Finder, Dan York's report, companies aren't adding social media to crisis plans, Media Monitoring Minute from CustomScoop, listener comments, Audi's augmented reality iPhone app, Twitter's study into viral videos; music from The House of Jed; and more.

TDYR #028 – TextIt, A New SMS App Service From Rwanda, Africa

I was fascinated by TextIt, a new SMS application service, not so much by their service, which is cool, but by the fact that they come out of Kigali, Rwanda, in Africa. Read the Hacker News thread to understand the technical aspects behind what they are doing - it's very cool and a sign of the incredible energy and innovation coming out of Africa! http://textit.in/ https://news.ycombinator.com/item?id=6212029

Friday Humor: “Keep Calm and Enable DNSSEC” (and IPv6, too!)

Given that it’s a Friday afternoon and the end of our work week, I felt there was no better way to end the week than to highlight the image tweeted out by Marco Davids of SIDN this morning.  Yes, indeed, we in the DNSSEC community now have our own version of the (overused?) “Keep Calm” Internet meme…

(And you can get the full-size version via Marco’s Twitter account.)

Now in seeing Marco’s tweet, I learned of www.keepcalm-o-matic.co.uk which I kind of knew had to exist out there somewhere, but had just never taken the time to find.

So… in order that IPv6 advocates don’t feel left out… I’ve created a “Keep Calm and Enable IPv6” image as well!  (And yes, I tried fitting both DNSSEC and IPv6 in, but didn’t like the result.)

Anyway, thanks, Marco, for giving us something to smile about today!   Have a great Friday afternoon… and for those of you who have a weekend ahead of you, I hope you have a great one!

Video: Matt Mullenweg’s State of the Word 2013

If you are a fan of WordPress... if you use WordPress or maintain a WordPress site... and haven't yet watched Matt Mullenweg's "State of the Word 2013" talk from WordCamp San Francisco in July, I'd strongly encourage you to sit down for a bit and watch:

It's a great view into where the WordPress ecosystem is today - and where it is going in the future. Incredible stats, such as 46 million downloads in just the past 12 months! 336 new themes added in the past 12 months. 6,758 plugins added in the last year... and so much more.

A huge number is that 18.9% of web sites on the Internet now run WordPress!

Intriguing info about WordPress as an app platform... and where it is all going...



Digging Into The August 14 .GOV Outage Related To DNSSEC

Over the past day there have been a number of news reports talking about the brief outage that occurred yesterday, August 14, 2013, when sites ending in .GOV were unreachable if you were performing DNSSEC validation on those domain names.  Many of those news reports are pointing at Johannes Ullrich’s post on the SANS ISC Diary site where he noted this issue.

The issue was fixed relatively quickly and the speculation on the dns-operations mailing list was later verified by a message sent from Verisign’s Duane Wessels to a number of mailing lists:

On the morning of August 14, a relatively small number of networks may have experienced an operational disruption related to the signing of the .gov zone.  In preparation for a previously announced algorithm rollover, a software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8.  As a result .gov name resolution may have failed for validating recursive name servers.  Upon discovery of the issue, Verisign took prompt action to restore the valid zone.

We can argue, perhaps, with the statement that “a relatively small number of networks” experienced this issue as those “networks” include all of Comcast’s 18 million users plus the millions of users out there who are using Google’s Public DNS services, as well as all the many other ISPs around the world who have enabled DNSSEC validation for their customers.

However, it may be true that a relatively small number of users of those networks happened to be visiting .GOV sites during the time period in question.

Regardless, the important part is to note here that this was an operational issue with the administration of DNSSEC for the .GOV domain rather than any particular issues related to the technology behind DNSSEC.  As Duane Wessels had noted in an earlier message back on July 30, 2013, the .GOV zone is preparing to make a change to make its deployment of DNSSEC more secure:

An algorithm roll for the .gov zone will occur at the end of August, 2013.  This notice is provided as a courtesy to the DNSSEC community.  No action should be required on your part.

The .gov zone is currently signed with algorithm 7 (RSASHA1-NSEC3-SHA1) and will be changed to use algorithm 8 (RSA/SHA-256), bringing it in line with other top-level domains such as .com, .net, and the root zone.  The zone will be signed with both algorithms for a period of approximately 10 days.

Further scheduling details will be provided one week before the algorithm roll begins.

It seems that in Verisign’s preparations for that change an error was made and an incorrectly configured zone file was published instead.  While obviously it would be preferable if the mistake had not been made, kudos to the team at Verisign for correcting the issue quickly and for also reporting back to the larger DNS / DNSSEC operations community on what the problem was that occurred.
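A pre-publication check for this failure mode, as an added example that is not from the original post or from Verisign: it applies the RFC 4035 section 2.2 rule that the apex DNSKEY RRset must be signed with every algorithm in the parent's DS RRset, and that every RRset must carry a signature for each DNSKEY algorithm. All records are constructed placeholders, and the parent DS still referencing an algorithm 7 key is an assumption of the sample.

```python
# Constructed sample data: key tags, digests, keys and signatures are
# placeholders, not the real .gov records. Assumption: parent DS uses alg 7.
PARENT_DS = "gov. 86400 IN DS 11111 7 2 PLACEHOLDERDIGEST\n"
SIG = "1 86400 20130901000000 20130801000000"

def sample_zone(algs):
    """Build a constructed apex: SOA + DNSKEY RRsets signed with each alg."""
    lines = ["gov. 86400 IN SOA ns.invalid. admin.invalid. 1 3600 900 604800 86400"]
    for a in algs:
        lines.append(f"gov. 86400 IN DNSKEY 257 3 {a} PLACEHOLDERKEY")
        for covered in ("SOA", "DNSKEY"):
            lines.append(f"gov. 86400 IN RRSIG {covered} {a} {SIG} 11111 gov. PLACEHOLDERSIG")
    return "\n".join(lines)

def parse(text):
    """Yield (owner, type, rdata_fields) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":
            yield f[0].lower(), f[3].upper(), f[4:]

def check_rollover(parent_ds_text, zone_text):
    """Return a list of algorithm-coverage problems (empty list = safe to publish).

    Simplified: assumes every RRset in zone_text is authoritative, so
    delegation NS and glue records (which are never signed) are not handled.
    """
    ds_algs = {int(rd[1]) for _, t, rd in parse(parent_ds_text) if t == "DS"}
    zone = list(parse(zone_text))
    key_algs = {int(rd[2]) for _, t, rd in zone if t == "DNSKEY"}
    sig_algs = {}  # (owner, covered type) -> set of signing algorithms
    for owner, t, rd in zone:
        if t == "RRSIG":
            sig_algs.setdefault((owner, rd[0].upper()), set()).add(int(rd[1]))
    problems = [f"parent DS uses algorithm {a} but zone has no DNSKEY with it"
                for a in sorted(ds_algs - key_algs)]
    for owner, t in sorted({(o, t) for o, t, _ in zone if t != "RRSIG"}):
        # The DNSKEY RRset must also cover every algorithm the parent DS names.
        required = key_algs | ds_algs if t == "DNSKEY" else key_algs
        for a in sorted(required - sig_algs.get((owner, t), set())):
            problems.append(f"{owner} {t} RRset lacks an RRSIG with algorithm {a}")
    return problems

if __name__ == "__main__":
    for label, algs in (("both 7 and 8", [7, 8]), ("only 8", [8])):
        print(label, "->", check_rollover(PARENT_DS, sample_zone(algs)) or "OK")
```

Run against the zone about to be published and the DS RRset currently served by the parent, a non-empty result is a reason to block the publish step.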

Duane Wessels noted in his message today that Verisign is still planning to proceed with the algorithm rollover at the end of August and so we can expect to see more communication from them as they proceed with the change.