Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Digging Into The August 14 .GOV Outage Related To DNSSEC

Over the past day there have been a number of news reports talking about the brief outage that occurred yesterday, August 14, 2013, when sites ending in .GOV were unreachable if you were performing DNSSEC validation on those domain names. Many of those news reports are pointing at Johannes Ullrich’s post on the SANS ISC Diary site where he noted this issue.

The issue was fixed relatively quickly and the speculation on the dns-operations mailing list was later verified by a message sent from Verisign’s Duane Wessels to a number of mailing lists:

On the morning of August 14, a relatively small number of networks may have experienced an operational disruption related to the signing of the .gov zone.  In preparation for a previously announced algorithm rollover, a software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8.  As a result .gov name resolution may have failed for validating recursive name servers.  Upon discovery of the issue, Verisign took prompt action to restore the valid zone.

We can argue, perhaps, with the statement that “a relatively small number of networks” experienced this issue as those “networks” include all of Comcast’s 18 million users plus the millions of users out there who are using Google’s Public DNS services, as well as all the many other ISPs around the world who have enabled DNSSEC validation for their customers.

However, it may be true that a relatively small number of users of those networks happened to be visiting .GOV sites during the time period in question.

Regardless, the important part is to note here that this was an operational issue with the administration of DNSSEC for the .GOV domain rather than any particular issues related to the technology behind DNSSEC.  As Duane Wessels had noted in an earlier message back on July 30, 2013, the .GOV zone is preparing to make a change to make its deployment of DNSSEC more secure:

An algorithm roll for the .gov zone will occur at the end of August, 2013.  This notice is provided as a courtesy to the DNSSEC community.  No action should be required on your part.

The .gov zone is currently signed with algorithm 7 (RSASHA1-NSEC3-SHA1) and will be changed to use algorithm 8 (RSA/SHA-256), bringing it in line with other top-level domains such as .com, .net, and the root zone.  The zone will be signed with both algorithms for a period of approximately 10 days.

Further scheduling details will be provided one week before the algorithm roll begins.

It seems that in Verisign’s preparations for that change an error was made and an incorrectly configured zone file was published instead.  While obviously it would be preferable if the mistake had not been made, kudos to the team at Verisign for correcting the issue quickly and for also reporting back to the larger DNS / DNSSEC operations community on what the problem was that occurred.

Duane Wessels noted in his message today that Verisign is still planning to proceed with the algorithm rollover at the end of August and so we can expect to see more communication from them as they proceed with the change.
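The failure described above (a zone published with signatures from only one of the two algorithms during a rollover) can be caught before publication. The following is an added example, not code from the original post or from Verisign: it applies the RFC 4035 section 2.2 rule that every RRset needs an RRSIG for each algorithm in the apex DNSKEY RRset, and that the DNSKEY RRset needs one for each algorithm in the parent's DS RRset. It assumes the parent still holds an algorithm 7 DS; the function names are hypothetical and all records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records (placeholder key tags, keys and signatures).
PARENT = "example. 86400 IN DS 11111 7 2 AAAA"
BROKEN_ZONE = """
example. 86400 IN DNSKEY 257 3 8 BBBB
example. 86400 IN RRSIG DNSKEY 8 1 86400 20130821000000 20130814000000 22222 example. CCCC
example. 86400 IN SOA a.example. b.example. 1 3600 900 604800 86400
example. 86400 IN RRSIG SOA 8 1 86400 20130821000000 20130814000000 22222 example. DDDD
"""
DUAL_SIGNED_ZONE = BROKEN_ZONE + """
example. 86400 IN DNSKEY 257 3 7 EEEE
example. 86400 IN RRSIG DNSKEY 7 1 86400 20130821000000 20130814000000 11111 example. FFFF
example. 86400 IN RRSIG SOA 7 1 86400 20130821000000 20130814000000 11111 example. GGGG
"""

def parse_records(text):
    """Collect DS algorithms, DNSKEY algorithms and RRSIG algorithms per RRset."""
    ds, dnskey, rrsigs = set(), set(), defaultdict(set)
    for line in text.splitlines():
        f = line.split()          # owner ttl class type rdata...
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "DS":         # keytag algorithm digest-type digest
            ds.add(int(rdata[1]))
        elif rtype == "DNSKEY":   # flags protocol algorithm public-key
            dnskey.add(int(rdata[2]))
        elif rtype == "RRSIG":    # type-covered algorithm labels ...
            rrsigs[(owner, rdata[0].upper())].add(int(rdata[1]))
    return ds, dnskey, rrsigs

def check_rollover(parent_text, zone_text):
    """Return a list of problems a validating resolver would trip over."""
    ds, _, _ = parse_records(parent_text)
    _, dnskey, rrsigs = parse_records(zone_text)
    problems = [f"parent DS uses algorithm {a} but zone has no DNSKEY with it"
                for a in sorted(ds - dnskey)]
    for (owner, covered), algs in sorted(rrsigs.items()):
        # The DNSKEY RRset must also be signed by every algorithm in the DS set.
        required = dnskey | (ds if covered == "DNSKEY" else set())
        for a in sorted(required - algs):
            problems.append(f"{owner} {covered}: no RRSIG with algorithm {a}")
    return problems

if __name__ == "__main__":
    for name, zone in (("algorithm 8 only", BROKEN_ZONE), ("dual-signed", DUAL_SIGNED_ZONE)):
        print(name, "->", check_rollover(PARENT, zone) or "OK")
```
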

 

Amused By Spotify’s Clever Suggestions of Popular Music "When You Were In School"

Working in a home office, I've found that I enjoy having Spotify on in the background playing a much larger range of music than what I have in my own collection. I have found the "Discover" tab to be quite a useful way to learn of newer bands that I have never heard of before. I did have to laugh yesterday, though, when I encountered this box in the Discover tab:

[Image: Spotify suggestions]

Yes, indeed, as any child of the '80s can attest, both of those were quite popular... I remember a summer around 1985 when it seemed like every radio station (remember them?) had "Money For Nothing" on near-constant repeat.

Similarly, Spotify noted that songs were "huge when you were a teenager", such as:

[Image: Spotify huge]

And I do remember, and still play, that Billy Joel song, although I'll admit that I don't really remember that Eddie Murphy song at all.

Regardless, it's definitely a clever and fun way that Spotify is using my age data to help highlight songs that I might want to listen to again.

If you have been using Spotify's Discover tab, have you rediscovered some old songs this way?



TDYR #027 – 10 Years Ago Today, The Massive Power Blackout In US And Canada

10 years ago today, on August 14, 2003, there was a massive power outage that affected Ontario, Canada, and much of the northeastern United States. In this episode I reflect on where I was that day and some of my thoughts around that event, as well as what it means for complex systems. More information about the event can be found at: http://en.wikipedia.org/wiki/Northeast_blackout_of_2003

Video: IETF Chair Jari Arkko Summarizes The Activities of IETF 87 In Berlin (Featured Blog)

The 87th meeting of the Internet Engineering Task Force (IETF) in Berlin, Germany, concluded on August 2, 2013. IETF Chair Jari Arkko recently published his summary of IETF 87 on the IETF Blog highlighting what he felt were some of the more important aspects of what was a very successful IETF meeting. I also had the privilege of interviewing Jari on video about the meeting. More...

FIR #716 – 8/12/13 – For Immediate Release

AirPR interview is up, marketing automation and Melbourne Mandate interviews coming, Bloggade 2013 is coming up; Quick news: promoted tweets boost offline sales, MixBit adds collaboration to Vine-Instagram competitor, top three tips from a LinkedIn expert, what consumers hate about social brands; Ragan promo; News That Fits: Google's new press release rules, Michael Netzley's Asia Report, how crooks are hijacking your Facebook likes, Media Monitoring Minute from CustomScoop, listener comments, executive email carpetbombing a good reason for execs to go social, Dan York's report, how BBC kept the new Doctor Who a secret; music from New Mastersounds; and more.

FIR #716 – 12/5/13 – For Immediate Release

FIR Interview with AirPR CEO up, interviews coming with Craig Jolley and with Jean Valin and Dan Tisch, Bloggade 2013; Twitter promoted tweets, MixBit, top 3 LinkedIn tips, what consumers hate about social brands; Ragan promo, Google's new rules for press releases; Michael Netzley's Asia report, hijacking Facebook likes, Media Monitoring Minute, listener comments, executives might as well go social, Dan York's report, BBC PR strategy behind naming the new Doctor Who, music from New Mastersounds; and more.

TDYR #026 – Grüße Aus Berlin! at InterContinental Berlin

TDYR #026 - Grüße Aus Berlin! at InterContinental Berlin by Dan York

Slides: Introduction To The DANE Protocol

At the DNSSEC Workshop earlier this month at ICANN 47 in South Africa, I gave an introductory tutorial about the DANE protocol and how it can be used to secure Internet communication such as that through a web browser. I explained how DANE works, outlined some use cases and provided a series of links for people to learn more. The slides are now online:

I did record a video of the presentation and hope to get that uploaded in the next couple of (busy!) weeks.

More information about DANE can of course be found on our page about the DANE protocol.

Can We Create A Secure Caller ID For VoIP? (Featured Blog)

More...

Can We Create a Secure Caller ID For VoIP? (Featured Blog)

Can we create a "secure Caller ID" for IP-based communications, a.k.a. voice-over-IP (VoIP)? And specifically for VoIP based on the Session Initiation Protocol (SIP)? Can we create a way to securely identify the origin of a call that can be used to combat robocalling, phishing and telephony denial-of-service (TDOS) attacks? That is the challenge to be undertaken by the "Secure Telephone Identity Revisited (STIR)" group meeting tomorrow morning, July 30, 2013, at 9:00 am in Berlin, Germany, as part of the 87th meeting of the Internet Engineering Task Force (IETF). More...