Jul 23
2 DNSSEC / DANE Sessions Next Week At IETF 87 In Berlin
Next week is the 87th meeting of the Internet Engineering Task Force (IETF) in Berlin, Germany, and there will be two working groups meeting that are related to DNSSEC on the agenda:
DNSOP
The DNSOP (DNS Operations) Working Group will meet on Thursday, August 1, from 1520-1650 (Berlin time) in the Bellevue room. There are 3 major items on the DNSOP agenda, but the one of strong importance related to DNSSEC is the discussion about how to communicate that there has been a change in the Key Signing Key (KSK) from a child zone up to a parent zone. In other words, when you create a new KSK for your child zone, can we get an automated way to communicate the existence of this new KSK to the parent zone so that a DS record can be created and the global chain of trust can be updated?
Somewhat ironically, I experienced this precise issue myself last week when, during the DNSSEC Workshop at ICANN 47, a KSK on one of my personal zones expired. The company providing DNS hosting for that domain automatically generated a new KSK, but they have no way of alerting the parent zone (.ORG in this case) that a new DS record is ready for upload. I had to log in to the web interface for my registrar and copy/paste the DS record from the web interface of my DNS hosting provider. Meanwhile, my domain was failing validation.
There are two different proposals for mechanisms to automate this process. Warren Kumari, Olafur Gudmundsson and George Barwood submitted draft-kumari-ogud-dnsop-cds that proposed the creation of a new “CDS” record type in DNS. Essentially, the parent zone will periodically poll the child zones and if a new CDS record is found the parent zone will update the DS record for the zone. Separately, Wes Hardaker developed draft-hardaker-dnsop-csync providing a similar but broader mechanism for synchronizing child and parent zones. This draft involves the creation of a “CSYNC” record type in DNS which tells the parent zone which records in the child zone need to be updated in the parent zone. Wes originally wrote the draft to look at how to synchronize NS records and their associated A and AAAA records (what we often call “glue” records) between child and parent zones but then added support for DS and DNSKEY records to stimulate further discussion.
At DNSOP there will be a joint presentation about the two drafts with an interest in looking at “where do we go from here”. It should be an interesting discussion and if you are unable to attend in person you can listen to the remote audio stream at the specified time.
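The comparison behind both the manual copy/paste described above and the proposed automated polling, as an added example that is not from the original post or from either draft: it derives the DS a parent should hold from a child's KSK (RFC 4034, digest type 2, SHA-256) and diffs it against what the parent publishes. The zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def compare_with_parent(owner, child_ksks, parent_ds):
    """Diff the DS set the child's KSKs imply against the parent's DS set."""
    wanted = {make_ds(owner, k) for k in child_ksks}
    # Hex digests are case-insensitive; normalise what the parent publishes.
    published = {(t, a, d, h.lower()) for t, a, d, h in parent_ds}
    return {
        # At least one parent DS must match a current KSK, or validation fails.
        "chain_intact": bool(wanted & published),
        "missing_at_parent": sorted(wanted - published),
        "stale_at_parent": sorted(published - wanted),
    }

# Constructed sample keys (arbitrary bytes, not real zone keys).
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(65, 129)))
PARENT_DS = [make_ds("example.org.", OLD_KSK)]  # parent still holds the old DS

if __name__ == "__main__":
    # Child replaced its KSK without the parent learning of it: chain is broken.
    print(compare_with_parent("example.org.", [NEW_KSK], PARENT_DS))
```

Publishing the new KSK alongside the old one until the parent's DS set has been updated keeps `chain_intact` true throughout the rollover.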
DANE
Right after DNSOP, the DANE Working Group will meet on Thursday, August 1, from 1700-1830 (Berlin time) in the Potsdam 1 room. With RFC 6698 now specifying the DANE protocol, the WG is focused more on how DANE will be used by various services. The agenda has not yet been posted, but there has been active discussion on the DANE mailing list about drafts relating to using DANE with email (both SMTP and S/MIME) and with voice-over-IP (SIP) as well as with OpenPGP and OTR. As someone who sees DANE as a powerful reason to deploy DNSSEC, I’m very much looking forward to the discussion in this group and to seeing where DANE is going.
If you are unable to attend IETF 87 in person, you will be able to listen remotely to the DANE working group at its specified time.
Jul 22
FIR #713 – 7/22/13 – For Immediate Release
Jul 18
Over 8% Of Internet Users Now Use DNSSEC Validation, per Geoff Huston
Yesterday Geoff Huston published a long post on CircleID titled “DNS, DNSSEC and Google’s Public DNS Service” where he walks through the ongoing DNSSEC measurement efforts he and his team have been doing using flash-based advertisements. I recommend reading through the entire post, but the key part I was pleased to see was simply this:
Since March 2013 we’ve seen the proportion of end users who use DNSSEC resolvers that perform DNSSEC validation rise from 3.3% to 8.1%, or a rise of some 4.7%.
As Geoff notes, most of this rise was due to DNSSEC validation now being performed by Google’s Public DNS service, but his article has some fascinating statistics about where Google Public DNS appears to be in use.
He also lists the countries with the highest percentage of DNSSEC-validating clients. To no surprise given their long involvement with DNSSEC, Sweden came out on top, but a number of the other countries listed may not be the ones you would expect.
It is all very cool to see and I look forward to watching these percentages grow over time!
Jul 18
TDYR #023 – The Energy Of Africa
Jul 17
TDYR #022 – “Africa Straight Up” – Breaking Down Stereotypes
Jul 17
DNSSEC Workshop Streaming Live Now Out Of ICANN47
If you are interested in the technical side of DNSSEC, there is a great 6+ hour workshop happening right now at ICANN 47 in Durban, South Africa. You can listen to the audio and watch the slides at:
http://durban47.icann.org/node/39749
I am also live-tweeting some information and links out of our Twitter account at http://twitter.com/deploy360
It is a great agenda bringing together many of the leading researchers and implementers of DNSSEC. Topics today include:
- DNSSEC Deployment Around the World
- DNSSEC for Managers – The Three Spheres
- Panel Discussion: DNSSEC Activities in Africa – ISPs, Registries, and Registrars
- Panel Discussion: DNSSEC Obligations in the Registration Accreditation Agreement
- Presentation: Patrik Fältström, NetNod – Is the World Upside Down?
- Panel Discussion: DNSSEC Planning and Operation
- Panel Discussion – DNSSEC Innovation: DANE and Other DNSSEC Applications
(The full agenda is available online.)
If you can’t watch live right now, the sessions are being recorded so that you will be able to watch them later.
Jul 16
Helping Expand DNSSEC Deployment By Working With Shinkuro And Parsons/SPARTA
When we began what would become the Deploy360 Programme about 18 months ago, we were concerned about how our activity regarding promoting DNSSEC deployment would be seen by other groups already active in the space. For instance we were very aware that there was the DNSSEC Deployment Initiative, funded by the U.S. Department of Homeland Security (DHS), that had been very active for a good number of years. The program had spawned a whole series of DNSSEC-related tools, a blog, the dnssec-deployment mailing list and other activities. How could we best complement this existing work? And would we be seen as a helpful new addition to the overall work? Or would we be seen as a competitor to be distrusted?
We were concerned and tried to step carefully as we began. To our delight what we found was a very welcoming community that was very appreciative of the energy and platform that we were bringing to the effort. Over the past year in particular we have worked very closely with both Steve Crocker and his team at Shinkuro, Inc., and Russ Mundy and his tools-focused team at a company originally called SPARTA and now part of a larger company, Parsons. We’ve now been working with them on a variety of projects, including the monthly “DNSSEC Coordination Calls” that bring together people from across the community and industry interested in promoting and advancing the deployment of DNSSEC (and anyone is welcome to join the dnssec-coord mailing list).
And so it is with great pleasure that we can announce a formal Memorandum of Understanding (MoU) between the Internet Society, Shinkuro, and Parsons related to our combined efforts. The MoU document, now posted to our site, explains the history and roles of each entity and reaffirms our joint commitment to doing all we can to work with the rest of the larger DNS community to bring about the full deployment of DNSSEC around the world.
Steve Crocker and I had a chance to jointly talk about this MoU and our combined effort at the Internet Society Advisory Council meeting held in Beijing in April. The photo accompanying this post shows us holding the signed MoU. Russ Mundy was also there earlier in the week for the DNSSEC Workshop that we are all involved with that takes place at ICANN meetings.
The signing of this MoU is an endorsement of the work we are already doing together – and a commitment by all three of us to work together to use the open multi-stakeholder process to involve even more people and organizations and to help the broader world understand how DNSSEC can significantly upgrade the security of the Internet.
We’re looking forward to continuing and expanding our work with Shinkuro and Parsons – and all of you! Please join us… you can join the dnssec-coord mailing list, join the DNSSEC communities on social networks or email, follow us on social networks, come to one of our ION conferences or the DNSSEC workshops at ICANN meetings… or just keep following us here on the site!
Let’s get to work and help get DNSSEC deployed everywhere!
Jul 16
TDYR #021 – In South Africa This Week For ICANN 47 And The Africa DNS Forum
Jul 15
Watch “DNSSEC For Everyone – A Beginner’s Guide” Live Today From ICANN47
Want to understand what DNSSEC is all about? Would you like to understand how DNSSEC helps make DNS more secure? And why DNSSEC is important?
Today (July 15, 2013) we’ll be streaming the “DNSSEC For Everyone – A Beginner’s Guide” session live out of ICANN 47 in Durban, South Africa. This is a fun session that takes a humorous view on DNSSEC… and includes a number of people (myself included) acting out a skit showing how DNS and DNSSEC work! Feedback from past sessions is that it has helped people better understand how this all works – and so we encourage you to watch if you can.
You can watch the video and slides for the session at:
http://icann.adobeconnect.com/dur47-hall1b
An audio-only streaming option is also available from the session page on the ICANN 47 web site.
The session begins at 5:00pm in Durban, South Africa, which is also 5:00pm in central Europe and 11:00am in US Eastern time.
If you can’t watch the event live, I will be recording the video locally and will post a copy to the Deploy360 YouTube channel as soon as I can.
Jul 15