Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Mar 26

Skip Tuesday and Go Directly To Wednesday

Skip Tuesday and Go Directly To Wednesday by Dan York

Mar 25

Slides: DANE, the next big thing after DNSSEC

What is the DANE protocol all about? How does it protect Internet communication? How does it relate to SSL/TLS certificates? What is wrong with the Web’s public key infrastructure (PKI), anyway?

At a recent cybersecurity conference in the Netherlands, Marco Davids of SIDN gave a presentation titled, “DANE, the next big thing after DNSSEC,” that covers these and other questions – and does so with a good degree of detail. His slides are available:

DANE presentation by SIDN

We, too, agree that DANE has a great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. We would encourage you to look at our DANE resources and start looking at what you can do today!

Mar 25

Video: The Mobile Business Case for IPv6

At the World IPv6 Congress in Paris last week, Cisco’s Mark Townsley gave this great interview about the business case for IPv6 in mobile networks:

It was great to hear his mention that Verizon is sending 30% of its traffic to Google over IPv6 as well as the mention of IPv6 growth on other mobile networks.

Hat tip to Cisco’s blog, where we first spotted mention of this video.

Mar 25

FIR #696 – 3/25/13 – For Immediate Release

Steve Rubel interview coming; FIR discount to London conference; Neville on March 27 panel; Quick news: Klout opens business dashboard, implications of AP's win vs. Meltwater, NYT attempts structured comments, Amazon launches Send to Kindle button; Ragan promo; News that Fits: 5 seconds to tell your story, Michael Netzley's Asia report, Coca-Cola asserts buzz doesn't affect short-term sales, Media Monitoring Minute from CustomScoop, how social media improved writing, Dan York's report, PR content in a mobile world; how to comment; music from the David Nelson Band; and more.

Mar 22

Google Clarifies DNSSEC Support – Opt In Now, Full Validation Coming Soon

Google logoAfter Google’s announcement earlier this week of DNSSEC validation support in their Public DNS service, there was some concern and discussion in various DNSSEC mailing lists about the fact that DNSSEC validation was not being performed by default and required a client to request validation.  Folks at Google clarified that this was just part of their initial rollout and that providing full validation is in their plans.

They have now also updated their FAQ about DNSSEC support in Google Public DNS and most importantly updated these two questions (my emphasis added):

Does Google Public DNS support the DNSSEC protocol?
Yes. Google Public DNS is a validating, security-aware resolver. Currently this is an opt-in feature: for queries coming from clients requesting validation (the AD and/or DO flag is set), Google Public DNS verifies that response records are correctly authenticated. Validation by default (i.e. for all queries) will be enabled soon.

Which client resolvers currently enable DNSSEC?
Unfortunately, most standard client stub resolvers do not enable full DNSSEC checking and cannot be easily reconfigured to do so. We have decided to make our initial launch only cover resolvers that explicitly ask for DNSSEC checking so that we become aware of any problems before exposing our users to possible large-scale DNS failures due to DNSSEC misconfigurations or outages. Once we are happy that we can safely enable DNSSEC for all users except those who explicitly opt out, we will do so.

It’s great to see Google responding to questions and adding these clarifications – and from the point of view of advocacy for DNSSEC deployment, it is great to have Google out there endorsing and promoting DNSSEC as a way to increase Internet security.

(And you can easily get started with DNSSEC if you haven’t already.)

For those of you who enjoy listening to audio, I recorded some audio commentary on our SoundCloud channel about why I view this news from Google as incredibly important:

Mar 21

On Forgetting My Phone And Being Completely Disconnected…

On Forgetting My Phone And Being Completely Disconnected... by Dan York

Mar 20

Any Tips On How To Recover Data From An External Disk on Mac OS X?

Any Tips On How To Recover Data From An External Disk on Mac OS X? by Dan York

Mar 20

“Introduction To DNSSEC” Animated Videos Uploaded To YouTube

With the buzz over Google’s news about DNSSEC yesterday, we’ve seen a large surge of visitors to our DNSSEC-related resources and in the midst of that someone pointed out that the excellent introduction to DNSSEC video from Shinkuro, Inc., was no longer available on YouTube. Given that we work well with the Shinkuro team, we reached out to them and found out that while they maintain a copy of the video on their site, they had not been responsible for the YouTube version.  With their permission, we have now uploaded the video to our Deploy360 YouTube channel and can make it available for embedding and viewing:

The silent animated video was created back in 2006 but continues to be an excellent illustration of how the DNSSEC process works and the threats it protects again.  Thanks again to Shinkuro for making the video available.

As we note on our resource page about the video, there is also a second version that doesn’t include the text narration on the right side that some of you may find useful if you want to show a video about DNSSEC and provide your own narration.  (In fact… it might be an interesting exercise to take this second video and create versions with voice-overs in a number of different languages – if you do that and create a version, let us know and we’ll look at linking to your video.)

 

Mar 20

Video – DNSSEC Deployment: From End-Customer To Content (ION San Diego)

What do we need to do to get DNSSEC widely deployed? How can we help accelerate the deployment? What is the benefit to network operators and content providers?  These were among the questions answered in a highly interactive panel at the ION Conference San Diego on December 11, 2012. There was a good dialogue between the panelists and many questions asked by the attendees.  As a moderator, it was one of the most fun and interesting panels I’ve done in a while as we had no slides and just engaged in a conversation among people with a deep amount of experience with DNSSEC.

You can watch the video on YouTube or embedded here:

Moderator: Dan York (Internet Society)
Panelists: Jim Galvin (Afilias); Richard Lamb (ICANN); Cricket Liu (Infoblox); Roland M. van Rijswijk — Deij (SURFnet)

To get started with DNSSEC, you may want to view our DNSSEC Basics page.

Mar 19

Google Public DNS – DNSSEC Validation

Google logoGoogle provides DNSSEC validation through the use of their “Google Public DNS” servers.  If your local DNS resolvers do not perform DNSSEC validation, you can change your operating system to point to the following DNS servers operated by Google for either (or both) IPv4 and IPv6:

8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844

Once configured, all future DNS queries will be resolved using these DNS servers and DNSSEC validation (if requested) will be performed by Google’s servers.  You will then benefit from the added protection of DNSSEC validation.

Typically this configuration is changed wherever you modify your network settings.  In Windows, this is usually in your “Control Panel” while in Mac OS X this will be in the Network part of your “System Preferences”.  For Linux and other operating systems the exact procedure will vary.

Note that there is one important caveat here - you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. they will only validate the DNS query if you request it.  To do that you need an application that supports DNSSEC.  For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:

If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.

You can test DNSSEC validation by attempting to visit one of the deliberately misconfigured sites listed on our DNSSEC Tools page.

Google provides the following information about using their Public DNS service:

The addition of DNSSEC was announced in March 2013 and noted that Google Public DNS is currently “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.”

Note: To get the most value out of DNSSEC, you need to use a DNSSEC-validating resolver, and also sign your domains. If you have domains registered, learn about how your can sign your domains with DNSSEC using domain name registrars.