Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
Mar 25
Slides: DANE, the next big thing after DNSSEC
What is the DANE protocol all about? How does it protect Internet communication? How does it relate to SSL/TLS certificates? What is wrong with the Web’s public key infrastructure (PKI), anyway?
At a recent cybersecurity conference in the Netherlands, Marco Davids of SIDN gave a presentation titled, “DANE, the next big thing after DNSSEC,” that covers these and other questions – and does so with a good degree of detail. His slides are available:
We, too, agree that DANE has a great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. We would encourage you to look at our DANE resources and start looking at what you can do today!
Mar 25
Video: The Mobile Business Case for IPv6
At the World IPv6 Congress in Paris last week, Cisco’s Mark Townsley gave this great interview about the business case for IPv6 in mobile networks:
It was great to hear his mention that Verizon is sending 30% of its traffic to Google over IPv6 as well as the mention of IPv6 growth on other mobile networks.
Hat tip to Cisco’s blog, where we first spotted mention of this video.
Mar 25
FIR #696 – 3/25/13 – For Immediate Release
Steve Rubel interview coming; FIR discount to London conference; Neville on March 27 panel; Quick news: Klout opens business dashboard, implications of AP's win vs. Meltwater, NYT attempts structured comments, Amazon launches Send to Kindle button; Ragan promo; News that Fits: 5 seconds to tell your story, Michael Netzley's Asia report, Coca-Cola asserts buzz doesn't affect short-term sales, Media Monitoring Minute from CustomScoop, how social media improved writing, Dan York's report, PR content in a mobile world; how to comment; music from the David Nelson Band; and more.
Mar 22
Google Clarifies DNSSEC Support – Opt In Now, Full Validation Coming Soon
After Google’s announcement earlier this week of DNSSEC validation support in their Public DNS service, there was some concern and discussion in various DNSSEC mailing lists about the fact that DNSSEC validation was not being performed by default and required a client to request validation. Folks at Google clarified that this was just part of their initial rollout and that providing full validation is in their plans.
They have now also updated their FAQ about DNSSEC support in Google Public DNS and most importantly updated these two questions (my emphasis added):
Does Google Public DNS support the DNSSEC protocol?
Yes. Google Public DNS is a validating, security-aware resolver. Currently this is an opt-in feature: for queries coming from clients requesting validation (the AD and/or DO flag is set), Google Public DNS verifies that response records are correctly authenticated. Validation by default (i.e. for all queries) will be enabled soon.Which client resolvers currently enable DNSSEC?
Unfortunately, most standard client stub resolvers do not enable full DNSSEC checking and cannot be easily reconfigured to do so. We have decided to make our initial launch only cover resolvers that explicitly ask for DNSSEC checking so that we become aware of any problems before exposing our users to possible large-scale DNS failures due to DNSSEC misconfigurations or outages. Once we are happy that we can safely enable DNSSEC for all users except those who explicitly opt out, we will do so.
It’s great to see Google responding to questions and adding these clarifications – and from the point of view of advocacy for DNSSEC deployment, it is great to have Google out there endorsing and promoting DNSSEC as a way to increase Internet security.
(And you can easily get started with DNSSEC if you haven’t already.)
For those of you who enjoy listening to audio, I recorded some audio commentary on our SoundCloud channel about why I view this news from Google as incredibly important:
Mar 21
On Forgetting My Phone And Being Completely Disconnected…
On Forgetting My Phone And Being Completely Disconnected... by Dan York
Mar 20
Any Tips On How To Recover Data From An External Disk on Mac OS X?
Any Tips On How To Recover Data From An External Disk on Mac OS X? by Dan York
Mar 20
“Introduction To DNSSEC” Animated Videos Uploaded To YouTube
With the buzz over Google’s news about DNSSEC yesterday, we’ve seen a large surge of visitors to our DNSSEC-related resources and in the midst of that someone pointed out that the excellent introduction to DNSSEC video from Shinkuro, Inc., was no longer available on YouTube. Given that we work well with the Shinkuro team, we reached out to them and found out that while they maintain a copy of the video on their site, they had not been responsible for the YouTube version. With their permission, we have now uploaded the video to our Deploy360 YouTube channel and can make it available for embedding and viewing:
The silent animated video was created back in 2006 but continues to be an excellent illustration of how the DNSSEC process works and the threats it protects again. Thanks again to Shinkuro for making the video available.
As we note on our resource page about the video, there is also a second version that doesn’t include the text narration on the right side that some of you may find useful if you want to show a video about DNSSEC and provide your own narration. (In fact… it might be an interesting exercise to take this second video and create versions with voice-overs in a number of different languages – if you do that and create a version, let us know and we’ll look at linking to your video.)
Mar 20
Video – DNSSEC Deployment: From End-Customer To Content (ION San Diego)
What do we need to do to get DNSSEC widely deployed? How can we help accelerate the deployment? What is the benefit to network operators and content providers? These were among the questions answered in a highly interactive panel at the ION Conference San Diego on December 11, 2012. There was a good dialogue between the panelists and many questions asked by the attendees. As a moderator, it was one of the most fun and interesting panels I’ve done in a while as we had no slides and just engaged in a conversation among people with a deep amount of experience with DNSSEC.
You can watch the video on YouTube or embedded here:
Moderator: Dan York (Internet Society)
Panelists: Jim Galvin (Afilias); Richard Lamb (ICANN); Cricket Liu (Infoblox); Roland M. van Rijswijk — Deij (SURFnet)
To get started with DNSSEC, you may want to view our DNSSEC Basics page.
Mar 19
Google Public DNS – DNSSEC Validation
Google provides DNSSEC validation through the use of their “Google Public DNS” servers. If your local DNS resolvers do not perform DNSSEC validation, you can change your operating system to point to the following DNS servers operated by Google for either (or both) IPv4 and IPv6:
8.8.8.8
8.8.4.42001:4860:4860::8888
2001:4860:4860::8844
Once configured, all future DNS queries will be resolved using these DNS servers and DNSSEC validation (if requested) will be performed by Google’s servers. You will then benefit from the added protection of DNSSEC validation.
Typically this configuration is changed wherever you modify your network settings. In Windows, this is usually in your “Control Panel” while in Mac OS X this will be in the Network part of your “System Preferences”. For Linux and other operating systems the exact procedure will vary.
Note that there is one important caveat here - you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. they will only validate the DNS query if you request it. To do that you need an application that supports DNSSEC. For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:
If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.
You can test DNSSEC validation by attempting to visit one of the deliberately misconfigured sites listed on our DNSSEC Tools page.
Google provides the following information about using their Public DNS service:
- Overview of Google Public DNS
- Using Google Public DNS
- DNSSEC section of the Google Public DNS FAQ
- Security Benefits (which includes mention of DNSSEC)
The addition of DNSSEC was announced in March 2013 and noted that Google Public DNS is currently “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.”
Note: To get the most value out of DNSSEC, you need to use a DNSSEC-validating resolver, and also sign your domains. If you have domains registered, learn about how your can sign your domains with DNSSEC using domain name registrars.
Mar 19
Huge News For Internet Security – Google Public DNS Is Now Performing DNSSEC Validation!
In a huge step forward for Internet security today, Google announced that Google’s “Public DNS” service is now performing DNSSEC validation. What this means is that anyone using Google’s DNS servers (and anyone can do so – see below) can now get the increased security that comes with DNSSEC. (Learn more about the value of DNSSEC on our DNSSEC Basics page.)
It also means that if you want the added security of DNSSEC, but your Internet Service Provider and local operating system don’t validate with DNSSEC, you can simply change your operating system to point to the following DNS servers operated by Google for either (or both) IPv4 and IPv6:
8.8.8.8
8.8.4.42001:4860:4860::8888
2001:4860:4860::8844
Once configured, all future DNS queries will be resolved using these DNS servers and DNSSEC validation will be performed by Google’s servers. You will then benefit from the added protection of DNSSEC validation. (Our resource page about Google Public DNS offers a few more pointers about configuration.)
Note that there is one important caveat here - you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. they will only validate the DNS query if you request it. To do that you need an application that supports DNSSEC. For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:
If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.
In the announcement, Google’s Yunhong Gu noted that Google Public DNS is currently “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.” As the article further notes:
“Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers. Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains. Today, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. We encourage all involved parties to push DNSSEC deployment and further protect Internet users from DNS-based network intrusions.”
To that end, if you have domains registered, we strongly encourage you to learn about how your can sign your domains with DNSSEC using domain name registrars. You can learn more about which top-level domains support DNSSEC on our DNSSEC Statistics page.
Google provides the following information about using their Public DNS service:
- Overview of Google Public DNS
- Using Google Public DNS
- DNSSEC section of the Google Public DNS FAQ
- Security Benefits (which includes mention of DNSSEC)
This move by Google to provide this DNSSEC validation is a great addition to the support for DNSSEC validation offered by large US ISPs such as Comcast (making DNSSEC validation available to their 18 million customers) as well as ISPs in a wide range of countries including Sweden, the Czech Republic and Brazil.
We look forward to seeing more public DNS providers and more ISPs turn on DNSSEC validation in their networks. If you want to know more about what is involved with enabling DNSSEC validation on your network, including home and enterprise networks, this SURFnet white paper provides easy instructions for common DNS servers.
And in the meantime, if you don’t want to wait for your ISP and want to start getting the value in DNSSEC validation today, you now have the option of using Google’s public DNS servers!
