Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

5 DNSSEC Training/Technical Sessions at USENIX LISA Next Week In San Diego

Want to learn more about DNSSEC?  Next week at the USENIX Large Installation System Administration (LISA) Conference in San Diego there are going to be some excellent DNSSEC sessions in addition to our ION San Diego event happening on Tuesday.

Starting it off will be a half-day DNS and DNSSEC tutorial on Tuesday morning (right before our ION event) by Shumon Huque of the University of Pennsylvania.  It looks like a great way to spend the morning diving deep into DNS and DNSSEC.

Tuesday afternoon will be our ION San Diego conference where we have two sessions focused on DNSSEC on our agenda. First, Pete Toscano of ARIN will talk about ARIN’s support of both DNSSEC and RPKI. Second, I’ll be moderating what should be a truly outstanding panel on the topic of deploying DNSSEC.  We have a great group of panelists including Rick Lamb from ICANN, Infoblox’s Cricket Liu who is also the author of multiple O’Reilly books on DNS, Jim Galvin of Afilias (who operates multiple TLDs) and Roland van Rijswijk-Deij of SURFnet who has been very actively working on getting more validating DNS servers deployed.  The panel will be a questions-based, highly interactive discussion session that we expect to be very educational (and perhaps entertaining) for all attending.  I’ll have questions for the panel but there will also be plenty of opportunities for you to ask your questions, too.

(Did we mention that registering for ION San Diego is FREE? Just fill out the form and come in for great IPv6 and DNSSEC education.)

Jumping to Friday, there are then two invited talks about DNSSEC. First, Roland van Rijswijk-Deij of SURFnet will be discussing “DNSSEC: What Every Sysadmin Should be Doing to Keep Things Working”. Roland’s presentations have been both educational and amusing in the past, so I’m sure this should be a good one.  Following Roland and closing out the DNSSEC sessions next week, Scott Rose of NIST will be presenting “DNSSEC Deployment in .gov: Progress and Lessons Learned” where he’ll be providing the case study of the US government’s deployment of DNSSEC and relaying their lessons learned thus far.  Scott and the team at NIST have been doing great work monitoring the DNSSEC deployment and this session should be very helpful to those looking to understand how to deploy DNSSEC on a very large scale.

There you have it… lots of great DNSSEC material!  If you are in San Diego next week for USENIX LISA, check out these sessions and also come to our ION conference.  Great opportunities to learn what you need to do to get started with DNSSEC today!

World Conference on International Telecommunications (WCIT) Starts Today in Dubai

Today is the start of the International Telecommunication Union's (ITU) World Conference on International Telecommunications (WCIT) in Dubai. The aim of the conference is to update the "International Telecommunications Regulations (ITRs)", a treaty between nations that establishes rules for interoperability and interconnection for telecom between countries.

These ITRs were last updated in 1988... and the world of telecom has changed just a wee bit since then! :-)

Unless you've been asleep or offline for the past few months, you'll know that some of the countries out there are seeking to use this WCIT conference as a way to expand the ITRs to cover the Internet - and to thereby control the Internet more or to impose other business models on the Internet. Obviously a lot of people (myself included) are opposed to the expansion of the ITRs to include more of the Internet and believe that the ITRs should remain focused on the telecommunications interconnection related to the traditional Public Switched Telephone Network (PSTN).

This all will play out over the next two weeks in the meetings happening in Dubai that will culminate with a series of votes by the member states. The ITU is a United Nations (UN) entity and so each country gets a vote.

I'll not comment further here about the ITRs and WCIT, except to note that if you want to follow along with what is happening, my colleagues in the Internet Society Public Policy team (of which I am not a part) have been maintaining a site where they are curating news about WCIT:

http://www.scoop.it/t/wcit

They've been doing a great job and it's the site that I am using to keep up with what is being said out there about WCIT and the ITU.

That same team also has a great site full of background material about WCIT, the ITRs and other related information - follow the links in the right sidebar for much more material:

http://www.internetsociety.org/wcit/

The material includes a good background paper on the ITRs that explains a bit about how the ITRs evolved and why they matter. The Internet Society's communications team also has a page up that they will be updating throughout the week with news:

http://www.internetsociety.org/wcit-newsroom

You can expect to see social networks filling up with commentary, too... and I know I'll be watching two Twitter hashtags:

The reality is that true to the title of this blog, the telecommunications industry has been severely disrupted by the Internet. The world of the PSTN has been fundamentally altered by Voice over IP (VoIP), by "Over The Top" (OTT) applications, by SIP trunking... and so many other aspects of Internet-based communications. This WCIT event does provide a chance for all of those who have been victims of this disruption to try to push for changes that will be in their favor. Similarly, all of those wanting to ensure the Internet remains open are fully engaged now, too... and various countries are aligning on both sides.

It shall be an interesting next two weeks...

P.S. Vint Cerf's op-ed on CNN is worth a read on this topic: 'Father of the internet': Why we must fight for its freedom




FIR #680 – 12/3/12 – For Immediate Release

Interviews coming with Craig Silverman and Ekaterina Walter; Quick News: ITN Productions launches citizen journalism channel, US mobile phone usage metrics, Leveson Inquiry report user experience; Ragan promo; News That Fits: Leveson traditional media oversight challenges; Dan York's report; Media Monitoring Minute; social media surveillance in DC; listener comments; TemboSocial promo; Michael Netzley's report; Bell Pottinger launches digital content agency; music from Ed Roth; and more.

What Happens When All Communication From A Country Is Disrupted?

What happens when all communication into and out of a country is completely disrupted? We're seeing that right now with Syria. As I wrote on CircleID yesterday, all Internet access is down... and reports say that all communication via cell phones and landlines has also been terminated.

What happens when a country just completely... drops... off...

It's scary, really, to think about. And we're seeing it play out right now. The links are still all down.

My thoughts are definitely with the people there in the country. I hope things are okay... and that the connections get restored soon.

Crazy times...

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question can be – how do you generate a TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record (outlined in RFC 6698), you might need to add a “-o generic” flag onto the command line to get the appropriate record. And you might want to add on more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?

Hash-slinger – a tool for creating TLSA records for the DANE protocol

Hash-slinger is a package of tools created by Paul Wouters of Red Hat to make it easy to create records for the DANE protocol that will allow you to secure your SSL/TLS certificates using DNSSEC.

The package is available for Linux at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.

If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:

$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

The “tlsa” command also has other options for generating other types of TLSA records.
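
The two outputs above carry the same data: the generic TYPE52 form is the three TLSA header octets (3, 0, 1) followed by the digest, written as one hex string with its length. The following Python sketch is an added example, not part of hash-slinger or the original post; its function names are illustrative, and it covers only selector 0 (the full certificate), building both forms and decoding a generic record back for checking:

```python
import hashlib

TLSA_TYPE = 52               # RR type number of TLSA (RFC 6698)
DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest size (SHA-256, SHA-512)

def association_data(cert_der, matching_type=1):
    """Association data for selector 0: the full DER certificate, raw or hashed."""
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %d" % matching_type)

def owner_name(host, port=443, proto="tcp"):
    """TLSA records are published at _<port>._<proto>.<host>."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))

def check_fields(usage, selector, mtype, data):
    """Reject values that cannot form valid TLSA RDATA (e.g. a truncated digest)."""
    if not all(0 <= f <= 255 for f in (usage, selector, mtype)):
        raise ValueError("usage, selector and matching type are one octet each")
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("digest length does not fit matching type %d" % mtype)

def tlsa_record(owner, usage, selector, mtype, data):
    """Presentation format, for software that knows the TLSA type."""
    check_fields(usage, selector, mtype, data)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data.hex())

def generic_record(owner, usage, selector, mtype, data):
    """RFC 3597 unknown-type format: header octets plus data as one hex string."""
    check_fields(usage, selector, mtype, data)
    rdata = bytes([usage, selector, mtype]) + data
    return "%s IN TYPE%d \\# %d %s" % (owner, TLSA_TYPE, len(rdata), rdata.hex())

def parse_generic(line):
    """Decode a TYPE52 line back into (owner, usage, selector, mtype, data)."""
    owner, rrclass, rrtype, marker, length, hexdata = line.split()
    rdata = bytes.fromhex(hexdata)
    if (rrclass, rrtype, marker) != ("IN", "TYPE%d" % TLSA_TYPE, "\\#"):
        raise ValueError("not a generic TLSA record")
    if len(rdata) != int(length) or len(rdata) < 3:
        raise ValueError("RDATA length does not match the stated length")
    check_fields(rdata[0], rdata[1], rdata[2], rdata[3:])
    return owner, rdata[0], rdata[1], rdata[2], rdata[3:]

# Digest copied from the tlsa output quoted in this post.
PAGE_DIGEST = bytes.fromhex(
    "54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e")
```

To build a record for your own server, pass the DER bytes of its certificate to `association_data`; the standard library's `ssl.get_server_certificate` and `ssl.PEM_cert_to_DER_cert` can supply them.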

Finding My "Barriers To Blogging" Apply To Audio Podcasting As Well

In thinking about how I might do more audio podcasting, I found myself hitting many of the same barriers I wrote about with regard to blogging... so I made this recording:

 

Syria Disconnects From The Internet (Featured Blog)

This morning brought word that all Internet connections into Syria had been severed. Internet monitoring firm Renesys was among the first to report the news in a blog post that they have continued to update. That news was subsequently confirmed by other sites and services... Multiple reports indicate that all Internet, cell phone and landline connections to all or most of the country have been severed.


Skype 4.2.1 for iPad/iPhone Brings Microsoft Integration, Chat Interop, Better IM Features

Skype today brought its increased integration with Microsoft services to the iPhone and iPad with the new release 4.2.1 available in the iOS AppStore. As you can already do in the Windows, Mac and Android versions of Skype, the big feature is that you can now sign in with your "Microsoft account" and merge your Skype contacts with those from Windows Live Messenger (WLM) and Outlook.com. You will now be able to chat back and forth with your WLM contacts directly from within Skype.

This is very cool from the point-of-view that Skype has always been a "walled garden" of instant messaging (IM) that did not interoperate with any other service. Many of us long ago wound up having to use two IM clients on our system: 1) Skype; and 2) a multi-service client (like Adium or Pidgin) for all the other IM networks. This doesn't quite solve that problem because it is now really just expanding the Skype client to work with two IM networks, but it is at least a step toward greater interop.

In a post on Skype's "Garage" blog, Beom Soo Park indicates these new features:

  • Sign in with your Microsoft Account to merge your Windows Live Messenger, Outlook.com and Skype accounts - then IM those contacts direct from Skype. 
  • Ability to edit and delete instant messages 
  • Choose an emoticon while typing an instant message via a new emoticon picker 
  • Animated emoticons for devices with a Retina display
  • Edit phone numbers from the dial pad
  • Create a new Skype account when you download the app 
  • UI improvements

Skype's post on their "Big Blog" has a bit more detail and mentions that Skype for iOS has now been downloaded over 120 million times.  The improvements to the chat interface, particularly the editing, will definitely be useful.  I personally don't really care about the improved emoticons, but I know some people do like those and will be pleased.

My only criticism is that in order to make use of the Microsoft integration you have to log out of your Skype account and then login with your Microsoft account, at which point you presumably can merge the accounts.  It's not a big deal to me, as I don't use a "Microsoft account" these days.  I certainly did have a WLM login that I used to use years ago, but I haven't used it in years and don't really feel any compelling need to do so.  Still, it would be nice if the Microsoft account could just be added to your existing Skype login as you can do in so many other IM clients.

Anyway, Skype 4.2.1 for iOS/iPad/iPhone is now out there and ready for download from the AppStore.

P.S. If you installed Skype 4.2 yesterday, you'll need to go back to the AppStore today to get Skype 4.2.1 as there were some critical bugs that were fixed in 4.2.1.

