Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

NLnet Labs Makes Their DNSSEC Training Materials Freely Available For All To Use

Want to offer your own DNSSEC training courses? Or want to run an internal DNSSEC training class? Or want to give a DNSSEC presentation to a local user group? Or are you simply looking for material to help you learn more about DNSSEC?

If you answered yes to any of those questions, Olaf Kolkman and the team at NLnet Labs have given the Internet community a wonderful gift in the form of DNSSEC course materials that are freely available for use and modification (subject to attribution). The slides are all part of a DNSSEC “Train the Trainer” course that Olaf recently gave and are available in PowerPoint, Keynote and PDF form from:

http://www.dns-school.org/Slides/index.html

The materials are licensed under a permissive Creative Commons license that basically lets you do whatever you want to the materials, including modify them and use them for commercial training, provided you include the appropriate attribution link.

It’s great that the NLnet Labs team has made this material available and we hope that people across the Internet find it a useful way to teach about DNSSEC and get more people using DNSSEC!

Thanks, Olaf and NLnet Labs!

Slides: The Status of IPv6 and Open Source/Free Operating systems

What is the status of IPv6 support in free / open source operating systems? Recently Olle Johansson gave a presentation in Sweden where he provided, in his own words:

A status report from a brief test of IPv6 support (including DHCPv6 and SLAAC) in OpenBSD, FreeBSD, Debian, Ubuntu, Fedora compared with Windows 7 and OS X

His testing focused on trying to answer these questions:

  • Can I install a desktop operating system over IPv6?
  • Can I add and install packages over IPv6?
  • Can I configure it with combinations of Router Solicitations/Advertisements and DHCPv6?

Basically, his goal was to see – how ready are we to run IPv6 single-stack?

Olle was quite up front, too, in saying that he did this testing as a beginner with these operating systems, because he believes deployment should be that easy. While his conclusion is that there is still a good bit of work to do, his testing at least provides some pointers to where work needs to be done within the operating systems.

Olle has nicely made his slides available for us to see on SlideShare:

Attending O’Reilly’s Tools of Change Conference (TOCCON) This Week in New York

This week I will be in New York City at O'Reilly's Tools of Change for Publishing Conference, a.k.a. "TOC" or "TOCCON". As I wrote recently on the Deploy360 blog, TOC is really the premier gathering of the people behind the technology of digital and online publishing. While there certainly are people there from the "traditional" publishing industry, the event really brings together all of those who are disrupting publishing as we know it.

For my part, I am going primarily to do a deep dive into the technology and tools behind ebook publishing. While some of my own books are offered as ebooks, the publishers have been the ones doing the actual ebook creation. I certainly understand the basics, but want to really dig deeper. I have a strong interest in seeing what we can do within the Internet Society Deploy360 Programme to take some of the long-form content we or our partners have and make that available in ebook form. Partly I want people to be able to take the content and have it very easily accessible in an offline form. Partly I want to offer people the ability to consume our content using an ebook reader. And partly I want to experiment with marketing our content through some of the various ebook stores. LOTS of ideas... now, whether I will be able to carve out the time to implement those ideas is a different question. :-)

Anyway, if you are going to be down at TOCCON this week, please do say hello or drop me a message via email or Twitter.

P.S. TOCCON will be an interesting event for me as I am not speaking, as I often do, nor am I staffing a booth, live tweeting, reporting or anything else. I am just there to learn, meet people and explore new ideas. I'm actually looking forward to the change of pace, bizarre as it will be for me. :-)

U.S. Curling Championships Start Rocking Philadelphia This Weekend!

For those folks lucky enough to live in the Philadelphia area, or who can travel there, this weekend begins eight days of the US national curling championships! The best men's and women's teams will be in Philly vying for a slot in the 2012 World Championships and the 2014 U.S. Olympic Trials.

Expect to see some outstanding curling happening this week!

More on the story:

A local Philadelphia country music station also seems to have helped produce a video with interviews and footage of what is going on there:

Looks like fun, and if you are in the Philadelphia area, this is your chance to get to see some of the best curlers in the nation!

ENISA: Good Practices Guide For Deploying DNSSEC

In March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

While the document was created prior to the signing of the root zone in July 2010, the concise 29-page guide still provides a good overview of what is involved in working with DNSSEC and offers sound guidelines for using and implementing it.

The Table of Contents for the document is:

  • DNSSEC practices statement
  • Signing your zone
    • Value of a signed zone
    • Designing a signing system
    • Signing in a test environment
    • Checking the DNS servers
    • Key generation and management
    • Physical security
    • Use of NSEC3
    • Key rollovers
    • Performance issues
    • Publication of keys
    • Change of registrar
    • Change a zone from signed to unsigned
    • Change of domain holder (registrant)
  • Selecting a product
  • Outsourcing
  • Change of DNS provider
  • Validating DNS queries
    • Configure trust anchors
    • Routers, firewalls and other network equipment
  • Conclusions
  • ANNEX 1: Contents of a TAR’s policy and practices
  • ANNEX 2: Support of DNSSEC on commonly used nameservers
  • Reference

The document is available for free download in PDF form from the ENISA website.

DNSSEC Training: Internet Systems Consortium (ISC)

The Internet Systems Consortium (ISC), authors and maintainers of the BIND DNS server, has been providing DNSSEC-related training for several years, both at conferences and in training centers all over the world. Their latest schedule of courses can be found at:

http://www.isc.org/support/training

ISC offers focused classes on DNSSEC and also includes DNSSEC as a component of other DNS-related classes. Note that ISC also provides IPv6 training classes.

The Internet Society Deploy360 Programme does not recommend or endorse any particular commercial providers of training. The information provided here is to assist people in finding training providers and is part of a larger effort to list all known providers of DNSSEC-related training. If you know of additional training providers we should include, please contact us.

DNSSEC Training: NLnet Labs Course Materials (Slides)

In February 2012, Olaf Kolkman from NLnet Labs taught a 2-day DNSSEC “Train-The-Trainer” workshop and nicely made all his course materials available online at:

http://www.dns-school.org/Slides/index.html

Olaf made all his courseware available as PDF, PowerPoint and Keynote files under a Creative Commons license that allows the course materials to be copied, modified and even used for commercial purposes – provided that an attribution link is maintained.

It’s great to see this kind of material being made available and we thank Olaf and NLnet Labs for making this material available to the broader community at no cost.

For quick reference, here are the sections of the NLnet Labs course materials (links go directly to the NLnet Labs site):

  • DNS vulnerabilities (PDF, KEY, PPT)
  • Unbound (PDF, KEY, PPT)
  • DNSSEC Theory (PDF, KEY, PPT)
  • Troubleshooting (PDF, KEY, PPT)
  • Practicalities (PDF, KEY, PPT)
  • DNSSEC Key Rollover (PDF, KEY, PPT)
  • OpenDNSSEC (PDF, KEY, PPT)
  • DNS in a Workflow (PDF, KEY, PPT)

Friday Comic: XKCD on IPv6 and Nanobot Swarms…

Yes, this XKCD comic came out in February of last year, but I still find it amusing:

For those not following IPv6, the joke here is that the nanobot swarm (e.g. grey goo) wound up having to stop their proliferation – and destruction of earth – because they ran out of IPv6 addresses! This was, of course, mathematically debated in an XKCD forum along with other discussion.

Thankfully, since we haven’t yet made the full migration to IPv6, we’re nowhere near needing to worry about their exhaustion!

P.S. Speaking of IPv6, are you ready for World IPv6 Launch on June 6?

DNSSEC And The Challenge Of Modern Websites

Given that modern websites often pull content from a variety of different sites to build a single page, what impact does that have on DNSSEC and the security it provides?

That was one of the questions raised in a recent post by the DNSSEC Deployment Initiative titled “Are You Secure?” This key point was emphasized in this paragraph:

It shouldn’t come as a surprise to you that your browser was trying to load content from badsign-a.testsub.dnssec-deployment.org although you had not typed that in the address bar. More generally, it shouldn’t be surprising that it requires more than a single DNS lookup to fill the contents of a page. In fact, as the query trace from loading a relatively simple page such as www.dnssec-deployment.org illustrates below, an un-primed resolver easily performs in excess of a hundred lookups before the browser renders the complete page. Some of these queries are not even for names under the dnssec-deployment.org domain. For more content-packed sites the number of names looked up is even higher.

The way we build websites today very often involves pulling in content from a variety of different sites. Sometimes it is something as simple as the latest jQuery JavaScript library. Sometimes it is images or advertisements. Sometimes it is the latest tweets or other content from social networks.

The article goes on to talk about the value of moving DNSSEC validation directly into the application, such as the web browser, so that all DNS queries can be properly validated. The author ends on this note:

It is also important, given that web pages are typically composed of a number of discrete elements, that validation be performed for all lookups initiated by the browser and not just for the name typed in the address bar. Many browser plugins for DNSSEC support will validate only the latter; while that capability is certainly useful, the real benefit of local validation is realized only when the browser (or the OS) completely integrates DNSSEC validation capability into its internal resolver library and enables validation for all queries.

The good news is that browser vendors (and their user communities) have been showing increased interest in seeing DNSSEC capability extended to the end-applications. Proof-of-concept implementations of browsers with DNSSEC validation support (e.g., the DNSSEC-Tools Firefox patch) have been available for a while, and with DNSSEC validation capability being continuously extended to new platforms and devices, there is hope that DNSSEC capability in browsers will eventually become more commonplace.

We certainly share that hope that DNSSEC capability in browsers and other applications will become more commonplace. A goal of this entire Deploy360 Programme is to help bring that widespread availability about.

Application developers… have you checked out the developer libraries available now to help add DNSSEC support to your applications? Have you looked at what is available in the DNSSEC-Tools project?

What else can we do to help you build DNSSEC into your applications?
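To make the point above concrete, here is an added example (it is not code from this post, from the DNSSEC Deployment Initiative or from the DNSSEC-Tools project) that does in a script what a validating browser would do internally: it extracts every hostname a page would fetch from while rendering, not just the one in the address bar, and asks a validating resolver about each with the EDNS0 DO bit set, reading the AD bit and rcode of the reply. It uses only the Python standard library. The sample page, its hostnames and the reply bytes it is checked against are constructed for illustration; the resolver address 127.0.0.1 assumes a local validator such as the one the P.S. below describes.

```python
"""Check DNSSEC validation for every host a web page pulls content from.

Added example for this post (stdlib only); not code from Deploy360, the
DNSSEC Deployment Initiative or DNSSEC-Tools. The sample page and the DNS
reply bytes used with it are constructed for illustration.
"""
import os
import socket
import struct
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: "simple", yet it fetches from four other hosts.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//fonts.example.net/css?family=Lato">
<script src="https://ajax.example.org/jquery.min.js"></script>
<script src="/local/site.js"></script>
</head><body>
<img src="http://img.badsign.example/logo.png">
<a href="https://www.not-fetched.example/">a link is not fetched on render</a>
<iframe src="https://widgets.social.example/tweets"></iframe>
</body></html>
"""


class SubresourceHosts(HTMLParser):
    """Collect the hostnames a browser must resolve to render the page:
    every src= attribute plus href= on <link>. A plain <a href> is ignored
    because it is only fetched when clicked."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name == "src" or (tag == "link" and name == "href")):
                # Relative URLs resolve to the page's own host.
                host = urlsplit(value, scheme="https").hostname or self.page_host
                self.hosts.add(host.lower())


def subresource_hosts(html, page_host):
    parser = SubresourceHosts(page_host)
    parser.feed(html)
    return sorted(parser.hosts)


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RD set) carrying an EDNS0 OPT record with the
    DO bit, so a validating resolver validates and reports AD."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode,
    # version and flags with DO (0x8000) set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def validation_status(reply, txid=0x1234):
    """Classify a validating resolver's reply from its header alone:
      'secure'   AD set: answer (or NXDOMAIN) verified up to the trust anchor
      'bogus'    SERVFAIL: what a validator returns when signatures fail
      'insecure' NOERROR/NXDOMAIN without AD: unsigned zone, or a resolver
                 that does not validate at all (indistinguishable here)
    """
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    if rcode == 2:
        return "bogus"
    if rcode in (0, 3):
        return "secure" if ad else "insecure"
    return f"rcode{rcode}"


def query_resolver(name, resolver="127.0.0.1", port=53, timeout=2.0):
    """Ask a validating resolver about one name. Assumes a local validator:
    the AD bit is only trustworthy from a resolver on a path you control."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (resolver, port))
        reply, _ = sock.recvfrom(4096)
    return validation_status(reply, txid)


def check_page(html, page_host, resolve=query_resolver):
    """Map every host the page pulls from to its validation status."""
    return {host: resolve(host) for host in subresource_hosts(html, page_host)}


if __name__ == "__main__":
    def safe(host):
        try:
            return query_resolver(host)
        except (OSError, ValueError) as exc:
            return f"no answer ({exc.__class__.__name__})"
    for host, status in check_page(SAMPLE_HTML, "www.example", resolve=safe).items():
        print(f"{status:9} {host}")
```

Two caveats worth keeping in mind when reading the output. "insecure" cannot tell an unsigned zone apart from a resolver that never validates, so the first thing to confirm is that the resolver you are talking to returns "secure" for a name you know is signed. And the AD bit is just a bit in a UDP packet: a resolver across the network (or anything spoofing it) can set it freely, which is exactly why validation belongs on the machine itself, in the OS resolver library or the browser, rather than being trusted from afar.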

P.S. In my case, I did see the correct image on the DNSSEC Deployment Initiative web pages, but that is because I’m running a local DNSSEC-validating DNS resolver on my MacBook Pro laptop. I’m using the excellent DNSSEC-Trigger tool from NLnet Labs – it’s available for Mac OS X, Windows or Linux.

ION Canada

14 November 2011
InterContinental Toronto Centre, Toronto, ON, Canada