Just a guy in Vermont trying to connect all the dots...
Nov 02
Rough Guide to IETF 103: DNSSEC, DNS Security and DNS Privacy

As happened earlier this year at IETF 102 in Montreal, DNS privacy will receive a large focus in the DNSOP, DPRIVE and DNSSD working groups. Given the critical role DNS plays as part of the “public core” of the Internet in linking names and identifiers to IP addresses, the DNS must have stronger security and privacy controls. As part of our Rough Guide to IETF 103, here’s a quick view on what’s happening in the world of DNS.
Note – all times below are Indochina Time (ICT), which is UTC+7.
DNS Operations (DNSOP)
The DNS sessions at IETF 103 start on Monday afternoon from 13:50-15:50 with the DNS Operations (DNSOP) Working Group. As per usual, DNSOP has a packed agenda. The major security/privacy-related drafts include:
- DNS query minimisation – draft-ietf-dnsop-rfc7816bis – Back in 2016, RFC 7816 defined an experimental way to increase DNS privacy and limit the exposure of DNS query information: instead of sending the full queried name to every server on the path from the root down, a resolver sends each authoritative server only as many labels of the name as that server needs to return a referral, so the root and TLD servers never see the full name. This new work is to move RFC 7816 from an Experimental document to a Standards Track document.
- Running a DNS root server locally – draft-ietf-dnsop-7706bis – Another way to increase DNS privacy is to not send queries up the DNS resolver chain to the root at all, by running your own local copy of the root zone. Back in 2015, the informational RFC 7706 defined how to do this and specified running the copy on the “loopback” interface of the resolver host. This new work broadens that to allow the local copy to run more generally on local systems. At the recent ICANN 63 meeting in Barcelona, this was discussed as “hyperlocal” copies of the root zone of DNS. Wes Hardaker at ISI also has a site about this effort: https://localroot.isi.edu/ Not only could this increase privacy, but also the resiliency of the DNS system. However, it is not without its critics and so there could be a good discussion in Bangkok.
- Serving stale data to increase DNS resiliency – draft-ietf-dnsop-serve-stale – This draft defines the conditions under which DNS resolvers may continue to use cached DNS data even after its Time To Live (TTL) expires. Basically, if you can’t reach an authoritative server for some reason, under what conditions, and for how long, could you continue to serve the records you previously retrieved from that server?
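To make the first and third of these concrete, here is an added example, written for this page and not taken from the drafts or from any resolver implementation. It is a toy Python resolver that walks a constructed three-zone delegation tree with and without QNAME minimisation, recording exactly what each server gets to see, plus a small cache class that applies the serve-stale rule. The zone data, names, TTLs and the `max_stale`/`stale_ttl` policy values are constructed assumptions for illustration.

```python
"""Added example: QNAME minimisation (RFC 7816) and serve-stale behaviour in a
toy resolver.  The delegation tree, names, TTLs and policy values are
constructed sample data, not real DNS, and none of this is code from the
drafts or from any resolver implementation."""

# Constructed delegation tree: zone apex -> {owner name: record}.  A record of
# ("NS", child) means "referral to child zone"; anything else is a final answer.
SAMPLE_ZONES = {
    ".": {"com.": ("NS", "com.")},
    "com.": {"example.com.": ("NS", "example.com.")},
    "example.com.": {"www.example.com.": ("A", "192.0.2.10")},
}


def _ancestors(qname):
    """Names from the root down to qname: '.', 'com.', 'example.com.', ..."""
    labels = [label for label in qname.split(".") if label]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def _lookup(zone_data, name):
    """What an authoritative server answers: the record for the longest owner
    name in its zone that covers the queried name, or None."""
    best = None
    for owner, rr in zone_data.items():
        covers = name == owner or name.endswith("." + owner)
        if covers and (best is None or len(owner) > len(best[0])):
            best = (owner, rr)
    return None if best is None else best[1]


def resolve(qname, qtype, minimise, zones=SAMPLE_ZONES):
    """Iterate from the root and return (answer, sent); sent lists the
    (zone_asked, name_sent, type_sent) tuples the resolver emitted.

    Without minimisation the full name and type go to every server on the
    path, so the root and TLD servers learn the whole query.  With QNAME
    minimisation each server only sees the ancestor one label longer than
    the zone it serves (RFC 7816 asks for type NS at those names); the full
    name is revealed only to the server that can actually answer it."""
    sent = []
    ancestors = _ancestors(qname)
    zone = "."
    while True:
        if minimise and zone != qname:
            name = ancestors[ancestors.index(zone) + 1]
            rtype = qtype if name == qname else "NS"
        else:
            name, rtype = qname, qtype
        sent.append((zone, name, rtype))
        rr = _lookup(zones[zone], name)
        if rr is None:
            return None, sent          # nothing known here: treat as no data
        kind, value = rr
        if kind == "NS" and value != zone:
            zone = value               # follow the referral down one zone
            continue
        return value, sent


class StaleCache:
    """Resolver cache that can keep answering from expired ("stale") entries
    while the authoritative server is unreachable, as draft-ietf-dnsop-serve-stale
    proposes.  max_stale (how long past expiry an entry may still be served)
    and stale_ttl (the TTL put on a stale answer) are assumed policy knobs."""

    def __init__(self, max_stale=86400, stale_ttl=30):
        self.max_stale = max_stale
        self.stale_ttl = stale_ttl
        self._rrs = {}  # (name, rtype) -> (rdata, expires_at)

    def put(self, name, rtype, rdata, ttl, now):
        self._rrs[(name, rtype)] = (rdata, now + ttl)

    def get(self, name, rtype, now, upstream_reachable):
        """Return (rdata, ttl, is_stale) or None.

        Fresh data is always served with its remaining TTL.  Expired data is
        served only when a refresh is failing (upstream_reachable is False)
        and the entry is within max_stale of its expiry; it then carries the
        short stale_ttl so clients come back soon.  None means the caller
        must resolve afresh (or fail) as usual."""
        entry = self._rrs.get((name, rtype))
        if entry is None:
            return None
        rdata, expires = entry
        if now < expires:
            return rdata, expires - now, False
        if not upstream_reachable and now < expires + self.max_stale:
            return rdata, self.stale_ttl, True
        return None


if __name__ == "__main__":
    for minimise in (False, True):
        answer, sent = resolve("www.example.com.", "A", minimise)
        print("minimise=%s -> %s via %s" % (minimise, answer, sent))
```

Running the block prints both traces: without minimisation the root and `.com` servers each receive `www.example.com.`, with it they receive only `com.` and `example.com.` respectively. The cache deliberately refuses to serve stale data while the upstream is reachable, which is the point the draft makes: serve-stale is a fallback for an outage, not a way to ignore TTLs.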
If there is time in the session, Paul Hoffman’s draft-hoffman-resolver-associated-doh may come up for discussion. This relates to the somewhat controversial DNS over HTTPS (DoH), now defined in RFC 8484, which lets an application such as a web browser send DNS queries over HTTPS to a DoH server, where the DNS resolution is performed. The controversy with DoH comes down primarily to two points: 1) it lets an application completely bypass the local DNS resolvers, and thereby any local DNS filtering, monitoring or restrictions; and 2) the first announced use of DoH was by Mozilla Firefox with a DoH server from Cloudflare, which raised concerns about centralization and potential choke points. As more entities have stood up DoH servers, DoH clients need some way to learn which DoH server to use. Paul’s draft provides one such mechanism, letting a client discover the DoH server associated with the resolver it is already configured to use.
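Since the discussion hinges on what a DoH query actually looks like on the wire, here is an added example (not code from the original post, from RFC 8484 or from any DoH client) that builds the two RFC 8484 request forms in Python and decodes a response. The query is a plain RFC 1035 wire-format message; for GET it is carried in the `dns=` parameter as unpadded base64url, for POST it is the body with the `application/dns-message` media type. The server URL `https://dns.example/dns-query` and the response bytes are constructed assumptions; nothing here touches the network.

```python
"""Added example: the RFC 8484 DNS-over-HTTPS message shapes.  Builds a
wire-format DNS query, packs it into the GET (?dns=base64url) and POST forms,
and decodes a constructed application/dns-message response.  The DoH server
URL and the response bytes are constructed assumptions; nothing here talks to
the network."""
import base64
import ipaddress
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 section 6


def encode_name(name):
    """'www.example.com.' -> RFC 1035 length-prefixed labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_query(qname, qtype=1, qclass=1):
    """Wire-format query: ID 0 (RFC 8484 section 4.1 recommends this for GET
    so identical questions produce identical, cacheable URLs; TLS, not the
    ID, protects against spoofing here), RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def doh_get_url(base_url, query):
    """GET form: the message goes in ?dns= as base64url without padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_post_request(base_url, query):
    """POST form: raw message as the body, typed as application/dns-message."""
    headers = {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE}
    return "POST", base_url, headers, query


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it).
    Bounds the number of pointer hops so a malicious message cannot loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_answers(msg):
    """Answer section as [(owner, rtype, ttl, rdata)]; A/AAAA rdata decoded to
    text, other types left as raw bytes.  Raises on a non-zero RCODE."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        answers.append((owner, rtype, ttl, rdata))
    return answers


# Constructed sample response (not captured from a real server): QR/RD/RA set,
# one question, one A answer whose owner is a pointer back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com.") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("www.example.com.")
    print(doh_get_url("https://dns.example/dns-query", q))  # assumed server URL
    print(parse_answers(SAMPLE_RESPONSE))
```

For `www.example.com.`/A the GET form comes out as `?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the same string RFC 8484 uses in its own GET example, which is a handy way to check an implementation. Note what the privacy argument is really about: the HTTPS wrapper hides this message from the local network, but the DoH server at the other end still sees every query, which is why the choice of server matters so much.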
If by some miracle there happens to still be time in the session and there is an open mic, I may see if I can briefly ask the group if there is interest in moving forward the draft that several of us worked on about DNSSEC cryptographic algorithm agility – draft-york-dnsop-deploying-dnssec-crypto-algs . However, given the agenda, I highly doubt there will be an opportunity – it will need to be mailing list activity.
DNS PRIVate Exchange (DPRIVE)
The DPRIVE working group meets Wednesday morning from 09:00-11:00 ICT. This meeting at IETF 103 is focused primarily on how to add privacy to the communication between a DNS recursive resolver and the authoritative DNS servers for a given domain, a hop that is still sent in the clear even where the stub-to-resolver path uses DNS over TLS (RFC 7858). Specifically, they will spend about 30 minutes on the “user perspective” of DNS privacy and a full hour on the “authoritative and recursive perspective” as the working group considers whether to expand its work to cover more elements of the DNS infrastructure.
Extensions for Scalable DNS Service Discovery (DNSSD)
Privacy will also get attention at the DNSSD Working Group on Thursday afternoon from 13:50-15:50 ICT. DNSSD focuses on how to make device discovery easier across multiple networks. For instance, helping you find available printers on not just your own network, but also on other networks to which your network is connected. However, in doing so the current mechanisms expose a great deal of information about the devices and services present.
The working group had a lengthy discussion at IETF 102 in Montreal about DNS privacy – and is planning a significant 50 minute discussion block here at IETF 103 in Bangkok.
DNSSEC Coordination informal breakfast meeting
As a final note, on Friday morning we may try an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. This time we are not sure yet because, with the formal meetings ending on Thursday, many people may be traveling home on Friday. We’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.
Other Working Groups
DANE and DNSSEC will also appear in the TLS Working Group’s meeting on Wednesday. The draft-ietf-tls-dnssec-chain-extension will be presented as a potential way to make DANE faster: the TLS server sends the client its DANE TLSA records together with the DNSSEC chain needed to validate them inside the TLS handshake itself, so the client does not have to perform separate DNS lookups before it can authenticate the server. There has been a lengthy discussion on the TLS list and the chairs are scheduling 55 minutes for this discussion.
Given the key role DNS plays in the Internet in general, you can also expect DNS to appear in other groups throughout the week.
P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:
- http://www.internetsociety.org/deploy360/dnssec/
- http://www.internetsociety.org/deploy360/resources/dane/
Relevant Working Groups at IETF 103:
DNSOP (DNS Operations) WG
Monday, 5 November 2018, 13:50-15:50 ICT, Chitlada 1
Agenda: https://datatracker.ietf.org/meeting/103/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/
DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 7 November 2018, 09:00-11:00 ICT, Meeting 1
Agenda: https://datatracker.ietf.org/meeting/103/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/
DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 8 November 2018, 13:50-15:50 ICT, Meeting 2
Agenda: https://datatracker.ietf.org/meeting/103/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: http://tools.ietf.org/wg/dnssd/charters/
Follow Us
It will be a busy week in Bangkok, and whether you plan to be there or join remotely, there’s much to monitor. Follow us on the Internet Society blog, Twitter, or Facebook using #IETF103 to keep up with the latest news.
The post Rough Guide to IETF 103: DNSSEC, DNS Security and DNS Privacy appeared first on Internet Society.
Oct 29
Internet Society Seeks Nominations for 2019 Board of Trustees (Featured Blog)
Oct 29
Nominations Now Open for 2019 Internet Society Board of Trustees Election

The Internet Society Nominations Committee is now inviting nominations for candidates to serve on the Internet Society Board of Trustees.
In 2019, Internet Society Chapters and the IETF will each select one Trustee, and our Organization Members will select two Trustees. Following an orientation program, all new Trustees will begin 3-year terms commencing with the Internet Society Annual General Meeting in July.
The Board of Trustees provides strategic direction, inspiration, and oversight to advance the Internet Society’s mission of preserving the open, globally-connected, trustworthy and secure Internet for everyone.
If you or someone you know is interested in serving on the Board, please see the official Call for Nominations, additional information, and links to online nomination forms at:
http://www.internetsociety.org/trustees
The nominations period closes at 15:00 UTC on Friday, 14 December 2018.
The post Nominations Now Open for 2019 Internet Society Board of Trustees Election appeared first on Internet Society.
Oct 24
New Internet Draft: Considerations on Internet Consolidation and the Internet Architecture

Are there assumptions about the Internet architecture that no longer hold in a world where larger, more centralized entities provide big parts of the Internet service? If the world changes, the Internet and its technology/architecture may have to match those changes. It appears that level[ing] the playing field for new entrants or small players brings potential benefits. Are there technical solutions that are missing today?
These questions are among many asked in a new Internet Draft published yesterday by former IETF Chair Jari Arkko on behalf of several Internet Architecture Board (IAB) members with the title “Considerations on Internet Consolidation and the Internet Architecture”:
https://tools.ietf.org/html/draft-arkko-iab-internet-consolidation-00
The draft text is based on the IAB “Consolidation” blog post back in March 2018, as well as a new post Jari and Brian Trammell have written for the APNIC and RIPE sites.
The abstract of the Internet Draft is:
Many of us have held a vision of the Internet as the ultimate distributed platform that allows communication, the provision of services, and competition from any corner of the world. But as the Internet has matured, it seems to also feed the creation of large, centralised entities in many areas. This phenomenon could be looked at from many different angles, but this memo considers the topic from the perspective of how available technology and Internet architecture drives different market directions.
The document discusses different aspects of consolidation including economic and technical factors. It ends with section 3, “Actions,” which lists these questions and comments for discussion:
- Are there assumptions about the Internet architecture that no longer hold in a world where larger, more centralised entities provide big parts of the Internet service? If the world changes, the Internet and its technology/architecture may have to match those changes. It appears that level[ing] the playing field for new entrants or small players brings potential benefits. Are there technical solutions that are missing today?
- Assuming that one does not wish for regulation, technologies that support distributed architectures, open source implementations of currently centralised network functions, or help increase user’s control can be beneficial. Federation, for example, would help enable distributed services in situations where smaller entities would like to collaborate.
- Similarly, in an asymmetric power balance between users and services, tools that enable the user to control what information is provided to a particular service can be very helpful. Some such tools exist, for instance, in the privacy and tracking-prevention modes of popular browsers but why are these modes not the default, and could we develop them further?
- It is also surprising that in the age of software-defined everything, we can program almost anything else except the globally provided, packaged services. Opening up interfaces would allow the building of additional, innovative services, and better match with users’ needs.
- Silver bullets are rare, of course. Internet service markets sometimes fragment rather than cooperate through federation. And the asymmetric power balances are easiest changed with data that is in your control, but it is much harder to change when someone else holds it. Nevertheless, the exploration of solutions to ensure the Internet is kept open for new innovations and in the control of users is very important.
- What IETF topics should be pursued to address some of the issues around consolidation?
- What measurements relating to the developments in centralization or consolidation should be pursued?
- What research – such as distributed Internet architectures – should be driven forward?
These are all excellent questions, many of which have no easy answers. The draft encourages people interested in this topic to join the IAB’s “architecture-discuss” mailing list (open to anyone interested to subscribe) as one place to discuss this. This is all part of the ongoing effort by the IAB to encourage a broader discussion on these changes that have taken place to the way in which the Internet operates.
It is great to see this Internet Draft and I do look forward to the future discussions to see what actions or activities may emerge. It’s a challenging issue. As the draft discusses, there are both positive and negative aspects to consolidation of services – and the tradeoffs are not always clear.
This broader issue of consolidation or centralization has been an area of interest for us at the Internet Society for quite some time, dating back to our “future Internet scenarios” in 2008 and even before. More recently, our Global Internet Report 2017 on the “Paths to Our Digital Future” recognized the concerns – so much so that we decided to focus our next version of the GIR on this specific topic. (Read our 2018 GIR concept note).
Beyond the Global Internet Report, we’ve published articles relating to consolidation – and it’s been a theme emerging in several of our “Future Thinking” posts. I know that we will continue to write and speak about this theme because at its core it is about the future of what we want the Internet to be.
Please do join in these conversations. Share this Internet Draft with others. Share our 2017 Global Internet Report. Engage in the discussions. Help identify what the issues may be – and what solutions might be.
The Internet must be for everyone. Together we can #ShapeTomorrow.
Image credit: a cropped section of a photo by Paul Gilmore on Unsplash
The post New Internet Draft: Considerations on Internet Consolidation and the Internet Architecture appeared first on Internet Society.
Oct 23
Watch Live – DNSSEC Workshop on October 24 at ICANN 63 in Barcelona

What can we learn from recent success of the Root KSK Rollover? What is the status of DNSSEC deployment in parts of Europe – and what lessons have been learned? How can we increase the automation of the DNSSEC “chain of trust”? And what new things are people doing with DANE?
All these topics and more will be discussed at the DNSSEC Workshop at the ICANN 63 meeting in Barcelona, Spain, on Wednesday, October 24, 2018. The session will begin at 9:00 and conclude at 15:00 CEST (UTC+2).
The agenda includes:
- DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
- Panel: DNSSEC Activities
- Includes presenters from these TLDs: .DK, .DE, .CH, .UK, .SE, .IT, .ES, .CZ
- Report on the Execution of the .BR Algorithm Rollover
- Panel: Automating Update of DS records
- Panel: Post KSK Roll? Plan for the Next KSK Roll?
- DANE usage and use cases
- DNSSEC – How Can I Help?
It should be an outstanding session! For those onsite, the workshop will be in room 113.
- WATCH LIVE: https://participate.icann.org/bcn63-113
- More info and slides are available from these URLs (ICANN’s online schedule system breaks it up into sections based on breaks and lunch):
- 9:00-10:15 – https://63.schedule.icann.org/meetings/901549
- 10:30-12:00 – https://63.schedule.icann.org/meetings/901554
- 13:30-15:00 – https://63.schedule.icann.org/meetings/901555
Lunch will be served between the second and third sessions.
Thank you to our lunch sponsors: Afilias, CIRA, and SIDN.
Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!
If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.
Image credit: ICANN
The post Watch Live – DNSSEC Workshop on October 24 at ICANN 63 in Barcelona appeared first on Internet Society.
Oct 16
Testing the details element
I was rather amazed today to discover the <details> element. Where had this been? Clearly I’ve not been keeping up with the evolution of HTML!
Why is this site called deepdark.blue?
I wanted to test out using a “new generic top-level domain” (newgtld).
But why .blue?
Why not? And because I like the color blue.
But is there any other point to this site?
Nope. None whatsoever. It’s just a testing site.
Per the Mozilla documentation of <details>, this is supported by all modern browsers except Microsoft IE and Microsoft Edge. It does seem that MS is working on adding this to Edge, though.
Hat tip to someone on Mastodon who pointed me to:
Oct 16
TDYR 357 – The DNSSEC KSK Rollover on October 11 was blissfully boring
Oct 15
Website update: Experiencing problems with translations into French and Spanish
I must apologize to readers of our French and Spanish versions of our website. We are currently experiencing a problem with our usage of the WordPress Multilingual (WPML) plugin that is preventing us from sending our new content out for translation. It is proving to be quite difficult to identify and fix the issue. We are working with our development team, our hosting provider, and the WPML support team to find the solution. I hope that in the next couple of days we can solve this and return to our regular publishing in three languages.
Thank you for your patience.
P.S. Those who want more of the technical details can see the open WPML support ticket. You are also welcome to contact me directly at york@isoc.org.
The post Website update: Experiencing problems with translations into French and Spanish appeared first on Internet Society.
Oct 12
We Need to Talk… about the State of Internet Governance

In about a month, some of the key stakeholders in Internet Governance will come together in Paris and talk about the public policy challenges facing the Internet in 2018 and beyond. They will do so at the Internet Governance Forum, a UN-supported platform that will meet for the thirteenth time this year.
The IGF traditionally brings different groups of stakeholders into a large conference centre, and provides for the opportunity for these different stakeholders to discuss: the idea being that understanding, consensus and collaboration will emerge between these different communities.
Join us for a pre-IGF stakeholder networking event on Tuesday, 16 October in Brussels. Learn more and register!
Multistakeholderism: a vivid term with many meanings
The IGF model of multistakeholderism is one of a plethora of different approaches to engaging with actors beyond states in questions of global governance. Some rely more on governments, other processes rely on technical expertise, others have come and gone. Others, like the Internet Society, tend to refer to multistakeholder approaches, rather than one model.
Many observers tend to think this concept was invented by the Internet community, but shaping (global) policy through direct engagement with stakeholders has been an integral part of a range of different policy fields for a long time. In environmental policy, labour relations, and forestry management, to name but a few, one of the key questions asked by policymakers has been “how can we develop globally-relevant, fair, legitimate and efficient policies?” The conclusions drawn by policymakers often included the strengthening of participatory governance mechanisms, which is where multistakeholder approaches step in. These approaches try to answer the ‘who’ (participation), ‘why’ (purpose), and ‘how’ (process) questions differently from how governments of flesh and steel would normally answer them.
For better or worse, the IGF is one of the biggest platforms for Internet Governance. The IGF undoubtedly serves a purpose at this moment, and is very useful for many of its participants. However, we have been talking about its reform for a while now, and even longer.
What needs to happen?
Does the IGF need another grand review? There are many things that could be done to generate a new momentum behind the IGF. These are not new and do not address all the problems, but as a whole, these elements may work to help us consider some of the ‘who’, ‘how’ and ‘why’ questions that still linger around the IGFs and other multistakeholder fora.
- Sort out our calendars. First of all, this IGF takes place at a time when an increasingly important number of ‘competitors’ will also be discussing Internet Governance. For example, the ITU’s Plenipotentiary is taking place at the same time as the IGF.
- Give it time. The IGF also has no ‘day zero’ this year on which different groups could organise fringe events and coordination meetings. Hence, meetings like the Brussels pre-IGF meeting on 16 October are incredibly important to allow people to share information prior to the meeting itself.
- Work out who does what. Other venues are also venturing into the IGF space, with the UN Secretary General’s High Level Panel on Digital Cooperation recently having been announced, amongst others. So, we see a collection of different fora being (re-)established to focus on Internet Governance. Rather than a threat, this is actually an opportunity to think about the next thirteen years of the IGF: a little competition is actually a good thing.
- Get real. The IGF has often been touted as the opportunity to gather the world’s Internet community together to discuss how the Internet should be governed. This gargantuan task is not an easy one. What can the IGF actually achieve? The expectations of the forum need to be clearly set out, so that all stakeholders can share the same aim, and then work to deliver it.
- Focus. It may be useful to generate common themes and threads for discussion across IGFs, so that reporting, discussion and measurement can be continuous and tell a coherent and consistent story from one IGF to the next.
- Make much better use of the NRIs. National and Regional initiatives can feed into discussions at the IGF in a far more constructive way. They can also be platforms to push outcomes from the IGFs.
- Ensure all stakeholders are involved. IGFs tend to be open spaces, but that does not mean that self-exclusion, ignorance, or what I have heard termed ‘exclusion by acronym’ does not exist. Despite the diverse and broad nature of the subjects discussed at the IGFs, much of the entrepreneurial community is not present at these discussions; and their discussions on these topics go on in parallel in other spaces, such as this one. Furthermore, if states want the IGF process to be as legitimate as possible, they also need to engage fully in the events.
The post We Need to Talk… about the State of Internet Governance appeared first on Internet Society.