Just a guy in Vermont trying to connect all the dots...
Author's posts
Mar 06
DNSSEC and DANE Activities at ICANN 58 in Copenhagen, March 12-15, 2017
Next week in Copenhagen, Denmark, ICANN 58 will include some great technical info about DNSSEC and DANE happening in several sessions. Here is the plan…
All times below are Central European Time (CET), which is UTC+1.
DNSSEC For Everybody: A Beginner’s Guide – Sunday, 12 March
On Sunday, March 12, 2017, we’ll have the “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.
- 17:00-18:30 – Hall A3
- More info: https://schedule.icann.org/event/9nnk/dnssec-for-everybody-a-beginners-guide
- WATCH LIVE: https://participate.icann.org/cph58-halla3
Please come with your questions and prepare to learn all about DNSSEC!
Tech Day – Monday, 13 March
The Monday of most ICANN meetings includes the ccNSO “Tech Day”. While the current agenda does not include anything specific to DNSSEC or DANE, there is a session about DNS Privacy (DPRIVE) that may be of interest to some. See this link for more information:
Root Key Signing Key Rollover: Changing the Keys to the Domain Name System – Tuesday, 14 March
On Tuesday, March 14, ICANN staff will offer a special session talking about the Root Key Rollover process. While we’ll also have some of this info in the Wednesday DNSSEC Workshop, this special session may be of interest to some. The abstract is:
The keys to the Domain Name System are changing for the first time ever. ICANN operates the root zone key signing key (KSK), which is the “master” key for DNS Security Extensions (DNSSEC). This cryptographic key was created when the root zone was signed in 2010. In this session, members of ICANN’s Technical Team will provide an update on the KSK rollover and answer community questions. This session will be of particular interest to Internet service providers, enterprise network operators and others who have enabled DNSSEC validation.
- 17:00-18:15 – Hall B3
- More info: https://schedule.icann.org/event/9nqE/root-key-signing-key-rollover-changing-the-keys-to-the-domain-name-system
- WATCH LIVE: https://participate.icann.org/cph58-hallb3
DNSSEC Implementers Gathering – TUESDAY, 14 March
Later in the evening of Tuesday, March 14, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. We’ll gather at a local restaurant / pub in the city of Copenhagen. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank DK Hostmaster for their generous sponsorship of this gathering at ICANN 58!
Please note: This gathering takes place on Tuesday evening in Copenhagen versus the usual Monday evening. As may be obvious, there is no remote participation option.
DNSSEC Workshop – 15 March
Our main 6-hour workshop will take place on Wednesday, 15 March, from 09:00 – 15:00 in Hall A3. Lunch will be included.
THANK YOU TO OUR LUNCH SPONSORS: Afilias, CIRA, and SIDN.
The very full agenda includes:
- DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
- Panel: DNSSEC Activities in the European Region
- Update on IETF DNSSEC Activities
- Root Key Rollover Update
- Panel: Validation in ISPs – Root Key Rollover Preparation
- Demonstration: Opportunistic IPsec using DNSSEC implementation
- State of ECDSA adoption in (cc)TLDs
- The Great DNSSEC/DNS Quiz
- Trusted Email Services
- Demonstration: SMILLA, an SMIMEA aware MILTER-program for SMTP servers
- DNSSEC – How Can I Help?
It should be an excellent session!
- 09:00 – 15:00, Hall A3
- WATCH LIVE: https://participate.icann.org/cph58-halla3
- More info and slides are available from these URLs (ICANN’s online schedule system breaks it up into sections based on breaks and lunch):
I will be there in Copenhagen and am looking forward to giving multiple presentations during the Wednesday session. It’s always a great gathering of some of the best technical people involved with DNS.
Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!
If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.
Mar 03
Comments? Internet Draft on DNSSEC Crypto Algorithm Agility
What are the challenges in deploying new cryptographic algorithms for DNSSEC? As we look to move to using new crypto algorithms such as ECDSA, what are the barriers to getting those new algorithms rolled out? And how can we overcome those barriers?
A few of us wrote an Internet Draft on this topic:
and with IETF 98 fast approaching I am considering whether we need to publish a revision. So I’m curious – what do you think? Are there topics that we missed? Text that we could make a bit more clear? Additional points to consider?
We’d welcome any and all feedback. You can leave comments here on the blog post, or on social media where this appears… or you could just do that old-fashioned email thing.
Thanks in advance!
Mar 02
TDYR 323 – My First Lyft Ride Was Awesome
Feb 26
Watch Live Today! DNS Privacy Workshop Streaming from NDSS 2017
Want to learn the latest about DNS privacy? About the latest research and techniques to protect the confidentiality of your DNS info and queries?
Starting at 8:55 am PST (UTC-8) today, there will be what looks to be an outstanding workshop on DNS Privacy streaming live out of the Network and Distributed System Security Symposium (NDSS) in San Diego, California.
View the agenda of the DNS Privacy Workshop to see all the excellent sessions. You can then join live at:
https://isoc.zoom.us/j/935912695
(Other remote connection options can be found at the bottom of the agenda page.)
Note – this workshop is not about DNSSEC, which is a method to protect the integrity of DNS (to ensure DNS info is not modified in transit), but rather new work being done within the IETF to improve the confidentiality of DNS.
The sessions include:
- How DNS Works in Tor & Its Anonymity Implications
- DNS Privacy through Mixnets and Micropayments
- Towards Secure Name Resolution on the Internet – GNS
- Changing DNS Usage Profiles for Increased Privacy Protection
- DNS-DNS: DNS-based De-NAT Scheme
- Can NSEC5 be practical for DNSSEC deployments?
- Privacy analysis of the DNS-based protocol for obtaining inclusion proof
- Panel Discussion: The Tension between DNS Privacy and DNS Service Management
- The Usability Challenge for DNS Privacy and End Users
- An Empirical Comparison of DNS Padding Schemes
- DNS Service Discovery Privacy
- Trustworthy DNS Privacy Services
- EIL: Dealing with the Privacy Problem of ECS
- Panel Discussion: DNS-over-TLS Service Provision Challenges: Testing, Verification, internet.nl
If you are not there in person (as I will not be), you can also follow along on the #NDSS17 hashtag on Twitter. There will also be tweets coming out of:
Stéphane Bortzmeyer will also be attending (and speaking at) the workshop – and he is usually a prolific tweeter at @bortzmeyer.
The sessions will also be recorded for later viewing. I’m looking forward to seeing the activity coming out of this event spur further activity on making DNS even more secure and private.
Please do follow along remotely – and please do share this information with other people you think might be interested. Thank you!
Image from Unsplash – I thought about showing the wide beaches, but the reality is that the conference participants won’t really get a chance to visit them. I thought “Lifeguard” was appropriate, though, because lifeguards are all about protecting people and keeping things safe.
Feb 21
The Danger of Giving Up Social Media Passwords – So Many Other Services Are Connected
"What's the harm in giving up my Twitter password?", you might say, "all someone can do is see my direct messages and post a tweet from me, right?"
Think again. The reality today is that social media services are used for far more than just posting updates or photos of cats. They also act as "identity providers" allowing us to easily login to other sites and services.
We've all seen the "Login with Twitter" or "Continue with Facebook" buttons on various sites. Or for Google or LinkedIn. These offer a tremendous convenience. You can rapidly sign into sites without having to remember yet-another-password.
But...
... if you give your passwords to your social media accounts to someone, they could potentially[1]:
- Impersonate you on social media accounts and post updates in your name.
- Sign in to the comment sections of various news media sites and leave comments using your name.
- Connect in to photo sites and see your photos, and modify or delete the photos, or post new ones in your name.
- Sign in to e-commerce sites, view your orders and purchase items.
- Login to video sites and see what videos you have watched, or post new ones to your account.
- Login to your Medium account, view and change any articles you have written, add new comments as you.
- Sign in to Goodreads, view all your books, see all the lists of what you want to read, view all your reviews and post reviews in your name.
- Login to your Spotify account and learn all about what kind of music you like to listen to.
And that’s only a small number of examples.
We live in an era of highly-connected systems. And there are so many systems and services! The convenience of using our social media accounts to login is easy to understand.
But… if you give someone your password to a social media account, or are required to give your social media passwords to someone, you are giving them access to so much more than just that social media service.
What can you do?
1. Don’t give out your social media passwords!
2. Understand where your social media IDs are being used. In both Twitter and Facebook you can go into your “Settings” and choose “Apps” to see where you have granted access. You can revoke access there for sites and services you no longer use.
3. Think about whether you want to continue using your social media IDs in so many places. Does the convenience outweigh the issue of having so many services linked to one identity?
4. Enable 2-Factor Authentication on sites that offer this, which requires a second step beyond just your password to login. These are very easy to use, often using a phone or a small and inexpensive “dongle” that fits on your keyring.[2] Do note that this may not help if you are required by authorities to provide your social media passwords as they may require you provide the device used for two-factor authentication.
5. Use a password manager instead of using your social media ID to login to other sites, which enables you to generate and use very strong passwords and access them all with one master password. There are many excellent free and paid options available for both computers and mobile devices, with a variety of features.
6. Spread the word. Help others understand how critically important our social media passwords are.
P.S. For more ideas, please see
[1] Depending upon how you have configured the service to work.
[2] The FIDO Alliance is a leader in this area, and a list of enabled sites and certified products is available on their site https://fidoalliance.org/adoption/overview/
Feb 20
FIR #75: The Quality of Your Intent
Note: This episode continues our experiment with a streamlined format: two guest co-hosts instead of three panelists and fewer stories. We were able to shave even more time off the show this week and will aim for further slimming next week. Please let us know how you like the format — and the length — by sending an email to fircomments@gmail.com.
Doug Haslam and Augie Ray join Shel Holtz for this week’s episode, which covered these stories…
- An Accenture report found that loyalty programs aren’t working, with millions of reward points lingering unused while consumers have different criteria for what makes them loyal.
- Listener Tim Watt asked about our discussion in episode #73 about Volkswagen overcoming its emissions crisis to become the world’s top automaker. We discuss whether it would have mattered had the crisis been characterized as a public health issue rather than an environmental one.
- PewDiePie was dropped as a paid influencer for Disney and Google dropped him from its premium ad program after he shared anti-Semitic videos. It’s a challenge for brands to hold influencers accountable for their content; it’s also impossible to distinguish real rogue Twitter accounts created by disgruntled government employees from fake ones. Meanwhile, several media outlets nearly fell for a fake press release claiming McDonald’s was trying to acquire Chipotle, and a movie company launched a fake news campaign to promote a new film. With so much fakery everywhere, will consumers start distrusting everything they see?
- Dan York reports on social media passwords.
- The 2017 Edelman Trust Barometer calls for companies to put employees first, but new data from Gallup suggests most organizations aren’t heeding that advice.
Connect with guest co-hosts on Twitter at @dough and @augieray.
Links to the source material for this episode are on Contentle.
Special thanks to Jay Moonah for the opening and closing music.
FIR was recorded using Zencastr.
About today’s guest co-hosts:
Doug Haslam’s career has spanned a variety of disciplines within the communications field: radio technology, editorial production, public relations, marketing, social media and digital. Currently a senior consultant with Stone Temple Consulting, Doug began with public radio, producing news and thoughtful sports programs, moving into technology public relations, and currently to social media and content strategy for brands of all sizes and industries. Doug’s love of media has come full circle, as his most recent positions have seen him taking full advantage of his content creation skills, managing social media and brand publishing programs for a wide variety of clients.
Augie Ray is a Research Director covering customer experience for marketing leaders at Gartner. He has had a diverse career, including leading a digital experiential agency, directing social business at USAA and managing a global customer experience team at American Express. In his present role, Augie researches and advises clients on topics such as Voice of Customer, customer journey mapping, customer experience strategy and virtual reality.
Feb 15
CITO Olaf Kolkman Speaking at RSA 2017 about IoT Security with Bruce Schneier
Today at the RSA Conference 2017 in San Francisco, our Chief Internet Technology Officer Olaf Kolkman will be speaking as part of a panel on:
Internet of Insecurity: Can Industry Solve It or Is Regulation Required?
The abstract of the session is: