Just a guy in Vermont trying to connect all the dots...
Author's posts
Nov 04
DNSSEC Activities at ICANN 57 in Hyderabad on 4-7 November 2016 (Featured Blog)
Nov 03
DNSSEC and DANE Activities at ICANN 57 in Hyderabad, India, November 4-7, 2016
Friday marks the beginning of the ICANN 57 meeting in Hyderabad, India. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening.
All times below are India Standard Time (IST), which is UTC+05:30. (Yes, it is a half-hour off from other timezones.)
DNSSEC For Everybody: A Beginner’s Guide – 4 Nov
On Friday, November 4, 2016, we’ll have our “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.
- 17:00-18:30 – Hall 2
- More info: https://icann572016.sched.org/event/8cyu/dnssec-for-everybody-a-beginners-guide
- WATCH LIVE: https://participate.icann.org/hyd57-hall2
Please come with your questions and prepare to learn all about DNSSEC!
DNSSEC Implementers Gathering – 6 Nov
On Sunday, November 6, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank Afilias for their generous sponsorship of this gathering at ICANN 57!
DNSSEC Workshop – 7 Nov
Our big 6-hour workshop will take place on Monday, November 7, from 09:00 – 15:00 in Room G.03/G.04. Lunch will be included. Thank you to our lunch sponsors: Afilias, CIRA, Dyn and SIDN.
The very full agenda includes:
- DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
- Panel: DNSSEC Activities in the Asia Pacific Region
- Aggressive Use of NSEC/NSEC3
- Panel: Root Key Rollover Discussion – Recursive Resolver Software Readiness
- Demonstration: DNS Operator Interface for DNSSEC
- Research Infrastructure for Internet Naming, Identification, and the DNS
- The Great DNSSEC/DNS Quiz
- Demonstration: Windows Server DNSSEC Functionality
- Demonstration: DNSSEC-S/MIME-DANE Package for Microsoft Outlook
- Secure Mailserver Using DNSSEC/TLSA
- DNSSEC – How Can I Help?
It should be an outstanding session!
- 09:00 – 15:00, Room G.03/G.04
- WATCH LIVE: https://participate.icann.org/hyd57-G3
- More info and slides are available from these URLs (ICANN’s online schedule system breaks it up into sections based on breaks and lunch):
As neither I nor Russ Mundy was able to travel to Hyderabad, I want to personally thank Wes Hardaker and Jacques Latour for stepping in to help with some of the emceeing and other meeting facilitation duties.
Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!
If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.
Nov 02
NIST Publishes New Guide: “DNS-Based Email Security” about DANE and DNSSEC
How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?
Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)” the document offers guidance to enterprises and others into “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.” Specifically it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.
As NIST states on their web page, the goal of the project around this publication is:
- Encrypt emails between mail servers
- Allow individual email users to digitally sign and/or encrypt email messages
- Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages
You can download the guide or sections of it from that web page.
NIST is seeking public comments on this new guide from today through December 19, 2016.
It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.
And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.
Nov 01
In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC
Congratulations to the teams in both Singapore and Senegal for signing their country-code top-level domains (ccTLDs) with DNSSEC back in September. According to Rick Lamb’s list of DNSSEC-signed TLDs, Singapore’s signature for the .SG domain was added to the root of DNS on September 22, and Senegal’s signature for .SN was added on September 30. [1]
This means that as of those dates, second-level domains under .SG and .SN could start receiving the added layer of security and trust possible with DNSSEC. In Singapore SGNIC started actively encouraging people to sign their domains. In Africa, ICANN’s Yaovi Atohoun wrote about how Senegal is the third African ccTLD to sign with DNSSEC this year.
I also added both countries to our weekly DNSSEC Deployment Maps so people can see them there. (And here’s a test of your geography: where are Senegal and Singapore?)
This is all great news as the world continues to add a layer of trust to answers from DNS by using DNSSEC. Congrats again to the teams in both countries!
If you would like to get started with DNSSEC, please visit our Start Here page to begin.
[1] To be precise, what happened is that the “Delegation Signer” or “DS” records for each TLD were added to the root of DNS. The DS record is a fingerprint of the DNSKEY used to sign the domain. It is included in the parent zone to create a “global chain of trust” from the root of DNS on down.
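The DS-to-DNSKEY relationship described in footnote [1], as an added example that is not part of the original post: it builds a SHA-256 DS record from a DNSKEY following RFC 4034 and RFC 4509, then checks a key against it the way a validator would. The key bytes are constructed sample data, not the real .SG or .SN keys, and the function names are illustrative.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:  # the root zone "." has no labels
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """Return (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(ds, owner, rdata):
    """Validator's check: does the child's DNSKEY hash to the parent's DS?"""
    return ds == make_ds(owner, rdata)

# Constructed sample key (NOT a real TLD key): flags 257 = KSK, protocol 3,
# algorithm 8 = RSA/SHA-256, 32 placeholder bytes standing in for the key.
SAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))

if __name__ == "__main__":
    ds = make_ds("sg.", SAMPLE_KSK)
    print("sg. IN DS %d %d %d %s" % ds)
    swapped = dnskey_rdata(257, 3, 8, bytes(range(2, 34)))
    print("genuine key matches:", ds_matches(ds, "sg.", SAMPLE_KSK))
    print("swapped key matches:", ds_matches(ds, "sg.", swapped))
```

Because the owner name is hashed together with the key, the same key published under a different zone name yields a different DS, which is why the check takes the owner as well as the key.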
Nov 01
Writing Every Day of November – the NaNoWriMo and NaBloPoMo Challenges
Today is the day! Every year on November 1 some number of writers across the world challenge themselves to write EVERY SINGLE DAY in November.
Some amazingly choose to focus on writing a novel. They go the "NaNoWriMo" route, a.k.a. "National Novel Writing Month"... where "national" is really any nation in the world. Best place to learn more is the simple address: nanowrimo.org
Given that the target of NaNoWriMo is to write 50,000+ words, that's a serious commitment!
Others of us, and I'll add myself this year, choose to focus instead on writing at least one blog post every day as part of "NaBloPoMo", a.k.a. "National Blog Posting Month".
NaBloPoMo started back in 2006 and since 2011 has been championed by the BlogHer community. BlogHer is supporting NaBloPoMo again in 2016, but it wasn't clear for a while if they were going to do so. Meanwhile, another group at the "Cheerpeppers" site started a "blog once a day" challenge under the name "Nano Poblano".
Regardless, the point is to challenge yourself to write every day.
And of course being in our social world, you can follow along at the hashtags #NaNoWriMo and #NaBloPoMo - and also now #Nanopoblano (the hashtags all link to Twitter here but you can find them used on other social networks as well).
For myself, I am going to give it a try. Writing (and publishing) every day. As I recently wrote, I'm struggling to write consistently... so this provides a goal for me to strive for.
Now, I won't be writing here on Disruptive Conversations every day. My personal goal is to publish some article across all my various blogs each day of November. That includes the blogs at the Internet Society, my employer.
You - and I - will be able to track how I am doing at my danyork.me site where I aggregate all my posts across all my sites.
We'll see how I do!
And best wishes to everyone else who is pushing themselves to do one of these challenges this year. Let's see the writing happen!
P.S. I haven't signed up for either the BlogHer or Cheerpeppers challenges. I'm just doing this for me right now.
Oct 31
For Immediate Release #59: Kick Him in the (Virtual) Nuts!
Christopher Barger (Brain+Trust Partners), Gini Dietrich (Arment Dietrich Inc.), and Doug Haslam (Stone Temple Consulting) were on the FIR panel for some conversation about the following topics…
- A study found a correlation between increased investment in CSR activities and profitability.
- Ratings for National Football League broadcasts are way down and a lot of reasons are being cited. A lot of them come down to the NFL’s culture and values.
- Sexism is alive and well — even at the PRSA conference.
- PR agencies aren’t training their staffs to deliver the kind of digital services their clients want.
- Dan York reports on the feud between Twitter and Facebook over live streaming enhancements.
- Twitter is discontinuing Vine, and Vine producers aren’t happy. (Neither is one of Vine’s founders.)
- A study finds CMOs believe Artificial Intelligence will be bigger than social media.
- Apple has dropped a lot of ports customers are accustomed to on its latest MacBook Pro.
Connect with our panelists on Twitter at @cbarger, @ginidietrich, and @dough.
Doug Haslam’s jargon list from this episode:
- Change Agent
- Grok
- Walk the talk
- Talk the talk
- Gak
Links to the source material for this episode are on Contentle.
Special thanks to Jay Moonah for the opening and closing music.
About today’s panel:
Christopher Barger is a partner at Brain+Trust Partners, an executive consultancy helping leaders manage an evolving marketplace with common sense and strategic guidance. He was previously Senior Vice President of Global Programs at Voce Communications, a Porter Novelli company, helping clients around the world develop and execute social media strategies. Christopher has been in the Porter Novelli family since 2011, arriving after nearly seven years of leading social media programs at Fortune 50 companies, and has a decade and a half’s experience building corporate communications strategies. Before joining PN, Christopher was director of global social media at General Motors, building the company’s social media program and leading its presence across multiple social networks. Christopher also previously managed social media initiatives and corporate communications for IBM, serving from 2005-2007 as that company’s first “Blogger-in-Chief” and playing the pivotal role in the development of IBM’s social media program. Christopher is the author of the book “The Social Media Strategist” (McGraw Hill, 2012).
Gini Dietrich is the founder and CEO of Arment Dietrich, a Chicago-based integrated marketing communications firm. She is the lead blogger at the PR and marketing blog, Spin Sucks, is co-author of Marketing In the Round, and is co-host of Inside PR, a weekly podcast about communications and social media. Her second book, Spin Sucks, is now available! She speaks, she writes for Crain’s Chicago Business and other publications.
Doug Haslam’s career has spanned a variety of disciplines within the communications field: radio technology, editorial production, public relations, marketing, social media and digital. Currently a senior consultant with Stone Temple Consulting, Doug began with public radio, producing news and thoughtful sports programs, moving into technology public relations, and currently to social media and content strategy for brands of all sizes and industries. Doug’s love of media has come full circle, as his most recent positions have seen him taking full advantage of his content creation skills, managing social media and brand publishing programs for a wide variety of clients.
The post FIR #59: Kick Him in the (Virtual) Nuts! appeared first on FIR Podcast Network.
Oct 27
Watch Live TODAY – DNSSEC Root KSK Ceremony at 17:00 UTC
Today a critical part of DNS security – DNSSEC – will receive a major update, and you can watch it all live starting at 17:00 UTC (1:00pm US EDT – local time) streaming out of ICANN’s data center in Virginia:
https://www.iana.org/dnssec/ceremonies/27
Olaf Kolkman, our CITO, will be in attendance as a “Crypto Officer” (key holder). Olaf wrote a post with info about the 25th key ceremony back in May 2016 and shared some of his photos.
The important step today is that this key ceremony will involve the creation of a new Key Signing Key (KSK) for the root of DNS. This begins what will be a year-long process of “rolling over” the cryptographic key at the heart of the DNSSEC system. ICANN has a page dedicated to the “Root KSK Rollover” explaining the details – and this “at-a-glance” PDF provides the key facts and dates.
This is a great step in making DNSSEC even more secure.
If you’re interested, ICANN posts the “script” that will be used to go through today’s key ceremony. All of the key ceremonies are streamed live and archived for later viewing.
If you want to learn more about DNSSEC in general, please visit our Start Here page to find resources to help!
Image credit – Olaf Kolkman on Flickr. Used with permission.
Oct 25
How To Survive A DNS DDoS Attack – Consider using multiple DNS providers
How can your company continue to make its website and Internet services available during a massive distributed denial-of-service (DDoS) attack against a DNS hosting provider? In light of last Friday’s attack on Dyn’s DNS infrastructure, many people are asking this question.
One potential solution is to look at using multiple DNS providers for hosting your DNS records. The challenge with Friday’s attack was that so many of the affected companies – Twitter, Github, Spotify, Etsy, SoundCloud and many more – were using ONLY one provider for DNS services. When that DNS provider, Dyn, Inc, then came under attack, people couldn’t get to the servers running those services. It was a single point of failure.