Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Sep 03

Do you use Docker Swarm? If so, how?

Docker swarm page

UPDATE – 20 Nov 2018 – I wrote this back in 2016 as I was just experimenting with Docker. Since that time, not only did Swarm emerge as Docker’s tool for container management/orchestration/clustering, but we also saw the emergence and then domination of Kubernetes as a tool for container orchestration.  I’m leaving this post online, but at this point the examples are quite prominent for how Swarm and other tools can be used.

—-

Do you use Docker Swarm? If so, how?  I have been incredibly intrigued ever since reading about the release of Docker 1.12 earlier this week.

As Benjamin Wooten writes, now with only two commands:

  • We get a deployment platform which gives us resilience, robustness, failover and fault tolerance for our containers.
  • We get load balancing and a routing mesh which makes service discovery simple.
  • We can use our server resources more efficiently with various allocation strategies.
  • We can scale containers up and down with one command.
  • Communications within the cluster are secured with dynamically rotating certificates.

Ever since, I have been reading more, such as this piece about setting up a swarm with Raspberry Pi systems.

Now I am curious… how are any of you reading this using Docker Swarm? What are doing with it?  I am intrigued and curious to do more…

Sep 02

Facebook Says: Get Your Site Mobile-Friendly Or Your Ads Will Suffer

Fb mobile performance

If your web site isn't "mobile-friendly" yet, and you do any advertising on Facebook, well... you better make your site mobile-friendly very soon! Facebook said on Wednesday that websites will be penalized in Facebook's advertising network if they are NOT mobile-friendly. The Wall St. Journal covered this news as did a number of other sites.

I completely understand Facebook's logic here. As they say at the beginning:

Has this ever happened to you? You tap a link on your mobile device, only to have the website take so long to load, you leave before you even see it. You’re not the only one. As many as 40 percent of website visitors abandon a site at 3 seconds of delay.

People are spending more and more time on mobile—consuming content, interacting with businesses and making purchases. However, since it’s a relatively new channel, many businesses haven’t optimized their website for mobile yet and still have very slow loading times. This can lead to negative experiences for people, and problems for businesses such as site abandonment, missed business objectives and inaccurate measurement.

I agree. I abandon visiting sites on my mobile phone all the time because the sites take a long time to load.

Of course, for me, I'm following links from posts inside of Facebook, not ads, but the principal is the same.

If you haven't optimized your site for mobile yet, there are plenty of resources available. Here are a few:

Beyond Facebook ads, of course, Google announced way back in 2014 that they would be penalizing sites in search result ranking that were NOT mobile-friendly. This news this week is just another reason to get this done!

Have you made your sites mobile-friendly? If not, why not?

An audio commentary on this topic is also available:

Sep 02

TDYR 311 – Facebook Says Get Mobile-Friendly Or Your Ads Will Suffer

This week Facebook provided yet another reason to make sure your website is "mobile-friendly" - ads for sites that are NOT will be penalized in Facebook's advertising network. In this episode I talk about that and some of the resources available. Read more: http://www.disruptiveconversations.com/2016/09/facebook-says-get-your-site-mobile-friendly-or-your-ads-will-suffer.html

Sep 01

TDYR 310 – Initial Thoughts on Facebook Messenger “Instant Video”

Facebook Messenger today launched "Instant Video", allowing you to add video to a text chat. In this episode I offer some initial thoughts about why this is interesting... Read more: http://www.disruptivetelephony.com/2016/09/facebook-messengers-instant-video-lets-you-simultaneously-use-video-and-chat.html

Sep 01

Facebook Messenger’s "Instant Video" Lets You Simultaneously Use Video and Chat

FB instant video

The messaging wars continue! Today Facebook Messenger added "Instant Video" to it's iOS and Android app, allowing you to easily share live video while still in a text chat. Facebook has had "video calling" since back in May 2015, but that requires both parties to answer the video call in the same way that Facetime, Wire and every other video app does it.

"Instant Video" is different:

  • VIDEO STARTS OUT ONE-WAY - Only the video of the person initiating "Instant Video" is shown. The recipient sees the video of the sender, but their video connection is NOT enabled. Now, the recipient can start sending video, but they don't have to.

  • AUDIO IS OFF INITIALLY - When the sender starts their video, the recipient receives the video without any sound. They can easily start getting sound by tapping on the speaker icon on the video, but this is great because often you are having a text conversation precisely because you don't want to use audio.

  • YOU CAN STILL SEE THE CHAT - The video overlays the upper right corner of the chat window, but that's it. You can still see the chat messages and continue having your chat.

This last point is quite important and useful. This "Instant Video" lets you add video to a chat, while still allowing chat to be the primary communication medium.

Predictably, there was a great amount of media coverage of this launch today. Some noted that this was yet-another-way Facebook was cloning Snapchat. Others called this an answer to Google Duo.

Regardless, I immediately saw a personal use case. Occasionally I will go to a local coffee shop to pick up muffins for my wife and I. The flavors are always changing. If I don't see one I think she'll like, I often wind up calling - or texting her with the flavors. But it would be actually a bit easier and faster if I texted her "which one do you want?" and then sent her a live video stream where I panned back and forth across the choices. Sure, that may seem a silly use case... but it immediately sprang to my mind.

For "Instant Video" to work, a couple of conditions need to be true:

  • YOU BOTH NEED THE LATEST MESSENGER APP - You need to have the latest version for either iOS or Android.

  • YOU BOTH NEED TO BE *IN* THE CHAT - This is key. You can't just open up Messenger and start sending video to someone who is listed in your contacts. You need to actually be in communication with the other person.

Once this second item is true the video icon on the top of the screen starts pulsating - at which point you can start sending "Instant Video".

I'd note that this is the same icon used to initiate a "regular" video call. However, when you are in a chat with someone else the pulsating icon means you can do this new "Instant Video" style of chat.

I found I really liked the overlay aspect. Here's the view I saw on my end:

FB Messenger video overlay

It worked very well to continue the text conversation while having the video right there, too.

It's an interesting addition as Facebook continues to try to make Messenger be THE tool that people use for messaging. Facebook has this advantage of having an absolutely massive "directory" of users (see "the Directory Dilemma") and so we may see this helping with keep people inside of Facebook's shiny walls.

What do you think? Do you see yourself using this "Instant Video"?

Sep 01

New RFC 7958 – DNSSEC Trust Anchor Publication for the Root Zone

RFC 7958 text

How can you trust the root of the “global chain of trust” that is used in DNSSEC? How can you be sure as you are validating DNSSEC signatures that this global chain works?

To provide this chain of validation, DNSSEC relies on what is called a “trust anchor”. When you check the signature for DNS records for “internetsociety.org”, for instance, you go through a process along the lines of this (a simplified version):

  1. Your validating recursive resolver gets the DNS records (such as “A” or “AAAA”) for “INTERNETSOCIETY.ORG” along with the DNSSEC signature in a RRSIG record and the public key used for the signing in a DNSKEY record.
  2. It then retrieves the DS record for “INTERNETSOCIETY.ORG” from .ORG to verify that this is the correct DNSKEY.  It also retrieves a RRSIG record for the DS record and the DNSKEY record from .ORG.
  3. Next it retrieves the DS record for “.ORG” from the root of DNS, along with the associated RRSIG for the DS record and the DNSKEY for the root.
  4. HERE IS THE CHALLENGE – How does your recursive resolver know that the DNSKEY it retrieved for the root of DNS is the correct one?

This is where there is a need for a “trust anchor” that the recursive resolver can trust to know that this is indeed the correct DNSKEY it should be using.

The DNSSEC protocol can be used with any trust anchor, but in practice we all use the DNSSEC trust anchors published by IANA (with ICANN doing the actual publishing as part of their contract to perform the IANA functions).

A new informational (non-standard) RFC 7958 out this week explains the formats IANA uses to publish the root key trust anchors and how those trust anchors can be retrieved.  It also outlines additional steps that can be taken during the retrieval to ensure the trust anchors aren’t modified during the retrieval.

In 2017 we will see a change in the Root Key Signing Key (KSK) in 2017, which will mean a change in the root trust anchor. This RFC 7958 is a good reference to have out there so that everyone can understand exactly how to retrieve and use the trust anchors at the heart of DNSSEC.

Please do read this new RFC and share it widely with anyone involved in developing applications or services that perform DNS resolution and validation.

And if you know very little about DNSSEC but want to learn more, please visit our Start Here page to find resources to help you get started!

Aug 31

Conectando Lo Desconectando: La Historia de la Visita A Una Escuela Agua Azul, México

¿Cómo llevas el internet a un pueblo remoto en México donde ni siquiera hay servicio telefónico? En junio de 2016, salimos en viaje a fin de responder esta pregunta. Fue el día antes del inicio del OECD Ministerial Meeting en el Digital Economy en Cancun y nuestro ISOC Mexico Chapter arregló la visita.

Nuestro grupo era pequeño: Internet Society President & CEO Kathy Brown, Regional Bureau Director para América Latina Sebastián Bellagamba, Alejandro Pisanty del ISOC Mexico Chapter y yo.

Dan York

Aug 29

Want to Share Info with the DNSSEC Community? ICANN57 DNSSEC Workshop Seeking Proposals by Sept 15 (Featured Blog)

Do you have information or an idea you would like to share with members of the broader DNS / DNSSEC community? Have you developed a new tool that makes DNSSEC or DANE deployment easier? Have you performed new measurements? Would you like feedback about a new idea you have? Would you like to demonstrate a new service you have? If so, we're seeking proposals for the DNSSEC Workshop to be held at ICANN57 in Hyderabad, India, in early November 2016. More...

Aug 29

Want to share info with the DNSSEC community? ICANN57 DNSSEC Workshop seeking proposals by Sept 15 (Featured Blog)

More...

Aug 29

Call for Participation – DNSSEC Workshop at ICANN57 in Hyderabad, India

ICANN 57 logoThe DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN57 meeting held from 03-09 November 2016 in Hyderabad, India. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: http://sched.co/7NCj and http://sched.co/7NCk

At ICANN57 we are particularly interested in live demonstrations of uses of DNSSEC or DANE. Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and
    services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Preparation for Root Key Rollover

In preparation for the Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5. DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society