Category: DANE

Rough Guide to IETF 102: DNSSEC, DNS Security and Privacy

DNS privacy will receive a large focus in the latter half of the IETF 102 week with attention in the DPRIVE, DNSSD, and OPSEC working groups. In an interesting bit of scheduling (which is always challenging), most of the DNS sessions are Wednesday through Friday. As part of our Rough Guide to IETF 102, here’s a quick view on what’s happening in the world of DNS.

Given that IETF 102 is in Montreal, Canada, all times below are Eastern Daylight Time (EDT), which is UTC-4.

IETF 102 Hackathon

The “DNS team” has become a regular feature of the IETF Hackathons and the Montreal meeting is no different. The IETF 102 Hackathon wiki outlines the work that will start tomorrow (scroll down to see it). Major security/privacy projects include:

Anyone is welcome to join the DNS team for part or all of that event.

DNS Operations (DNSOP)

The DNS sessions at IETF 102 start on Wednesday morning from 9:30am – 12noon with the DNS Operations (DNSOP) Working Group. Paul Wouters and Ondrej Sury will be speaking about “Algorithm Implementation Requirements and Usage Guidance for DNSSEC”, where they will be offering updated guidance around which cryptographic algorithms should be used for different aspects of DNSSEC. Shumon Huque will be bringing the latest updates to draft-huque-dnsop-multi-provider-dnssec, exploring how to deploy DNSSEC in environments where multiple DNS providers are in use. Paul Wouters will also bring a new draft, draft-pwouters-powerbind, which introduces a new flag for DNSSEC keys that can address a potential attack. Given the critical role DNS plays, the DNSOP agenda has many other drafts up for discussion and action. The DNSOP working group also has a second meeting block on Thursday from 18:10-19:10.

DNS PRIVate Exchange (DPRIVE)

The DPRIVE working group meets Wednesday afternoon from 13:30-15:00 EDT. As shown on the agenda, there will be three major blocks of discussion. After some initial discussion of current work on existing DNS privacy policies, there will be a larger discussion about some new work called “Oblivious DNS” that aims to make DNS privacy protection even stronger. This work originated in a paper at Princeton University – https://odns.cs.princeton.edu/ – and is now captured in draft-annee-dprive-oblivious-dns. It should be quite an interesting discussion!

The third major area will continue discussion about how to add privacy to the communication between a DNS recursive resolver and the authoritative DNS server for a given domain. This work is outside the current DPRIVE Working Group charter, so the group will be discussing whether to ask to expand their mandate to cover this new work.

Extensions for Scalable DNS Service Discovery (DNSSD)

Privacy will also get attention at the DNSSD Working Group on Thursday morning from 9:30-12:00 EDT. DNSSD focuses on how to make device discovery easier across multiple networks, for instance helping you find available printers not just on your own network, but also on other networks to which your network is connected. However, in doing so the current mechanisms expose a great deal of information. The agenda allocates 65 minutes to Christian Huitema to guide a discussion around the way forward. Drafts under discussion include:

There are other drafts under discussion at DNSSD, but these are the ones probably most of interest to readers of this article.

DNS Resolver Identification and Use (DRIU)

IETF 102 will feature a number of Birds-of-a-Feather (BOF) sessions, and one in particular relates to DNS security. The quick description is:

The IETF has added additional methods for DNS stub resolvers to get to recursive resolvers (notably DNS-over-TLS, RFC 7858), and is about to add another (DNS-over-HTTPS, from the DOH Working Group). As these have been developed, questions have been raised about how to identify these resolvers from protocols such as DHCP and DHCPv6, what security properties these transports have in various configurations (such as between strict security and opportunistic security), and what it means for a user who has multiple resolvers configured when the elements of the configured set have different transports and security properties.

The DRIU session will be on Thursday from 15:50-17:50, right before the second DNSOP session (although in a different room).

Operational Security Capabilities for IP Network Infrastructure

In the very last slot on Friday afternoon from 11:50-13:20, the OPSEC working group will feature Benno Overeinder speaking about “Recommendations for DNS Privacy Service Operators”. This document outlines things DNS operators should think about when considering offering “DNS privacy” services. It builds on the work coming out of the DPRIVE working group and the experience gained from the IETF Hackathon and the real-world deployment of these new protocols.

DNSSEC Coordination informal breakfast meeting

As a final note, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

DANE and DNSSEC will also appear in the TLS Working Group’s Monday meeting. The draft-ietf-tls-dnssec-chain-extension will be presented as a potential way to make DANE work faster by allowing both DANE and DNSSEC records to be transmitted in a single exchange, thus reducing the time involved with DANE transactions. Given the key role DNS plays in the Internet in general, you can also expect DNS to appear in other groups throughout the week.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 102:

DNSOP (DNS Operations) WG
Wednesday, 18 July 2018, 9:30-12:00 EDT, Laurier
Thursday, 19 July 2018, 18:10-19:10 EDT, Place du Canada

Agenda: https://datatracker.ietf.org/meeting/102/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 18 July 2018, 13:30-15:00 EDT, Place du Canada
Agenda: https://datatracker.ietf.org/meeting/102/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 19 July 2018, 9:30-12:00 EDT, Duluth
Agenda: https://datatracker.ietf.org/meeting/102/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: http://tools.ietf.org/wg/dnssd/charters/

DRIU (DNS Resolver Identification and Use) BOF
Thursday, 19 July 2018, 15:50-17:50 EDT, Viger
Agenda: https://datatracker.ietf.org/meeting/102/materials/agenda-102-driu

OPSEC (Operational Security Capabilities for IP Network Infrastructure) WG
Friday, 20 July 2018, 11:50-13:20 EDT, Viger
Agenda: https://datatracker.ietf.org/meeting/102/agenda/opsec/
Documents: https://datatracker.ietf.org/wg/opsec/
Charter: http://tools.ietf.org/wg/doh/charters/

Follow Us

It will be a busy week in Montreal, and whether you plan to be there or join remotely, there’s much to monitor. Read the full series of Rough Guide to IETF 102 posts, and follow us on the Internet Society blog, Twitter, or Facebook using #IETF102 to keep up with the latest news.


Rough Guide to IETF 101: DNSSEC, DANE, DNS Security and Privacy

It’s going to be a crazy busy week in London next week in the world of DNS security and privacy! As part of our Rough Guide to IETF 101, here’s a quick view on what’s happening in the world of DNS. (See the full agenda online for everything else.)

IETF 101 Hackathon

As usual, there will be a good-sized “DNS team” at the IETF 101 Hackathon starting tomorrow. The IETF 101 Hackathon wiki outlines the work (scroll down to see it). Major security/privacy projects include:

  • Implementing some of the initial ideas for DNS privacy communication between DNS resolvers and authoritative servers.
  • Implementation and testing of the drafts related to DNS-over-HTTPS (from the new DOH working group).
  • Work on DANE authentication within systems using the DNS Privacy (DPRIVE) mechanisms.

Anyone is welcome to join us for part or all of that event.

Thursday Sponsor Lunch about DNSSEC Root Key Rollover

On Thursday, March 22, at 12:30 UTC, ICANN CTO David Conrad will speak on “Rolling the DNS Root Key Based on Input from Many ICANN Communities”. As the abstract notes, he’ll be talking about how ICANN got to where it is today with the Root KSK Rollover – and about the open comment period on the plan to roll the KSK in October 2018.

David’s session will be streamed live for anyone wishing to view remotely.

DNS Operations (DNSOP)

The DNS sessions at IETF 101 really begin on Tuesday, March 20, with the DNS Operations (DNSOP) Working Group from 15:50 – 18:20 UTC. Several of the drafts under discussion will relate to the Root KSK Rollover and how to better automate and monitor key rollovers. DNSOP also meets on Thursday, March 22, from 18:10-19:10, where one draft of great interest will be draft-huque-dnsop-multi-provider-dnssec. This document explores how to deploy DNSSEC in environments where multiple DNS providers are in use. As per usual, given the critical role DNS plays, the DNSOP agenda has many other drafts up for discussion and action.

DNS PRIVate Exchange (DPRIVE)

The DPRIVE working group meets Wednesday afternoon from 13:30-15:00 UTC. As shown on the agenda, there will be two major blocks of discussion. First, Sara Dickinson will offer recommendations for best current practices for people operating DNS privacy servers. This builds off of the excellent work she and others have been doing within the DNS Privacy Project.

The second major discussion area will involve Stephane Bortzmeyer discussing how to add privacy to the communication between a DNS recursive resolver and the authoritative DNS server for a given domain. When the DPRIVE working group was first chartered, the discussion was whether to focus on the privacy/confidentiality between a stub resolver and the local recursive resolver; or between the recursive resolver and authoritative server; or both. The decision was to focus on the stub-to-recursive-resolver connection – and that is now basically done from a standards perspective. So Stephane is looking to move the group on into the next phase of privacy. As a result, the session will also include a discussion around re-chartering the DPRIVE Working Group to work on this next stage of work.

Extensions for Scalable DNS Service Discovery (DNSSD)

On a similar privacy theme, the DNSSD Working Group will meet Thursday morning from 9:30-12:00 UTC and include a significant block of time discussing privacy and confidentiality. DNSSD focuses on how to make device discovery easier across multiple networks, for instance helping you find available printers not just on your own network, but also on other networks to which your network is connected. However, in doing so the current mechanisms expose a great deal of information. draft-ietf-dnssd-privacy-03 and several related drafts explore how to add privacy protection to this mechanism. The DNSSD agenda shows more information.

DNS-Over-HTTPS (DOH)

IETF 101 will also feature the second meeting of one of the working groups with the most fun names – DNS Over HTTPS or… “DOH!” This group is working on standardizing how to use DNS within the context of HTTPS. It meets on Thursday from 13:30-15:30. As the agenda indicates, the focus is on some of the practical implementation experience and the work on the group’s single Internet-draft: draft-ietf-doh-dns-over-https.

DOH is an interesting working group in that it was formed for the express purpose of creating a single RFC. With that draft moving to completion, this might be the final meeting of DOH – unless it is rechartered to do some additional work.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

DANE and DNSSEC will also appear in the TLS Working Group’s Wednesday meeting. The draft-ietf-tls-dnssec-chain-extension will be presented as a potential way to make DANE work faster by allowing both DANE and DNSSEC records to be transmitted in a single exchange, thus reducing the time involved with DANE transactions. Given the key role DNS plays in the Internet in general, you can also expect DNS to appear in other groups throughout the week.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 101:

DNSOP (DNS Operations) WG
Tuesday, 20 March 2018, 15:50-18:30 UTC, Sandringham
Thursday, 22 March 2018, 18:10-19:10 UTC, Sandringham

Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 21 March 2018, 13:30-15:00 UTC, Balmoral
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 22 March 2018, 9:30-12:00 UTC, Buckingham
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: http://tools.ietf.org/wg/dnssd/charters/

DOH (DNS over HTTPS) WG
Thursday, 22 March 2018, 13:30-15:30 UTC, Blenheim
Agenda: https://datatracker.ietf.org/meeting/101/agenda/doh/
Documents: https://datatracker.ietf.org/wg/doh/
Charter: http://tools.ietf.org/wg/doh/charters/

Follow Us

It will be a busy week in London, and whether you plan to be there or join remotely, there’s much to monitor. Read the full series of Rough Guide to IETF 101 posts, and follow us on the Internet Society blog, Twitter, or Facebook using #IETF101 to keep up with the latest news.


DNSSEC and DANE Activities at ICANN 58 in Copenhagen, March 12-15, 2017

Next week in Copenhagen, Denmark, ICANN 58 will include some great technical info about DNSSEC and DANE happening in several sessions. Here is the plan…

All times below are Central European Time (CET), which is UTC+1.


DNSSEC For Everybody: A Beginner’s Guide – Sunday, 12 March

On Sunday, March 12, 2017, we’ll have the “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!


Tech Day – Monday, 13 March

The Monday of most ICANN meetings includes the ccNSO “Tech Day”. While the current agenda does not include anything specific to DNSSEC or DANE, there is a session about DNS Privacy (DPRIVE) that may be of interest to some. See this link for more information:


Root Key Signing Key Rollover: Changing the Keys to the Domain Name System – Tuesday, 14 March

On Tuesday, March 14, ICANN staff will offer a special session talking about the Root Key Rollover process. While we’ll also have some of this info in the Wednesday DNSSEC Workshop, this special session may be of interest to some. The abstract is:

The keys to the Domain Name System are changing for the first time ever. ICANN operates the root zone key signing key (KSK), which is the “master” key for DNS Security Extensions (DNSSEC). This cryptographic key was created when the root zone was signed in 2010. In this session, members of ICANN’s Technical Team will provide an update on the KSK rollover and answer community questions. This session will be of particular interest to Internet service providers, enterprise network operators and others who have enabled DNSSEC validation.


DNSSEC Implementers Gathering – Tuesday, 14 March

Later in the evening of Tuesday, March 14, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. We’ll gather at a local restaurant / pub in the city of Copenhagen. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank DK Hostmaster for their generous sponsorship of this gathering at ICANN 58!

Please note: This gathering takes place on Tuesday evening in Copenhagen versus the usual Monday evening. As may be obvious, there is no remote participation option.


DNSSEC Workshop – 15 March

Our main 6-hour workshop will take place on Wednesday, 15 March, from 09:00 – 15:00 in Hall A3. Lunch will be included.

THANK YOU TO OUR LUNCH SPONSORS: Afilias, CIRA, and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities in the European Region
  • Update on IETF DNSSEC Activities
  • Root Key Rollover Update
  • Panel: Validation in ISPs – Root Key Rollover Preparation
  • Demonstration: Opportunistic IPsec using DNSSEC implementation
  • State of ECDSA adoption in (cc)TLDs
  • The Great DNSSEC/DNS Quiz
  • Trusted Email Services
  • Demonstration: SMILLA, an SMIMEA aware MILTER-program for SMTP servers
  • DNSSEC – How Can I Help?

It should be an excellent session!


I will be there in Copenhagen and am looking forward to giving multiple presentations during the Wednesday session. It’s always a great gathering of some of the best technical people involved with DNS.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

New report: “State of DNSSEC Deployment 2016”

State of DNSSEC Deployment 2016

What is the current state of deployment of the DNS Security Extensions (DNSSEC)? How many domains are secured with DNSSEC? What actual usage are we seeing on the Internet? What software is available to help?

For years there have been many statistics about DNSSEC available, but it’s been hard to get an overall picture of deployment. To help with this, we’ve worked over the past few months to pull together as much information as possible into one document:

We encourage you to please read the document – and share it widely with people who need to understand more about the security of the Domain Name System.

We also welcome feedback on questions such as:

  • How helpful did you find the report?
  • What sections were particularly helpful? (or not?)
  • Is there additional information you’d like to see included in a future report?

You can post the feedback here as a comment – or send it to me directly via email.

Our intent is that this will be the first in an ongoing annual series of reports for at least the next few years until DNSSEC is more widely deployed. Our goal is for the “State of DNSSEC Deployment 2017” report to be ready in time for the ICANN 60 DNSSEC Workshop happening in early November 2017 in Abu Dhabi.

I’d like to thank Chip Sharp for all his hard work assembling this report and incorporating feedback. I also want to thank the group of people who provided a quick final review and proofreading in the last weeks of December (noted in the final Acknowledgements section). And I want to thank everyone within the larger DNSSEC community who continue to share their information, statistics and more.

Please do share this State of DNSSEC Deployment 2016 report with others – and if you haven’t done anything with DNSSEC on your own networks or domains, please visit our Start Here pages to learn how you can begin! Together we can make the DNS – and through that the wider Internet – a bit more secure and trusted.


DNSSEC and DANE Activities at ICANN 57 in Hyderabad, India, November 4-7, 2016

Friday marks the beginning of the ICANN 57 meeting in Hyderabad, India. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening.

All times below are India Standard Time (IST), which is UTC+05:30. (Yes, it is a half-hour off from other timezones.)


DNSSEC For Everybody: A Beginner’s Guide – 4 Nov

On Friday, November 4, 2016, we’ll have our “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!

DNSSEC Implementers Gathering – 6 Nov

On Sunday, November 6, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank Afilias for their generous sponsorship of this gathering at ICANN 57!

DNSSEC Workshop – 7 Nov

Our big 6-hour workshop will take place on Monday, November 7, from 09:00 – 15:00 in Room G.03/G.04. Lunch will be included. Thank you to our lunch sponsors: Afilias, CIRA, Dyn and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities in the Asia Pacific Region
  • Aggressive Use of NSEC/NSEC3
  • Panel: Root Key Rollover Discussion – Recursive Resolver Software Readiness
  • Demonstration: DNS Operator Interface for DNSSEC
  • Research Infrastructure for Internet Naming, Identification, and the DNS
  • The Great DNSSEC/DNS Quiz
  • Demonstration: Windows Server DNSSEC Functionality
  • Demonstration: DNSSEC-S/MIME-DANE Package for Microsoft Outlook
  • Secure Mailserver Using DNSSEC/TLSA
  • DNSSEC – How Can I Help?

It should be an outstanding session!


As neither I nor Russ Mundy were able to travel to Hyderabad, I want to personally thank Wes Hardaker and Jacques Latour for stepping in to help with some of the emceeing and other meeting facilitation duties.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

NIST Publishes New Guide: “DNS-Based Email Security” about DANE and DNSSEC

NIST Report on DANE for email

How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?

Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)”, the document offers guidance to enterprises and others on “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.” Specifically, it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.

As NIST states on their web page, the goal of the project around this publication is:

  • Encrypt emails between mail servers
  • Allow individual email users to digitally sign and/or encrypt email messages
  • Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages

You can download the guide or sections of it from that web page.

NIST is seeking public comments on this new guide from today through December 19, 2016.

It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.

And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

Starting this Friday, March 5, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events: the Africa DNS Forum 2016 and the 55th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN).

There will be some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday. Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process. Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET), which is the same as UTC.


Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE”. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016


Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security”. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016

I will be in the audience listening to what looks to be a great set of panelists.


DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15 where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.


DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event. This is the one event where there is no remote participation possible.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 – Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion: DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00, where I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology. Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

https://meetings.icann.org/en/marrakech55/schedule/wed-board-technical


If you will be there at either the Africa DNS Forum 2016 or ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Got a DNSSEC or DANE Story or Tool To Share? Submit a Proposal For ICANN 55 DNSSEC Workshop

Do you have an idea for a new way to use DNSSEC or DANE to make the Internet more secure? Have you recently installed DNSSEC and have a great case study you can share of lessons learned? Do you have a new tool or service that makes DNSSEC or DANE easier to use or deploy?

If you do, and if you will be attending ICANN 55 in Marrakech, Morocco (or can get there), we are now seeking proposals for the ICANN 55 DNSSEC Workshop that will take place on Wednesday, 9 March 2016. Anyone is welcome to send in a brief (1-2 sentence) description of what you would like to talk about to:

dnssec-marrakech@isoc.org

The deadline is Monday, 14 December 2015.

Any ideas related to DNSSEC or DANE are welcome.  To provide some suggestions, the full Call for Presentations is included below with a list of different ideas.  You can also view the agenda of the recent ICANN 54 DNSSEC Workshop in October in Dublin to get a sense of what we talk about at these events.

These DNSSEC Workshops are great ways to bring ideas to the wider DNSSEC community.  All sessions are recorded as well so that people get a chance to view them later.

If you are doing anything interesting with DNSSEC or DANE, I’d strongly encourage you to submit a proposal!

The full call for participation is below…


The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 55 meeting on 09 March 2016 in Marrakech, Morocco.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN meeting in Dublin, Ireland on 21 October 2015. The presentations and transcripts are available at: https://meetings.icann.org/en/dublin54/schedule/wed-dnssec.

At ICANN 55 we are particularly interested in live demonstrations of uses of DNSSEC or DANE.  Examples might include:

* Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
* Tools for automating the generation of DNSSEC/DANE records.
* Services for monitoring or managing DNSSEC signing or validation.
* Tools or services for using DNSSEC/DANE along with other existing protocols and services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
* Innovative uses of APIs to do something new and different using DNSSEC/DANE.
* S/MIME and Microsoft Outlook integration with Active Directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-marrakech@isoc.org by **Monday, 14 December 2015**.

Examples of the types of topics we are seeking include:

1.  DNSSEC activities in Africa

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Africa and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment.  In particular, we will consider the following questions:  Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do?  What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC?  We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2.  Potential impacts of Root Key Rollover

Given many concerns about the need to do a Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys.  We would like to be able to offer suggestions out of this panel to the wider technical community.  If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3.  Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers.  We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world.  We are interested in presentations on topics such as:
* Can you describe your experiences with negative Trust Anchors and operational realities?
* What does an ISP need to do to prepare its network for implementing DNSSEC validation?
* How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
* What measurements are available about the degree of DNSSEC validation currently deployed?
* What tools are available to help an ISP deploy DNSSEC validation?
* What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5.  DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where are the best opportunities for automation within DNSSEC signing and validation processes?
* What are the costs and benefits of different approaches to automation?
* What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE and other DNSSEC applications become a deployable reality?
* How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services.  For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome.  Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6.  When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7.  DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
* How should an enterprise best prepare its IT staff and network to implement DNSSEC?
* What tools and systems are available to assist enterprises in the deployment of DNSSEC?
* How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-marrakech@isoc.org by **Monday, 14 December 2015**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society
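Topic 5 in the call above asks for a demonstration of “a certificate stored in a TLSA record that correctly validates”, and topic 7 asks how DANE can raise the bar for TLS in the enterprise. The matching logic behind both is small enough to show here. The following is an added example, not code from the workshop, the program committee or Deploy360: it builds TLSA records for a certificate (RFC 6698), parses the presentation format, checks which published records a server’s presented chain satisfies, and applies the RFC 7671 rollover rule that a new TLSA record must be published before the certificate it describes goes live. The “DER” byte strings are constructed placeholders for real certificate and SubjectPublicKeyInfo encodings, the `run_example` scenario is invented, and the code assumes the TLSA RRset was already obtained with DNSSEC validation (AD bit set); it does no PKIX chain validation, which certificate usages 0 and 1 additionally require.

```python
"""DANE/TLSA association matching (RFC 6698, RFC 7671).

Added example, not code from the ICANN 55 workshop or Deploy360.  The DER
blobs below are constructed placeholders, not real certificates; the
example assumes the TLSA RRset arrived DNSSEC-validated and does not do
PKIX validation (required on top of this for usages 0 and 1)."""
import hashlib


def _assoc_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Certificate association data: selector 0 = full certificate, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()


def tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """RDATA tuple (usage, selector, matching type, association data)."""
    return (usage, selector, mtype, _assoc_data(selector, mtype, cert_der, spki_der))


def to_presentation(record):
    usage, selector, mtype, assoc = record
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def parse_tlsa(text):
    """Parse '3 1 1 abcd...'; zone files may split the hex into several tokens."""
    fields = text.split()
    return (int(fields[0]), int(fields[1]), int(fields[2]),
            bytes.fromhex("".join(fields[3:])))


def tlsa_owner(host, port, proto="tcp"):
    """Owner name of the TLSA RRset for a service, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


def matching_records(records, chain):
    """chain: [(cert_der, spki_der), ...], end-entity first.  Usages 1 and 3
    (PKIX-EE, DANE-EE) must match the end-entity certificate; usages 0 and 2
    (PKIX-TA, DANE-TA) may match any certificate the server presented."""
    matched = []
    for usage, selector, mtype, assoc in records:
        candidates = chain[:1] if usage in (1, 3) else chain
        if any(_assoc_data(selector, mtype, c, s) == assoc for c, s in candidates):
            matched.append((usage, selector, mtype))
    return matched


def rollover_is_safe(records, current_chain, next_chain):
    """RFC 7671 rollover rule: the published RRset must satisfy both the chain
    clients see now and the one they will see after the certificate swap
    (publish the new record, wait at least one TLSA TTL, then deploy)."""
    return bool(matching_records(records, current_chain)) and \
        bool(matching_records(records, next_chain))


# Constructed placeholders standing in for DER encodings (not real certificates)
EE_CERT, EE_SPKI = b"der:ee-cert-2016", b"der:ee-spki-2016"
CA_CERT, CA_SPKI = b"der:issuer-cert", b"der:issuer-spki"
NEXT_CERT, NEXT_SPKI = b"der:ee-cert-2017", b"der:ee-spki-2017"


def run_example():
    """Invented scenario: a site with a DANE-EE record, a DANE-TA record and a
    stale record left over from an earlier key, about to rotate its key."""
    ee_only = [
        parse_tlsa(to_presentation(tlsa_record(3, 1, 1, EE_CERT, EE_SPKI))),  # DANE-EE, SPKI, SHA-256
        parse_tlsa("3 1 1 " + "00" * 32),                                        # stale record, old key
    ]
    with_ta = ee_only + [parse_tlsa(to_presentation(tlsa_record(2, 0, 2, CA_CERT, CA_SPKI)))]
    current = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]
    after_rotation = [(NEXT_CERT, NEXT_SPKI), (CA_CERT, CA_SPKI)]
    return {
        "owner": tlsa_owner("www.example.com", 443),
        "matched_now": matching_records(with_ta, current),
        "safe_to_rotate": rollover_is_safe(ee_only, current, after_rotation),
        "safe_after_adding": rollover_is_safe(
            ee_only + [tlsa_record(3, 1, 1, NEXT_CERT, NEXT_SPKI)], current, after_rotation),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The `3 1 1` form (DANE-EE, SPKI, SHA-256) is the one RFC 7671 recommends for most deployments, because it survives certificate renewals that keep the same key. The rollover check is the part operators get wrong: swapping in a certificate with a new key before the matching TLSA record has been published and has propagated for at least one TTL is the classic self-inflicted DANE outage, and the only fix is to publish both records during the transition.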

TechTarget Sheds Light On DNSSEC, CAs and Government Spying / Control

TechTarget article about DNSSEC

Over on TechTarget, Michael Heller wrote this week about some of the criticisms around DNSSEC and how some of them may be rooted in misunderstandings of what DNSSEC is all about.  His article is:

I’m admittedly NOT a fan of the title TechTarget gave the piece – it’s got that negative slant along the lines of “well, at least DNSSEC isn’t as bad as CAs” – but putting the title aside I thought it was quite a good article. Michael Heller starts out quoting John Levine about publishing TLS certificate information in DNS, which is what we know in the technical realm as the DANE protocol.

He then went on to quote me more extensively than I expected … and I’m quite pleased overall with what he did. Particularly that he led with what I’ve been saying endlessly in presentations and articles for years now:

DNSSEC does one thing and one thing only: It protects the integrity of the information stored in DNS. DNSSEC ensures that the information for a domain name that you get out of DNS is the same information that the operator of that domain name put into DNS.

Every time someone on Twitter or Hacker News gets excited about how DNSSEC doesn’t protect the confidentiality of DNS information, I always go back – that’s not the point!

As Heller writes later in the article, the DPRIVE Working Group inside the IETF is addressing the confidentiality of DNS queries, which is a separate problem from the integrity that DNSSEC provides.

The other point I was pleased to see was that he addressed the issue of government control of top-level domains (TLDs).  Some critics of DNSSEC continue to maintain that using DNSSEC is giving over control to governments.  My point was that it depends upon what TLD you are talking about. Certainly some country-code TLDs (ccTLDs) are controlled by governments and so a government could in fact change your DNS information … but that can happen regardless of DNSSEC.   (The case of Art.sy and the Syrian .SY TLD is an interesting example of challenges with ccTLDs.)

So… if you are concerned about this… well… don’t use one of those TLDs!

Stick with one of the TLDs where you know who the entity behind it is.

He also did cover what I do think is an important point about DNSSEC:

“Historically, DNS servers have often been boxes that network administrators set up and then generally ignored, as they’ve just been off running. Adding DNSSEC requires that some additional care must be given to the DNS servers,” York said.

This is very true. DNS servers often are just started up and then ignored. With DNSSEC you have to pay attention to them: plan for regular key rollovers, make sure the zone is re-signed before its RRSIG expiration times are reached, and keep the servers’ clocks synchronized (with NTP), because validators compare the signature inception and expiration times against their own clocks, and a stale signature or a badly skewed clock makes the whole zone fail validation. It’s not necessarily a great amount of work… but it is work that has to be scheduled and monitored rather than left to chance.
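The two things that bite DNSSEC operators who stop paying attention are signatures that expire because re-signing silently stopped, and signatures that validators reject because of clock problems. As an added example (not code from the article or from Deploy360), here is the check I would run from a monitoring system against a zone’s DNSKEY and RRSIG records: it computes each DNSKEY’s key tag (RFC 4034, Appendix B), confirms every RRSIG references a key the zone still publishes, and classifies each signature’s validity window against the current time with an allowance for clock skew between us and the validators out there. The records, the key material and the timestamps are constructed dummies, not a real zone.

```python
"""Operational DNSSEC hygiene check: does every RRSIG reference a published
DNSKEY, and is its validity window healthy against a synchronised clock?

Added example, not code from the article or Deploy360.  The DNSKEY and
RRSIG records below are constructed dummies with throwaway key material."""
import base64
import struct
from datetime import datetime, timedelta, timezone


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    obsolete RSA/MD5, which used a different formula)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _sigtime(text: str) -> datetime:
    """RRSIG inception/expiration fields are YYYYMMDDHHmmSS, always in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def published_keys(dnskey_lines):
    """Map key tag -> algorithm for each DNSKEY given in presentation format."""
    keys = {}
    for line in dnskey_lines:
        f = line.split()
        flags, proto, alg, pubkey = int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])
        keys[key_tag(dnskey_rdata(flags, proto, alg, pubkey))] = alg
    return keys


def check_rrsigs(dnskey_lines, rrsig_lines, now, warn=timedelta(days=7),
                 skew=timedelta(minutes=5)):
    """Classify each RRSIG.  'skew' is the clock error we are willing to assume
    between ourselves and remote validators: a signature is reported bad if
    any validator whose clock is within +/-skew of ours would reject it."""
    keys = published_keys(dnskey_lines)
    results = []
    for line in rrsig_lines:
        f = line.split(None, 12)   # owner ttl class RRSIG covered alg labels ottl exp inc tag signer sig
        covered, alg, tag = f[4], int(f[5]), int(f[10])
        expiration, inception = _sigtime(f[8]), _sigtime(f[9])
        if keys.get(tag) != alg:
            status = "unknown-key"      # signed with a key the zone no longer publishes
        elif inception > now - skew:
            status = "not-yet-valid"    # signer's clock ahead, or validators' clocks behind
        elif expiration <= now + skew:
            status = "expired"          # re-signing did not happen in time
        elif expiration - now < warn:
            status = "expiring-soon"    # page someone before it turns into 'expired'
        else:
            status = "ok"
        results.append((covered, tag, status))
    return results


# Constructed sample data: 257 = KSK, 256 = ZSK, algorithm 13 = ECDSAP256SHA256.
# The base64 fields are dummy bytes, not real public keys.
NOW = datetime(2016, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 13 AQIDBAUGBwg=",   # key tag 5154
    "example.com. 3600 IN DNSKEY 256 3 13 ECAwQFBgcIA=",   # key tag 1358
]
RRSIGS = [  # signature field is a placeholder; this check does not verify signatures
    "example.com. 3600 IN RRSIG A 13 2 3600 20160315000000 20160301000000 1358 example.com. c2ln",
    "example.com. 3600 IN RRSIG MX 13 2 3600 20160308000000 20160301000000 1358 example.com. c2ln",
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20160305110000 20160220000000 1358 example.com. c2ln",
    "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20160405000000 20160305120300 5154 example.com. c2ln",
    "example.com. 3600 IN RRSIG TXT 13 2 3600 20160315000000 20160301000000 9999 example.com. c2ln",
]


def run_example():
    return check_rrsigs(DNSKEYS, RRSIGS, NOW)


if __name__ == "__main__":
    for covered, tag, status in run_example():
        print(f"{covered:>6} signed by key {tag}: {status}")
```

In the constructed data the A signature is healthy, the MX signature is inside the warning window, the SOA signature has already lapsed, the DNSKEY signature has an inception a few minutes in the future (a signer whose clock drifted ahead, which some validators will reject until their clocks catch up), and the TXT signature references a key tag that is not in the DNSKEY RRset at all, which is what a botched key rollover looks like from the outside. Run it against live `dig +dnssec` output on a schedule and alert on anything other than `ok`.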

I was also pleased that he captured the point at the end that DNSSEC evolves. We’ve just recently seen that evolution with CloudFlare rolling out their DNSSEC services on a massive scale using the newer ECDSA (P-256) elliptic-curve signature algorithm, which gives security comparable to RSA at a fraction of the size (a 256-bit curve key versus a 2048-bit RSA modulus), so DNSKEY and RRSIG records, and the responses that carry them, are much smaller. We also see the evolution with the proposed Internet-Draft about using the Ed25519 elliptic-curve signature algorithm in DNSSEC. Yes, getting these changes deployed out into the field will take time, as resolvers and DNS servers all need to be changed to support them, along with user interfaces and more.

The point, though, is that DNSSEC is not a fixed and static technology. It can – and will evolve as security concerns change.

It’s good to see this piece out there and I do hope it encourages more people to look into how they can get started with DNSSEC.

Speaking of that… if you want to get started with DNSSEC please visit our Start Here page to find resources tailored to your type of organization!

Links To DNS / DNSSEC / DANE / DPRIVE Projects From IETF 93 Hackathon

With IETF 94 starting this weekend in Yokohama, Japan, I realized that I had not posted the results of the great work that the “DNS team” did at the IETF 93 Hackathon back in July in Prague.  Here’s a slideshow that outlines the results:

Slide 2 really shows the different aspects of “DNS security” that the team worked on:

Summary of DNS work at IETF 93 hackathon

Perhaps the more important fact was that we had actual code released publicly. Here were the releases:

And yes, this last one was a little experiment in playing with JSON and python that I did.

To our amazement, our DNS team (which grew from the time we first started talking about it) received the “Best in Show” award based on the judges’ view of what we did.  Here was a photo of some of the team and some of the judges (when the winners were announced some team members had already gone to other meetings):

DNS team at IETF 93 hackathon

There will be another “DNS team” at the IETF 94 Hackathon this weekend and while I won’t be there myself, I do hope they have a great time!

P.S. If you want to get started with DNSSEC and DANE yourself, please visit our Start Here page!