Category: DANE

Feb 04

Many DNSSEC and DANE Activities At ICANN52 Next Week In Singapore

ICANN 52 - SingaporeWhat is happening with DNSSEC in the Asia-Pacific region?  What are DNSSEC and DANE  all about, anyway?  What challenges are large DNS operators encountering when deploying DNSSEC?   All of these questions and many more will be discussed next week at ICANN 52 in Singapore.  Here is the quick guide – please note that all times are Singapore Time which is UTC+8.  (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)

DNSSEC For Everybody: A Beginner’s Guide

The week starts off on Monday, 9 February, 2015, with the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 17:00 – 18:30 SGT where we’ll be explaining what DNSSEC is all about and also putting on our “skit” dramatizing what happens with DNS and DNSSEC.  I don’t know if we’ll be awarded an Emmy anytime soon for our performance… but we have a good bit of fun with it and people have commented that it has really helped them understand how DNS and DNSSEC work.

You can follow along remotely (or watch it later) at:

http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Oh, and you get to see me talk about DNSSEC and blue smoke…

DNSSEC Implementers Gathering

As we noted previously, on Monday evening from 19:30-21:30 some number of us will be heading to a nearby pub for the “DNSSEC Implementers Gathering” where we’ll be talking informally amongst ourselves and figuring out how we can work together to accelerate DNSSEC and DANE adoption.  For perhaps obvious reasons, there is no remote participation available, but if you are in Singapore you are welcome to join us – we just ask for your RSVP by the end of the day tomorrow, Thursday, February 6, 2015.  Thanks to Comcast, NBC Universal and the MPAA for making this gathering possible, as they also did at ICANN 51 in L.A.

DNSSEC Workshop

The BIG event for the week is of course the DNSSEC Workshop on Wednesday, 11 February 2015, starting at 8:30 and ending at 14:45 SGT.  It will be streamed live and you can join in at this address:

http://singapore52.icann.org/en/schedule/wed-dnssec

The slides and other information will be up soon, but I can tell you the agenda will be this:

  1. Introduction and DNSSEC Deployment Around the World
  2. 10th Anniversary of DNSSEC Workshops
  3. DNSSEC Deployment in the Asia Region
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event.  The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community.  It should be a very interesting session.   I also always enjoy the DNSSEC case studies from the regional panels.

There will be a number of other side meetings and other discussions going on, but these are the main sessions.  I also understand there will be some DNSSEC activity happening at Tech Day on Monday, 9 February, but the agenda has not yet been posted.  We’ll publish an update once we know more.

If you are at ICANN 52 in Singapore please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.  You can also follow along with our ICANN 52 blog posts as we publish them next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Dec 11

DANE Interim Meeting on Dec 2 Focused on Email and S/MIME

IETF LogoFor those of you interested in tracking the evolution of the DANE protocol to add a DNSSEC-secured layer of trust to TLS certificates, the DANE Working Group within the IETF recently held an “Interim Virtual Meeting” via  conference call on December 2, 2014, where the focus was all around using DANE for securing email using S/MIME.  The minutes for the meeting can be found at:

The primary two drafts that were discussed were:

I was not able to attend myself but the minutes do provide a view into what occurred during the session.   There has also been further discussion on the DANE mailing list (to which anyone is welcome to subscribe).

What continues to be fascinating is how much interest there is in using DANE for better securing email communication, and this session was for those looking to use DANE for email systems using S/MIME.  It will be interesting to see where this goes over the next months.  At IETF 91 in November Eric Osterweil from Verisign demonstrated a version of Thunderbird that supported this usage of DANE.  He said they were looking at making that available publicly and that could certainly be of interest to many.

If you want to learn more about DANE, please visit our DANE page – and if you like to get started with DNSSEC please visit our Start Here page to find resources to help you begin.

Dec 03

Olle Johansson’s #MoreCrypto V2.0 Slide Deck – With TLS

Olle Johansson is a tireless crusader for bringing about a more secure Internet… and just recently published a new version 2.0 of his “#MoreCrypto” slide presentation that this time incorporates a good bit more information about TLS. He includes some tutorial information about TLS and gives multiple examples of using certificates, including with the DANE protocol.

If you are looking to come up to speed on how we make the Internet more secure as well as why it is important, the deck is very useful.  We do encourage you to check it out!

And when you’re done, why not head over to our “TLS for Applications” area to learn more about adding TLS to your applications?  Or visit our Start Here page to get started with IPv6, DNSSEC, TLS and more?

P.S. Olle is always open to feedback about his slides, too… you can reach him at oej@edvina.net.

Nov 12

Deploy360@IETF91, Day 3: DANE, HOMENET and Operators and the IETF (OPSAWG)

Sharon Goldberg ANRP prize winnerToday’s third day of IETF 91 is for us on the Deploy360 team both a lighter day in terms of a schedule, but a heavier day in that we have two actual presentations today: Chris is speaking in the OPS Area meeting this morning about our Operators and the IETF project and I’ll be speaking in the DANE working group in the afternoon about DANE deployment.  HOMENET is also meeting this morning and there are connections there to both the IPv6 and DNS security work we talk about here on Deploy360.

These are, of course, only a very small fraction of the many different working groups meeting at IETF 91 today – but these are the ones that line up with our Deploy360 topics.

Read on for more information…

NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.

In the morning 9:00-11:30 block our attention will be focused in two working groups.  Of primary importance, our Chris Grundemann will be in the Operations and Management Area Working Group (OPSAWG) in Coral 1 presenting on the work he and Jan Žorž have been doing as part of our Operators and the IETF project to collect information and feedback from network operators about their participation, or lack thereof, in the IETF.  Today he’ll be presenting a summary of the results of the survey he and Jan undertook.  Chris’ slides are available online and he and Jan also published an Internet Draft, draft-opsawg-operators-ietf,  with more information.  (And you can listen live starting at 9:00 HST (UTC-10) , although it looks like Chris is scheduled later in the session.)

Simultaneously over in Coral 3, the HOMENET WG will be meeting to discuss standards related to home/small networks.  As Phil Roberts wrote about, there is a great bit of IPv6-related activity happening within this group.  As I mentioned earlier, too, there is are a couple of DNS-related matters in HOMENET this time around.  One draft, draft-jeong-homenet-device-name-autoconf, explores how home network devices and appliances and sensors that make up the “Internet of Things” (IoT) can be automatically configured with DNS names for monitoring and remote control. Our interest is naturally in how this interaction with DNS can be secured.  Another draft looks at the idea of using a “.home” top-level domain (TLD) for home networks.

After lunch our attention then moves to the DANE Working Group happening from 13:00-15:00 HST in Coral 3.  As I described in my Rough Guide post about DNSSEC, there is a great amount of activity happening here related to DNSSEC and DANE.  As I mentioned in a recent post, I’ll be presenting at the end of the session asking the question “what can we learn from existing DANE deployments?”  I summarized many of the thoughts and questions in draft-york-dane-deployment-observations but have expanded upon that in the slides I’ve prepared for today’s session.  (I also couldn’t resist adding in photos of broccoli and cookies… but why will become clear in the discussion!)

When DANE is done we don’t have a particular focus in the final 15:20-16:50 HST session block on the IETF 91 agenda today, although several groups are of personal interest.  There are also several DNS-related side meetings that are seeming to be scheduled during that time.

We’ll end the day with the usual IETF Operations and Administration Plenary from 17:10-19:40 HST that typically provides good insight into how the IETF is doing… and the “open mic” sessions can usually be educational, entertaining or both.  :-)

If you are around at IETF 91 in Honolulu, please do find us and say hello!

P.S. Today’s photo is of Sharon Goldberg presenting about RPKI and BGP security in the ANRP presentation mentioned yesterday.

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

OPSAWG (Operations and Management Area) WG
Wednesday, 12 November 2014, 0900-1130 HST, Coral 1
Agenda: https://tools.ietf.org/wg/opsawg/agenda
Documents: https://tools.ietf.org/wg/opsawg/
Charter: https://tools.ietf.org/wg/opsawg/charter

HOMENET (Home Networking) WG
Wednesday, 12 November 2014, 0900-1130 HST, Coral 3
Agenda: https://datatracker.ietf.org/meeting/91/agenda/homenet/
Documents: https://datatracker.ietf.org/wg/homenet/
Charter: https://datatracker.ietf.org/wg/homenet/charter/

DANE (DNS-based Authentication of Named Entities) WG
Wednesday, 12 November 2014, 1300-1500 HST, Coral 3
Agenda: https://datatracker.ietf.org/meeting/91/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

 

For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Nov 07

Comments? What Can We Learn From Existing DANE Deployments?

IETF LogoWhat can we learn from existing deployments of the DANE protocol?  As more people start implementing DANE in their applications, are there lessons we can learn to feed back into the standards development process?  What are the barriers people are finding to using DANE? How can we help accelerate the deployment of DANE and DNSSEC?

As I mentioned in my Rough Guide to IETF 91 post and also my post here on Deploy360, I have a short bit of time at the end of the DANE Working Group agenda on next Wednesday, November 12, 2014, to raise these questions and try to get some feedback. To help with that, I wrote an Internet-Draft that you can find at:

https://tools.ietf.org/html/draft-york-dane-deployment-observations

In the document, I outline some of the concerns and issues that I have observed related to DANE deployment, including:

  • Lack of awareness of DANE
  • Challenges creating TLSA records
  • Inability to enter TLSA records at DNS hosting operators
  • Availability of developer libraries
  • Perception that DANE is only for self-signed certificates
  • Performance concerns
  • Cryptographic concerns

I then offered these questions for discussion:

  • What roadblocks are people running into with implementing DANE? (outside of the broader issue of getting DNSSEC validation and signing more widely available) are there lessons we can feed back into our process of developing DANE-related standards?
  • Are there more “Using DANE with <foo>” types of documents that we can or should create? (And who is willing to do so?)
  • Are there some good examples/case studies of DANE implementations that we could perhaps capture as informational RFCs? (The Jabber community’s implementation comes to mind)
  • Are there places where it would be helpful if there were reference implementations of DANE support? For example, DANE for email got a boost when support was added to postfix. Are there other commonly-used open source projects where the addition of DANE support would help move deployment along?
  • Are there test tools that need to be developed? Or existing ones that need to be better promoted? Are there interop tests we can arrange?

I’m looking forward to the discussion on Wednesday… but I also welcome any comments you may have NOW on this topic.  You are welcome to send comments directly to me, send them to the DANE mailing list (you need to subscribe first), post them here as comments to this article – or post them on any of the social networks where this post appears. (although either email or posting the comments here on our site are the best ways to make sure I actually see your comments)

What can we learn from DANE deployment so far – and how can we use that to help get more DANE usage happening?

Nov 05

A Great Amount of DNSSEC / DANE / DNS Activity At IETF 91 Next Week

IETF LogoWhat is happening next week at IETF 91 in Honolulu with regard to DNSSEC, DANE and other “DNS security” topics?

great amount of activity, it turns out!

So much that my “Rough Guide to IETF 91: DNSSEC, DANE and DNS Security” turned into quite a lengthy article.  Please read that article for the full description, but a quick summary can be:

  • DNSOP will have discussions around “Negative Trust Anchors”, “DNS Cookies” and more.
  • DANE will discuss using DANE for email, and specifically S/MIME, as well as SRV records and a discussion led by me about what we can learn from current deployments of DANE.
  • A brand new DPRIVE working group will be exploring challenges around privacy and confidentiality of DNS queries.
  • TRANS will look at applying Certificate Transparency (CT) mechanism to DNSSEC keys.
  • EPPEXT will discuss how to move a draft forward about secure transfer of DNSSEC-signed domains between registrars.
  • HOMENET and DNSSD will both be looking at different aspects of using DNS with small networks or “Internet of Things” (IoT) environments – and the question of course is how this usage gets secured.

… and again you’ll want to read the full article to understand more.  The key point is that it will be busy for those of us interested in DNS-related issues!   If you are going to be out at IETF 91, please do contact us or find me there.  Odds are pretty good you’ll find me in either the DNS or IPv6 sessions!

And if you want to get started today with DNSSEC, please visit our Start Here page to learn how!

Jul 22

Deploy360@IETF90, Day 2: DNSOP, DANE, UTA, V6OPS, IDR, OPSEC and ISOC@IETF

IETF LogoToday seems to be “DNS Day” here at IETF 90 in Toronto with the two major DNS-related working groups we follow here at Deploy360, DNSOP and DANE, both meeting on the same day.  We’ve also got V6OPS meeting again (as they did yesterday), have several IPv6-security drafts in OPSEC and have routing discussions happening in IDR.  Oh, and we’ll be splitting ourselves 3 ways in the first time slot (and wishing we had clones!). Plus, we’ll have the “ISOC@IETF” briefing panel at lunch time looking at security and privacy issues. It’s going to be a busy day!

If you’d like to join the DNSOP or DANE sessions (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

DNSOP, DANE and UTA

As I mentioned in my Rough Guide post about DNSSEC/DANE at IETF 90, there is a great amount happening in both DNSOP and DANE.  Here is the relevant excerpt from that post:

DNS Operations (DNSOP)

Tuesday morning from 9:00-11:30 EDT the DNSOP Working Group kicks off with a full agenda that includes a great amount of DNSSEC activity. Matthijs Mekking will bepresenting a draft about DNSSEC key and signing policies. Daniel Migault will betackling the topic of what the requirements are for DNSSEC validation so that DNS resolvers can always have validation enabled.

Of particular interest to folks looking to get DNSSEC deployed (as I am) will be the “DNSSEC Roadblock Avoidance” draft that explores what are the problems with DNSSEC validation in many common network environments – and how do we mitigate those problems.

As the agenda indicates, there will be a range of other topics covered in DNSOP, too. The biggest and most controversial discussion may be around how we optimize the distribution of root zone data, with Warren Kumari and Paul Hoffman offering one view of distributing the root zone and Paul Vixie and Xiaodong Lee offering another view of how to scale the root of DNS. Given that DNSSEC plays an important role in both scenarios we’ll be paying close attention to what I expect will be quite a passionate discussion!

Beyond those topics you can probably expect to see some of the many other documents under DNSOP (scroll down the page to see the full list) raised for consideration – unless, of course, the root optimization discussion consumes most of the time, as could easily happen.

DNS-based Authentication of Named Entities (DANE)

Later on Tuesday afternoon, the working group looking after the DANE protocol will be actively discussing how various other protocols can use DANE / DNSSEC to provide a higher level of security for TLS (SSL) certificates. We should see discussion aroundthe “DANE and OpenPGP” draft as well as the “DANE and SMIME” draft. One of the DANE WG co-chairs, Olafur Gudmundsson, told me that the “SMTP security via opportunistic DANE TLS” draft and the “Using DANE with SRV Records” draft will both be going to Working Group Last Call and so that may or may not trigger some comments.

What may generate more discussion, though, is interest in changing the “DANE Operational Guidance” draft into a “DANEbis” document, i.e. looking at it as a replacement/update for RFC6698 that defines DANE. This should be an interesting discussion!

On a similar track, Paul Wouters will be speaking about standardizing how “Raw Public Keys” for TLS can be authenticated using DANE. As I understand it, Paul wants to extend the TLSA record used in DANE to support more than just PKIX-formatted certificates, allowing DANE to be used for applications that do not require PKIX certs.

I am also intrigued to learn more about ideas from Haixin Duan to use DANE to better secure the usage of HTTPS connections in content distribution networks (CDNs). Haixin Duan and some colleagues have written a paper that goes into more detail (search for “DANE” to jump to the relevant section).

If there is time Olafur tells me that the chairs also intend to kick off a discussion of “reverse DANE”, i.e. DANE records for clients, that might lead to some interesting applications and areas of work.

Unfortunately at the same time as DNSOP from 09:00-11:30,  the Using TLS in Applications (UTA) working group will be meeting. While the UTA agenda  doesn’t directly mention DNSSEC, we definitely pay attention to UTA given that the drafts all focus on securing TLS and that DANE could potentially play a role here. We also have an interest for our “TLS For Applications” section of Deploy360.

IPv6

Beyond DNS, today the IPv6 Operations (V6OPS) working group is back with an agenda once again looking at the operational aspects of running IPv6.  The first document on running multiple IPv6 prefixes was actually addressed in yesterday’s session so there may be more time available for other discussions.  I’m personally intrigued by the discussion about power consumption due to IPv6 multicast on WiFi devices.  I’ve not been directly following that draft so I’m intrigued to learn more.

Outside of V6OPS, IPv6 will also feature prominently on today’s OPSEC agenda with two drafts from Fernando Gont being presented that talk about how firewalls interact with IPv6. First he’ll be discussing how many firewalls drop IPv6 extension headers (EH) and his thoughts about that.  Second, he’s got a draft on “Requirements for IPv6 Enterprise Firewalls” that looks quite interesting.

(As an aside, having lived in Canada from 2000-2005, I’m very pleased that there is at least one draft (Fernando’s) being presented here in Toronto that includes “eh” in it, given that this is a very common Canadian verbal expression, as in “It’s going to be a great day, eh?” :-) )

Routing and Securing BGP

Today is also the day one of the major routing working groups we track will be meeting, unfortunately in that same 9:00-11:30 am block as DNSOP and UTA.  The Inter-Domain Routing (IDR) working group has an extremely packed agenda full of all sorts of drafts related to securing BGP and improving the security of our routing infrastructure.  As our colleague Andrei Robachevsky wrote in his Rough Guide post, IDR “continues to work on better handling of malformed BGP attributes that may cause serious outages, and even cascading effects for other networks.  Because of the timing conflict, I won’t personally be in IDR, but you can expect to find Andrei there.

ISOC@IETF90 Briefing: Internet Security and Privacy: Ten Years Later

In the midst of all the working groups today we’ll spend our lunch time from 11:45-12:45 at the traditional “ISOC@IETF Briefing Panel” that happens every Tuesday of an IETF meeting.  The theme this time is “Internet Security and Privacy: Ten years later” and the abstract begins:

Many fundamental Internet protocols and architectural elements were designed for relatively closed and controlled networks and later used in a fairly trusted environment. Then came explosive Internet growth that changed its very nature – the Internet became a global, open communication medium to which anyone could connect and contribute.

At the same time, the Internet model was also changing. Concentration and centralization of certain functions at various Internet architecture layers created new types of vulnerabilities and, consequently, facilitated new threats such as pervasive monitoring. These vulnerabilities manifest themselves in different ways – for instance, in lack of diversity in implementations of critical security protocols, like TLS.

The number and nature of connected devices is also changing dramatically – sensors, controllers, appliances, etc., all communicating without human intervention.

The Internet continues to change and this evolution will continue. How will security and privacy challenges be addressed ten years from now? What are the missing building blocks that need to be developed? Will current approaches allow us to catch up or is a change of paradigm required?

There are a great set of panelists and this should be a great discussion.  It will be live streamed over YouTube and anyone is welcome to watch.  (Unless they are trying to view the stream from Germany, where apparently they can’t.)

And after all that is done we’ll probably be going to the IETF Social event tonight to talk to more people about how we might be able to help them… before eventually getting to bed to get ready for Day 3…

The information about the relevant working groups today is:

DNSOP (DNS Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/
(Tuesday, July 22, 2014, 0900-1130 EDT, Ballroom)

UTA (Using TLS in Applications) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charters/
(Tuesday, July 22, 2014, 0900-1130 EDT, Ontario)

IDR (Inter-Domain Routing Working Group) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/
(Tuesday, 22 July, 0900-1130 EDT, Tudor 7/8 Room)

OPSEC (Operational Security) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/opsec/
Charter: https://datatracker.ietf.org/wg/opsec/charter/
(Tuesday, 22 July, 1300-1400 EDT, Territories Room)

V6OPS (IPv6 Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/
(Tuesday, July 22, 2014, 1420-1620 EDT, Ontario)

DANE (DNS-based Authentication of Named Entities) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/
(Tuesday, July 22, 2014, 1640-1840 EDT, Canadian)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90″ posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Jul 21

Deploy360@IETF90, Day1: v6OPS, DNSSEC in SIPCORE, 6TISCH and the Technical Plenary

IETF LogoToday here in Toronto at IETF 90 the main activity for the Deploy360 team will be the “IPv6 Operations” (V6OPS) session happening at 9:00am EDT this morning.  The V6OPS agenda  shows that today there will be three larger discussions of interest to us:

  • A discussion of how the interaction between SLAAC and DHCPv6 for can be improved for the configuration of IPv6 clients. There is an Internet Draft that explains the problem statement and will be the basis for the discussion.
  • An analysis of problems encountered in a mobile environment when IPv6-enabled devices roam between mobile networks. Again, an Internet Draft provides the analysis. Coming out of the work of a number of mobile service providers this should be an interesting session.
  • A discussion about what is the appropriate usage of Unique Local Addresses (ULAs).  A draft will be presented but there will also be a much larger discussion happening around what the role of ULAs will be.

There are also a few other topics on the V6OPS agenda and overall it should be a busy session.

If you’d like to join the V6OPS session (or any of the others) remotely to hear the discussion you can follow the instructions on the IETF 90 Remote Participation page or use the “tools-style” agenda page that provides easy links to the audio stream, jabber chat room documents and more for each of the sessions.

After that I’ll be over in the SIPCORE session in the afternoon for Olle Johansson’s draft about how DANE can be used to improve the security of VOIP sessions using TLS and SIP. As I said in my Rough Guide post about DNSSEC/DANE at IETF 90, Olle’s draft presents an interesting usage of DANE in the world of SIP-based voice-over-IP (VoIP).

Next I’ll be over listening in the 6TISCH working group.  This is not one I’ve been actively monitoring but it is of interest to me because it is looking at how IPv6 gets used in automated environments and in Low-power and Lossy Networks (LLNs) that many of us may broadly group into the “Internet of Things”.  From the 6TISCH charter:

The IEEE802.15.4e Timeslotted Channel Hopping (TSCH) is a recent amendment to the Medium Access Control (MAC) portion of the IEEE802.15.4  standard. TSCH is the emerging standard for industrial automation and  process control LLNs, with a direct inheritance from WirelessHART and ISA100.11a. Defining IPv6 over TSCH, 6TiSCH is a key to enable the further adoption of IPv6 in industrial standards and the convergence of Operational Technology (OT) with Information Technology (IT).

Finally, our formal schedule will end today with what should be a very interesting Technical Plenary looking at the link between “network topology” and geography.  The Technical Plenary will be streamed live at http://www.ietf.org/live/ starting at 5:10pm EDT and is available for all to watch. Here is the description of the main technical focus:

Since network gear, links, and the nodes they connect must be in some specific physical place, there is always a relationship between geography and network topology. The flow of data through that topology has generally, however, been relatively independent of the geography.

Recently, some public policy proposals have tried to tie the flow of data on the network to national or regional boundaries. This panel will discuss the relationship between geography and network topology from three points of view.

Each panelist will make a brief presentation, and then we will discuss the implications of their findings. A Question & Answer session will follow the presentations.

I’m personally fascinated by this topic so I’ll be looking forward to this plenary session! Again it is at http://www.ietf.org/live/ – please feel free to share that link widely.

The information about the relevant working groups today is:

V6OPS (IPv6 Operations) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/
(Monday, July 21, 2014, 0900-1130 EDT, Canadian room)

SIPCORE (Session Initiation Protocol Core) WG
Agenda: https://datatracker.ietf.org/meeting/90/agenda/sipcore/
Documents: https://datatracker.ietf.org/wg/sipcore/
Charter: http://tools.ietf.org/wg/uta/charters/
(Monday, July 21, 2014, 1300-1500 EDT, Territories room)

6TISCH (IPv6 over TSCH mode of 802.16e4)
Agenda: https://datatracker.ietf.org/meeting/90/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 
(Monday, July 21, 2014, 1520-1650 EDT, Territories room)

For more background on what is happening at IETF 90, please see our “Rough Guide to IETF 90″ posts on the ITM blog:

If you are here at IETF 90 in Toronto, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Jul 17

A Huge Amount Of DNSSEC Activity Next Week At IETF 90 In Toronto

DNSSEC badgeIf you are interested in DNSSEC and/or “DNS security” in general, there is going to be a great amount of activity happening in a number of different working group sessions at IETF 90 next week in Toronto.

I wrote about all of this in a post on the ITM blog, “Rough Guide to IETF 90: DNSSEC, DANE and DNS Security“, a part of the Rough Guide to IETF 90 series of posts.

You can read the full details (and find links to all the drafts), but here’s a quick summary:

  • The DNSOP (DNS Operations) Working Group will be talking about DNSSEC key and signing policies and requirements for DNSSEC validation in DNS resolvers.  The group will also talk about the “DNSSEC roadblock avoidance” draft before getting into what should be a lively discussion about how we better optimize the distribution of data in the root zone of DNS.
  • The DANE Working Group will discuss a number of ways the DANE protocol can be used with applications such as OpenPGP, SMIME, SMTP and more.  There will also be a discussion of turning the “DANE Operational Guidance” draft into an actual update/replacement for RFC 6698 that defines DANE. It should be very interesting session!
  • The SIPCORE Working Group will discuss a draft about using DANE and DNSSEC for SIP-based Voice-over-IP (VoIP).
  • The TRANS Working Group will explore whether or not there is a role for Certificate Transparency (CT) to play with DNSSEC and/or DANE.
  • The HOMENET Working Group will discuss two different drafts relating to DNSSEC and customer-premise equipment (CPE) such as home wifi routers.

And a couple of other working groups may have DNSSEC-related discussions as well.  All in all it will be a very busy week at IETF 90!

Again, more details and links to all of the associated drafts can be found in the Rough Guide to IETF 90 article about DNSSEC.

If you aren’t able to actually be in Toronto, you still can participate remotely – see the IETF 90 Remote Participation page for more information about how you can join in to the discussions.

If you are in Toronto, please do feel free to say hello and introduce yourself.  You can pretty much expect to find me in all of these various DNSSEC-related sessions (and many of the IPv6-related sessions, too).

Jul 11

A Hosting Provider Marketing “Secure Hosting with SSL, DNSSEC and DANE / TLSA”

I have no idea whether “dotplex” is a good web hosting provider in Germany and I know absolutely nothing about them as a company, but as a DNSSEC advocate I was absolutely thrilled to see dotplex marketing the fact that you could have DNSSEC and DANE if you host with them:

Secure hosting with DNSSEC and DANE

Pure awesomeness!

Of course, they may not be the first to do this but they are the first I personally have seen (and please feel free to leave us comments telling us that your hosting provider has done this for a while).

Now… if we can just get every other web hosting provider to do this then we’d wind up with a much more secure Internet!  (And we could take away the argument by critics that there aren’t a lot of people providing DANE/TLSA records.)

Kudos to dotplex for marketing DNSSEC/DANE and I wish them all the best with their secure hosting offering!

If YOU would like to get started offering DNSSEC and DANE, please see our START HERE page to find resources for your type of organization – and please let us know if you can’t find resources that will help you.