Category: DANE

Speaking At SIPNOC 2014 On June 10 About TLS For SIP/VoIP/UC

What advantages does Transport Layer Security (TLS, what we used to call “SSL”) bring to voice-over-IP (VoIP) that uses the Session Initiation Protocol (SIP)? What is the state of TLS usage within SIP and VoIP? Why isn’t it being used more?

Tomorrow, June 10, 2014, I’ll be speaking at the SIP Network Operators Conference (SIPNOC) 2014 event down in Herndon, Virginia, on the topic of “Is It Time For TLS For SIP?”. I’ll be discussing why we need more TLS usage in SIP-based communication, including what we think of as “VoIP” and also “Unified Communications (UC)”. The abstract for my talk is:

With concerns about large-scale pervasive monitoring on the Internet, many groups are encouraging the increased use of Transport Layer Security (TLS, what we used to call “SSL”). While SIP has had TLS support for quite some time, it is often not used. This session will look at concerns of using TLS with SIP and discuss opportunities for providing higher security for SIP-based communication. The session will also outline some newer innovations such as the DANE protocol that when coupled with DNSSEC can provide a higher level of trust for TLS encryption.

As you can tell, my focus will be around the “TLS for Applications” topic area we have here on Deploy360, as well as some discussion around DANE and what it can bring in terms of increased security.

I’ve spoken at SIPNOC events for the past two years (and at events before that), but my topic has always included IPv6.  This time I won’t be doing that… but to my delight one of the talks before mine tomorrow will be Carl Klatsky from Comcast providing a case study of their work moving their voice services to IPv6.  Here is his abstract:

Comcast Voice IPv6 Deployment Lessons Learned. Presented by Carl Klatsky, Comcast.

This presentation will review the successes, challenges, and lessons learned in deploying IPv6 support into Comcast’s IMS based SIP voice network, in support of an upcoming IPv6 technical trial. The presentation will review the overall target architecture covering both access and network side elements, and share the lessons learned with the SIP community.

I’m very much looking forward to hearing what Carl has to say!

There are many other great sessions on the SIPNOC 2014 agenda.  Unfortunately I can only be at the event tomorrow and will be missing out on the great content on Wednesday and Thursday.  You can, of course, expect to find me in any of the security-related sessions on Tuesday!

If any of you reading this are at SIPNOC 2014 tomorrow please do feel free to say hello!

P.S. And before anyone asks in the comments, no, there is not a live stream (or recordings) of the SIPNOC sessions.  They try to keep it an informal atmosphere where information can be shared with the conference sessions without that information being immediately public.


Watch/Listen LIVE To The ICANN 49 DNSSEC Workshop On Wednesday, March 26

Want to learn about DNSSEC from people who have actually deployed DNSSEC in their region? Want to learn about DANE and how it can be used in applications? How can DNSSEC make the Internet more secure? As I mentioned last week, these are some of the topics that will be discussed in the ICANN 49 DNSSEC Workshop that will be streaming live out of Singapore on Wednesday, March 26, from 8:30am – 2:45pm Singapore time. The session will be recorded for those unable to watch live.

[WARNING: Singapore local time is UTC+8, so it is 7 hours ahead of Central European time, 12 hours ahead of US Eastern time and 15 hours ahead of US Pacific time.  So if you are on the US East Coast, for example, this workshop will start at 8:30pm TONIGHT (Tuesday, March 25).]

Topics to be discussed include:

  • DNSSEC Deployment Metrics
  • DNSSEC Activities in the Asia Pacific Region
  • Case study of the deployment of DNSSEC at .ee (Estonia)
  • Guidance for Registrars in Supporting DNSSEC – and DNSSEC requirements in the 2013 Registrar Accreditation Agreement (RAA)
  • Preparing for DNSSEC Root Key Rollover
  • DNSSEC Applications
  • Demonstration of DANE applications and tools

A full agenda and all of the available slides can be found on the ICANN 49 DNSSEC Workshop program page. You can watch or listen to the event via:

The session should provide excellent information for people interested in DNSSEC and how we can make the Internet more secure.  Please do join in!

And if you are interested in deploying DNSSEC, please check out our DNSSEC resource pages to learn more.

Deploy360@IETF89, Day 5: dnsop, uta

It’s our last day here at the 89th IETF meeting and it’s been a very exhausting but exhilarating meeting so far!  A lot of excellent work is happening in so many areas! Our final day here ends with a number of DNSSEC-related topics being presented in the DNSOP Working Group, while at the exact same time the brand new UTA Working Group, which is part of the inspiration for our new TLS for Applications area of Deploy360, holds its first meeting.

After that, there is an afternoon meeting of the Internet Society Advisory Council which a few of us will attend… and then we’ll be heading back home!  Thanks to all the many people who have come up to us and told us how much they appreciate our work; that kind of feedback means a lot to us!

If you do want to meet with us in these few remaining hours of IETF 89, either find us at one of these sessions or send us email to deploy360@isoc.org.

Thanks, again, for all the great feedback!

Friday, March 7, 2014

dnsop (DNS Operations) WG
0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

uta (Using TLS in Applications) WG
0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charters/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Deploy360@IETF89, Day 4: dane, sunset4, v6ops, 6tisch, idr, dbound, eppext, sipcore and dnsop

The fourth day for our Deploy360 team at the 89th IETF meeting could perhaps best be described as “utter madness”, as there are multiple working groups meeting on ALL of the topics we cover here:  IPv6, DNSSEC, securing BGP and even our new TLS for Applications area. In particular, several of the major DNS groups are holding their only meetings today.

Details and links are farther down below (along with remote participation info), but as we mentioned in our pre-IETF89 posts about IPv6, DNSSEC and Securing BGP, today will bring:

  • The meeting of the DANE Working Group (read more about the DANE protocol).
  • The work in SUNSET4 on phasing out IPv4 and the second meeting of v6OPS focused on operational guidance for IPv6.
  • The 6TiSCH work on IPv6 in resource-constrained “Internet of Things” kinds of networks.
  • The IDR working group has many work items relating to BGP.
  • There is a new DBOUND BOF session that is looking into boundaries in the DNS related to domain names and how those could apply to security policies.
  • In EPPEXT there is an extension proposed for how to securely pass DNSSEC keying material between operators and registries.

Beyond all of those, there are two other Thursday meetings that have come to our attention:

  • In the 1300-1500 block when we already have 3 other sessions of interest, the SIPCORE Working Group is planning a 45 minute discussion on “Happy Eyeballs for SIP” looking at what needs to be done to make SIP work over IPv6. (Where SIP is the dominant open standard used in voice-over-IP.)
  • At the end of the day, a brand new timeslot was opened up from 1840-2040 where the DNSOP Working Group is going to get a head-start on their Friday morning agenda and very specifically focus on the outcome of yesterday’s DNSE BOF around what can be done to protect the confidentiality of DNS queries.  The main point of this evening timeslot is so that TLS can be discussed with some of the people from the UTA Working Group joining in to the discussion (since UTA and DNSOP are scheduled at the same time on Friday morning).

All in all, it’s going to be an extremely busy day for all of us!  We’re looking forward to it, though, as great things are definitely happening!

Thursday, March 6, 2014

dane (DNS-based Authentication of Named Entities) WG
0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

sunset4 (Sunsetting IPv4) WG
0900-1130 UTC, Palace C
Agenda: https://datatracker.ietf.org/meeting/89/agenda/sunset4/ (combined with the Multiple Interface (mif) WG meeting)
Documents: https://datatracker.ietf.org/wg/sunset4/
Charter: http://tools.ietf.org/wg/sunset4/charters

v6ops (IPv6 Operations) WG
1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/v6ops/
Documents: https://datatracker.ietf.org/wg/v6ops/
Charter: https://datatracker.ietf.org/wg/v6ops/charter/

6tisch (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, March 6, 2014, 1300-1500 UTC, Buckingham Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/6tisch/
Documents: https://datatracker.ietf.org/wg/6tisch/
Charter: https://datatracker.ietf.org/doc/charter-ietf-6tisch/ 

idr (Inter-Domain Routing Working Group)
1300-1500 UTC, Blenheim Room
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/idr
Documents: https://datatracker.ietf.org/wg/idr/
Charter: https://datatracker.ietf.org/wg/idr/charter/

sipcore (Session Initiation Protocol Core)
1300-1500 UTC, Palace C
WG Agenda: https://datatracker.ietf.org/meeting/89/agenda/sipcore
Documents: https://datatracker.ietf.org/wg/sipcore/
Charter: https://datatracker.ietf.org/wg/sipcore/charter/

dbound (Domain Boundaries) BOF
1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

eppext (Extensible Provisioning Protocol Extensions) WG
1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charters/

dnsop (DNS Operations) WG
1840-2040 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

8 Sessions About DNSSEC / DANE / DNS At IETF 89 Next Week

Wow! IETF 89 next week in London is going to be an extremely busy week for those of us interested in DNSSEC, DANE and DNS security in general. As I explained in a post today, “Rough Guide to IETF 89: DNSSEC, DANE and DNS Security”, there are 5 new working groups and BOFs related to DNS and DNSSEC in addition to the three already existing working groups.

I go into a great bit of detail in the Rough Guide blog post, but here are the quick summaries of what is happening this week:

  • The DANE Working Group is focused on how to use the DANE protocol to add more security to TLS/SSL connections. The DANE WG agenda at IETF 89 is about using DANE with email and IM, operational guidance and much more.
  • The DNS Operations (DNSOP) Working Group has a very full agenda with the biggest DNSSEC-related piece being the drafts around how to deal with the critical issue of the uploading of DS records from DNS operators to registries.  Some other great DNSSEC work being discussed there, too.
  • The brand new Using TLS in Applications (UTA) Working Group that has as a primary goal to deliver a set of documents that are “go to” security guides aimed at helping developers add TLS support into their applications.  We’re interested in the potential DNSSEC/DANE connection there.
  • The new Public Notary Transparency (trans) Working Group, meeting on Wednesday, is looking at how to update the experimental RFC 6962, “Certificate Transparency”, to reflect recent implementation and deployment experience.  Our particular interest is that part of the charter is to ensure that this mechanism can work in the presence of DANE records in addition to the regular web-certificate-based system.
  • The new EPP Extensions (eppext) working group is looking at draft-ietf-eppext-keyrelay, which defines a mechanism that can be used to securely transfer a DNSSEC-signed domain from one operator to another.
  • The “Encryption of DNS requests for confidentiality” (DNSE) BOF is exploring how to protect the confidentiality of DNS requests from sniffing.   The DNSE BOF will use draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality as starting points for discussion.
  • The Domain Boundaries (dbound) BOF is looking at how domain names are used in setting security policies.  Our interest is in understanding how this may fit into the other DNS security components of the work we are doing such as DNSSEC and DANE.
  • The Extensions for Scalable DNS Service Discovery (dnssd) Working Group is continuing their discussions about how DNS-SD (RFC6763) and mDNS (RFC6762) can be used beyond the local network. Our interest is in how this all gets done securely.

We will finish out the week with a breakfast meeting Friday morning with people involved in the DNSSEC Coordination effort (and anyone can join the mailing list) where we’ll have some conversation and food before heading off to the DNSOP and/or UTA working groups.

It’s going to be a crazy-busy week… but I’m looking forward to seeing all that we can get done!

Relevant Working Groups and BoFs

dnssd (Extensions for Scalable DNS Service Discovery) WG
Monday, March 3, 2014, 1300-1500 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/wg/dnssd/charter/

dnse (Encryption of DNS request for confidentiality) BOF
Tuesday, March 4, 2014, 1420-1550 UTC, Viscount Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnse/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

trans (Public Notary Transparency) WG
Wednesday, March 5, 2014, 1520-1620 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: https://datatracker.ietf.org/wg/trans/charter/

dane (DNS-based Authentication of Named Entities) WG
Thursday, March 6, 2014, 0900-1130 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

dbound (Domain Boundaries) BOF
Thursday, March 6, 2014, 1520-1650 UTC, Blenheim Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dbound/
List of BOFs: http://trac.tools.ietf.org/bof/trac/

eppext (Extensible Provisioning Protocol Extensions) WG
Thursday, March 6, 2014, 1700-1830 UTC, Park Suite
Agenda: https://datatracker.ietf.org/meeting/89/agenda/eppext/
Documents: https://datatracker.ietf.org/wg/eppext/
Charter: http://tools.ietf.org/wg/eppext/charter/

dnsop (DNS Operations) WG
Friday, March 7, 2014, 0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charter/

uta (Using TLS in Applications) WG
Friday, March 7, 2014, 0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charter/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.

Weekend Project: Join the XMPP “Security Test Day” today to test DNSSEC / DANE

If you have a bit of time today, February 22, 2014, and want to help an effort aimed at making the Internet more secure, the XMPP Standards Foundation (XSF) is holding their second “Security Test Day” today.  The goal is to encrypt all traffic between servers and clients on the public network of XMPP servers. (Note that some of you may be more familiar with XMPP as its original name of “Jabber”.) This is all laid out in their manifesto for ubiquitous encryption on the XMPP network.

The connection to the work we are doing here at the Deploy360 Programme is that many of the XMPP servers have DNSSEC-signed domains and many are implementing DANE to secure the usage of TLS/SSL certificates in both server-to-server and client-to-server communication.  The XSF provides guidance on securing DNS via DNSSEC for XMPP servers and the IM Observatory provides two lists of interest:

It is outstanding to see the number of servers that have implemented both DNSSEC and DANE!  

Anyway, if you have an XMPP server, or want to set one up, today is a test day when the XMPP community is working on encrypting all their communication.  Visit their “Second Security Test Day” post to understand more about how you can participate.

This is great work that will definitely help make part of the Internet more secure. If you have time to help today, it would be great!

NIST Offers New Tool To Verify TLSA Records For DANE / DNSSEC

Are you experimenting with using the DANE protocol to provide an additional layer of security to your TLS/SSL certificates via DNSSEC?  Would you like to easily test that your TLSA record needed for DANE works correctly?

If so, the folks at the US National Institute of Standards and Technology (NIST) now have a new tool for testing TLSA records and DANE support.  All you do is go to:

https://www.had-pilot.com/dane/danelaw.html

and in the simplest form just enter in the URL of the site you want to test.  Here is an example of what happened when I entered https://www.freebsd.org/:

[Screenshot: the NIST tool’s DANE/TLSA test results for https://www.freebsd.org/]

The site basically tests that you have your TLSA record correctly configured and that it matches the TLS/SSL certificate you are using with your web server.

Now, if you don’t have a site with a TLSA record but want to see how the tool works, the NIST tool helpfully lets you choose from one of the DANE test sites we list here on Deploy360.  You can also connect to the NIST “DANE Reference site” to explore different usage types.

In an email message to several public mailing lists, tool author Stephen Nightingale at NIST indicated that his latest version of this tool was now offering the choice of testing from clients based either on TLSlite or GnuTLS. He goes on to note:

Mine was one of the ‘DANE-in-the-App’ sites that Viktor Dukhovni reviewed, and he kindly gave an extensive critique. Many of his points have been addressed. A few things still to clear up:

  • I’m not checking for certificate revocation. That is on the list to fix.
  • For 0xx and 1xx uses, it is hard to identify a single canonical CA list. I have overlapping, but different Root Cert sets from Mozilla, Fedora and Linux Mint. So when searching for an authority to build a verification chain I cycle through all of these until succeeding or exhaustion of the possibilities. Some of the DANE 360 listed sets (including some from members of this group) fail to authenticate because the root certs are not in my authorities. A golden, canonical CA list would be nice to find. But I guess that its non-universal availability is one of the problems of the CA system that DANE is aiming squarely at.

The differences between TLSlite and GnuTLS clients highlight the fact that there are unresolved interoperability issues among TLS implementations. It seems reasonable that TLS interoperability testing be instituted as pre-requisite to DANE testing. The development of a TLS Interoperability test suite is therefore on our ‘to-do’ list. I look forward to seeing the newly upgraded OpenSSL client with added DANE. It is quite possible that as an interim step before its appearance I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.

Thanks to Stephen and the team at NIST for making this tool public and we hope that it will help those of you working with DANE to test out your implementations.
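What the tool actually checks, and why Stephen’s 0xx/1xx cases are harder than the 3xx case, is easiest to see in a small validator. The Go program below is an added example written for this page; it is not code from the post or from the NIST tool. It generates a self-signed certificate at run time in place of one fetched from a live server, and the host name www.example.com and port 443 are illustrative.

```go
// Added example, not code from the Deploy360 post or the NIST tool: the check a
// DANE validator makes between a TLSA record and a served certificate (RFC 6698).
// The certificate is self-signed and made at run time so this runs offline; a
// real client takes it from the TLS handshake, the record from a DNSSEC answer.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds the four fields of a TLSA RR (RFC 6698 section 2.1).
type TLSARecord struct {
	Usage        uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector     uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	MatchingType uint8  // 0 exact, 1 SHA-256, 2 SHA-512
	Data         []byte // certificate association data
}

// tlsaAssociationData: the data the zone publishes and the client recomputes.
func tlsaAssociationData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	input := cert.Raw // selector 0: the whole DER certificate
	if selector == 1 {
		input = cert.RawSubjectPublicKeyInfo // selector 1: only the SubjectPublicKeyInfo
	} else if selector != 0 {
		return nil, fmt.Errorf("unknown TLSA selector %d", selector)
	}
	switch mtype {
	case 0:
		return input, nil
	case 1:
		h := sha256.Sum256(input)
		return h[:], nil
	case 2:
		h := sha512.Sum512(input)
		return h[:], nil
	default:
		return nil, fmt.Errorf("unknown TLSA matching type %d", mtype)
	}
}

// MatchesEndEntity reports whether the record matches the served certificate.
// For usage 3 (DANE-EE) this is the whole check; usages 0, 1 and 2 also need a
// verified chain (to a trust-store CA, or to the TLSA-named anchor), not done here.
func (r TLSARecord) MatchesEndEntity(cert *x509.Certificate) bool {
	want, err := tlsaAssociationData(cert, r.Selector, r.MatchingType)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, r.Data) == 1
}

// Presentation renders the zone-file line a client looks up at _port._tcp.host.
func (r TLSARecord) Presentation(host string, port int) string {
	return fmt.Sprintf("_%d._tcp.%s. IN TLSA %d %d %d %s", port, host,
		r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
}

// newSelfSignedCert makes a throwaway P-256 certificate for host.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	served, _ := newSelfSignedCert("www.example.com")
	data, _ := tlsaAssociationData(served, 1, 1) // "3 1 1": the usual choice
	rec := TLSARecord{Usage: 3, Selector: 1, MatchingType: 1, Data: data}
	fmt.Println(rec.Presentation("www.example.com", 443))
	fmt.Println("served certificate matches:", rec.MatchesEndEntity(served))
	renewed, _ := newSelfSignedCert("www.example.com") // new key, stale record
	fmt.Println("renewed certificate matches:", rec.MatchesEndEntity(renewed))
}
```

For a usage 3 record the end-entity comparison is the entire check, which is why it needs no CA list at all. For usages 0 and 1 the served chain must additionally validate against the client’s trust store (in Go, x509.Certificate.Verify with the chosen roots), and for usage 2 against the certificate or key the TLSA record names; which root set to use is exactly the problem Stephen describes above. Revocation checking, which he also lists, is likewise outside this comparison.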

Are There More (or Newer) DNSSEC / DANE Application Developer Libraries We Should Add To Our List?

What developer libraries / modules are you using to add DNSSEC or DANE support to your applications?  For some time now we’ve maintained a list of DNSSEC developer libraries at:

http://www.internetsociety.org/deploy360/resources/dnssec-developer-libraries/

but I noticed that the list is now two years old!  While many of the libraries listed are the “common” ones that many developers use, I have to think that there have also been some newer libraries in the time since, perhaps in some other languages.  Before I spend time looking around developer sites and mailing lists, I thought I would ask all of you who visit this site: do you know of any libraries we aren’t listing?

If you are aware of any additional libraries that we should add to the list, we would love to hear about them, either as comments to this blog post, as comments on the social networks where this post will appear, or via email or our feedback form.

Your help will be greatly appreciated!  Thanks!

Weekend Project: Install The DNSSEC/TLSA Validator for Chrome, Firefox, more

How do you know if a website has a domain signed by DNSSEC?  Here’s another quick weekend project, very similar to last weekend’s project, where you can add support to your web browsers to know the DNSSEC status of sites you are visiting.  Even better, as people start to use the DANE protocol to secure TLS/SSL certificates, you’ll be able to know when DANE is being used.

The great team at CZ.NIC Labs has released a new version 2.1 of their plugin for Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Opera.  You can get it at:

https://www.dnssec-validator.cz/

A key difference in this version from previous versions is that it now has support for the TLSA record in DNS that is used by the DANE protocol to add an extra layer of trust to the usage of TLS/SSL certificates.

Once you have the DNSSEC/TLSA validator installed in your browser, you should be able to go to links on these pages to test out your new capabilities:

When you visit the sites, you should see additional icons in your browser’s address bar that will give you information such as this:

[Screenshot: DNSSEC/TLSA Validator icons in the browser address bar]

The addition of TLSA record support is a great new feature!  While TLSA record usage is still quite small among web sites today, having this ability to see the TLSA usage will definitely help the people out there who are pioneering the usage.

Kudos to the CZ.NIC team for making this available!

P.S. Do note that in order for this to work, your web browser needs to have access to a DNSSEC-validating DNS resolver.   [UPDATE: As noted in the comments to this post, the add-on no longer requires access to a DNSSEC-validating DNS resolver. The required capabilities were built into the code instead.  Having said that, it's still also great to make sure your local DNS resolver does do DNSSEC validation for all the other apps you have.] The add-on can use DNSSEC-validating DNS resolvers from CZ.NIC or Google, but why not make your network that much more secure and install your own DNSSEC-validating resolvers?  Check out our recent weekend project to learn more about how to configure DNSSEC validation on your local DNS resolver.

Video – ENOG6: DNSSEC and DANE Deployment Trends, Tools And Challenges

What are DNSSEC and DANE all about?  What advantages do they have?  What tools are out there to help?  Back in October I spoke at the ENOG 6 event in Kiev, Ukraine, about DNSSEC deployment trends and also the opportunities with the DANE protocol to build an additional secure layer of trust in TLS/SSL certificates.  The video is available for viewing and the slides are also available online:

It was a great session and I had a good number of questions from people in the room.  Now.. the question is… how can we help YOU deploy DNSSEC?