Category: DANE

Comments? Olle’s Thoughts on SIP (VoIP) and DNSSEC / DANE

How do you think DNSSEC and specifically DANE could be used with the Session Initiation Protocol (SIP) to provide an added layer of security to voice / video communications over IP (a.k.a. “VoIP”)? I started raising this question back in a presentation at SIPNOC 2013 and again in a recent VUC interview about DNSSEC and VoIP, but today to my delight Olle Johansson dove a bit deeper with a set of slides about SIP and DNSSEC / DANE that he posted on SlideShare. These are just his “brainstorming” a bit about how DNSSEC/DANE could work with SIP – and he has posted them for comment and feedback:

I like that he went deeper than I had done into precisely where in the SIP interactions DNSSEC / DANE could play a role.  Olle is definitely looking for comment which you can leave in many different places (such as SlideShare, this blog post, anywhere it’s posted on social networks) or can send directly to Olle or send out on the DANE working group mailing list.

I’m pleased to see the continued evolution of this discussion… and I look forward to seeing more work happen in this space.  (Note that I’ve set up a page here about DNSSEC and VoIP to track where some of this work is happening (and am always looking for items to add).)

DNSSEC Presentations Coming Up at ICANN46 in Beijing

Next week at the ICANN 46 meetings in Beijing, China, there will be a series of DNSSEC-related workshops. I (Dan York) will be at ICANN 46 and will be participating in these sessions. If you are able to attend in person, the events will be an excellent way to learn more about DNSSEC.

NOTE: Remote participation IS possible. See the links below to listen to the live streams.


The major DNSSEC-related meetings are on Monday, April 8, 2013, and Wednesday, April 10, 2013. They are:

DNSSEC for Everybody – A Beginner’s Guide

Monday, 8 April 2013 – 5pm-6:30pm, Auditorium – http://beijing46.icann.org/node/37065

This very basic introductory session is aimed to help attendees understand more about how DNSSEC can secure the Domain Name System and make the Internet more secure. As DNSSEC gets more widely deployed it is critical to understand how DNSSEC works. This session provides an interactive and fun way to learn how DNSSEC works, what tools are available to help and what best practices are currently being used.

DNSSEC Workshop

Wednesday, 10 April 2013, 8:30am-2:45pm, Rainbow – http://beijing46.icann.org/node/37125

This 6+ hour workshop brings together industry leaders on DNSSEC for a series of panel discussions about the state of the art in implementing DNSSEC, current best practices, government regulations and operational practices. Sessions also include talks about the latest and innovative uses of DNSSEC. Panels at ICANN 46 include:

  • Introduction and DNSSEC Deployment Around The World
  • DNSSEC: Regulative, Legislative and Persuasive Approaches to Encouraging Deployment
  • DNSSEC Deployment in Asia Pacific
  • Use of DNSSEC in the Reverse Name Space
  • The Operational Realities of DNSSEC
  • DNSSEC Innovation: DANE and Other DNSSEC Applications
  • Root Key Rollover

There will be case studies and reports on some of the latest tools. Of interest to many may be the talk from someone at CNNIC about China’s plans for deploying DNSSEC and signing .CN.  I’ll be moderating the panel on “DNSSEC Innovation” as well as providing a brief tutorial about the DANE protocol and how it helps.  Several of the other panelists will also be talking about DANE so it should be a good session.

I’ve attended several of these workshops now and have been very impressed by the quality of the sessions in terms of technical content.  If you’re at all interested in DNSSEC, I really can’t recommend the event strongly enough.  In full disclosure, I joined the Program Committee for this ICANN 46 workshop, so I’m a wee bit biased… but it also means I’ve seen many of the proposals as well as the completed slide decks – and I can say that there will be some excellent sessions there.


On Monday evening, there will also be an informal gathering of people involved with implementing DNSSEC to discuss and exchange information about DNSSEC implementations.  As noted in the email announcement, you need to RSVP by Thursday, April 4, as it is being held at a local restaurant and a count of attendees is needed.

In looking over the ICANN 46 schedule, another meeting I will probably attend is the “Joint DNS Security and Stability Analysis Working Group (DSSA)” on Thursday, April 11, 2013.  While it is not specifically about DNSSEC, it relates to “DNS security” in general and I would think it should be a rather interesting session given the recent DDoS attacks going on that are using DNS amplification.

If you are going to be at ICANN 46 and would like to meet with me to talk about DNSSEC, IPv6, routing resiliency or just Deploy360 in general, please feel free to drop me a note or find me in one of these sessions mentioned here.


Slides: DANE, the next big thing after DNSSEC

What is the DANE protocol all about? How does it protect Internet communication? How does it relate to SSL/TLS certificates? What is wrong with the Web’s public key infrastructure (PKI), anyway?

At a recent cybersecurity conference in the Netherlands, Marco Davids of SIDN gave a presentation titled, “DANE, the next big thing after DNSSEC,” that covers these and other questions – and does so with a good degree of detail. His slides are available:

DANE presentation by SIDN

We, too, agree that DANE has a great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. We would encourage you to look at our DANE resources and start looking at what you can do today!

Deploy360@IETF86: Day 4 – IPv6, DNSSEC and Routing, Oh, My!

Day 4 of the 86th meeting of the Internet Engineering Task Force (IETF) hits all of our Deploy360 topics – IPv6, DNSSEC and Routing Resiliency/Security.

General information about participating remotely can be found on the Remote Participation page as well as the IETF86 agenda – specific info for the groups we are following is included below.


0900-1130 Thursday, March 14

Homenet – Caribbean 3
This working group focuses on the evolving networking technology within and among relatively small “residential home” networks.

Interface to the Routing System (I2RS) – Caribbean 5
This is a new working group meeting for the first time that is seeking to define a publicly documented interface into the Internet’s routing system for applications to use. The best way to understand this new group would be to read draft-atlas-i2rs-problem-statement.


1300-1500 Thursday, March 14

Port Control Protocol (PCP) – Caribbean 6

The PCP working group is back again looking at how to enable communication from applications across middleboxes such as Network Address Translation (NAT) devices and firewalls for both IPv4 and IPv6.

Two other groups also may be of interest during this time block:


1510-1710 Thursday, March 14

Dynamic Host Configuration (dhc) – Caribbean 1
The DHC working group looks at DHCP and aspects of dynamically configuring IP addresses, both for IPv4 and IPv6, although the focus these days is on DHCPv6.

Operational Security  (opsec) – Caribbean 3
The OPSEC working group looks at the operational security concerns of IP networks. In this meeting there are 3 drafts focused on the security of IPv6 networks.


1730-1830 Thursday, March 14

Dynamic Host Configuration (dhc) – Caribbean 1
The DHC working group will continue to meet during this timeslot. Information is above.

DNS Operations  (DNSOP) – Caribbean 4
The DNSOP Working Group focuses on operational aspects of the Domain Name System and at this session has multiple drafts relating to DNSSEC.


1900-2100 Bits-N-Bites

This reception / networking time in Grand Sierra D should be an interesting chance to look at new technology from a number of sponsors.

2000-?  Alternative PKI Side Meeting, Boca 4

For those people interested in authentication and the public key infrastructure (PKI) aspects of the Web, there will be an “Alternative PKI Models Side Meeting” in room Boca 4, the IAB office, to talk about the requirements, goals and the design assumptions for a Web PKI.  Given our interest in DNSSEC and DANE, I (Dan) will be in this meeting to participate.

And after all of that… we’ll be trying to figure out how to get some food.  :-)

P.S. For a broader view of the Internet Society’s interest in IETF 86 beyond that of just the topics we cover here at Deploy360, please see our “Rough Guide to IETF 86’s Hot Topics”.


Verisign Labs DANE Demonstration Page and Test Sites

Are you developing software that uses the DANE protocol to combine the strong integrity of DNSSEC with the encryption of TLS/SSL?

If so, the folks over at Verisign Labs have stood up a demonstration page and a series of test sites at:

http://dane.verisignlabs.com/

They provide a number of different test cases that you can use to test your DANE support.  We’ve added their sites to our list of DANE test sites and we definitely thank Verisign for making them available.

Check the sites out… and let’s see DANE support getting added to more applications!

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question can be – how do you generate a TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record (outlined in RFC 6698), you might need to add a “-o generic” flag onto the command line to get the appropriate record. And you might want to add on more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?

Hash-slinger – a tool for creating TLSA records for the DANE protocol

Hash-slinger is a package of tools created by Paul Wouters of Red Hat to make it easy to create records for the DANE protocol, which lets you secure your SSL/TLS certificates using DNSSEC.

The package is available for Linux at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.

If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:

$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

The “tlsa” command also has other options for generating other types of TLSA records.
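To make the two record forms above concrete, here is an added Python example (not part of hash-slinger, and not code from this post) that builds the same “3 0 1” TLSA record from certificate bytes and prints it in both the native TLSA presentation format and the RFC 3597 generic TYPE52 form, then checks a presented certificate against the published record. The certificate bytes and the owner name _443._tcp.example.com. are constructed placeholders; a real deployment would feed it the DER encoding of the server’s certificate.

```python
"""Build and check DANE TLSA records (RFC 6698).

Added example; not hash-slinger's code.  The certificate bytes below are a
constructed stand-in, not a real DER certificate.
"""
import hashlib
import hmac

# Constructed placeholder for the DER encoding of a server certificate.
SAMPLE_CERT_DER = b"\x30\x82\x02\x00" + bytes(range(256)) * 2

# RFC 6698 field values.  The page's example, "3 0 1", is DANE-EE usage,
# full-certificate selector, SHA-256 matching type.
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_FULL = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def association_data(cert_der, selector, matching_type, spki_der=None):
    """Return the 'certificate association data' for one certificate.

    Selector 0 covers the whole DER certificate; selector 1 covers only its
    SubjectPublicKeyInfo, which the caller must extract and pass in."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        selected = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_rdata(cert_der, usage=USAGE_DANE_EE, selector=SELECTOR_FULL_CERT,
               matching_type=MATCH_SHA256, spki_der=None):
    """Wire-format RDATA: one byte each for usage, selector and matching
    type, followed by the association data (RFC 6698 section 2.1)."""
    return bytes([usage, selector, matching_type]) + association_data(
        cert_der, selector, matching_type, spki_der)


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of the record: _<port>._<proto>.<host>."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def tlsa_presentation(owner, rdata):
    """Native presentation format: 'IN TLSA <u> <s> <m> <hex data>'."""
    return "%s IN TLSA %d %d %d %s" % (
        owner, rdata[0], rdata[1], rdata[2], rdata[3:].hex())


def tlsa_generic(owner, rdata):
    """RFC 3597 unknown-type format for software that lacks TLSA support:
    'IN TYPE52 \\# <rdata length> <entire rdata as hex>'.  Note that the
    three parameter bytes (e.g. 030001) are part of the hex here."""
    return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())


def tlsa_matches(rdata, cert_der, spki_der=None):
    """Recompute the association data from a presented certificate using the
    record's own selector and matching type, and compare in constant time."""
    expected = association_data(cert_der, rdata[1], rdata[2], spki_der)
    return hmac.compare_digest(expected, rdata[3:])


if __name__ == "__main__":
    owner = tlsa_owner("example.com")  # constructed name
    rdata = tlsa_rdata(SAMPLE_CERT_DER)
    print(tlsa_presentation(owner, rdata))
    print(tlsa_generic(owner, rdata))
    print("certificate matches record:", tlsa_matches(rdata, SAMPLE_CERT_DER))
```

The generic form is simply the whole RDATA hex-encoded with its length in front, which is why the TYPE52 line in the walk-through above begins with 030001 and is 35 bytes long for a SHA-256 record: three parameter bytes plus a 32-byte digest.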

Slides – Adding DNSSEC to Fedora and Red Hat Linux

What is the status of DNSSEC being added to Fedora and Red Hat Linux?  What changes have already been made?  What changes will occur in the future?  What tools are available to help?

At the recent ICANN45 DNSSEC Deployment Workshop, Paul Wouters from Red Hat spoke about integrating DNSSEC into Linux. Paul’s slides are available for download and a video of the entire workshop is available from the main page.

Paul Wouters presentation on DNSSEC in Linux

In the presentation, Paul talks about the difference between Fedora and Red Hat Linux and then dives into what needed to be modified to support DNSSEC. He provides some insight into their experiences using DNSSEC in different configurations and with different tools.

Paul also spoke about support for the DANE protocol to use DNSSEC to validate SSL/TLS certificates and in particular his TLSA Validator add-on for the Firefox browser and his “hash-slinger” tool that generates TLSA records.  Both tools are available at his site at:

http://people.redhat.com/pwouters/

It was a great presentation to hear, and Paul is very active within the DNSSEC community working on tools such as these to help get DNSSEC further deployed. It is well worth some time checking out his tools.

Walking Through Setting Up A TLSA Record for DNSSEC/DANE

In a post titled “DNSSEC and Certificates” today, Shumon Huque provides a nice walk-through of the steps needed to get set up with a TLSA record in DNS to tie an SSL/TLS certificate into the global chain-of-trust created by DNSSEC. First, though, he explains very succinctly why we should care about security issues related to current certificate authorities (CAs) and how the new DANE protocol helps address this.

He then steps through what he had to do with openssl to create the appropriate TLSA record for his existing SSL certificate (and points out the availability of Paul Wouters’ hash-slinger tool to make this even easier).

It’s good to see posts like this explaining the process and we’ll be looking to add tutorials like this to our site as we continue to expand our DANE coverage in the weeks and months ahead.

By the way, Shumon will be one of the speakers at our ION San Diego conference on December 11th.  If you want to learn about DNSSEC and IPv6 topics and can get to San Diego, we’d definitely suggest you consider attending!

P.S. We’ve added Shumon’s site to the list of DANE test sites that developers can use to test out new DANE applications.

21 Sites You Can Use To Test DANE Support (DNSSEC + SSL/TLS)

Have you been working on an application that uses the new DANE protocol to combine the encryption of SSL/TLS with the strong integrity protection of DNSSEC? Have you been looking for a way to test your application with a variety of different test cases? If so, we’ve started compiling a list of sites that are currently publishing the TLSA records used by DANE. You can find the list at:

http://www.internetsociety.org/deploy360/resources/dane-test-sites/

As you’ll see on that page, we currently have sites listed for the following protocols and situations:

  • HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
  • HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate
  • HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate
  • HTTP – Invalid TLSA Record
  • HTTP – Valid TLSA Record With Invalid DNSSEC Signature
  • SMTP
  • XMPP/Jabber

If you are currently publishing TLSA records, please do let us know and we’ll be glad to add your site to the list. In these early days we’d like to make it as easy as possible for developers to find sites with which they can test their apps.

Thanks – and we’re looking forward to seeing the wide deployment of DANE enabling a much more secure Internet!
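The categories in that list map directly onto the decision a DANE-aware client has to make, which is worth spelling out in code. The following is an added Python example, not code from the Deploy360 site or from any of the listed test sites: it models RFC 6698 section 4.1 processing with DNSSEC validation reduced to its outcome (secure, insecure or bogus) and certificates represented by constructed byte strings, then runs each of the listed HTTP test cases through it. The names SECURE, BOGUS, dane_decision and the sample certificate strings are all constructed for the example; only selector 0 / matching type 1 records are modelled, and the extra path-validation step that usage 2 (DANE-TA) requires up to the matched anchor is left out.

```python
"""Client-side DANE decision across the test-site categories (RFC 6698 s4.1).

Added example, not the Deploy360 site's code.  Certificates are constructed
byte strings; DNSSEC validation is modelled by its outcome, not performed.
"""
import hashlib

# DNSSEC validation outcome for the TLSA lookup.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"
# Decision the TLS client takes.
PASS, FALLBACK_PKIX, FAIL = "pass", "pkix-only", "fail"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
EE_CERT = b"constructed end-entity certificate DER"
CA_CERT = b"constructed intermediate CA certificate DER"
OTHER_CERT = b"constructed certificate belonging to someone else"


def sha256_tlsa(cert_der, usage):
    """A '<usage> 0 1' record (full certificate, SHA-256) as a tuple
    (usage, selector, matching_type, association_data)."""
    return (usage, 0, 1, hashlib.sha256(cert_der).digest())


def record_matches(record, chain):
    """Compare a record with the certificate RFC 6698 says it describes.

    chain[0] is the end-entity certificate; the rest are CA certificates.
    Usages 1 (PKIX-EE) and 3 (DANE-EE) must match the end-entity cert;
    usages 0 (PKIX-TA) and 2 (DANE-TA) must match a certificate in the
    chain acting as trust anchor.  Unsupported selector/matching-type
    values make the record unusable, never trusted."""
    usage, selector, matching_type, data = record
    if selector != 0 or matching_type != 1:
        return False
    candidates = chain[:1] if usage in (1, 3) else chain
    return any(hashlib.sha256(cert).digest() == data for cert in candidates)


def dane_decision(dnssec_state, tlsa_rrset, chain, pkix_valid):
    """RFC 6698 section 4.1 processing, simplified:
    - bogus DNSSEC state: TLS must not proceed at all;
    - insecure zone or no records: DANE says nothing, ordinary PKIX applies;
    - secure: some usable record must match, and usages 0 and 1 also need
      the chain to pass normal PKIX validation (usages 2 and 3 do not)."""
    if dnssec_state == BOGUS:
        return FAIL
    if dnssec_state != SECURE or not tlsa_rrset:
        return FALLBACK_PKIX
    for record in tlsa_rrset:
        if not record_matches(record, chain):
            continue
        if record[0] in (0, 1) and not pkix_valid:
            continue
        return PASS
    return FAIL


def run_test_cases():
    """Mirror the categories on the Deploy360 DANE test-sites list, using a
    '3 0 1' record like the one hash-slinger generates by default."""
    good = [sha256_tlsa(EE_CERT, 3)]
    return {
        "valid TLSA, valid CA-signed cert":
            dane_decision(SECURE, good, [EE_CERT, CA_CERT], True),
        "valid TLSA, valid self-signed cert":
            dane_decision(SECURE, good, [EE_CERT], False),
        "valid TLSA, invalid CA-signed cert":
            dane_decision(SECURE, good, [EE_CERT, CA_CERT], False),
        "invalid TLSA":
            dane_decision(SECURE, [sha256_tlsa(OTHER_CERT, 3)],
                          [EE_CERT, CA_CERT], True),
        "valid TLSA, invalid DNSSEC signature":
            dane_decision(BOGUS, good, [EE_CERT, CA_CERT], True),
        "unsigned zone, no TLSA":
            dane_decision(INSECURE, [], [EE_CERT, CA_CERT], True),
        "PKIX-EE (usage 1) record, self-signed cert":
            dane_decision(SECURE, [sha256_tlsa(EE_CERT, 1)], [EE_CERT], False),
    }


if __name__ == "__main__":
    for case, outcome in run_test_cases().items():
        print("%-45s -> %s" % (case, outcome))
```

Two of the cases show why the test sites matter: a DANE-EE (usage 3) record makes the CA-signed-or-not question irrelevant, so the “invalid CA-signed certificate” site must still pass, while the “invalid DNSSEC signature” site must fail outright, because a bogus TLSA answer means the connection should not be started rather than quietly falling back to PKIX.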