Category: DNS

Celebrating 30 Years Of The Domain Name System (DNS) This Month!

Thirty years ago this month, in November 1983, two RFCs were published that defined the critical Internet service we now take for granted and use every day: the Domain Name System or, more generally, just “DNS”. Those two RFCs, authored by Paul Mockapetris, were:

  • RFC 882, Domain Names – Concepts and Facilities
  • RFC 883, Domain Names – Implementation and Specification

These two RFCs formed the basis for what was to become the DNS system we use today. There was a great amount of discussion in the early 1980s around how to move beyond the flat naming convention used in the early “ARPA Internet”. Several proposals were out there that make for interesting reading today, including RFC 799, RFC 819 and RFC 830. As Paul Mockapetris relays in a video for the Internet Hall of Fame (IHOF) Internet timeline, his boss at the time, Jon Postel, asked Paul to look at the various ideas and come up with a proposal of his own for how it should work. The result was RFCs 882 and 883.

Four years later, in November 1987, these two original RFCs (882 and 883) were then “obsoleted” by RFC 1034 and RFC 1035 in which Paul updated and expanded the original RFCs based on the experience of those four years in actually implementing DNS. These newer RFCs 1034 and 1035 are still the basis of DNS today, although they have been “updated” many times since, including by the addition of DNSSEC in RFCs 4033, 4034 and 4035.

Today the DNS is a critical part of our Internet infrastructure and is the service guiding us in connecting to all the other services we use across the Internet. We all use DNS all the time every day even though, as Paul Mockapetris wrote earlier this year, we may not even be aware that we are using DNS.

Here at the Deploy360 Programme we are focused on how we collectively can make the DNS more secure using DNS Security Extensions (DNSSEC) and through that how we can make the overall Internet safer and more secure.  But as we do that, we do also need to step back and just think about how amazing the overall DNS system is – and how incredibly critical it has become!

Happy 30th anniversary to the DNS!  It will be fascinating to see where it goes next!

P.S. Many thanks to Ondřej Surý of NIC.CZ who pointed out this 30-year anniversary today on the dns-operations mailing list.


UPDATE: Our colleague Andrei Robachevsky also provided some commentary in a post, Happy 30th Birthday, DNS!, where he points to some other briefing papers, studies and reports around DNS, and also touches on issues relating to the abuse of DNS.


An audio commentary on this topic is also available:

4 Sessions About DNSSEC, DNS And DANE At IETF 88 Next Week

Next week IETF 88 in Vancouver will be a bit quieter on the DNSSEC and DANE front. As I wrote in a post today on our “Internet Technology Matters (ITM)” blog, “Rough Guide to IETF 88: DNSSEC, DANE and DNS“, the only major working group related to DNSSEC that will be meeting will be the DNSOP WG on Tuesday, November 5th. However, in that meeting there will be the very big topic of how we automate the transfer of updated DS / DNSKEY records from a child zone up to a parent zone within DNS. There are a couple of different proposals that will be discussed, including:

It should be an excellent discussion.  As I wrote in the ITM post, there are several other interesting drafts as well being discussed in DNSOP – all focused around improving the operations of DNSSEC.  It should be a great session at IETF!

The DANE Working Group is not meeting but as I mentioned in the other article I expect that DNSSEC / DANE will come up in some of the many conversations that will be going on next week related to how we harden the Internet against large-scale surveillance and pervasive monitoring.  The Technical Plenary on Wednesday, November 6, should be an excellent event well worth listening to.   The “Perpass” BOF session will dive into more details. I don’t know if DNSSEC / DANE will be discussed there… but it certainly could be.

The DNS-SD Working Group discussion could also be quite interesting because as you extend DNS service discovery beyond a simple local network into a multi-network environment, you need to have some way to securely communicate that information. We’ll see what is being talked about in that regard.

Anyway, here are four of the sessions where DNSSEC / DANE / DNS will be discussed – you can expect to find me in all of them:

NOTE: If you are not going to be in Vancouver next week, there are multiple ways that you can participate remotely in these working groups, including audio streams and Jabber chat rooms.

Video Interview: Why Use Knot DNS For DNS And DNSSEC?

What is the “Knot DNS” server all about and why would you want to use it versus one of the other DNS servers supporting DNSSEC? At the recent ENOG 6 event in Kiev, Ukraine, I had a chance to speak with Jaromir Talir from CZ.NIC Labs and the resulting video interview can be found below. If you are interested in checking out the software, you can visit:

http://www.knot-dns.cz/

The software is available pre-packaged for several versions of Linux as well as in source-code form.

Here is my interview with Jaromir (and I apologize to Jaromir for repeatedly calling his organization by its domain “nic.cz” instead of by the organization’s name of “cz.nic”):

Prior to this interview, Jaromir had spoken on stage at ENOG 6 in more detail about Knot DNS. His ENOG 6 slides about Knot DNS are online and a video recording of his presentation is available:

It’s great to see a new entrant into the field of DNS name servers.  While the existing servers are very rock solid, it’s always great to see new people coming in with new ideas and new tools.  As Jaromir says in the interview, having diversity among your servers can be a good practice.  I’d encourage you to go check out Knot DNS and let Jaromir and the CZ.NIC team know what you think of it!

Knot DNS

Knot DNS is an authoritative DNS name server that can be used to serve out zone records and includes support for DNSSEC and DANE. One of the key design goals is to provide simple DNSSEC support for dynamic DNS. Knot DNS is developed by the team at CZ.NIC and can be found at:

https://www.knot-dns.cz/

It is available pre-packaged for several versions of Linux and also as source code as a release or directly from a git repository.

Knot DNS is highly scalable and used by CZ.NIC for the operation of the .CZ TLD. It was developed with the target audience of network operators and DNS operators in mind but can be used by anyone needing to serve out DNS records.

For an overview of Knot DNS, you can view this short video interview with Jaromir Talir of CZ.NIC:

Prior to this interview, Jaromir had spoken on stage at ENOG 6 in Kiev, Ukraine, in more detail about Knot DNS. His ENOG 6 slides about Knot DNS are online and a video recording of his presentation is available:

DNS Servers Supporting DNSSEC

When you install a DNS “server” on your network, it generally acts as either: 1) an “authoritative server” that serves out the DNS records of a zone it is responsible for; or 2) a “recursive nameserver” (also called a “caching nameserver”, a “caching recursive nameserver” or simply a “resolver”) that performs DNS queries on behalf of clients, following referrals from the root down to the authoritative servers and caching the answers it receives. DNSSEC involves both roles: authoritative servers publish signed zones, and recursive servers validate the signatures before handing answers to clients.

The following DNS software is known to support DNSSEC.  If you have additions, please contact us.

[EDITORIAL NOTE: This page is still a work in progress.  Individual pages are being created for each of the servers listed that will link to the server website but also to specific pages and tutorials about using that server with DNSSEC. The goal is to have this completed by the end of October 2013.]

Authoritative DNS servers

The following DNS servers can serve out DNSSEC-signed zones and typically also include mechanisms for directly performing DNSSEC-signing within the software (listed alphabetically):

  • BIND
  • Knot DNS
  • Microsoft Windows Server 2012
  • NSD
  • PowerDNS

Recursive DNS servers (a.k.a. “resolvers”)

The following DNS servers can perform validation of DNSSEC signatures when performing DNS queries (listed alphabetically):

  • BIND
  • Microsoft Windows Server 2012
  • Unbound

If you know of additional software we should list here, please contact us.
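The distinction above matters at the client: a DNSSEC-validating resolver tells you it verified an answer by setting the AD (Authentic Data) bit in the response header, and it returns SERVFAIL for data that fails validation, while a non-validating resolver simply hands back whatever it received. The following Python script is an added example (not code from this page or from any of the servers listed) showing how a client asks for DNSSEC-aware service and reads that status back. The live `ask()` helper assumes a resolver reachable on UDP port 53; the offline demonstration uses constructed header-only replies, and the transaction ID and server address are illustrative.

```python
"""Added example, not code from the Deploy360 page or from any server listed
above: build a DNS query that signals DNSSEC support (EDNS0 OPT record with
the DO bit) and classify a resolver's answer from its header flags.  A
validating resolver sets AD on answers it verified and returns SERVFAIL for
data that fails validation; a non-validating one returns neither."""
import os
import socket
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_SERVFAIL = 2


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=None, want_dnssec=True):
    """Return a wire-format query with RD set.  With want_dnssec an OPT RR
    (RFC 6891) carrying DO=1 is appended so the resolver includes RRSIGs and
    reports validation status.  The transaction ID is random by default, as it
    must be for any query that actually leaves the host."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    arcount = 1 if want_dnssec else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if want_dnssec:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, 32-bit TTL field
        # = extended RCODE (8) | EDNS version (8) | DO (1) | Z (15), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg


def parse_header(msg):
    """Return the 12-byte header of a wire-format DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """Describe what the response says about DNSSEC validation.
    Returns one of: 'validated', 'unvalidated', 'servfail', 'mismatch'."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"          # not an answer to this query; ignore it
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"          # what a validating resolver returns for bogus data
    if r["ad"] and not r["cd"]:
        return "validated"         # resolver asserts it verified the chain of trust
    return "unvalidated"           # an answer arrived, but nothing vouches for it


def make_response(query, flags, rcode=0):
    """Constructed header-only reply for offline demonstration (no answer section)."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | flags | rcode, 0, 0, 0, 0)


def ask(server, qname, qtype=TYPE_A, timeout=2.0):
    """Send one query over UDP to a resolver and return (classification, raw response)."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return classify(q, r), r


if __name__ == "__main__":
    # Offline demonstration with constructed replies to a fixed-ID query.
    q = build_query("example.com", txid=0x1234)
    print(classify(q, make_response(q, FLAG_RA | FLAG_AD)))            # validated
    print(classify(q, make_response(q, FLAG_RA)))                      # unvalidated
    print(classify(q, make_response(q, FLAG_RA, RCODE_SERVFAIL)))      # servfail
```

Run `ask("127.0.0.1", "example.com")` against a local resolver to see which class it falls into. Remember that AD is only an assertion made by the resolver: it means nothing unless that resolver validates and the path between the client and the resolver cannot be tampered with, which is why a validating resolver on the host itself, or on a trusted local network, is the usual deployment.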

FreeBSD 10 To Include OpenSSH With DNSSEC Support (for SSHFP records)

Very cool news out of the FreeBSD team yesterday… the upcoming FreeBSD 10 will include support in OpenSSH for DNSSEC. The key point is this:

This means that OpenSSH will silently trust DNSSEC-signed SSHFP records.

What this means is this: when you go to ssh into an unknown system (i.e. one that is not in your “known_hosts” file), OpenSSH queries DNS for the host’s SSHFP record and, if that answer came back DNSSEC-validated, accepts a host key whose fingerprint matches the record without prompting you. One caveat worth knowing: OpenSSH does not validate the DNSSEC chain itself. It trusts the AD (Authentic Data) bit set by the recursive resolver it is configured to use, so that resolver must be a validating one and must be reached over a path an attacker cannot tamper with, typically a resolver running on the host itself or on a trusted local network.

This process of using an SSHFP record was defined in RFC 4255 back in 2006. If you are familiar with how ssh (a.k.a. “secure shell”) works, when you connect to an unknown system for the first time you are presented with the “fingerprint” of the public key of the server to which you are connecting. In theory you could verify this fingerprint through some out-of-band mechanism (perhaps seeing it on a web page or having received it separately in an email). In practice, the vast majority of people just hit enter/return or type “yes” or something like that, which is exactly the moment a man-in-the-middle can substitute its own key.

In the RFC 4255 mechanism, the operator of the server publishes an SSHFP record in DNS containing the fingerprint (a hash) of the SSH host public key. This is the same key fingerprint that would normally be presented to a user. By using DNSSEC to sign the DNS zone that includes the SSHFP record, the server operator gives a DNSSEC-aware SSH client a way to verify that the fingerprint it is shown is in fact the one that should be used to connect to the server.

This creates a higher level of trust and security in SSH connections.
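As an added example (not OpenSSH or FreeBSD code), the Python script below builds the SSHFP record RFC 4255 describes from an OpenSSH public-key line and then makes the same decision an SSHFP-aware client makes when a host key is offered: accept it silently only when the record was DNSSEC-validated and the fingerprint matches. The key material is constructed for the demonstration and is not a real key pair. The algorithm numbers beyond RSA and DSA (ECDSA, Ed25519) and the SHA-256 fingerprint type come from later RFCs (6594, 7479), so the script goes a little past what the post cites.

```python
"""Added example, not OpenSSH or FreeBSD code: the SSHFP record of RFC 4255
built from an OpenSSH public-key line, and the check an SSH client makes when
it holds a DNSSEC-validated copy of that record."""
import base64
import hashlib
import hmac
import struct

# Algorithm numbers: 1 RSA, 2 DSA (RFC 4255); 3 ECDSA and 4 Ed25519 were
# added later (RFC 6594, RFC 7479) and go beyond what the post describes.
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
# Fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594).
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire 'mpint': big-endian two's complement, leading zero if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_pubkey_line(line):
    """Split an authorized_keys/known_hosts style line into (key type, key blob).
    The blob is what OpenSSH hashes for fingerprints; its first field repeats the key type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside the blob does not match the text key type")
    return keytype, blob


def sshfp_rdata(line, fptype=1):
    """Return (algorithm, fingerprint type, hex fingerprint) for a public-key line."""
    keytype, blob = parse_pubkey_line(line)
    return KEY_ALGORITHMS[keytype], fptype, FINGERPRINT_HASHES[fptype](blob).hexdigest()


def sshfp_record(hostname, line, fptype=1):
    """Presentation-format SSHFP RR as it would appear in a zone file."""
    alg, ft, fp = sshfp_rdata(line, fptype)
    return f"{hostname.rstrip('.')}. IN SSHFP {alg} {ft} {fp}"


def parse_sshfp_record(record):
    """Parse '<owner> IN SSHFP <alg> <fptype> <hex>' back into (alg, fptype, hex)."""
    owner, cls, rrtype, alg, ft, fp = record.split()
    if cls != "IN" or rrtype != "SSHFP":
        raise ValueError("not an SSHFP record")
    return int(alg), int(ft), fp.lower()


def host_key_trusted(record, offered_line, dnssec_validated):
    """The decision an SSHFP-aware client makes for a host not in known_hosts:
    accept the offered key silently only if the record was DNSSEC-validated
    and the key's fingerprint matches; anything else falls back to prompting."""
    if not dnssec_validated:
        return False                      # an unvalidated record proves nothing
    alg, ft, fp = parse_sshfp_record(record)
    try:
        offered_alg, _, offered_fp = sshfp_rdata(offered_line, ft)
    except (ValueError, KeyError):
        return False                      # unknown key type or fingerprint type
    return offered_alg == alg and hmac.compare_digest(offered_fp, fp)


def make_rsa_key_line(modulus, exponent=65537, comment="constructed"):
    """Constructed ssh-rsa public-key line for the demonstration; not a real key pair."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key material (not a real key pair); the second differs by one byte.
SAMPLE_KEY = make_rsa_key_line(int.from_bytes(b"\x5a" * 64, "big"))
TAMPERED_KEY = make_rsa_key_line(int.from_bytes(b"\x5a" * 63 + b"\x5b", "big"))

if __name__ == "__main__":
    rr = sshfp_record("host.example", SAMPLE_KEY)
    print(rr)
    print(host_key_trusted(rr, SAMPLE_KEY, dnssec_validated=True))     # True
    print(host_key_trusted(rr, TAMPERED_KEY, dnssec_validated=True))   # False
    print(host_key_trusted(rr, SAMPLE_KEY, dnssec_validated=False))    # False
```

For a real host, `ssh-keygen -r host.example -f <host public key file>` prints the same presentation format, ready to go into the zone before it is signed; on the client side the behaviour is governed by the `VerifyHostKeyDNS` option in ssh_config (yes, no or ask). Note that the fingerprint is computed over the raw key blob, the same bytes that sit base64-encoded in known_hosts, so the record pins the key itself, not a certificate or the key's text representation.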

It’s great to see this added to FreeBSD 10, which, according to the FreeBSD Release Engineering page, should be available sometime in November 2013.

For those curious, the SSHFP record is similar to what was defined six years later in RFC 6698 for the DANE protocol, which is really no surprise as they share a common author, Jakob Schlyter.  DANE’s TLSA record is a bit more complex and, for instance, allows for the inclusion of a complete SSL/TLS certificate rather than just a fingerprint.  In both cases, though, the idea is the same – use a DNS record to provide a means to verify a public key, and use DNSSEC to provide integrity protection so you know that you can trust the DNS record.

Great to see this being rolled out in an enabled state. Kudos to the FreeBSD team for doing this!

Africa DNS Forum Happening Today And Tomorrow – Live stream / webcast available

Interested in learning about the state of the Domain Name System (DNS) in Africa? As I mentioned previously, I’m in Durban, South Africa, for the next week for the Africa DNS Forum today and tomorrow and then ICANN 47 next week. The first Africa DNS Forum is happening right now and you can watch live now:

http://icann.adobeconnect.com/dur47-hall1b

The Africa DNS Forum agenda is posted on the AfTLD website and includes these topics:

  • Trends, opportunities and challenges of the DNS industry
  • Registries Business: Registry Strategies for domain name growth
  • Registrar business: Registrar strategies in a competitive environment
  • Legal Issues: Cross-border domain registrations
  • Registrar Accreditation and accreditation in a borderless environment
  • Governments and ccTLD: Supporting the domain name growth

The sessions are happening today, July 12, 2013, from 8:30 – 17:30 and tomorrow, July 13, from 9:00 – 14:00.  South Africa Standard Time is UTC+2 which is currently the same time as Central European Summer Time and 6 hours ahead of US Eastern time.

Related to our work here at Deploy360, there will be a section of the first panel on Registries Business that will be focused on DNSSEC and how usage can be accelerated for ccTLDs in Africa. I’m looking forward to hearing the presentations and discussions happening over these next two days – many great and exciting things are happening for the Internet in Africa right now!

First Africa DNS Forum To Be Held July 12-13 In Durban, South Africa

What can African registries and registrars do to grow the domain name business in Africa? What role can the African governments play to empower registries and registrars? What can be learnt from successful registries and registrars operating outside Africa and adapted to strengthen their African counterparts? How can cross-border collaborations be set up to strengthen the African DNS industry? What policies can be implemented to ensure a robust domain name industry? What are the processes that should be implemented to support a structured ccTLD framework? What are the provisions that should exist in order to ensure trust amongst registrants?

These are some of the many questions that are planned for discussion at the first Africa DNS Forum to be held July 12-13, 2013, in Durban, South Africa, just prior to the ICANN 47 event the following week. The DNS Forum is organized by AfTLD and sponsored by the Internet Society and ICANN and is looking to be quite a good event with a program agenda very focused on how to grow business usage of the Internet within Africa.

I (Dan York) will be there attending the event and am looking forward to speaking with people from the region.  I’ll be moderating one of the panels and will also be looking to talk to people informally about DNSSEC and how we can get more African ccTLDs using DNSSEC. I’ll also be encouraging people to attend the DNSSEC workshops that will be part of the ICANN 47 event the following week.

If you are already planning to be in Durban for ICANN 47 I’d encourage you to come a few days early and attend this DNS Forum.  Registration is open to all interested.

Video: My Discussion of DNSSEC and DANE with VoIP / SIP on The VUC

What role could DNSSEC potentially play to help better secure voice-over-IP (VoIP)? How could the DANE protocol help provide a stronger level of security to SSL/TLS certificates used in VoIP? What VoIP software out there right now works with DNSSEC?

Back on May 3, 2013, I participated in a VoIP Users Conference (VUC) call on precisely these questions. In the call that went for close to 90 minutes I outlined what DNSSEC and DANE are all about, how they work in a web browser world and how they could potentially work in a world of VoIP with SIP. We also discussed the current support for DNSSEC in the Jitsi softphone and the Kamailio SIP server. There was also a healthy question and answer period where we went off on different tangents. I referenced a presentation I made at SIPNOC 2013 and the slides for that presentation as well as other resources are available from the Deploy360 DNSSEC and VoIP page.

It was a great call and the video is available on YouTube:

If you want to just listen to the audio, you can play or download it from the VUC episode page.


Comcast Publishing Domains Failing DNSSEC Via Twitter

How do you know when a domain is failing DNSSEC validation? What if there was a way to let the broader industry know about these validation failures? The folks over at Comcast’s DNS team have been trying an experiment for a while in posting these DNSSEC validation failures publicly to Twitter at:

https://twitter.com/comcastdns

If you are a system/network operator deploying DNSSEC and want to be alerted when sites are found to be failing validation, following this Twitter account is one way you can get alerts.

I don’t know whether publishing domains failing DNSSEC validation via Twitter will really be a long-term solution to letting the wider industry know about domains that are currently failing validation, but I applaud Comcast’s DNS team for trying something different … and I do follow the account myself because I find the occasional tweets interesting to see.