Category: DNSSEC

Please Take This DNSSEC Survey To Help Understanding of Value, Obstacles, Priorities

Do you have a few minutes to answer a 12 question survey about your views on DNSSEC?  Tim Rooney over at BT Diamond IP has launched a survey to try to gather data around viewpoints on DNSSEC deployment. As Tim says in his blog post announcing the survey:

BT Diamond IP is sponsoring a DNSSEC survey to gather input from DNS and network administrators regarding their opinions about the value of DNSSEC, potential obstacles to implementation, and relative priority of deployment. And you are hereby invited to participate! The survey consists of twelve questions plus a thirteenth if you’d like to enter your contact information to be entered for a drawing for a $100 VISA gift card. The survey will remain open through November 3, 2014, after which we will compile the results and publish a free survey report.

I’ve taken the survey myself and agree that it would be useful to have data around the different questions asked.  Obviously this is a “self-selected” survey in the sense that only people who learn about it will fill out the survey… and odds are that they will probably learn about it through channels like this one (our blog) where they might already be interested in DNSSEC.

Still, I think the results will be helpful in gaining some understanding of what people are thinking about with regard to DNSSEC deployment.

If you have a few minutes, please take the survey.

And yes, obviously BT Diamond IP is not doing this entirely altruistically… they do hope to gain some leads for their own business… but if you don’t want to give them your contact information simply do not fill out the 13th optional question (and I didn’t).  The overall statistics could be quite helpful!

And if you want to get started deploying DNSSEC today, please visit our Start Here page to find resources targeted at your type of organization or role.

DNSSEC Is A Building Block, Not A Magic Bullet

Speaking at Broadband World Forum (BBWF) in Amsterdam this week, our CITO Olaf Kolkman was quoted as saying a key point we’ve been emphasizing throughout our work:

“There is no magic solution to any cyber security or internet security type of threat. But there are a number of building blocks that are promising.”

They include domain name system security extensions (DNSSEC), which help to secure certain kinds of information on networks.

“But they’re building blocks, they’re not magic bullets,” he said.

Exactly!

When we speak about DNSSEC or TLS  or BGP security, we are often immediately met by detractors with “But it doesn’t do ______” which, in their minds, immediately disqualifies the technology from further usage.  Often this is said, even though DNSSEC/TLS/BGP was never intended to do whatever it is they want.  They just expect the technology to magically do it all!

For example, with DNSSEC, some people immediately say “but it doesn’t protect against the confidentiality of your DNS queries!”  Well, no, it was never intended for that.  DNSSEC is entirely about protecting the integrity of your DNS queries, i.e. ensuring that the information you receive from DNS is the identical information that the operator of the domain put into DNS.  That’s it.  Confidentiality of DNS queries is something completely different! (And is now being discussed by the new DPRIVE working group inside the IETF.)

And by being a smaller building block, DNSSEC can be built upon to bring about powerful new innovations such as the DANE protocol, where we can add an additional layer of trust to TLS / SSL certificates and interactions.

What has made the Internet work so well on a technical level and evolve into the amazing communications medium that it has become is the fact that it is built from small building blocks that are then loosely coupled together in ways that make sense.

Building blocks, not magic bullets!

P.S. And if you want to get started with security building blocks like DNSSEC, please visit our Start Here page!

DPRIVE – New IETF Working Group On DNS Privacy

How can we ensure the confidentiality of DNS queries to protect against pervasive monitoring?  What kind of mechanisms can be developed to increase the privacy of an individual’s DNS transactions?

After holding a BOF session (DNSE) at an earlier IETF meeting, the IETF has now chartered a new Working Group called DPRIVE (DNS PRIVate Exchange) to dig into this matter. Part of the WG charter states:

The set of DNS requests that an individual makes can provide an attacker with a large amount of information about that individual. DPRIVE aims to deprive the attacker of this information. (The IETF defines pervasive monitoring as an attack [RFC7258])

The primary focus of this Working Group is to develop mechanisms that provide confidentiality between DNS Clients and Iterative Resolvers, but it may also later consider mechanisms that provide confidentiality between Iterative Resolvers and Authoritative Servers, or provide end-to-end confidentiality of DNS transactions. Some of the results of this working group may be experimental. The Working Group will also develop an evaluation document to provide methods for measuring the performance against pervasive monitoring; and how well the goal is met. The Working Group will also develop a document providing example assessments for common use cases.

The group has adopted its first document for consideration, Stephane Bortzmeyer’s “DNS privacy considerations”, draft-bortzmeyer-dnsop-dns-privacy, and discussion has already begun on the “dns-privacy” mailing list.  This list is open to anyone to join. You can subscribe at:

https://www.ietf.org/mailman/listinfo/dns-privacy

and the archives are available at:

http://www.ietf.org/mail-archive/web/dns-privacy/current/maillist.html

While this group does not directly relate to the work we do here at Deploy360 related to DNSSEC, it is part of the overall effort to increase the security of the DNS, and so I thought it would be of interest to our readers.

If you are interested in monitoring what is being discussed about DNS privacy, or contributing to those discussions, I would definitely encourage you to subscribe and join in the conversations and the work to make the Internet more secure!

New DNSSEC Deployment Maps – Now Corrected And Updated

DNSSEC Deployment Map - Oct 14, 2014

If you have been receiving our DNSSEC deployment maps by email or just using the maps from our web page, you need to know an important fact:

The maps we’ve been publishing recently have had the incorrect status set for several countries.

The maps published last week on October 14, 2014, (and the ones distributed via email today) have now been fully verified to have the correct status of all country-code top-level domains (ccTLDs).

The maps are correct today!

To explain a bit more, in preparation for last week’s DNSSEC Workshop at ICANN 51 I was puzzled by something that didn’t seem right with what we were publishing.  Specifically, Australia was showing up in a September map as having a “DS in Root” when I knew for a fact that .AU did not (and could easily confirm using “dig” at the command-line).  Diving into the issue more, I discovered what happened.

One of the strengths of our set of DNSSEC deployment maps is that we track 5 stages of DNSSEC deployment versus simply showing whether they are publishing a DS in the root zone.  This allows us to do some forward projection to what we think the state of DNSSEC deployment may be in the future based on statements made by various ccTLDs about their plans for DNSSEC deployment.

But what if those plans don’t work out exactly right?

Our database contains records for each ccTLD based on both factual data (such as whether they have a DS record in the root zone) and observed information that could be from announcements, presentations at industry conferences, blog posts, email messages, etc.

In this case, there were forward-looking records for a number of ccTLDs that had been entered into the database but then had not actually happened on the projected dates.  For whatever reasons, various plans and public statements did not hit their target dates.

I spent my plane flight out to Los Angeles going through the tedious exercise of comparing our database with a list of TLDs that had a DS in the root zone, and then followed that up with further confirmations once I had Internet access in L.A.  The end result is that I identified the forward-looking records that needed to be changed and updated our database in time to generate the maps I needed for last Wednesday’s workshop.

I also identified a hole in our process where I was not routinely checking the forward-looking records to be sure that they were in fact happening.  This is all part of the learning process after we took on maintenance of these maps from Shinkuro, Inc., earlier in 2014.  Now we’ll be sure to check this in the future.
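The check described above (comparing forward-looking database records against the DS records actually present in the root zone) can be made routine. The following is an added example written for this post, not Deploy360’s own map-generation code: the five stage names, the database layout, the captured `dig` output and every TLD value in it are constructed for the illustration, and the real root zone was not consulted. It flags records that claim “DS in Root” after a projected date that has passed without a DS appearing, which is exactly the gap found with .AU.

```python
"""Reconcile a DNSSEC deployment-status database against DS records
observed in the root zone. Added example; all data below is constructed."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Hypothetical stage scale, lowest to highest. Only the last stage can be
# confirmed directly from the root zone (it is what `dig DS <tld>.` shows).
STAGES = ["experimental", "announced", "partial", "operational", "ds_in_root"]

# Constructed database: ccTLD -> (recorded stage, date the stage was observed
# or, for forward-looking records, the date it was projected to take effect).
SAMPLE_DB: Dict[str, Tuple[str, date]] = {
    "au": ("ds_in_root", date(2014, 9, 1)),    # projected, did not happen
    "ca": ("ds_in_root", date(2014, 1, 20)),   # confirmed below
    "cz": ("operational", date(2013, 3, 1)),   # database lags the root zone
    "nl": ("ds_in_root", date(2012, 5, 15)),   # confirmed below
    "xx": ("announced", date(2014, 6, 1)),     # nothing to check yet
    "zz": ("ds_in_root", date(2014, 12, 1)),   # still in the future
}

# Constructed stand-in for the answer section of `dig DS <tld>.` for each
# TLD in the database; the digests are placeholders, not real DS records.
SAMPLE_DIG_OUTPUT = """\
ca.\t86400\tIN\tDS\t1111 8 2 PLACEHOLDERDIGEST
cz.\t86400\tIN\tDS\t2222 8 2 PLACEHOLDERDIGEST
nl.\t86400\tIN\tDS\t3333 8 2 PLACEHOLDERDIGEST
nl.\t86400\tIN\tDS\t3333 8 1 PLACEHOLDERDIGEST
"""

# Constructed "today" for the sample run (the date of the corrected maps).
SAMPLE_TODAY = date(2014, 10, 14)


def parse_ds_tlds(dig_output: str) -> Set[str]:
    """Return the set of TLDs with at least one DS record in captured dig
    output. Only `... IN DS ...` lines count, so comment lines and the SOA
    of a NODATA reply are ignored."""
    tlds: Set[str] = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "DS":
            tlds.add(fields[0].rstrip(".").lower())
    return tlds


def reconcile(db: Dict[str, Tuple[str, date]], observed: Set[str],
              today: date) -> Dict[str, List[str]]:
    """Compare the database with the root zone as of `today`.

    stale   - recorded as ds_in_root, projected date passed, no DS observed:
              the forward-looking record must be corrected before mapping.
    pending - recorded as ds_in_root with a projected date still ahead.
    behind  - a DS is in the root but the database records a lower stage.
    """
    result: Dict[str, List[str]] = {"stale": [], "pending": [], "behind": []}
    for tld, (stage, when) in sorted(db.items()):
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r} for {tld}")
        has_ds = tld in observed
        if stage == "ds_in_root" and not has_ds:
            result["stale" if when <= today else "pending"].append(tld)
        elif stage != "ds_in_root" and has_ds:
            result["behind"].append(tld)
    return result


def sample_report() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_DB, parse_ds_tlds(SAMPLE_DIG_OUTPUT), SAMPLE_TODAY)


if __name__ == "__main__":
    for kind, tlds in sample_report().items():
        print(f"{kind:8s} {', '.join(tlds) or '-'}")
```

In a weekly run the `SAMPLE_DIG_OUTPUT` string would be replaced by the captured output of one `dig DS <tld>.` per ccTLD, and anything in the `stale` list is a forward-looking record that needs a human to look at it before the maps are generated.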

I do apologize if anyone used these maps in recent presentations over the past few months.  We’ll be working to make sure they stay updated in the time ahead.

By the way, if you do want to receive these DNSSEC deployment maps by email each week, you can subscribe to the public email list.  The maps are distributed via email each Monday morning, along with comma-separated value (CSV) files containing the DNSSEC status of all the ccTLDs and the generic TLDs (gTLDs).

And… if you want to get started with DNSSEC yourself, please visit our Start Here page to find resources aimed at your type of organization or role.

Root DNSSEC KSK Rollover Workshop Streaming Live Today From ICANN 51

Today (Oct 16, 2014) from 9:00 am to 12 noon US Pacific, a special public workshop about implications of a “rollover” of the “Root Key Signing Key (KSK)” that serves as the ultimate “trust anchor” for DNSSEC will be streamed live from ICANN 51 in Los Angeles. Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will be from 09:00-12:00, although it may extend later if discussions continue.  It will definitely conclude by no later than 13:30 PDT.)

ICANN Chief Technology Officer (CTO) David Conrad has organized this public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.

The public workshop is aimed to be a discussion forum to collect guidance from a wide range of people.  An adhoc program committee was established of Joe Abley, Duane Wessels, Roy Arends, Jakob Schlyter, David Conrad and myself.  I was asked to act as a moderator to ensure that the flow moves appropriately and that all get to contribute.  The proposed agenda is:

1. INTRODUCTION

A brief level setting of why the workshop has been called, where we are at in the process (ICANN public consultation in early 2013, SSAC report, ICANN Board resolution in Nov 2013), and what we hope to do in the workshop.  (See my recent “Background Information” post for links for more info.)

2. HOW a Root KSK Rollover might occur

We would like to discuss how an automated (RFC 5011) rollover would occur as well as non-5011 roll options and options for a staggered roll.  Joe Abley will discuss a couple of relevant Internet Drafts.

3. WHAT a Root KSK Rollover might involve

We would like to discuss what changes might be made during a Root KSK Rollover. Specifically two points:

  a. ALGORITHM CHANGE – Geoff Huston will give a presentation about potential impacts of a change of the algorithm. (Geoff also presented this information at the DNS-OARC meeting this past weekend.)

  b. Length of KSK – There has been some discussion about changing the length of ZSKs and KSKs and moving to longer key sizes.  We would like a discussion around this idea and the potential impacts.

4. IMPLICATIONS

Discussion of additional implications beyond those discussed earlier.  For instance, issues around response sizes.

5. POTENTIAL TIMELINE (unanchored)

We would like to discuss what a potential timeline might look like for the entire process.  The intent is NOT to establish a fixed date but rather to establish what a timeline might look like for the full process to take place.

6. NEXT STEPS

We want to spend the end of the session identifying specific steps and actions that will occur coming out of this workshop.

If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Watch LIVE Today – DNSSEC Workshop at ICANN 51

Starting in just a few minutes will be the large DNSSEC Workshop from 08:30-14:45 PDT in the Pacific Palisades room at ICANN 51.  This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

http://la51.icann.org/en/schedule/wed-dnssec

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics at the beginning and wrapping it up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Watch LIVE Today – DNSSEC For Everybody: A Beginners Guide (ICANN51)

As we mentioned last week, in just a few hours you’ll be able to watch and listen live to this event coming out of ICANN 51 in Los Angeles:

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

http://la51.icann.org/en/schedule/mon-dnssec-everybody

It’s always a good time with many great questions.  I’ll be there doing the introduction and then helping with the answering of questions.

Please do look at our larger list of DNSSEC activities happening at ICANN 51 this week – MANY great activities going on!

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

Background Information For The DNSSEC Root KSK Rollover Workshop At ICANN51

As I mentioned yesterday, there is a great amount of DNSSEC-related activity happening at ICANN 51 in Los Angeles next week.  One of the new items is the Root KSK Rollover Workshop on Thursday, October 16, 2014, from 9:00-12noon US Pacific time (UTC-7).  This workshop will be accessible remotely from links off of this page:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

The point of this session is to publicly discuss what potential impact we see might happen with a change of the Root Key Signing Key (KSK) that is at the heart of the DNSSEC “global chain of trust”. What impacts might there be on people using DNSSEC validation in their daily operations?  And how do we help mitigate those potential issues?

If we change the Root KSK, all the DNSSEC-validating DNS resolvers out there might update their local trust anchors to the new Root KSK and everything will be perfectly fine.  Or… they might not and so when the old Root KSK disappears those DNS resolvers might start failing to return valid DNSSEC-signed records… effectively breaking Internet usage for many people and giving DNSSEC a very bad reputation (and slowing/reducing deployment).  How do we prevent that?
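The “might update their local trust anchors… or might not” question above, and the automated RFC 5011 rollover on the workshop agenda, come down to a small state machine that each validating resolver runs over the root DNSKEY RRset. The following is an added example for this post, not code from ICANN, the workshop or any resolver: it models only the RFC 5011 add hold-down and revocation rules, represents keys as small records rather than real DNSKEY RRs, replaces signature verification with a set of key tags whose self-signature is taken as verified, uses the RFC 5011 default 30-day hold-down times as assumptions of the model, and uses constructed key tags (1001, 2002, 3003) rather than the real root KSK tags. It shows the planned roll, the failure mode where the new key vanishes mid hold-down, and that an RRset signed by an unknown key cannot plant a trust anchor.

```python
"""Simplified RFC 5011 trust-anchor tracker for a validating resolver.
Added example; keys, tags and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

ADD_HOLD_DOWN = timedelta(days=30)     # RFC 5011 add hold-down (assumed default)
REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 remove hold-down (assumed default)


@dataclass(frozen=True)
class Key:
    key_tag: int
    sep: bool        # Secure Entry Point flag: candidate trust anchor
    revoked: bool    # REVOKE flag from RFC 5011


@dataclass
class TrustAnchorStore:
    valid: Set[int]                                              # trusted tags
    pending: Dict[int, datetime] = field(default_factory=dict)   # tag -> first seen
    revoked: Dict[int, datetime] = field(default_factory=dict)   # tag -> revoked at

    def observe(self, rrset: List[Key], signers: Set[int], now: datetime) -> None:
        """Process one fetch of the apex DNSKEY RRset. `signers` are the tags
        of keys whose self-signature over this RRset verified."""
        if not signers & self.valid:
            return  # not signed by any trusted key: the whole RRset is ignored
        seen = {k.key_tag for k in rrset}
        for k in rrset:
            if k.revoked:
                # Revocation is honoured only if the RRset is signed by the key
                # being revoked; it removes the key from valid and pending.
                if k.key_tag in signers:
                    if k.key_tag in self.valid:
                        self.valid.discard(k.key_tag)
                        self.revoked.setdefault(k.key_tag, now)
                    self.pending.pop(k.key_tag, None)
            elif k.sep and k.key_tag not in self.valid and k.key_tag not in self.revoked:
                first_seen = self.pending.setdefault(k.key_tag, now)
                if now - first_seen >= ADD_HOLD_DOWN:
                    self.valid.add(k.key_tag)
                    del self.pending[k.key_tag]
        # A pending key that vanishes restarts its hold-down when it reappears.
        for tag in list(self.pending):
            if tag not in seen:
                del self.pending[tag]
        # Revoked keys are forgotten once the remove hold-down has elapsed.
        for tag, since in list(self.revoked.items()):
            if now - since >= REMOVE_HOLD_DOWN:
                del self.revoked[tag]


OLD, NEW, ROGUE = 1001, 2002, 3003   # constructed key tags, not the real root KSKs
T0 = datetime(2014, 10, 16)          # constructed start of the roll


def simulate_rollover() -> Dict[str, List[int]]:
    """Planned roll: publish new KSK, wait out the hold-down, revoke the old one."""
    store = TrustAnchorStore(valid={OLD})
    old, new = Key(OLD, True, False), Key(NEW, True, False)
    snap: Dict[str, List[int]] = {}
    store.observe([old, new], {OLD}, T0)                       # new KSK published
    snap["day0"] = sorted(store.valid)
    store.observe([old, new], {OLD}, T0 + timedelta(days=10))  # still in hold-down
    snap["day10"] = sorted(store.valid)
    store.observe([old, new], {OLD}, T0 + timedelta(days=31))  # hold-down elapsed
    snap["day31"] = sorted(store.valid)
    old_rev = Key(OLD, True, True)                             # old KSK revoked
    store.observe([old_rev, new], {OLD, NEW}, T0 + timedelta(days=60))
    snap["day60"] = sorted(store.valid)
    store.observe([new], {NEW}, T0 + timedelta(days=95))       # old key withdrawn
    snap["day95"] = sorted(store.valid)
    snap["still_revoked"] = sorted(store.revoked)
    return snap


def simulate_interrupted_hold_down() -> Dict[str, List[int]]:
    """Failure mode: the new KSK disappears mid hold-down, so the timer restarts
    and the resolver trusts it later than the zone operator may expect."""
    store = TrustAnchorStore(valid={OLD})
    old, new = Key(OLD, True, False), Key(NEW, True, False)
    store.observe([old, new], {OLD}, T0)
    store.observe([old], {OLD}, T0 + timedelta(days=10))       # new key missing
    store.observe([old, new], {OLD}, T0 + timedelta(days=31))  # reappears: restart
    day31 = sorted(store.valid)
    store.observe([old, new], {OLD}, T0 + timedelta(days=62))  # 31 days after restart
    return {"day31": day31, "day62": sorted(store.valid)}


def simulate_rogue_rrset() -> Dict[str, int]:
    """An RRset signed only by an unknown key never reaches the pending list."""
    store = TrustAnchorStore(valid={OLD})
    store.observe([Key(ROGUE, True, False)], {ROGUE}, T0)
    return {"valid": len(store.valid), "pending": len(store.pending)}
```

The interrupted case is the one the workshop worries about: a resolver that missed the new key for part of the hold-down is still validating happily on the old key, and only breaks once the old key is revoked before its own restarted timer has run out.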

It is a very important discussion!

ICANN Public Consultation

For some background on this whole issue, you can go back to the public consultation ICANN performed about the KSK rollover back in early 2013:

https://www.icann.org/public-comments/root-zone-consultation-2013-03-08-en

A report summarizing the public comments is available here:

https://www.icann.org/en/system/files/files/report-comments-root-zone-consultation-08apr14-en.pdf

That document also contains the list of “ICANN Recommendations” that were given to the ICANN Board.

The public comments themselves are available individually here:

http://forum.icann.org/lists/comments-root-zone-consultation-08mar13/

They include the comments that Andrei Robachevsky and I submitted on behalf of the Internet Society which could effectively be summarized as: we believe the Root KSK should be rolled as soon as possible and as frequently as possible.

SSAC Report

Additionally, SSAC released SAC063 with their advice on DNSSEC Key Rollover in November 2013:

https://www.icann.org/en/system/files/files/sac-063-en.pdf

All of these documents  (the comments and the SSAC report) do provide some background information into the views of various people and organizations into the implications of a KSK rollover and also motivation for the views of most that we need to roll the KSK sooner rather than later.

ICANN Board Resolution

I would also note that on November 21, 2013, the ICANN Board adopted a resolution directing ICANN’s President and CEO to evaluate the SSAC advice and provide a recommendation to the board regarding the acceptance of that advice within 90 days:

https://features.icann.org/board-advice#advice-to-board_f=dnssec%20key%20rollover&advice-to-board_d=false&advice-to-board_e=18

That process started… but then stalled when the larger “IANA Transition” issue was injected by the NTIA last year.  This workshop next week, as well as the private interop testing, is, in my view, an effort by ICANN’s new CTO, David Conrad, to try to get this effort back on track and make some actions happen.

Going Forward

A key point about this workshop on Thursday, October 16, is that most people are not talking about IF the Root KSK will be rolled, but rather HOW the Root KSK can be rolled most effectively and how we can mitigate any potential issues that arise.  It is also interesting to note that some of the discussion has changed from the need to roll the key for cryptographic/security reasons to talking about the need to change the Root KSK to, for instance, utilize a better and faster signing algorithm.

Ksk-rollover Mailing List

Much of this discussion is happening on the ksk-rollover mailing list hosted by ICANN. This list is open to the public and anyone can join.  The ksk-rollover list archives provide additional background info for the meeting on Thursday.

This public workshop should be an interesting discussion next Thursday.  I do encourage anyone interested in this important issue to join in and participate.

A Great Amount Of DNSSEC/DANE Activity At ICANN 51 In L.A. Next Week

Starting in just a few days there is going to be a great amount of activity related to DNSSEC and DANE happening in conjunction with the ICANN 51 meeting in Los Angeles from October 12-16, 2014.

As usual, there will be the large DNSSEC Workshop on Wednesday, October 15 that always happens with ICANN meetings, as well as the “DNSSEC for Everybody” and “DNSSEC Implementer’s Gathering” on Monday.

However, at ICANN 51 there will be three other activities:

Due to some schedule conflicts I will be unfortunately missing the DNS-OARC meetings but I’ll be out there on Monday afternoon and look forward to seeing many of you there!

To walk through the activities, let me break it down day by day.

Saturday and Sunday, October 11-12

DNS-OARC will be holding its 2014 Fall Workshop and Annual General Meeting this weekend.  Saturday the 11th is primarily focused on organizational matters but on Sunday the 12th the group gets into detailed technical discussions.  Some of the sessions that may be of interest to Deploy360 readers include:

  • Measuring the cost of DNSSEC
  • Improved NSEC3 performance in DNSSEC
  • NSEC5: Provably Preventing DNSSEC Zone Enumeration
  • A Survey of Current DANE/TLSA Deployment

Many of the other sessions look quite fascinating as well (to a “DNS geek” such as myself!). Per the Overview page, you can participate remotely using these means:

Monday, October 13

10:30 – 17:00 PDT – Tech Day (combined ccNSO/DNS-OARC)

On every Monday of an ICANN week the ccNSO (for country-code top-level domains (ccTLDs)) holds a “Tech Day” full of technical presentations on a wide range of topics. For ICANN 51 they have combined with DNS-OARC and the result is an excellent session full of DNS and DNSSEC talks.  Remote participation info is available at:

http://la51.icann.org/en/schedule/mon-tech

although the actual agenda is on the DNS-OARC site.  Some of the sessions that may be of interest to Deploy360 readers include:

  • DNSViz – powerful and extensible DNS analysis
  • Low-Cost Threshold Cryptography HSM for OpenDNSSEC
  • DNS Bake-off

This last “bake-off” session I mention is one in which the different vendors/organizations behind various DNS servers all get up in front of the room and talk about what is new or different in their latest software. When this panel has happened before at Tech Day it’s been a great way to learn what is new with the different DNS software implementations.

A number of other sessions will probably be quite interesting and the opening keynote at 11:00 by Paul Mockapetris should be quite educational as well.

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

http://la51.icann.org/en/schedule/mon-dnssec-everybody

19:30 – 21:30 (or later) PDT – DNSSEC Implementers Gathering

After that session is over there will be a smaller informal gathering at a nearby restaurant where people who are actually involved in deploying DNSSEC and/or creating the tools to deploy DNSSEC will gather together for food, drinks and conversation to explore what more can be done to accelerate DNSSEC deployment. These sessions have created strong connections and usually generated new projects and ideas for further work.

Alas, there is no way that anyone can participate remotely. :-)  We would like to thank Comcast, NBC Universal and the MPAA for providing sponsorship money so that we could hold this gathering and make it accessible to all who will attend.  (Attendance has now been closed due to space limitations.)

Wednesday, October 15

08:30 – 14:45 PDT – DNSSEC Workshop

This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

http://la51.icann.org/en/schedule/wed-dnssec

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics at the beginning and wrapping it up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

09:00 – ? – Root KSK Rollover Interoperability Testing

At the same time as the public DNSSEC Workshop is taking place, there will be a private meeting of service providers, vendors, application developers and others who will be focused on performing some actual interoperability testing to determine what exactly will be some of the technical issues when we as a community roll (or change) the “Root Key Signing Key (KSK)” that is at the top of the global “chain of trust” in DNSSEC.

This closed interop workshop will then lead to…

Thursday, October 16

09:00 – 12:00 DNSSEC Key Rollover Workshop

ICANN Chief Technology Officer (CTO) David Conrad is organizing a public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.  Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will only be from 09:00-12:00.)

I would expect some of the discussion will involve the results of the interop testing happening on Wednesday but the intent is to have it be a wider discussion during this workshop.  If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

It is also worth noting that ICANN’s Security and Stability Advisory Committee (SSAC) will hold its public meeting from 08:00 – 09:00 immediately prior to this workshop.  The SSAC public meetings usually include topics of interest to those of us working with DNSSEC and “DNS security” in general.

And… after all of that we’ll all make our journeys home rather exhausted from so much conversation about DNSSEC! :-)

Seriously, though, it will be an excellent week full of DNSSEC and DANE conversations.  If you are out at ICANN 51 please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

Join The Monthly “DNSSEC Coordination” Calls To Help Advance DNSSEC

If you are interested in helping advance the deployment of DNSSEC, there are a group of us that gather in a conference call on the first Thursday of each month to exchange information, share ideas and develop plans to accelerate more usage and deployment of DNSSEC.  This is a group focused more on the advocacy and promotion of DNSSEC and DANE, rather than focused on technical deployment issues. (There are other email lists and groups for that.)  It is not a formal group but just a group of people interested in coordinating our activities so that we can learn from each other and work together to make things happen quicker.

These “DNSSEC coordination” calls are hosted by the Internet Society and open to anyone interested in helping.  Please simply join the “dnssec-coord” mailing list to be connected to others and learn about the upcoming calls and events.

P.S. While you are at it, you may want to join in to some of the other lists and forums that make up the “DNSSEC community”.