Category: DNSSEC

Apr 29

New DNSSEC Deployment Maps for April 28, 2014, Now Available

DNSSEC Deployment Map for April 28, 2014I’ve made a couple of updates recently to our DNSSEC Deployment Maps section of the site.

First, I updated the page to display the most recent deployment maps from yesterday, April 28, 2014.  The big change from previous maps is that Australia now appears in blue as the folks there have signed the .AU top-level domain on their production servers, but the DS is not yet in the root of DNS (that is scheduled for August 2014 right now).

Second, I changed the settings on the archive of the ‘dnssec-maps’ mailing list to be publicly accessible.  This means that anyone can simply go to the archive to obtain the most recent set of DNSSEC deployment maps and also the comma-separated value (CSV) files that track all the domains, including generic TLDs and the “newgTLDs”.   The deployment maps are generated automatically every Monday morning so with the list archive publicly available you can always get to the most recent version of the maps.

Ultimately I’d like to figure out how to have the maps automatically update on a page on our site by way of some type of WordPress plugin or other mechanism, but for the moment I’m still manually updating the images on the DNSSEC deployment maps page whenever there have been major changes or after a longer period of time has passed.

If you’d like to receive these maps automatically every Monday, you can simply subscribe to the ‘dnssec-maps’ mailing list and you’ll receive an email with the maps and CSV files each week.    If you have ideas for enhancements, we’re also tracking those over on Github – feel free to raise “issues” with any ideas or feedback you have.

Apr 21

Call For Participation – ICANN 50 DNSSEC Workshop on 25 June In London

ICANN 50 LogoAre you planning to attend the ICANN 50 meeting in London in June?  If so, would you like to share your experience with deploying DNSSEC?  As noted below, we are seeking proposals for presentations to be given during the DNSSEC Workshop that will happen on Wednesday, June 25, 2014, during the ICANN week.

The full list of topic areas for which we are seeking proposals is included below. If you have an idea for a presentation, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-london at shinkuro.com as soon as possible – but no later than by Friday, 09 May 2014.  You can send an idea now if you would like… even if you have an idea you are not sure about, you are welcome to send it in and ask if it is appropriate.  These are great sessions and the agenda tends to fill up pretty quickly, so if you want to be included  please do send in a proposal as soon as possible!

Thanks,
Dan

Call for Participation — ICANN DNSSEC Workshop 25 June 2014

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN meeting in London on 25 June 2014. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Singapore on 26 March 2014. The presentations and transcripts are available at: http://singapore49.icann.org/en/schedule/wed-dnssec.

We are seeking presentations on the following topics:

1. DNSSEC Activities in the European region:

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the European region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC?

2. The Operational Realities of Running DNSSEC:

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3. DNSSEC Automation:

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where in the various pieces that make up DNSSEC signing and validation are the best opportunities for automation?
  • What are the costs and benefits of different approaches to automation?

4. When Unexpected DNSSEC Events Occur:

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5. DANE and DNSSEC Applications:

The DNS-based Authentication of Named Entitites (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry used DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE applications and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. DNSSEC and DANE In The Enterprise:

Similar to ISPs, enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the enterprises’s own domains. We are seeking presentations from enterprises who have implemented DNSSEC on either or both validation and signing and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

7. Guidance for Registrars in Supporting DNSSEC:

The 2013 Registrar Accreditation Agreement (RAA) for Registrars and Resellers requires the support of DNSSEC beginning on January 1, 2014. We are seeking presentations discussing:

  • What are the specific technical requirements of the RAA and how can registrars meet those requirements?
  • What tools and systems are available for registrars that include DNSSEC support?
  • What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

8. Implementing DNSSEC Validation At Internet Service Providers (ISPs):

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, cpu, bandwidth, technical support, etc.)?

9. APIs Between the Registrars and DNS Hosting Operators:

One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Right now the communication, such as the transfer of a DS record, occurs primarily by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information – or from people with ideas around how such APIs could be constructed.

10. Panel Discussion/Demonstrations on Hardware Security Modules (HSMs):

HSMs are a key element in DNSSEC deployment, particularly in maintaining the security of the Zone Signing Key (ZSK). We are interested in demonstrations of HSMs as well as presentations on HSM challenges and benefits.

11. Preparing for Root Key Rollover

For this topic we are seeking input on issues relating to root key rollover. In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-london at shinkuro.com by Friday, 09 May 2014

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

  • Steve Crocker, Shinkuro
  • Mark Elkins, DNS/ZACR
  • Cath Goulding, Nominet UK
  • Jean Robert Hountomey, AfricaCERT
  • Jacques Latour, .CA
  • Xiaodong Lee, CNNIC
  • Luciano Minuchin, NIC.AR
  • Russ Mundy, Sparta/Parsons
  • Ondřej Surý, CZ.NIC
  • Yoshiro Yoneya, JPRS
  • Dan York, Internet Society

Apr 01

Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security

bgpmon-turkish-hijackOver the weekend there were extremely disturbing reports out of Turkey of escalations in the attempts by the Turkish government to block social media sites such as Twitter and YouTube. The steps now being taken appear to have the Turkish Internet service providers (ISPs) hijacking the routes to public DNS servers such as those operated by Google and masquerading as those DNS servers to provide answers back to their citizens.

Effectively, the Turkish ISPs, operating to comply with a Turkish government ban, are performing a “man-in-the-middle” (MiTM) attack against their citizens and giving them false information.

The Internet Society made a statement on the subject yesterday, explaining its “deep concern” for the situation, and our Chief Internet Technology Officer Leslie Daigle has described how these recent moves “represent an attack not just on DNS infrastructure, but on the global Internet routing system itself.

Background

As we noted ten days ago, ISPs in Turkey started out attempting to implement the government’s ban by simply blocking those sites in DNS. When Turkish citizens tried to go to those social media sites, their device would query DNS to get the correct IP address to connect to.  The Turkish ISPs who were providing the DNS servers used by the Turkish citizens simply failed to give back a response for Twitter and YouTube.

Turkish citizens found they could get around this block by simply changing their devices’ DNS settings to point to open public DNS resolvers such as those operated by Google.

Predictably, the Turkish ISPs then attempted to block the addresses for Google Public DNS servers and other similar servers. The ISPs then started to engage in the typical kind of “whac-a-mole” game with their citizens where the citizens would find new ways to get around the censorship… and the ISPs would then try to shut down those.

BGP Hijacking

Starting this past Saturday, March 29, though, reports started coming in that the Turkish ISPs were taking this to a whole new level by hijacking routing of the Border Gateway Protocol (BGP) and pretending to be Google’s Public DNS servers (and the servers of other similar services).

In other words, the devices operated by Turkish citizens on Turkish networks were connecting to what they thought were Google’s Public DNS servers (and other services) and were getting back answers from those services.

The answers the Turkish citizens were receiving were just the wrong answers.

Instead of going to Twitter or YouTube they were being redirected to sites operated by Turkish ISPs.  Google confirmed this in a post on their Online Security Blog that included in part:

A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for, be it YouTube, Twitter, or any other.

But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service.

Writing over on the BGPMon blog, Andree Toonk detailed the specifics of the BGP route hijack that took place.  Essentially, the Turkish ISPs started “advertising” a more specific route for Google’s Public DNS servers.  The way BGP works, Google advertises a route for traffic to get to its servers on its network.  As the BGPMon blog post indicates, that is normally a “8.8.8.0/24″ route directing people to AS 15169.  However, the Turkish ISPs advertised a specific route for “8.8.8.8/32″ that went to their own network.

In BGP, a router typically selects the most specific route as the one to use to connect to a given IP address.  So all the routers on networks connected to Turkish ISPs would use this very specific route instead of the one advertised by Google.

They apparently did this for all of Google’s Public DNS addresses as well as those of other open public DNS providers as well.  Over on the Renesys Blog, Earl Zmijewski shared their observations including showing precisely when the hijacking occurred:

The Turkish ISPs are pretending to be Google’s specific DNS servers to everyone who is connected to their network.

Delivering False DNS Information

The Turkish ISPs went a step further, though, in that they set up their own DNS servers that answered as if they were Google’s Public DNS servers.  As Andree Toonk wrote on the BGPmon blog:

Turk Telekom went one step further, instead of null routing this IP address they brought up servers with the IP addresses of the hijacked DNS servers and are now pretending to be these DNS servers.  These new fake servers are receiving traffic for 8.8.8.8 and other popular DNS providers and are answering DNS queries for the incoming DNS requests. 

Stéphane Bortzmeyer also documented this in a lengthy post on his blog where he used the RIPE NCC’s Atlas probe network to show that DNS answers in Turkey are different from those in other areas.  The Renesys blog post also confirmed this, as did many posts on social media services and other online sites.  A good number of tech media sites have weighed in on the matter as well.

The Need To Secure BGP

From our Deploy360 point of view, this kind of attack against the Internet provides a great case study of why we need to better secure BGP and why we need to get DNSSEC validation more widely deployed.

With BGP, the fact that anyone can advertise a route for any other network means that ISPs can do precisely what the Turkish ISPs have done and hijack routes to masquerade as anyone else.  Clearly this is unacceptable.  As we talk about on our “Securing BGP” page, and is also detailed more deeply in the BGP Operations And Security Internet-Draft, there are efforts underway to deploy “secure origin validation” so that routers in the network know which advertised routes to trust and which ones not to trust.

If the routers on networks in Turkey had secure origin validation in place, when they received the more specific route from the Turkish ISPs they could have checked the origin, realized that the route advertisement was not coming from the operator of the original network and simply disregarded the more specific route. They would have continued to use the original routes that were advertised by the original network operators.

Now, granted, if the ONLY routes from the networks inside of Turkey out to the rest of the Internet are through a small number of large Turkish ISPs who work with the government to enforce banned sites, then this kind of origin validation will not help the “downstream” networks.  While they may disregard the announced specific route because of origin validation, their traffic using the original route will still have to travel through the networks of the small number of large ISPs who can then - within the large ISP networks – perform the BGP hijacking.  However, if any of the downstream networks have alternate Internet connections (and this may not be possible within Turkey) they may be able to use routes going out those connections.

It is also useful to note that secure origin validation could help networks outside of Turkey.  When a government is causing network operators to mess around with the routing tables that make up the fundamental architecture of the Internet, they are playing with fire. One mistake could have a very large impact on the rest of the Internet, such as the time when a Pakistani ISP rerouted global YouTube traffic to a network in Pakistan back in 2008!  In their escalating attempts to block access for Turkish users, it is entirely possible that someone at one of the Turkish ISPs could leak incorrect routes out into the larger Internet.  Secure origin validation running on other networks around the Internet would prevent these incorrect routes from being taken seriously.

Where DNSSEC Would Help

On the DNSSEC side, if the Turkish citizens had DNSSEC-validating DNS resolvers running on their local networks or even better on their actual devices, and if, for instance, Google had DNSSEC-signed the DNS records for their Public DNS servers, then Turkish users would be able to know that they were not getting to the correct servers.  Note that this would not  help them get to new servers… but they would know that they were not getting the correct information. Applications that validated the DNSSEC signatures on information retrieved from DNS could then discard the invalid information and try other ways to get that information.

DNSSEC helps ensure that you are getting to the correct site and not to a site set up by, for example, a spammer or phisher trying to steal your identity. Similarly it could protect you from going to sites set up by a government (or via a government mandate) that are pretending to be a site that they are not. For this to work, of course, the original sites (such as Twitter and YouTube) need to have their DNS information signed with DNSSEC, and users out on the Internet need to have DNSSEC validation happening in their local DNS resolvers.

Which is why we need to get DNSSEC deployed as fast as possible – to ensure that the information that we all get out of DNS is the same information that was put in to DNS by the operators of a given domain… and not the information put in by an attacker, which, in this case, could be ISPs acting on behalf of a government.

Again, this would not necessarily help a Turkish user get to Twitter or YouTube, but would prevent them from going to spoofed sites.  Additionally, if the operating system were validating the DNSSEC signatures on name server records the system could have noticed that the information it was getting back from, for instance, Google’s Public DNS, did not validate with the “global chain of trust” and so could have warned that the DNS information was suspicious (or perhaps chosen to try to use additional DNS servers that did validate correctly).

How To Help

The question now is what we do to strengthen the Internet against these kind of attacks on the Internet’s infrastructure.  Within our area of focus, we have three requests:

1. Understand how to secure BGP, and do so! - Please visit our “Securing BGP” section of the site, read the BGP Operations and Security Internet Draft, look at our BGP content roadmap and see if there are any documents there that you can contribute to help us build out our content and get more people taking these steps to secure their routers.  If you are a network operator, any steps you can take to make your routers more secure will go far.

2. Deploy DNSSEC validation - Wherever you can, turn on DNSSEC validation in any DNS recursive resolvers.  The steps to do so are very simple for the common DNS resolvers.

3. Sign your domains with DNSSEC – If you have a domain registered, see if you can sign it with DNSSEC (here are the steps you need) and if you encounter any issues please raise the issue with your domain name registrar, DNS hosting operator, IT department or whomever is blocking the process.

These steps will make attacks on the Internet’s infrastructure such as those happening in Turkey today more difficult and raise the complexity needed by the attackers.

Beyond these steps, this situation clearly points out the need for a wider diversity of Internet access methods.  Even with these steps above implemented, Turkish users who are limited to only the specific Turkish ISPs have no choice in receiving their default routes and connections.  If more options were to be available in the region, the ability of those users to have access to the information on the Internet would not be restricted.

The Internet needs to be hardened against attacks such as these.  Please help make the Internet stronger!

 

 

Mar 30

Congrats to Aruba for Signing .AW with DNSSEC

dnssecIt was great to see that Aruba is the latest country-code top-level domain (ccTLD) to join the 298 TLDs that have signed their TLD with DNSSEC. With the .AW TLD signed, the first barrier is removed for companies and organizations seeking to sign their .AW domains and achieve the higher level of security possible with DNSSEC. At some point soon the registry for .AW should be able to start accepting DS records and the global chain of trust can then extend down to all signed .AW domains.

If your domain is in one of the other 297 signed TLDs, what are you doing to secure your domain? Have you signed your domain with DNSSEC yet? If not, how can we help you get to that point?

P.S. Aruba will now show up in the DNSSEC deployment maps and CSV files that we publish every Monday. If you are interested in receiving those maps each week via email, please visit the page and sign up.

Mar 28

Next DNS-OARC Meeting May 10-11, 2014, Before RIPE68 in Warsaw

dns-oarcIf you are interested in all matters related to DNS, including DNSSEC, the next meeting of the DNS Operations Analysis and Research Center (DNS-OARC) will take place May 10-11, 2014, in Warsaw, Poland.  Sponsored this time by Microsoft, the “OARC 2014 Spring Workshop” is immediately before the RIPE 68 meeting taking place in the same location.

The agenda for the OARC 2014 Spring Workshop is still evolving but already includes a range of what look like excellent presentations related to DNSSEC and other similar topics.  The attendee list, too, is also filling up with many people with deep experience from across the industry.

It should be an excellent event for those interested in DNS and DNSSEC!

Meeting registration is free if you can get to Warsaw.  If you were already planning to go to the RIPE 68 meeting why not go a couple of days earlier and immerse yourself in DNS? :-)

Mar 27

New IETF Mailing List To Discuss Privacy and Confidentiality of DNS

IETF LogoHow can we better protect the privacy and confidentiality of DNS queries? While DNSSEC protects the integrity of answers coming back from DNS (i.e. ensuring they aren’t modified in transit), what can be done to protect the confidentiality and privacy of information retrieved from DNS?  Particularly against the kind of pervasive monitoring and large-scale network sniffing we’ve become aware of?

We mentioned previously that at IETF 89 this month in London there was the “Encryption of DNS requests for confidentiality” (DNSE) BOF looking at these topics.  There was vigorous discussion during that BOF and then at the DNSOP working group meeting.  That large amount of interest has now sparked the creation of a new mailing list for all those interested in participating.  This “dns-privacy” list is public and open to anyone to subscribe:

List address: dns-privacy@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/dns-privacy
Archive: http://www.ietf.org/mail-archive/web/dns-privacy/

As you can see from the mailing list archive, there is already some discussion underway.  If you want some background the Internet drafts draft-bortzmeyer-dnsop-dns-privacy and draft-koch-perpass-dns-confidentiality may be useful.

While this doesn’t specifically related to the DNSSEC topic we cover here on Deploy360, it is part of the same overall space of “making DNS more secure” and so I thought it would be useful to point people to this new list.

Working together as an industry and community, we can make DNS more secure!  Please do join in and help out.

Mar 26

Congratulations to Portugal’s .PT on their DNSSEC growth!

Tonight at the DNSSEC Implementers Gathering at ICANN 49 in Singapore, I was seated next to an attendee from the registry in Portugal that operates the .PT top-level domain and she let me know about some dramatic growth they had recently seen.  She also clued me in to their dnssec.pt page that has their statistics and also info about DNSSEC workshops and other events (I’ve now added this to our DNSSEC Statistics page).  As noted on the chart below from March 14, 2014, the big jump that happened for them was when their second largest registrar/DNS hosting provider jumped from 200 to 4,000 .PT domain names signed with DNSSEC.

DNSSEC growth in Portugal

 

This is compared to the chart from only 11 days earlier showing Flesk at 199 signed domains.  In speaking with her this jump was apparently not due to any incentives but rather to a registrar looking to do the right thing and provide more security options to their customers.

Congratulations to the team at .PT for seeing this big jump in second-level domains!

Mar 25

Watch/Listen LIVE To The ICANN 49 DNSSEC Workshop On Wednesday, March 26

ICANN 49 SingaporeWant to learn about DNSSEC from people who have actually deployed DNSSEC in their region? Want to learn about DANE and how it can be used in applications? How can DNSSEC make the Internet more secure? As I mentioned last week, these are some of the topics that will be discussed in the ICANN 49 DNSSEC Workshop that will be streaming live out of Singapore on Wednesday, March 26, from 8:30am – 2:45pm Singapore time. The session will be recorded for those unable to watch live.

[WARNING: Singapore local time is UTC+8, so it is 7 hours ahead of Central European time, 12 hours ahead of US Eastern time and 15 hours ahead of US Pacific time.  So if you are on the US East Coast, for example, this workshop will start at 8:30pm TONIGHT (Tuesday, March 25).]

Topics to be discussed include:

  • DNSSEC Deployment Metrics
  • DNSSEC Activities in the Asia Pacific Region
  • Case study of the deployment of DNSSEC at .ee (Estonia)
  • Guidance for Registrars in Supporting DNSSEC – and DNSSEC requirements in the 2013 Registrar Accreditation Agreement (RAA)
  • Preparing for DNSSEC Root Key Rollover
  • DNSSEC Applications
  • Demonstration of DANE applications and tools

A full agenda and all of the available slides can be found on the ICANN 49 DNSSEC Workshop program page. You can watch or listen to the event via:

The session should provide excellent information for people interested in DNSSEC and how we can make the Internet more secure.  Please do join in!

And if you are interested in deploying DNSSEC, please check out our DNSSEC resource pages to learn more.

Mar 24

Watch/Listen Live TODAY To The “DNSSEC For Everybody: A Beginner’s Guide”

ICANN 49 SingaporeIn just about 1.5 hours from now here at ICANN 49 in Singapore we’ll be part of the “DNSSEC For Everybody: A Beginner’s Guide” session.  Running from 17:00 – 18:30 Singapore time, the session will start at the very basic level of why should anyone care about DNSSEC and get into what kind of problem we are trying to solve.  This session includes a skit where we visually act out DNS and DNSSEC transactions.

You can listen remotely via an audio stream or listen and view the slides via a a virtual meeting room.  Details are on the program page.

The session will be recorded for later viewing, which may be appreciated by any readers in the Western hemisphere (such as those in the USA) for whom Singapore time at UTC+8 will be very early in the morning. :-)

Mar 23

Free DNSSEC Training May 22-23, 2014, in Stockholm, Sweden

OpenDNSSEC logoAre you in Stockholm, Sweden, (or can easily get there) and interested in learning more about DNSSEC? If so, we’ve learned that the great folks at OpenDNSSEC will be offering a free two-day training class on May 22-23, 2014.  More info can be found at:

http://www.opendnssec.org/support/trainings/

The agenda is online as are the study materials. This training is obviously aimed at people who will use OpenDNSSEC as a means of signing their DNS zones and if you haven’t considered that option before you may want to do so.

Given that this is a hands-on workshop, it is not available for remote participants.  As the web page notes, the OpenDNSSEC team is open to bringing this training to other locations.

For other training options, please visit our DNSSEC Training page.