Category: DNSSEC

Turkey’s Ban On Twitter Will Inadvertently Cause A Rise In DNSSEC Validation

Today the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that. “The Internet routes around censorship”, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.

And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media.   As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.

As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.

Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!”

The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries.  So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).

Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.


P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back.  There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver.  That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device.  However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.
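To make the P.S. concrete, here is an added example (not code from the original post or from Google) of what a stub client sees when it relies on a remote validating resolver: it asks for validation with the DO and AD bits and can only read back the resolver's AD bit or a SERVFAIL. The function names, transaction ID and sample response headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, AD = 0x8000, 0x0100, 0x0020
EDNS_DO = 0x8000          # "DNSSEC OK" bit in the OPT record's flags (RFC 3225)

def build_query(name, qtype=1, txid=0x1a2b):
    """Wire-format query for `name` with RD and AD set plus an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)   # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)               # class IN
    # OPT pseudo-RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt

def classify_response(msg, txid=0x1a2b):
    """Classify a resolver's answer from its 12-byte header alone."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != txid or not flags & QR:
        return "mismatch"             # not a response to our query
    rcode = flags & 0x000F
    if rcode == 2:
        # A validating resolver answers SERVFAIL for bogus data
        # (SERVFAIL can also mean other resolver-side failures).
        return "servfail"
    if rcode not in (0, 3):
        return "error"
    # AD is an unauthenticated header bit: it reports what the resolver claims,
    # so it is only as trustworthy as the path between the device and the resolver.
    return "resolver-validated" if flags & AD else "not-validated"

def sample(flags, txid=0x1a2b):
    """Constructed header-only response (all section counts zero) for the demo."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

SAMPLES = {
    "signed zone":   sample(0x81A0),  # QR RD RA AD, NOERROR
    "unsigned zone": sample(0x8180),  # QR RD RA,    NOERROR
    "bogus data":    sample(0x8182),  # QR RD RA,    SERVFAIL
}

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for label, msg in SAMPLES.items():
        print(f"{label}: {classify_response(msg)}")
```

Because nothing in the header is signed, anyone able to modify packets on that path could set or clear the AD bit, which is why validation on the local network or on the device itself is the stronger position.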

Last Day To RSVP For ICANN 49 DNSSEC Implementers Gathering March 26 in Singapore

Will you be at ICANN 49 in Singapore next week? And are you deploying DNSSEC and interested in meeting with others who are also doing so?

As we mentioned earlier this week, there are three sessions at ICANN 49 focused on DNSSEC and one of those is  an “informal gathering of DNSSEC implementers” on the evening of March 26 from 19:30-21:30 (or later). This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC.  As ICANN’s Julie Hedlund wrote in a note to various email lists:

This is a unique opportunity to meet with and talk to key implementers, such as CNNIC, JPRS, NZNIC, CIRA, CZNIC, Nominet UK, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences.

It’s a great chance to meet people working with DNSSEC.  If you will be in Singapore and interested in joining us,  please RSVP by the close of business TODAY (21 March 2014) so that we can have accurate information for the location of the event.   Details and location information will be sent via email to all those who have RSVP’d.

See (some of) you in Singapore!

Microsoft Publishes Guide To Deploying DNSSEC In Windows Server 2012

Do you work in an enterprise using Microsoft Windows Server 2012, and are you interested in deploying DNSSEC validation to provide better security to your users – and/or securing your own DNS zones using DNSSEC?

If so, the good folks at Microsoft just recently released a new guide “DNSSEC in Windows Server 2012” that guides you through what you need to do to deploy DNSSEC in Windows Server 2012 and Windows Server 2012 R2.  I’d note that it covers both the validation and signing sides of DNSSEC.

The document has four major sections:

  • Overview of DNSSEC
  • DNSSEC in Windows
  • DNSSEC Deployment Planning
  • Deploy DNSSEC with Windows Server 2012

as well as a few appendices. The document goes into quite a deep level of detail about how DNSSEC is integrated into various aspects of Windows Server 2012. The “Deployment Planning” section seemed quite useful, too, as it explored some of the performance requirements and also suggested a process for staging a deployment.

In reading through the document, I was quite impressed by the “Deploy DNSSEC with Windows Server 2012” section that includes many different checklists to help administrators know precisely what they need to be doing. While I don’t personally work with Windows Server 2012, the checklists seemed to be covering the areas that I would want them to cover.

As we look to get more enterprises doing DNSSEC validation and also signing their own zones, it is great to see this document come out of Microsoft!    If you work with Microsoft Windows Server 2012, definitely do give it a look – and start deploying DNSSEC today!

 

3 DNSSEC Sessions At ICANN 49 Next Week In Singapore

Next week we’ll be at ICANN 49 in Singapore for several excellent DNSSEC-related sessions, two of which will also be streamed live for those who want to watch remotely.

DNSSEC For Everybody: A Beginner’s Guide

First up on Monday, March 24, 2014, in the late afternoon from 17:00 – 18:30 Singapore time will be the DNSSEC For Everybody: A Beginner’s Guide session where we start at the very basic level of why should anyone care about DNSSEC and get into what kind of problem we are trying to solve.  This session includes a skit (seriously!) where we act out DNS and DNSSEC transactions.  We even have some newer props this time around… so it will be a bit of fun and our feedback has been that this helps people greatly in understanding what DNSSEC is all about.

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room. Details are on the program page.

DNSSEC Workshop

The BIG event of the week is the DNSSEC Workshop on Wednesday, March 26, where we meet from 8:30 – 14:45 Singapore time for this detailed session diving into many different aspects of DNSSEC.  I’m on the Program Committee for the workshop and I can tell you that there will be some excellent presentations at this session.  The slides and full agenda will be available soon, but the major areas of discussion will include:

  • Introduction and DNSSEC Deployment Around the World
  • DNSSEC Activities in the Asia Pacific region
  • Guidance for Registrars in Supporting DNSSEC
  • The Operational Realities of Running DNSSEC
  • Preparing for Root Key Rollover
  • Implementing DNSSEC Validation At Internet Service Providers (ISPs)
  • DANE and DNSSEC Applications

[UPDATE: The slides and full agenda are now available.]

The workshop continues to attract some of the best technical people involved with DNSSEC and the conversations and discussions that happen there provide outstanding value to those interested in these topics. If you’re interested in DNSSEC and how it can make the Internet more secure, I highly recommend tuning in!

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room. Details are on the program page.

DNSSEC Implementers Gathering

Finally, Wednesday evening from 19:30-21:30 (or later) some of us will join in an “informal gathering of DNSSEC implementers” at a nearby restaurant/bar. This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC.  As ICANN’s Julie Hedlund wrote in a note to various email lists:

This is a unique opportunity to meet with and talk to key implementers, such as CNNIC, JPRS, NZNIC, CIRA, CZNIC, Nominet UK, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences.

It’s been a fun time at past events and generated both good conversations and connections for future work activities after the meetings are over.

It should perhaps be obvious but this event will NOT be available for remote participation.  If you will be in Singapore, though, and are interested in interacting with others who are deploying DNSSEC, you are welcome to join us.  As Julie requests, please RSVP by close of business on this Friday, March 21, 2014.

Say Hello!

I will be there in Singapore as will Chris Grundemann from our team.  Please do say hello – you can find me at any of these events and also around other areas of ICANN. You can also email us at deploy360@isoc.org if you’d like to meet with us.  You can also contact us via Twitter, Facebook or Google+.

Weekend Project: Try Out “Bloodhound”, A Web Browser With Full DNSSEC Support

Here is a quick project to try out this weekend… download and try out the Bloodhound web browser from the DNSSEC Tools Project.

This web browser is a modified version of Mozilla Firefox that supports local validation of DNSSEC and also usage of the DANE protocol.  The cool part about Bloodhound is that it validates ALL web addresses used in the building of a web page, i.e. it is not just validating only the main URL for a site.  Given that many web pages today make many calls to other web sites for various components and pieces of the site, Bloodhound will ensure that all of those are validated via DNSSEC.

Once you have Bloodhound installed, you can visit our lists:

where you should see failures happen when you attempt to go to the “bad” sites.

More information about how to configure Bloodhound is available on the DNSSEC Tools Project website. The Bloodhound browser was created as an experimental project to advance DNSSEC deployment and as a test bed for how DNSSEC validation can be built directly into applications. If you have feedback or would like to get more information, please see the bottom of the Bloodhound web page for how to get in touch with the folks at the DNSSEC Tools Project.

A Breakfast Gathering of DNSSEC Advocates At IETF 89

One of the great joys of working within the DNSSEC community is the truly outstanding and passionate people that are all focused on how we can make the Internet more secure and trustworthy. Last week at IETF 89 in London a few of us who were there were able to meet for breakfast on Friday morning and we have a photo to prove that:

[Photo: DNSSEC Advocates]

It was an enjoyable time and several ideas for further activities came out of the conversations that happened there. Plus we got to see who was wide awake at 7:30am and who was desperately needing caffeine. :-)

The people there at the breakfast were subscribers to the “dnssec-coord” mailing list that was set up to help in the coordination and communication between people who want to accelerate the deployment of DNSSEC.  That list is open to anyone to join.  We have a monthly conference call and do other work on the mailing list.  Some of the people on the list are able to get to IETF and/or ICANN meetings.  Some of the list subscribers don’t go to those meetings and participate only electronically and on the phone calls. Some are from large companies and some are individual consultants.    It doesn’t matter… all are welcome to join and be part of the conversation about how to make the Internet more secure via DNSSEC and DANE.

We’d love to have you join us!  If you’d like to help accelerate the adoption of DNSSEC and are interested in the advocacy/promotion/publicity side of the adoption work, please feel free to subscribe to dnssec-coord and join in our efforts.

 

DNSSEC Training In Rwanda For The .RW ccTLD

I was very pleased to learn via a series of tweets this morning of a two-day DNSSEC training seminar that happened in Kacyiru, Rwanda, sponsored by the Rwanda Information and Communication Technology Association (RICTA) in partnership with ICANN. The seminar took place over the last two days and the agenda looks quite good.

[Photo: Rwanda DNSSEC training]

It seems they got some good news coverage on two local sites, complete with other photos of the event: IGIHE and UMUSEKE. Unfortunately, as I cannot read Kinyarwanda, and neither, it seems, can Google Translate, I don’t have any idea what the articles are saying beyond the technical acronyms.

The attendance is great to see as Africa is one region where it would be great to see more ccTLDs signed with DNSSEC. At this moment Rwanda’s .RW is not appearing on either our DNSSEC deployment maps or ICANN’s DNSSEC Status Report as signed with DNSSEC… but hopefully with a workshop like this that status will be changing soon!

P.S. To that end, I note that the seminar invitation reads “Adoption event for the .RW country code top-level domain name”. If anyone reads this from RICTA and could email us info about when they are planning to sign the .RW ccTLD, we’d love to add that information to our DNSSEC deployment maps.

Photo credit: RICTAInfo on Twitter

Free DNSSEC Training In Singapore March 19-21

Are you going to be in Singapore March 19-21 and interested in some DNSSEC training?

We’ve been alerted by our friends at ICANN and the NSRC that they have a few open seats in the DNSSEC training classes they are offering on March 19-21 in cooperation with the Singapore NIC (operators of the .sg ccTLD).  Rick Lamb, one of the instructors, notified us that the training is free if people can get there – and that people who hold ISC2 certifications such as the CISSP credential can earn Continuing Professional Education (CPE) credits for attending the course.

The training agenda looks excellent and having worked a good bit with Rick I can very definitely say he is incredibly knowledgeable about everything related to DNSSEC. I’ve also heard great things about the other instructor, Phil Regnauld, and about NSRC training in general.

Rick said it would be best if people contacted him directly via email to see if there is still space in this course.  I’ll note that this training is happening right before the ICANN 49 meeting in Singapore, and so if you are already going to ICANN 49 perhaps you can adjust your schedule and go a few days early to check out this training!

Weekend Project: Check Out The New “getdns” API

Are you an application developer who makes queries to DNS somewhere inside your application?

If so… or if you aren’t, but are just looking for a reason to play around with some code… there’s a new “getdns” API out that is designed to make it easier to interact with DNS.  From the website:

getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in an API specification edited by Paul Hoffman. With the development of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications.

You can read more about it at:

http://getdnsapi.net/

And the code is available on GitHub at:

https://github.com/getdnsapi/getdns

There are also bindings for Python and node.js in the works. This new “getdns” API has been developed by a team of developers from NLnet Labs, Verisign Labs and No Mountain Software and is based on the getdns API specification documented by Paul Hoffman.

Members of the team gave a presentation at IETF 89 whose slides you can view about this new API and what you can do with it. While I haven’t played with it myself yet, I’m pleased to see that one major point is that it provides developers with easy usage of DNSSEC. All in all it’s very cool to see a new API out there and we do encourage people to check it out and see what you think of it. I’d note that because the code is maintained at GitHub, you can file issues there if you have questions or bugs. There is also an email list for developers and users who want to get more involved with the project.

Congrats to the developer team for releasing this new API and we hope that it enables  app developers to more easily interact with DNS and DNSSEC!

Deploy360@IETF89, Day 5: dnsop, uta

It’s our last day here at the 89th IETF meeting and it’s been a very exhausting but exhilarating meeting so far! A lot of excellent work happening in so many areas! Our final day here ends with a number of DNSSEC-related topics being presented in the DNSOP Working Group – while at the exact same time is the first meeting of the brand new UTA Working Group that is part of the inspiration for our new TLS for Applications area of Deploy360.

After that, there is an afternoon meeting of the Internet Society Advisory Council which a few of us will attend… and then we’ll be heading back home! Thanks to all the many people who have come up to us and told us about how they appreciate our work – that kind of feedback means a lot and is greatly appreciated!

If you do want to meet with us in these few remaining hours of IETF 89, either find us at one of these sessions or send us email to deploy360@isoc.org.

Thanks, again, for all the great feedback!

Friday, March 7, 2014

dnsop (DNS Operations) WG
0900-1130 UTC, Sovereign Room
Agenda: https://datatracker.ietf.org/meeting/89/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

uta (Using TLS in Applications) WG
0900-1130 UTC, Richmond/Chelsea/Tower Rooms
Agenda: https://datatracker.ietf.org/meeting/89/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/
Charter: http://tools.ietf.org/wg/uta/charters/


Remote Participation

You don’t have to be in London to participate in the meetings of IETF 89. You can also:

  • Listen to live audio streams.
  • Participate in Jabber chat rooms to ask questions.
  • Download the slides planned for each session.
  • Listen and watch “Meetecho” conferencing sessions that provide an integrated view of slides, audio, chat and video.

Information about how to participate can be found on the IETF 89 Remote Participation page.  Keep in mind that times for London are in UTC.