Category: DNSSEC

DNSSEC and DANE Activities at ICANN 57 in Hyderabad, India, November 4-7, 2016

ICANN 57 Hyderabad logoFriday marks the beginning of the ICANN 57 meeting in Hyderabad, India. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing.  Here is what is happening.

All times below are India Standard Time (IST), which is UTC+05:30. (Yes, it is a half-hour off from other timezones.)


DNSSEC For Everybody: A Beginner’s Guide – 4 Nov

On Friday, November 4, 2016, we’ll have our “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!

DNSSEC Implementers Gathering – 6 Nov

On Sunday, November 6, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org.  We thank Afilias for their generous sponsorship of this gathering at ICANN 57!

DNSSEC Workshop – 7 Nov

Our big 6-hour workshop will take place on Monday, November 7, from 09:00 – 15:00 in Room G.03/G.04. Lunch will be included. Thank you to our lunch sponsors: Afilias, CIRA, Dyn and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities in the Asia Pacific Region
  • Aggressive Use of NSEC/NSEC3
  • Panel: Root Key Rollover Discussion – Recursive Resolver Software Readiness
  • Demonstration: DNS Operator Interface for DNSSEC
  • Research Infrastructure for Internet Naming, Identification, and the DNS
  • The Great DNSSEC/DNS Quiz
  • Demonstration: Windows Server DNSSEC Functionality
  • Demonstration: DNSSEC-S/MIME-DANE Package for Microsoft Outlook
  • Secure Mailserver Using DNSSEC/TLSA
  • DNSSEC – How Can I Help?

It should be an outstanding session!


As neither I nor Russ Mundy were able to travel to Hyderabad, I want to personally thank Wes Hardaker and Jacques Latour for stepping in to help with some of the emceeing and other meeting facilitation duties.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

NIST Publishes New Guide: “DNS-Based Email Security” about DANE and DNSSEC

NIST Report on DANE for email

How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?

Today the U.S. National Cybersecurity Center of Excellence (NCCoE)  and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)” the document offers guidance to enterprises and others into “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.”  Specifically it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.

As NIST states on their web page, the goal of the project around this publication is:

  • Encrypt emails between mail servers
  • Allow individual email users to digitally sign and/or encrypt email messages
  • Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages

You can download the guide or sections of it from that web page.

NIST is seeking public comments on this new guide from today through December 19, 2016.

It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.

And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.

In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC

singapore-and-senegal-sign-with-dnssec

Congratulations to the teams in both Singapore and Senegal for signing their country-code top-level domains (ccTLDs) with DNSSEC back in September. According to Rick Lamb’s list of DNSSEC-signed TLDs, Singapore’s signature for the .SG domain was added to the root of DNS on September 22, and Senegal’s signature for .SN was added on September 30. [1]

This means that as of those dates, second-level domains under .SG and .SN could start receiving the added layer of security and trust possible with DNSSEC.  In Singapore SGNIC started actively encouraging people to sign their domains. In Africa, ICANN’s Yaovi Atohoun wrote about how Senegal is the third African ccTLD to sign with DNSSEC this year.

I also added both countries to our weekly DNSSEC Deployment Maps so people can see them there. (And here’s a test of your geography: where are Senegal and Singapore?)

This is all great news as the world continues to add a layer of trust to answers from DNS by using DNSSEC. Congrats again to the teams in both countries!

If you would like to get started with DNSSEC, please visit our Start Here page to begin.


[1] To be precise, what happened is that the “Delegation Signer” or “DS” records for each TLD were added to the root of DNS. The DS record is a fingerprint of the DNSKEY used to sign the domain.  It is included in the parent zone to create a “global chain of trust” from the root of DNS on down.

Watch Live TODAY – DNSSEC Root KSK Ceremony at 17:00 UTC

DNSSEC Key Ceremony 25

Today a critical part of DNS security – DNSSEC – will receive a major update, and you can watch it all live at starting at 17:00 UTC (1:00pm US EDT – local time) streaming out of ICANN’s data center in Virginia:

https://www.iana.org/dnssec/ceremonies/27

Olaf Kolkman, our CITO, will be in attendance as a “Crypto Officer” (key holder). Olaf wrote a post with info about the 25th key ceremony back in May 2016 and shared some of his photos.

The important step today is that this key ceremony will involve the creation of a new Key Signing Key (KSK) for the root of DNS. This begins what will be a year-long process of “rolling over” the cryptographic key at the heart of the DNSSEC system. ICANN has a page dedicated to the “Root KSK Rollover” explaining the details – and this “at-a-glance” PDF provides the key facts and dates.

This is a great step in making DNSSEC even more secure.

If you’re interested, ICANN posts the “script” that will be used to go through today’s key ceremony. All of the key ceremonies are streamed live and archived for later viewing.

If you want to learn more about DNSSEC in general, please visit our Start Here page to find resources to help!


Image credit – Olaf Kolkman on Flickr. Used with permission.

New RFC 7958 – DNSSEC Trust Anchor Publication for the Root Zone

RFC 7958 text

How can you trust the root of the “global chain of trust” that is used in DNSSEC? How can you be sure as you are validating DNSSEC signatures that this global chain works?

To provide this chain of validation, DNSSEC relies on what is called a “trust anchor”. When you check the signature for DNS records for “internetsociety.org”, for instance, you go through a process along the lines of this (a simplified version):

  1. Your validating recursive resolver gets the DNS records (such as “A” or “AAAA”) for “INTERNETSOCIETY.ORG” along with the DNSSEC signature in a RRSIG record and the public key used for the signing in a DNSKEY record.
  2. It then retrieves the DS record for “INTERNETSOCIETY.ORG” from .ORG to verify that this is the correct DNSKEY.  It also retrieves a RRSIG record for the DS record and the DNSKEY record from .ORG.
  3. Next it retrieves the DS record for “.ORG” from the root of DNS, along with the associated RRSIG for the DS record and the DNSKEY for the root.
  4. HERE IS THE CHALLENGE – How does your recursive resolver know that the DNSKEY it retrieved for the root of DNS is the correct one?

This is where there is a need for a “trust anchor” that the recursive resolver can trust to know that this is indeed the correct DNSKEY it should be using.

The DNSSEC protocol can be used with any trust anchor, but in practice we all use the DNSSEC trust anchors published by IANA (with ICANN doing the actual publishing as part of their contract to perform the IANA functions).

A new informational (non-standard) RFC 7958 out this week explains the formats IANA uses to publish the root key trust anchors and how those trust anchors can be retrieved.  It also outlines additional steps that can be taken during the retrieval to ensure the trust anchors aren’t modified during the retrieval.

In 2017 we will see a change in the Root Key Signing Key (KSK) in 2017, which will mean a change in the root trust anchor. This RFC 7958 is a good reference to have out there so that everyone can understand exactly how to retrieve and use the trust anchors at the heart of DNSSEC.

Please do read this new RFC and share it widely with anyone involved in developing applications or services that perform DNS resolution and validation.

And if you know very little about DNSSEC but want to learn more, please visit our Start Here page to find resources to help you get started!

Do you have an idea? Call for Participation – DNSSEC Workshop at ICANN57 in Hyderabad, India

ICANN 57 Hyderabad logo

Have you created a new tool that makes DNSSEC or DANE deployment easier? Would you like to share a case study of implementing DNSSEC within your enterprise or network? Do you have an idea to help with preparing for the Root Key Rollover?  Have you performed new measurements of DNSSEC adoption?

If you have any ideas along those lines and will be in Hyderabad, India, for ICANN 57 (or can get there), we are currently seeking proposals for talks in the DNSSEC Workshop.  The full “Call for Participation” is included below with ideas for what we are seeking.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

This is a great opportunity to share your information with the larger DNSSEC community. If you are seeking feedback on ideas, many people are glad to help. These sessions provide a great amount of technical detail and an opportunity to learn more.

Please consider sending in a proposal!

Call for Participation — ICANN DNSSEC Workshop at ICANN57 at Hyderabad, India

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN57 meeting held from 03-09 November 2016 in Hyderabad, India. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: http://sched.co/7NCj and http://sched.co/7NCk

At ICANN57 we are particularly interested in live demonstrations of uses of DNSSEC or DANE. Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and
    services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Preparation for Root Key Rollover

In preparation for the Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5. DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-hyderabad@isoc.org by **15 September 2016**.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Deadline of August 14 for Call for Presentations at DNS-OARC 25

DNS-OARC logoDo you have an idea about how to improve DNS that you would like to present to a community of people active with DNS?  Have you done research into new ways to better secure DNS or increase the privacy?  Have you done something with DNSSEC or DANE that you’d like to share with others?

If so, the team over at the DNS Operations Analysis and Research Center (DNS-OARC) has issued their Call for Presentations for DNS-OARC 25.  The DNS-OARC 25 meeting takes place on Saturday and Sunday, October 15-16, 2016, right before the NANOG 68 meeting.

The deadline to submit proposals is AUGUST 14, 2016.

To get a sense of the topics discussed in a DNS-OARC meeting, I would suggest viewing the list of contributions to DNS-OARC 24 in Montreal last October.

If you have an idea, please do submit a proposal – read the DNS-OARC CFP for all the details.

 

Join the DNS Security team at the IETF 96 Hackathon this weekend…

IETF 96 Hackathon

If you will be in Berlin, Germany, this weekend and are interested in putting your coding or documentation skills to good use in helping make DNS more secure, please plan to join a group of about 20 of us at the IETF 96 Hackathon who will be working on DNS-related projects. The Hackathon is at the InterContinental Hotel from 9:00am – 9:00pm on Saturday, July 16, and from 9:00am – 6:00pm on Sunday, July 17. (You don’t have to be there the whole time – some people come and go.)

NOTE: you do NOT have to be attending IETF 96 to participate in the Hackathon. It is separate – and free – but you do need to register to attend. We welcome other developers in the Berlin area who want to join us during the weekend.

Details can be found on the IETF 96 Hackathon wiki page.

We have a group of 20+ people who will be working on a variety of DNS, DNSSEC, DPRIVE and DANE projects. There are some projects that could use some additional help (including non-coding help such as documentation and user testing). You are also welcome to bring other projects to the Hackathon.

You can see the list of projects and ideas on the IETF wiki hackathon page – although you need to scroll down to find the DNS section.

The GetDNS crew has a number of projects underway, including TLS interfaces, a Universal Acceptance review and RFC5011 testing. Rick Lamb plans to make BIND work with smartcards without patches. I plan to work on the code behind the weekly DNSSEC deployment maps. I’m sure others will bring some projects, too, by the time it begins.

A good group of “DNS people”  have now done this for the past several IETF meetings. It’s been a great experience and moved a number of DNS-related projects forward.  We would definitely welcome anyone else who wants to join us, even if just for part of the time.  Bring your coding and documentation skills and help make DNS better!

P.S. And of course you can also join in with the many other excellent projects happening at the Hackathon, too, including some great work on TLS implementations.  We here at Deploy360 just happen to be focused on DNS…

Schedule of DNSSEC Activities at ICANN 56 in Helsinki

ICANN 56 LogoStarting on Monday, 27 June 2016, the ICANN 56 meeting will take place in Helsinki, Finland.

This is the first meeting in ICANN’s new shorter “B” format of a “policy forum”. As a result, there have been some changes to the schedule of DNSSEC activities (which are expected to return to their regular format for ICANN 57 this fall in Hyderabad):

  • There is no “DNSSEC for Everyone” beginner session.
  • The “DNSSEC Workshop” has moved from Wednesday to Monday and is only 4 hours instead of the usual 6+ hours.
  • The “DNSSEC Implementers Gathering” has changed from Monday night to Tuesday night so as not to conflict with the ICANN reception.

Here is what the schedule looks like:


DNSSEC Workshop

The DNSSEC Workshop will take place on the morning of Monday, 27 June 2016. All times are Eastern European Summer Time (EEST), which is UTC+3.

We are grateful to four companies for their sponsorship of this event:  Afilias, CIRA, Dyn and SIDN.

  • 09:15-09:30–Introduction/Maps: Dan York, Internet Society
  • 09:30-10:00–Measurement Survey of Server-Side DNSSEC Adoption: Matthäus Wander
  • 10:00-10:15–Observation of DNSSEC Trends: Geoff Huston, APNIC
  • 10:15-11:15–Panel Discussion: DNSSEC Deployment Challenges: Nick Shorey, Dani Grant, CloudFlare, Ari-Matti Husa, FICORA, Geoff Huston, APNIC
  • 11:15-11:45–KSK Rollover and ZSK Length Increase: Roy Arends, ICANN and Duane Wessels, Verisign
  • 11:45-12:00–DNSSEC Encryption Algorithms: Dan York, Internet Society, and Ondrej Sury, CZNIC
  • 12:00-12:15–DNSSEC: How Can I Help? Dan York, Internet Society, and Russ Mundy, Parsons
  • 12:15-12:30–DNSSEC/DNS Quiz: Roy Arends, ICANN
  • 12:30-13:30–Sponsored Lunch

All sessions will be available for remote participation and will be recorded for later viewing:

We’ve got some great sessions and we’re looking forward to another exciting session! And after lunch you can stay around for “Tech Day” where there will be a range of other DNS-related talks.


DNSSEC Implementers Gathering

On Tuesday evening, many of us who have been involved with DNSSEC, DANE or “DNS security” will gather informally at a local restaurant in Helsinki.  We’ll have some light food, drinks and conversation.  If you’d like to join us, please email Dan York at york@isoc.org .


And… that will be it! If you are at ICANN 56 please do say hello – you can find Dan York in these sessions… or drop him a note at york@isoc.org and he can arrange a time to connect.

DNSSEC Activities At ICANN 56 In Helsinki – 27-28 June 2016

ICANN 56 logoNext week is the 56th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Helsinki, Finland, and while it is a smaller “policy forum” style of meeting, there will still be some activities related to DNSSEC, DANE and DNS security in general.  Unlike the larger meetings, there will not be the “DNSSEC for Everybody” session with its ever-popular skit. The 6-hour DNSSEC Workshop will also be moved to Monday from its traditional Wednesday – and will split the day with “Tech Day”. The informal DNSSEC Implementers Gathering will also move from Monday evening to Tuesday evening.

So with all that, here’s what the schedule looks like…


DNSSEC Workshop

The DNSSEC Workshop will take place on the morning of Monday, 27 June 2016. All times are Eastern European Summer Time (EEST), which is UTC+3.

We are grateful to four companies for their sponsorship of this event:  Afilias, CIRA, Dyn and SIDN.

  • 09:15-09:30–Introduction/Maps: Dan York, Internet Society
  • 09:30-10:00–Measurement Survey of Server-Side DNSSEC Adoption: Matthäus Wander
  • 10:00-10:15–Observation of DNSSEC Trends: Geoff Huston, APNIC
  • 10:15-11:15–Panel Discussion: DNSSEC Deployment Challenges: Nick Shorey, Dani Grant, CloudFlare, Ari-Matti Husa, FICORA, Geoff Huston, APNIC
  • 11:15-11:45–KSK Rollover and ZSK Length Increase: Roy Arends, ICANN and Duane Wessels, Verisign
  • 11:45-12:00–DNSSEC Encryption Algorithms: Dan York, Internet Society, and Ondrej Sury, CZNIC
  • 12:00-12:15–DNSSEC: How Can I Help? Dan York, Internet Society, and Russ Mundy, Parsons
  • 12:15-12:30–DNSSEC/DNS Quiz: Roy Arends, ICANN
  • 12:30-13:30–Sponsored Lunch

All sessions will be available for remote participation and will be recorded for later viewing:

We’ve got some great sessions and we’re looking forward to another exciting session! And after lunch you can stay around for “Tech Day” where there will be a range of other DNS-related talks.


DNSSEC Implementers Gathering

On Tuesday evening, many of us who have been involved with DNSSEC, DANE or “DNS security” will gather informally at a local restaurant in Helsinki.  We’ll have some light food, drinks and conversation.  If you’d like to join us, please email me at york@isoc.org .


And… that will be it!  There’s no Technology Experts Group (TEG) meeting with the ICANN Board or anything else that we usually are involved with.

If you are at ICANN 56 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!