Category: DNSSEC

Slides: Introduction To The DANE Protocol

At the DNSSEC Workshop earlier this month at ICANN 47 in South Africa, I gave an introductory tutorial about the DANE protocol and how it can be used to secure Internet communication such as that through a web browser. I explained how DANE works, outlined some use cases and provided a series of links for people to learn more. The slides are now online:

I did record a video of the presentation and hope to get that uploaded in the next couple of (busy!) weeks.

More information about DANE can of course be found on our page about the DANE protocol.

“Rough Guide To IETF 87” Now Available – IPv6, DNSSEC, Routing and much, much more…

Next week is the 87th meeting of the Internet Engineering Task Force (IETF), taking place this time in Berlin, Germany, and it will be an incredibly busy week as something like 1,200-1,500 engineers gather in a hotel meeting space to debate and discuss various topics and create the open standards that power the Internet.  There are many different working groups meeting during the week and the IETF 87 agenda can seem a bit overwhelming.  To help with that, as we’ve done in the past, the Internet Society has published our “Rough Guide to IETF 87” available at:

http://www.internetsociety.org/rough-guide-ietf87

This document reflects our (Internet Society) interests and what we see as the important topics related to the technology priorities we have as an organization.  The working groups and events listed are ones where we have Internet Society staff participating or where the topic being covered is one of our priorities.

For instance, within our team here at Deploy360, we’ll be there in Berlin at the working groups related to:

  • IPv6
  • DNSSEC
  • Routing resiliency and security

Most of which, but not all, are captured in the Rough Guide.  As we noted in an earlier post about DNSSEC activities, there are two groups focused on DNSSEC and DANE that are of great interest to us.  There are a wide number of IPv6-related groups in which we’ll be participating and several groups related to routing resiliency and security.

If you are reading this page here on our Deploy360 site, hopefully the Rough Guide will help you understand where we will be spending our time.

There are, of course, a great many other working groups meeting next week at IETF 87 that are doing outstanding work in Internet infrastructure, applications, routing, security, real-time communications, network operations and so much more.  The full agenda for IETF 87 is an amazing list of all the great open standards work happening across the IETF!

NOTE: If you are unable to attend IETF 87 in Berlin in person, there are numerous methods of remote participation that will allow you to listen to what is going on and to provide comments.

2 DNSSEC / DANE Sessions Next Week At IETF 87 In Berlin

Next week is the 87th meeting of the Internet Engineering Task Force (IETF) in Berlin, Germany, and there will be two working groups meeting that are related to DNSSEC on the agenda:

DNSOP

The DNSOP (DNS Operations) Working Group will meet on Thursday, August 1, from 1520-1650 (Berlin time) in the Bellevue room.  There are 3 major items on the DNSOP agenda, but the one of strong importance related to DNSSEC is the discussion about how to communicate that there has been a change in the Key Signing Key (KSK) from a child zone up to a parent zone.  In other words, when you create a new KSK for your child zone, can we get an automated way to communicate the existence of this new KSK to the parent zone so that a DS record can be created and the global chain of trust can be updated?

Somewhat ironically, I experienced this precise issue myself last week when, during the DNSSEC Workshop at ICANN 47, a KSK on one of my personal zones expired.  The company providing DNS hosting for that domain automatically generated a new KSK, but they have no way of alerting the parent zone (.ORG in this case) that a new DS record is ready for upload.  I had to log in to the web interface for my registrar and copy/paste the DS record from the web interface of my DNS hosting provider.  Meanwhile, my domain was failing validation.

There are two different proposals for mechanisms to automate this process.  Warren Kumari, Olafur Gudmundsson and George Barwood submitted draft-kumari-ogud-dnsop-cds that proposed the creation of a new “CDS” record type in DNS.  Essentially, the parent zone will periodically poll the child zones and if a new CDS record is found the parent zone will update the DS record for the zone.  Separately, Wes Hardaker developed draft-hardaker-dnsop-csync providing a similar but broader mechanism for synchronizing child and parent zones. This draft involves the creation of a “CSYNC” record type in DNS which tells the parent zone which records in the child zone need to be updated in the parent zone.  Wes originally wrote the draft to look at how to synchronize NS records and their associated A and AAAA records (what we often call “glue” records) between child and parent zones but then added support for DS and DNSKEY records to stimulate further discussion.
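The failure described above (a rolled KSK with a stale DS at the parent) and the polling idea behind the CDS proposal can be sketched as follows. This is an added example, not code from either draft or from the original post: the zone name, the toy 4-byte keys and the `poll_child` helper are constructed for illustration, while the DS digest and key tag calculations follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_intact(owner, parent_ds, child_keys):
    """True if some DS at the parent matches a child key with the SEP bit."""
    ksks = [k for k in child_keys if struct.unpack("!H", k[:2])[0] & 1]
    return any(make_ds(owner, k) in parent_ds for k in ksks)

def poll_child(parent_ds, child_cds):
    """One parent-side poll: adopt the child's CDS set if it differs.
    A real parent must authenticate the child's answer first (not modelled)."""
    if child_cds and set(child_cds) != set(parent_ds):
        return list(child_cds), True
    return list(parent_ds), False

# Constructed sample data: a hypothetical zone and toy 4-byte "public keys".
ZONE = "example.org"
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")
ZSK = dnskey_rdata(256, 3, 8, b"\x09\x0a\x0b\x0c")

if __name__ == "__main__":
    parent = [make_ds(ZONE, OLD_KSK)]          # DS uploaded before the rollover
    child_keys = [NEW_KSK, ZSK]                # hosting provider rolled the KSK
    print("before poll, chain intact:", chain_intact(ZONE, parent, child_keys))
    parent, changed = poll_child(parent, [make_ds(ZONE, NEW_KSK)])
    print("DS updated:", changed, "chain intact:", chain_intact(ZONE, parent, child_keys))
```

The same `chain_intact` comparison is what an operator can run as a monitoring check after any key rollover, before validating resolvers start failing the zone.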

At DNSOP there will be a joint presentation about the two drafts with an interest in looking at “where do we go from here”.  It should be an interesting discussion and if you are unable to attend in person you can listen to the remote audio stream at the specified time.

DANE

Right after DNSOP, the DANE Working Group will meet on Thursday, August 1, from 1700-1830 (Berlin time) in the Potsdam 1 room.  With RFC 6698 now specifying the DANE protocol the WG is focused more on how DANE will be used by various services.  The agenda has not yet been posted, but there has been active discussion on the DANE mailing list about drafts relating to using DANE with email (both SMTP and S/MIME) and with voice-over-IP (SIP) as well as with OpenPGP and OTR.  As someone who sees DANE as a powerful reason to deploy DNSSEC, I’m very much looking forward to the discussion in this group and to seeing where DANE is going.

If you are unable to attend IETF 87 in person, you will be able to listen remotely to the DANE working group at its specified time.

Over 8% Of Internet Users Now Use DNSSEC Validation, per Geoff Huston

Yesterday Geoff Huston published a long post on CircleID titled “DNS, DNSSEC and Google’s Public DNS Service” where he walks through the ongoing DNSSEC measurement efforts he and his team have been doing using flash-based advertisements.  I recommend reading through the entire post, but the key part I was pleased to see was simply this:

Since March 2013 we’ve seen the proportion of end users who use DNSSEC resolvers that perform DNSSEC validation rise from 3.3% to 8.1%, or a rise of some 4.7%.

As Geoff notes, most of this rise was due to DNSSEC validation now being performed by Google’s Public DNS service, but his article has some fascinating statistics about where Google Public DNS seems to be being used.

He also lists the countries with the highest percentage of DNSSEC-validating clients.  To no surprise given their long involvement with DNSSEC, Sweden came out on top but a number of the other countries listed may not be the ones you might expect.

It is all very cool to see and I look forward to watching these percentages grow over time!

DNSSEC Workshop Streaming Live Now Out Of ICANN47

If you are interested in the technical side of DNSSEC, there is a great 6+ hour workshop happening right now at ICANN 47 in Durban, South Africa.  You can listen to the audio and watch the slides at:

http://durban47.icann.org/node/39749

I am also live-tweeting some information and links out of our Twitter account at http://twitter.com/deploy360

It is a great agenda bringing together many of the leading researchers and implementers of DNSSEC.  Topics today include:

  • DNSSEC Deployment Around the World
  • DNSSEC for Managers – The Three Spheres
  • Panel Discussion: DNSSEC Activities in Africa – ISPs, Registries, and Registrars
  • Panel Discussion: DNSSEC Obligations in the Registration Accreditation Agreement
  • Presentation: Patrik Fältström, NetNod – Is the World Upside Down?
  • Panel Discussion: DNSSEC Planning and Operation
  • Panel Discussion – DNSSEC Innovation: DANE and Other DNSSEC Applications

(The full agenda is available online.)

If you can’t watch live right now, the sessions are being recorded so that you will be able to watch them later.

Helping Expand DNSSEC Deployment By Working With Shinkuro And Parsons/SPARTA

When we began what would become the Deploy360 Programme about 18 months ago, we were concerned about how our activity regarding promoting DNSSEC deployment would be seen by other groups already active in the space.  For instance we were very aware that there was the DNSSEC Deployment Initiative, funded by the U.S. Department of Homeland Security (DHS), that had been very active for a good number of years.  The program had spawned a whole series of DNSSEC-related tools, a blog, the dnssec-deployment mailing list and other activities.  How could we best complement this existing work?  And would we be seen as a helpful new addition to the overall work?  Or would we be seen as a competitor to be distrusted?

We were concerned and tried to step carefully as we began.  To our delight what we found was a very welcoming community that was very appreciative of the energy and platform that we were bringing to the effort. Over the past year in particular we have worked very closely with both Steve Crocker and his team at Shinkuro, Inc., and Russ Mundy and his tools-focused team at a company originally called SPARTA and now part of a larger company, Parsons.  We’ve been working now with them on a variety of projects, including the monthly “DNSSEC Coordination Calls” that bring together people from across the community and industry interested in promoting and advancing the deployment of DNSSEC (and anyone is welcome to join the dnssec-coord mailing list).

And so it is with great pleasure that we can announce a formal Memorandum of Understanding (MoU) between the Internet Society, Shinkuro, and Parsons related to our combined efforts.  The MoU document, now posted to our site, explains the history and roles of each entity and reaffirms our joint commitment to doing all we can to work with the rest of the larger DNS community to bring about the full deployment of DNSSEC around the world.

Steve Crocker and I had a chance to jointly talk about this MoU and our combined effort at the Internet Society Advisory Council meeting held in Beijing in April. The photo accompanying this post shows us holding the signed MoU.  Russ Mundy was also there earlier in the week for the DNSSEC Workshop that we are all involved with that takes place at ICANN meetings.

The signing of this MoU is an endorsement of the work we are already doing together – and a commitment by all three of us to work together to use the open multi-stakeholder process to involve even more people and organizations and to help the broader world understand how DNSSEC can significantly upgrade the security of the Internet.

We’re looking forward to continuing and expanding our work with Shinkuro and Parsons – and all of you!  Please join us… you can join the dnssec-coord mailing list, join into the DNSSEC communities on social networks or email, follow us on social networks, come to one of our ION conferences or the DNSSEC workshops at ICANN meetings… or just keep following us here on the site!

Let’s get to work and help get DNSSEC deployed everywhere!

Watch “DNSSEC For Everyone – A Beginner’s Guide” Live Today From ICANN47

Want to understand what DNSSEC is all about?  Would you like to understand how DNSSEC helps make DNS more secure?  And why DNSSEC is important?

Today (July 15, 2013) we’ll be streaming the “DNSSEC For Everyone – A Beginner’s Guide” session live out of ICANN 47 in Durban, South Africa. This is a fun session that takes a humorous view on DNSSEC… and includes a number of people (myself included) acting out a skit showing how DNS and DNSSEC work! :-)    Feedback from past sessions is that this all has helped people understand better how this all works – and so we encourage you to watch if you can.

You can watch the video and slides for the session at:

http://icann.adobeconnect.com/dur47-hall1b

An audio-only streaming option is also available from the session page on the ICANN 47 web site.

The session begins at 5:00pm in Durban, South Africa, which is also 5:00pm in central Europe and 11:00am in US Eastern time.

If you can’t watch the event live, I will be recording the video locally and will post a copy to the Deploy360 YouTube channel as soon as I can.

Africa DNS Forum Happening Today And Tomorrow – Live stream / webcast available

Interested in learning about the state of the Domain Name System (DNS) in Africa?  As I mentioned previously, I’m in Durban, South Africa, for the next week for the Africa DNS Forum today and tomorrow and then ICANN 47 next week.  The first Africa DNS Forum is happening right now and you can watch live now:

http://icann.adobeconnect.com/dur47-hall1b

The Africa DNS Forum agenda is posted on the AfTLD website and includes these topics:

  • Trends, opportunities and challenges of the DNS industry
  • Registries Business: Registry Strategies for domain name growth
  • Registrar business: Registrar strategies in a competitive environment
  • Legal Issues: Cross-border domain registrations
  • Registrar Accreditation and accreditation in a borderless environment
  • Governments and ccTLD: Supporting the domain name growth

The sessions are happening today, July 12, 2013, from 8:30 – 17:30 and tomorrow, July 13, from 9:00 – 14:00.  South Africa Standard Time is UTC+2 which is currently the same time as Central European Summer Time and 6 hours ahead of US Eastern time.

Related to our work here at Deploy360, there will be a section of the first panel on Registries Business that will be focused on DNSSEC and how usage can be accelerated for ccTLDs in Africa. I’m looking forward to hearing the presentations and discussions happening over these next two days – many great and exciting things are happening for the Internet in Africa right now!

First Africa DNS Forum To Be Held July 12-13 In Durban, South Africa

What can African registries and registrars do to grow the domain name business in Africa? What role can the African governments play to empower registries and registrars? What can be learnt from successful registries and registrars operating outside Africa and adapted to strengthen their African counterparts? How can cross-border collaborations be set up to strengthen the African DNS Industry? What policies can be implemented to ensure a robust domain name industry? What are the processes that should be implemented to support a structured ccTLD framework? What are the provisions that should exist in order to ensure trust amongst registrants?

These are some of the many questions that are planned for discussion at the first Africa DNS Forum to be held July 12-13, 2013, in Durban, South Africa, just prior to the ICANN 47 event the following week. The DNS Forum is organized by AfTLD and sponsored by the Internet Society and ICANN and is looking to be quite a good event with a program agenda very focused on how to grow business usage of the Internet within Africa.

I (Dan York) will be there attending the event and am looking forward to speaking with people from the region.  I’ll be moderating one of the panels and will also be looking to talk to people informally about DNSSEC and how we can get more African ccTLDs using DNSSEC. I’ll also be encouraging people to attend the DNSSEC workshops that will be part of the ICANN 47 event the following week.

If you are already planning to be in Durban for ICANN 47 I’d encourage you to come a few days early and attend this DNS Forum.  Registration is open to all interested.

Comments? Olle’s Thoughts on SIP (VoIP) and DNSSEC / DANE

How do you think DNSSEC and specifically DANE could be used with the Session Initiation Protocol (SIP) to provide an added layer of security to voice / video communications over IP? (a.k.a. “VoIP”)   I started raising this question back in a presentation at SIPNOC 2013 and again in a recent VUC interview about DNSSEC and VoIP, but today to my delight Olle Johansson dove a bit deeper with a set of slides about SIP and DNSSEC / DANE he posted up on SlideShare. These are just his “brainstorming” a bit about how DNSSEC/DANE could work with SIP – and he has posted them for comment and feedback:

I like that he went deeper than I had done into precisely where in the SIP interactions DNSSEC / DANE could play a role.  Olle is definitely looking for comment which you can leave in many different places (such as SlideShare, this blog post, anywhere it’s posted on social networks) or can send directly to Olle or send out on the DANE working group mailing list.

I’m pleased to see the continued evolution of this discussion… and I look forward to seeing more work happen in this space.  (Note that I’ve set up a page here about DNSSEC and VoIP to track where some of this work is happening (and am always looking for items to add).)