Category: DNSSEC

Missed The VUC Hangout About DNSSEC and VoIP? Watch The Recording…

Interested in learning more about how DNSSEC can potentially work with VoIP?  If you missed the VoIP Users Conference (VUC) Hangout in Google+ back on May 3 where I discussed this topic, you can now watch the archive at:

It was a very enjoyable presentation and I do thank VUC host Randy Resnick for having me on the show.

I’ll note that I also have posted a set of slides about DNSSEC and VoIP, and we’ve now set up a “DNSSEC and IP Communications” page here on Deploy360 where we will continue to add resources as we become aware of them.

InfoWorld Promotes DNSSEC To Boost Internet Security

We were very pleased to see InfoWorld publish an article this week by Roger Grimes titled “Boost your Internet security with DNSSec” that lays out the case for implementing DNSSEC and explains the validation side of DNSSEC.  Given the large audience that InfoWorld has, it is good to see DNSSEC getting this coverage.

I’d suggest another useful resource for people reading that article would be SURFNet’s white paper about enabling DNSSEC validation in DNS resolvers as that paper provides step-by-step guidance to enabling validation in BIND, Unbound and Windows Server 2012.

I’d also note for people wanting to experiment with DNSSEC validation, Google’s Public DNS servers do now support DNSSEC and so you can at least temporarily point your system to Google’s servers to try out validation.  As we’ve also noted in the past, anyone who is a Comcast subscriber in North America also has DNSSEC validation happening by default, as do people using many of the ISPs in Sweden, Brazil and the Czech Republic.

As I noted at the beginning, the article covers the validation side of DNSSEC, but for that to really work we also need to get more domains signed with DNSSEC.  I would encourage people to look at our tutorials on how to sign your domain using common registrars – and to ask your registrar when they will let you use DNSSEC if they are not on the list of DNSSEC-capable registrars maintained by ICANN.

Again, it’s great to see InfoWorld covering DNSSEC and I do hope they’ll provide more such articles in the future.  If we can get DNSSEC deployed more widely we’ll go very far in upgrading the security of the Internet!

P.S. I was also intrigued by Grimes’ link to this video of a DNSSEC app for Android from back in 2011.  It looks like a basic browser to check the DNSSEC status of sites.  I may have to investigate a bit more.

DNSSEC Test Sites

If you have a new application or service where you want to test how DNSSEC validation works, the sites listed below are ones you can use.  If you want to test validation of the DANE protocol, please see our separate page of DANE test sites.

Note that the sites below are domain names and websites with either good or deliberately mis-configured DNSSEC signatures.  If you are looking for web sites offering tools or services where you can test the status of DNSSEC, please see our list of DNSSEC tools.

Sites With Good DNSSEC Signatures

Today there are millions of domain names out there with valid DNSSEC signatures and so you have many, many options.  Two of the domains you can use to obtain valid signatures are:

  • internetsociety.org
  • ietf.org

If you are testing web validation, the addresses are:

Sites With Bad DNSSEC Signatures

The more interesting tests to perform are with domains that are bad and will generate an error in your application or service.  The following sites have been deliberately mis-configured with bad DNSSEC signatures:

  • dnssec-failed.org (operated by Comcast)
  • rhybar.cz (operated by CZ.NIC)

On the web, they are:

The DNSSEC Tools site at http://www.dnssec-tools.org/ also provides a test in that if you connect to the site and do not perform DNSSEC validation you will see an image appear on the page telling you that you are connecting insecurely.
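The check this section describes, as an added example that is not part of the original page: it builds a query with the DO bit set and classifies a resolver from its responses for one correctly signed name and one deliberately broken name. The function names and the sample response headers are constructed for illustration, and an IPv4 resolver address is assumed.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qid=0x1234):
    """A-record query with RD and AD set, plus an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL carries the DO flag (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_flags(resp):
    """Return (rcode, ad_bit, answer_count) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, bool(flags & 0x0020), ancount

def classify(good_resp, bad_resp):
    """Judge a resolver from its answers for a well-signed and a broken name."""
    good_rcode, good_ad, _ = parse_flags(good_resp)
    bad_rcode, _, bad_answers = parse_flags(bad_resp)
    if good_rcode != NOERROR:
        return "inconclusive"        # resolver fails even on the good name
    if bad_rcode == SERVFAIL:
        return "validating" if good_ad else "validating (AD not passed through)"
    if bad_rcode == NOERROR and bad_answers:
        return "not validating"      # bogus data was handed to the client
    return "inconclusive"

def ask(resolver_ip, name, timeout=3.0):
    """Send one query over UDP and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def sample(flags, ancount):
    """Constructed 12-byte response header, not captured traffic."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)

GOOD_AD = sample(0x81A0, 1)       # QR RD RA AD, NOERROR
GOOD_PLAIN = sample(0x8180, 1)    # QR RD RA, NOERROR
BAD_SERVFAIL = sample(0x8182, 0)  # QR RD RA, SERVFAIL
BAD_ANSWERED = sample(0x8180, 1)  # QR RD RA, NOERROR with an answer
```

For a live check, pass `ask(resolver, "internetsociety.org")` and `ask(resolver, "dnssec-failed.org")` to `classify`, where `resolver` is the address of the resolver under test.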

Adding More Sites

If you have a site with an interesting DNSSEC configuration you think would be useful for others to use in testing, please contact us so that we can consider adding it to this list.

Please note that our list of DANE test sites includes sites and domains that are also signed with DNSSEC.

Seeking DNSSEC Speaking Proposals For ICANN 47 DNSSEC Workshop in Durban, South Africa

Interested in sharing your experience implementing DNSSEC?  Have a new tool or service for DNSSEC you would like to demonstrate? Are you experiencing a challenge with getting DNSSEC implemented that you think the larger community should be aware of? Have you found a new and interesting use for DNSSEC?  Or done something new with the DANE protocol?

If so, and if you are planning to attend ICANN 47 in Durban, South Africa, the program committee (of which I am a member) for the DNSSEC Workshop at ICANN 47 is actively seeking proposals to include in the workshop.  As noted in the Call For Participation, we are seeking presentation ideas on topics such as:

  • DNSSEC Activities in Africa
  • The Operational Realities of Running DNSSEC
  • DNSSEC and Enterprise Activities
  • When Unexpected DNSSEC Events Occur
  • Preparing for Root Key Rollover
  • DNSSEC: Regulative, Legislative and Persuasive Approaches to Encouraging Deployment
  • DANE and Other DNSSEC Applications
  • Use of DNSSEC in the Reverse Space

Please see the Call For Participation for more details.

We are also open to presentations related to DNSSEC that don’t fit exactly in one of these listed topics.  We’ve already got a great list of presentations but we still could add a few more.

You can view the program and presentations from the ICANN 46 DNSSEC Workshop in Beijing to understand the kind of presentations we are seeking. I’ll note that we’re changing the format a bit for ICANN 47 to have fewer presentations for longer periods of time. We felt it was a bit rushed in the Beijing workshop.

If you are interested, all you need to do is send a brief description (1-2 sentences) of your proposed presentation to dnssec-durban@shinkuro.com, ideally by today, June 10th, as we are working to finalize the program to publish it on the website.

Thanks – and we’re looking forward to another great event in Durban!  If you are not able to attend in person, the event will be streamed live and also archived for later viewing.

Great news! .TV and .CC Now Signed With DNSSEC

Great news out of Verisign today – they have signed the .TV and .CC domains with DNSSEC!


Per ICANN’s TLD DNSSEC report, this means that we’re now at 107 TLDs out of 317 with DS anchors in the root zone.  Great to see!

So now… if you have a domain in the .TV or .CC TLDs, you, too, can benefit from the increased security of DNSSEC and can ensure that people connecting to your domain are in fact getting to the servers and sites you want them to connect to.

Given that the TLDs were just signed today, it may take a few days for registrars and DNS hosting providers to support connecting .TV and .CC domains into the global chain of trust… but it can’t hurt to ask those registrars and providers when they will provide this support! ;-)   For more information, see:  How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars.

Kudos to the teams at Verisign, .TV and .CC for making this happen!

Video: My Discussion of DNSSEC and DANE with VoIP / SIP on The VUC

What role could DNSSEC potentially play to help better secure voice-over-IP (VoIP)? How could the DANE protocol help provide a stronger level of security to SSL/TLS certificates used in VoIP? What VoIP software out there right now works with DNSSEC?

Back on May 3, 2013, I participated in a VoIP Users Conference (VUC) call on precisely these questions. In the call, which ran for close to 90 minutes, I outlined what DNSSEC and DANE are all about, how they work in a web browser world, and how they could potentially work in a world of VoIP with SIP. We also discussed the current support for DNSSEC in the Jitsi softphone and the Kamailio SIP server. There was also a healthy question and answer period where we went off on different tangents. I referenced a presentation I made at SIPNOC 2013, and the slides for that presentation as well as other resources are available from the Deploy360 DNSSEC and VoIP page.

It was a great call and the video is available on YouTube:

If you want to just listen to the audio, you can play or download it from the VUC episode page.




DNSSEC and DNS Security Talks At DNS-OARC Spring Forum Streaming Live Out of Dublin Today And Tomorrow

Can’t get to Dublin, Ireland, to attend the DNS-OARC Spring Forum 2013 but interested in all the DNS and DNSSEC-related talks?  The good news is that there is a webcast / livestream of the event via Adobe Connect at:

 http://icann.adobeconnect.com/dns-oarc/

As I wrote about last week, there are a good number of the talks related to DNSSEC and DNS security. The event has been extremely interesting so far today.

To watch the livestream, you should reference the DNS-OARC timetable – and remember that all times are Irish Standard Time (currently UTC/GMT+1).

Slides for the talks are also listed on the timetable page.

I’ll be speaking this afternoon at 5:35pm Dublin time about some of the challenges we’ve seen related to DNSSEC deployment and asking for feedback.

Tomorrow morning, Monday, May 13, the timetable is full of DNSSEC talks from 9:00 to 10:40 am that should make for good listening.

 

RIPE66 Next Week: Sessions on IPv6, DNS and Routing

Next week in Dublin, Ireland, the RIPE 66 Meeting will take place from May 13-17 and a number of Internet Society technical staff will be onsite including two of us from Deploy360: Jan Zorz and myself (Dan York).  The meeting plan has a great number of topics of interest, but two in particular that we’ll be tracking include:

Best Current Operational Practices – Efforts from the Internet Society
Monday, 13 May 16:00-17:00 (Irish Standard Time – currently UTC+1)
Jan will be speaking about the work he has been doing to explore how information from the operations community can best be made more widely available – and asking for feedback from those attending.

Panel: Seven Years of Anti-Spoofing: What Happened Since the RIPE Task Force and What Still Needs to be Done
Tuesday, 14 May 16:00-17:00
Our Internet Society colleague Andrei Robachevsky along with Benno Overeinder of NLnet Labs will be moderating this panel of network operators, security experts and vendors to dive into the issue of spoofed IP addresses and how they contribute to Distributed Denial-of-Service (DDoS) attacks.   Given that there are known mitigation approaches such as BCP 38, why are DDoS attacks still so common? What can the larger operator community be doing to combat IP spoofing?

This last session is extremely relevant to the new Routing Resiliency/Security section of the site that we are seeking to build out, so we’ll definitely be listening to the conversations and feedback.

Naturally we’ll also be paying attention to these working group sessions:

The event will be streamed live and as soon as we have that information we’ll update this post.

We’re very much looking forward to the RIPE 66 event – if you are going to be there please do say hello!

Excellent DNSSEC Sessions Coming Up At DNS-OARC Spring Forum This Weekend

This weekend begins the “Spring Forum” of the Domain Name System Operations Analysis and Research Center, a.k.a. “DNS-OARC” and it once again represents a gathering of many of the prominent people within the DNS / DNSSEC community.  The event takes place in Dublin, Ireland, on the Sunday and Monday morning prior to the RIPE 66 meeting happening for the rest of the week.

Looking at the list of contributions to the DNS-OARC Spring Forum, a number are related to DNSSEC and I’m quite looking forward to listening to them.  They include:

DNS Security: Beyond DNSSEC, A “He Must Be Nearing Retirement” Manifesto
Ed Lewis said on a call that he’s going to be talking about ways he thinks DNS can be better secured. Ed has been around the DNS/DNSSEC world for a long time, so I’m looking forward to his ideas.

Measuring DNSSEC
Geoff Huston recently published a long blog post about “Measuring DNSSEC Performance” that got quite deep into analysis. I am assuming Geoff and George Michaelson will be explaining their findings live at this event.

The Use of Elliptic Curve Cryptography in DNSSEC
This presentation by Francis Dupont should be an interesting view into the viewpoint that we ought to be doing more with elliptic curve cryptography (and specifically ECDSA) within DNSSEC.

GPU-based NSEC3 Hash Breaking
Based on the description, this appears to be about a tool that can be used to break the hashes used in NSEC3 records. Not entirely sure where this one is going… so I will be interested to hear it.

Next Steps In Accelerating DNSSEC Deployment
How do we get DNSSEC more rapidly deployed? I’ll be speaking about what we’ve found in the process of developing the DNSSEC side of Deploy360 as well as what has come up through the dnssec-coord mailing list / conference calls and other industry efforts.

Beyond those DNSSEC-related sessions, I’m definitely interested in the sessions around DNS amplification attacks, DNS monitoring and really all the other topics. Definitely a place for those of us interested in DNS and DNSSEC to gather!

I don’t believe there is a livestream, but I do believe the slides will be available as links off the agenda page as they become available.  If you are going to be there at the DNS-OARC Spring Forum, do say hello – and please do let me know your ideas around how we can help here at Deploy360 with resources related to DNSSEC deployment.

Speaking Live On VUC Podcast About DNSSEC And VoIP/UC on Friday, May 3

Would you like to chat with me (Dan York) about DNSSEC and DANE and how they might work with voice-over-IP (VoIP) and unified communications (UC)? Or would you just like to listen to my views on the subject?

If so, you can join in to the live “VoIP Users Conference (VUC)” conference call / podcast at 1:00pm US Eastern on Friday, May 3, 2013.

Based off of some of the information I shared in my SIPNOC presentation last week about DNSSEC and VoIP, I’ll be giving an overview of both DNSSEC and DANE and then opening a conversation about what possibilities there might be to use DNSSEC/DANE to provide a higher level of security to VoIP and other forms of IP telecom.

I’ll also be pointing people to our new “DNSSEC and IP Communications” page where I’m starting to list some of the VoIP tools and services out there now that work with DNSSEC (and I’m looking for more items to add).

To join the call, you can either connect in to the Google+ Hangout at 1:00 pm US Eastern – or alternatively call in via the SIP, Skype or regular old phone numbers listed on the top of the VUC page for the episode. There is also an IRC backchannel where text chat occurs during the episodes.

If you can’t listen live, the show will be recorded and you can listen to it later.

I’ve been a participant in the VUC shows for several years and it’s a good group of people and always some interesting conversation. They happen every Friday normally at 12 noon US Eastern – but due to a scheduling conflict I’m going on at 1:00pm.  Do tune in tomorrow and join us in the conversation about DNSSEC and VoIP!