Category: DNSSEC

May 31 Deadline For $40,000 Cybersecurity Grant For DNSSEC, RPKI, BPG and more

ISOC Cybersecurity GrantDo you have an idea for a project related to DNSSEC, RPKI, BGP security or other security technologies? And will that project’s activities take place in the Asia-Pacific region?  (View the list of eligible countries and economies.)

If so, the Information Society Information Fund (ISIF) Asia is seeking proposals for projects that can be funded up to a maximum of $56,000 AUD (roughly $40,000 USD). This “Cybersecurity Grant” is sponsored by the Internet Society as part of our support for the Seed Alliance.

THE DEADLINE TO SUBMIT APPLICATIONS IS TUESDAY, MAY 31!

Please read the Cybersecurity Grant page for more information and follow the instructions for applying.  Please do remember that the project activities must be conducted within one of the economies that ISIF considers to be the Asia Pacific region.  ISIF also provides some guidelines for applicants and a FAQ.

As noted on the page, the focus is around practical solutions for resiliency and security in one of these areas:

  • Naming: innovative approaches to DNSSEC that enhance user confidence in Internet-based services.
  • Routing: support for wider deployment of secure routing technologies (RPKI, BGPSEC) and best practices (MANRS).
  • Measurement: investigate the nature and extent of deployment of security solutions on the Internet.
  • Traffic management: tools to measure Internet traffic congestion and/or traffic management practices OR analysis of traffic management policies and practices.
  • Confidential communications: strategies or solutions to enhance the confidentiality of Internet traffic.
  • Data security and integrity: options for improved data security and/or data breach detection and mitigation.
  • Internet of Things (IoT): security of IoT.
  • Critical Infrastructure: security of computer-controlled systems such as energy grids, transport networks, water supply, sewage, etc.) from cyber attacks.
  • End-user device security: options for improved end-user security.
  • Building security skills in your local community.

We hope that people and organizations within the AP region will apply for this excellent grant opportunity. The application period opened up February 24 – but we thought we’d give one final notice in case people weren’t aware.

We look forward to learning in September about how the recipients will work to make the Internet more secure and resilient!

Watch Live TODAY – DNSSEC Root KSK Ceremony 25 – 13:00 EDT – 17:00 UTC

DNSSEC badgeStarting in about 45 minutes, at 13:00 local time in Culpeper, Virginia, which is 17:00 UTC, you have the opportunity to watch the live stream of the Root KSK key-signing ceremony #25. More info can be found here:

and the direct link for watching is:

Internet Society CITO Olaf Kolkman will be among the participants as he is one of the 14 global “Crypto Officers” who has a role to play in the key signing ceremony. You can see the various roles in the KSK Ceremony 25 script, but perhaps better is to read this excellent description by Olafur Gudmundsson:

Olafur’s text, photos and graphics help explain what is going on.

If you can’t watch live but are interested in what happens, materials will be available after the fact including camera footage and more. (See the example of KSK Ceremony 24 from February 2016.)

While this may not necessarily be as exciting as a rocket launch, these public key signing ceremonies are important to ensure people understand and believe in the trustworthiness of the Root KSK that enables the overall DNSSEC global “chain of trust” to be reliable!

P.S. If you want to get started with DNSSEC yourself, please visit our Start Here page to find resources to help you!

Call for Participation – ICANN 56 DNSSEC Workshop in Helsinki, Finland on 27 June 2016

ICANN56 Helsinki logoDo you have an idea for an innovative use of DNSSEC or DANE? Did you develop a new tool or service that works with DNSSEC? Have you recently deployed DNSSEC or DANE and have some “lessons learned” that you could share? Have you enabled DNSSEC by default in your products? (And why or why not?) Do you have ideas about how to accelerate usage of new encryption algorithms in DNSSEC?

We are seeking presenters on all these topics and more for the DNSSEC Workshop on June 27, 2016, at ICANN 56 in Helsinki, Finland. The full “Call for Participation” is found below.

If you have an idea and will be at ICANN 56 (or can get there), please send a brief email to dnssec-helsinki@isoc.org by Wednesday, May 18.

Thank you!


Call for Participation — ICANN DNSSEC Workshop at ICANN 56 in Helsinki, Finland

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 56 meeting on 27 June 2016 in Helsinki, Finland. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN  55 meeting in Marrakech, Morocco, on 09 March 2016. The presentations and transcripts are available at: https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec.

Examples of the types of topics we are seeking include:

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:
— What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
— What do you expect DNSSEC to do for you and what doesn’t it do?
— What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. DNSSEC by Default

As more and more applications and systems are available with DNSSEC enabled by default, the vast majority of today’s applications support DNSSEC but are not DNSSEC enabled by default. Are we ready to enable DNSSEC by default in all applications and services? We are interested in presentations by implementors on the reasoning that led to enable DNSSEC by default in their product or service. We are also interested in understanding those that elected not to enable DNSSEC by default and why, and what their plans are.

3. DNSSEC Encryption Algorithms

How do we make DNSSEC even more secure through the use of elliptic curve cryptography? What are the advantages of algorithms based on elliptic curves? And what steps need to happen to make this a reality? What challenges lie in the way? Over the past few months there have been discussions within the DNSSEC community about how we start down the path toward adding support for new cryptographic algorithms such as Ed25519 and Ed448. At ICANN 55 in Marrakech we had a panel session that explored why elliptic curve cryptography was interesting and some high level views on what needs to happen. At ICANN 56 we are interested in presentations that dive into greater detail about what needs to be done and how we start the process. More background information can be found in this document: https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-helsinki@isoc.org by Wednesday, 18 May 2016.

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Call for Participation – DNSSEC Workshop at ICANN 56 in Helsinki, Finland on 27 June 2016

ICANN56 - Helsinki logoThe DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 56 meeting on 27 June 2016 in Helsinki, Finland. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN  55 meeting in Marrakech, Morocco, on 09 March 2016. The presentations and transcripts are available at: https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec.

Examples of the types of topics we are seeking include:

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:
— What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
— What do you expect DNSSEC to do for you and what doesn’t it do?
— What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. DNSSEC by Default

As more and more applications and systems are available with DNSSEC enabled by default, the vast majority of today’s applications support DNSSEC but are not DNSSEC enabled by default. Are we ready to enable DNSSEC by default in all applications and services? We are interested in presentations by implementors on the reasoning that led to enable DNSSEC by default in their product or service. We are also interested in understanding those that elected not to enable DNSSEC by default and why, and what their plans are.

3. DNSSEC Encryption Algorithms

How do we make DNSSEC even more secure through the use of elliptic curve cryptography? What are the advantages of algorithms based on elliptic curves? And what steps need to happen to make this a reality? What challenges lie in the way? Over the past few months there have been discussions within the DNSSEC community about how we start down the path toward adding support for new cryptographic algorithms such as Ed25519 and Ed448. At ICANN 55 in Marrakech we had a panel session that explored why elliptic curve cryptography was interesting and some high level views on what needs to happen. At ICANN 56 we are interested in presentations that dive into greater detail about what needs to be done and how we start the process. More background information can be found in this document: https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-helsinki@isoc.org by Wednesday, 18 May 2016.

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

DNS-OARC 24 Streaming Live March 31 / April 1 from Buenos Aires

OARC 24

Today and tomorrow you have a great opportunity to listen to some of the newest research into the Domain Name System (DNS) operations and security through the live video stream of the 24th meeting of the DNS Operations Analysis and Research Center (DNS-OARC). You can watch live at:

https://www.youtube.com/c/DnsoarcNetPlus/live

and view the past recordings on the DNS-OARC YouTube channel.  The DNS-OARC 24 agenda covers a wide range of topics related to the overall operations of DNS.  Some of the sessions that Deploy360 readers may find of interest include:

  • Thursday, March 31
    • How we are developing a next generation DNS API for applications
    • State of the “DNS privacy” project: running code
    • QNAME minimisation in Unbound (DNS privacy)
  • Friday, April 1
    • Knot DNS Resolver
    • Threshold-Cryptography Distributed HSM
    • Review and analysis of attack traffic against A-root and J-root on November 30 and December 1, 2015
    • ECDSA – Reviewed
    • Rolling the Root Key
    • Algorithm roll-over experiences
    • Panel: DNSSEC algorithm flexibility

The last four sessions that I highlighted in bold all fit into the larger work of moving to use newer elliptic curve cryptographic algorithms within DNSSEC that I wrote about recently.  As I mentioned in that article, I’ll be moderating this final panel tomorrow afternoon.

I would encourage people to tune in and watch the sessions.  Do visit the DNS-OARC 24 timetable to find out the times when different sessions will be happening. All times are in Argentina time (ART) which is UTC-3.

And if you want to get started with DNSSEC yourself, please visit our Start here page to begin.

Image credit: a photo of the DNS-OARC 24 room I took this morning.

 

The Next Steps Toward Increasing The Security of DNSSEC with Elliptic Curve Cryptography

How do we make DNSSEC even more secure through the use of elliptic curve cryptography?  What are the advantages of algorithms based on elliptic curves?  And what steps need to happen to make this a reality?  What challenges lie in the way?

Over the past few months we’ve been discussing these questions within the community of people implementing DNSSEC, with an aim of increasing both the security and performance of DNSSEC.  Ondřej Surý of CZ.NIC Labs has been leading the way both with writing Internet drafts (draft-ietf-curdle-dnskey-ed25519 and draft-ietf-curdle-dnskey-ed448) and also in helping to organize sessions at various events.

Here’s a brief view of where that discussion has and will be taking place:

  • 9 March 2016 – a panel session at ICANN 55 DNSSEC Workshop in Marrakech, Morocco- (see below)
  • 1 April 2016 – a panel session at DNS-OARC in Buenos Aires
  • 5 April 2016 – a discussion of the drafts in the CURDLE Working Group at IETF 95
  • 6/8 April 2016 – a discussion of another draft in the DNSOP Working Group to reduce usage of older DNSSEC crypto algorithms
  • 23-27 May 2016 – a panel session at RIPE 72 in Copenhagen, Denmark
  • 27 June 2016 – a proposed panel session at the ICANN 56 DNSSEC Workshop in Helsinki, Finland

Let me provide a quick overview of what happened at ICANN 55 and then explain a new Internet draft that came out of that experience.

ICANN 55 DNSSEC Workshop

At ICANN 55 in Marrakech, we had a panel that I moderated where we presented several different viewpoints about how we go about implementing new DNSSEC algorithms and what are the challenges.  I started out with a presentation where I outlined some of the challenges in this set of slides:

I was then followed by four panelists (links are to the slide decks three of the four panelists had):

Geoff started out giving an overview of what APNIC’s research had found in the support of a current elliptic curve algorithm (ECDSA) in DNS resolvers (remembering that there are two sides to DNSSEC).  Jim Galvin then provided a view of DNSSEC algorithms from a registry perspective.  Olafur reported on the experience CloudFlare had rolling out ECDSA support and Ondřej wrapped up the session explaining the two new elliptic curve algorithms proposed for DNSSEC.  There were a good number of questions asked and it was a healthy discussion.

Our Internet Draft on new deploying DNSSEC algorithms

After that ICANN 55 session, I went back and wrote up a summary of what we learned out of that discussion and then incorporate further input from Ondřej, Ólafur and Paul Wouters and turned that into a new Internet-draft:

draft-york-dnsop-deploying-dnssec-crypto-algs

As I said in the abstract:

As new cryptographic algorithms are developed for use in DNSSEC signing and validation, this document captures the steps needed for new algorithms to be deployed and enter general usage. The intent is to ensure a common understanding of the typical deployment process and potentially identify opportunities for improvement of operations.

We are looking forward to further discussion – and welcome any and all feedback on the document.

The DNS-OARC panel on Friday, April 1

Which leads to a mention of the next discussion happening on this Friday, April 1, at the DNS-OARC 24th meeting happening in Buenos Aires right before IETF 95.  The very last session from 1700-1745 ART (UTC-3) will be on “DNSSEC algorithm flexibility” .  I’ll be moderating the panel again and the focus this time will be on software implementations and what needs to be done there to support more encryption algorithms.  Ondřej will be part of the panel along with Paul Wouters (Red Hat), Evan Hunt (ISC / BIND) and several others.

I’m told their will be a live stream of the DNS-OARC session and it should be accessible from the DNS-OARC Google+ page. I’ll update this post once I have an exact URL.

Our goal with all of this work is to lay out a solid path forward to bringing strong elliptic curve algorithms to DNSSEC – and then making that plan a reality.  The end goal is an even more secure DNSSEC infrastructure that brings about an even more trusted DNS.

We’d welcome your comments and assistance with this – please do send us comments on the Internet Draft (email addresses at the end) or comment here or on social media about any of this.  We need many different people helping move this forward!

P.S. If you are not yet using DNSSEC, please visit our Start Here page to begin!

Madagascar Signs .MG With DNSSEC As Part Of “Internet Day”

Madagascar DNSSEC

Last week the island country of Madagascar became the latest country-code top-level domain (ccTLD) to sign their .MG domain with DNSSEC.  As we note in the steps for signing a domain, having a signed TLD is critical so that your domain can tie into the global “chain of trust” that provides the added security of DNSSEC.

Now that this step has been completed, the next steps will involve the registrars and DNS hosting providers for .MG domains making DNSSEC signing accessible to .MG domain registrants.

I’ll note that the DNSSEC signing of .MG was part of a broader set of activities that took place on March 17, 2016, as part of “Internet Day 2016” withing Madagascar.  My colleague Michuki Mwangi was there and wrote about the activities that also included the launch of an Internet exchange point (IXP).  Judging by his photos, it looks like an interesting event!

We congratulate the .MG team for the signing!  It’s great to see the Africa part of our DNSSEC Deployment Maps get a bit more green – and we look forward to seeing even more ccTLDs sign their domains.

If you are interested in gaining the added level of trust in your domain that comes with DNSSEC, please visit our Start Here page to begin!

P.S. Madagascar will start appearing in our weekly DNSSEC deployment maps as green beginning next Monday, March 28, 2016.

WATCH LIVE Today – DNSSEC For Everybody: A Beginner’s Guide, from ICANN 55

ICANN 55 entrance

Want to learn about DNSSEC and how it helps add a layer of trust to DNS? Puzzled by how this all works?   If so, please join us today from 16:45 to 18:15 UTC for “DNSSEC for Everybody: A Beginner’s Guide” streaming live out of Marrakech, Morocco, in both audio and video on links found off of this page:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

(The video and slides are provided via the “Virtual Meeting Room Stream Live” link.)

The session consists of an introduction and then a skit where a group of us act out DNS operations – and then add DNSSEC into the picture.

Yes… you heard that right… a bunch of engineers acting out a skit about DNS!   :-)

Hey… you might as well have a bit of fun with it, eh?  And our history has told us that this skit has helped people tremendously in understanding DNS and DNSSEC.  We also have some other technical information and usually spend about half the session answering questions from participants.

Please do join us!

This tutorial today is part of a larger set of DNSSEC activities planned for this week.  As the session abstract says:


DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues.

Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.

The session is aimed at everyone, so no technical knowledge is required. Come and find out what it’s all about…!


If you can’t view it live the session will be recorded for later viewing.  And if you want to get started today with DNSSEC, please see our Start Here page to begin!

 

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

ICANN 55 logoStarting this Friday, March 5, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events:  the Africa DNS Forum 2016 and the 55th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN).

Some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday.  Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process.  Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the  main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET) which is the same as UTC.


Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016


Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016

I will be in the audience listening to what looks to be a great set of panelists.


DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15  where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.


DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event.  This is the one event where there is no remote participation possible.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 –Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion:  DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00 where will I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology.  Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

https://meetings.icann.org/en/marrakech55/schedule/wed-board-technical


If you will be there at either the Africa DNS Forum 2016 or  ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Azerbaijan (.AZ) Becomes Latest ccTLD To Sign With DNSSEC

Azerbaijan signs .AZ with DNSSEC

Earlier this month Azerbaijan’s .AZ became the latest country-code top-level domain (ccTLD) to sign the domain with DNSSEC and complete the first step in allowing all domains underneath .AZ to obtain the higher level of security possible with DNSSEC.    This is, of course, just the first step.  As we outline in our tutorial, the next steps are that registrars and DNS hosting providers for .AZ need to now support the DNSSEC-signing of domains.  But it’s a good step to see!

We saw this signing come through on Rick Lamb’s DNSSEC Deployment Report and could easily verify it on the command-line using the command “dig dnskey az.” which shows the relevant DNSKEY records. (As well as “dig ds az.” that shows the existence of the DS record.)

A great step forward for Azerbaijan – and we look forward to seeing even more of the countries on our DNSSEC Deployment Maps filled in with green over the months ahead!

If you want to get started with DNSSEC, please visit our Start Here page to begin!