Category: DNSSEC

Congratulations to Argentina On DNSSEC-Signing of .AR!

Congratulations to Argentina on becoming the latest country to sign their country-code top-level-domain (ccTLD), with DNSSEC!  Today we are very pleased to update our DNSSEC Deployment Maps and give Argentina a shade of green for .AR!  Here’s how the maps looked between last Monday and today:

Argentina and DNSSEC

Awesome to see!

And obviously perfect timing for the ICANN 53 meeting next week in Buenos Aires where we’ll be talking all about DNSSEC at numerous sessions!

Congratulations to the whole team at NIC.AR for making this happen. Now all the people who register domains underneath .AR will at least have the possibility of adding the layer of security and trust that DNSSEC can provide. They will also be able to potentially use DANE and other new innovations that build upon DNSSEC.

The next step, of course, is for the registrars and DNS hosting providers who support .AR domains to allow registrants to use DNSSEC.  But that wouldn’t be possible without this first step of signing the .AR ccTLD.

Congrats and we’re looking forward to celebrating with the NIC.AR team in Buenos Aires!

P.S. If you would like to get started with DNSSEC, please visit our Start Here page to learn how to begin!   And if you would like to receive our weekly DNSSEC deployment maps, we have information about how you can subscribe.

Agenda Available for ICANN 53 DNSSEC Workshop on 24 June 2015 in Buenos Aires

It’s time to talk DNSSEC and DANE in Latin America! The DNSSEC Workshop at ICANN 53 in Buenos Aires will take place on Wednesday, 24 June 2015, from 9:00 to 15:15 ART. NOTE THE LATER START TIME! Previously the workshops started at 8:30am but this time our start is 9:00.

Remote participation information, slides, the agenda and more info can be found at:

https://buenosaires53.icann.org/en/schedule/wed-dnssec

The sessions will be recorded if you would like to listen to them later. Slides will be posted as the date gets closer.

The current agenda includes (all times are Argentina Time (ART) which is UTC-3):

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-1030 – Panel Discussion: DNSSEC Activities in the Latin American Region

  • Moderator/Presenter: Luciano Munichin, NIC.AR
  • Panelists:
    • Luis Diego Espinoza, Consultant, Costa Rica
    • Carlos Martinez, LACNIC
    • Gonzalo Romero, .CO
    • Frederico Neves, .BR
    • Hugo Salgado, NIC.CL
1030-1100 – Presentation: Update on DNSSEC KSK Root Key Rollover

  • Ed Lewis, ICANN
1100-1115 – Break
1115-1215 – Panel Discussion: DNSSEC Automation

  • Moderator: Russ Mundy, Parsons
  • Panelists:
    • Eberhard Lisse, .NA – Proof of Concept on Smart Card HSM to Automate Key Signing
    • Robert Martin-Legène, Packet Clearing House — PCH DNSSEC Signing Service
    • Joe Waldron, Verisign – Verisign DNSSEC Signing Service
1215-1230 – Great DNS/DNSSEC Quiz

  • Paul Wouters, Fedora
1230-1330 – Lunch Break
1330-1445 – Demonstrations and Presentations: DANE and Applications

  • Moderator: Dan York, Internet Society
  • Panelists:
    • Jaap Akkerhuis, NLNetLabs – Demonstration on Opportunistic Encryption
    • Wes Hardaker — Presentation on Opportunistic SMTP Encryption
    • Jacques Latour, CIRA — Demonstration of DNSSEC Open PGP Keys and Encryption of Email
    • Danny McPherson, Verisign Labs — Demonstration of Running Code for DANE S/MIME and Practical Tools
    • Paul Wouters, Fedora – Opportunistic IPsec
1445-1500 – Presentation: Deploying New DNSSEC Algorithms

  • Dan York, Internet Society
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

We look forward to seeing you there!

DNSSEC And DANE Activities At ICANN53 In Buenos Aires On 22-24 June

Next week we’ll be in Buenos Aires, Argentina, for the 53rd meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) and as per usual there will be a great amount of DNS security activity happening.  Some great introductions to DNSSEC and DANE – and some outstanding technical talks (and demos!) on Wednesday. Here are the three main activities – remote participation is available for two of them.  Do note that all times are Argentina Time (ART) which is UTC-3.


DNSSEC For Everybody: A Beginner’s Guide

On Monday, 22 June 2015, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 17:00-18:30 ART where we’ll do our “skit” dramatizing DNS and DNSSEC.  If you have been seeking to understand WHY this all matters, do join in to see!  You can watch it remotely (or watch the archive later) at:

https://buenosaires53.icann.org/en/schedule/mon-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do… and I’ll be in the skit because, why not? :-)


DNSSEC Implementers Gathering

After the DNSSEC For Everybody session on Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby Irish pub (yes, in Argentina!) for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:30-21:30 ART.  Many thanks to CIRA, NIC.AR and SIDN for sponsoring this event.  If you will be at ICANN 53 and would like to join, please RSVP to Julie Hedlund by the end of the day on Thursday, 18 June.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, 24 June 2015, from 9:00 to 15:15 ART. NOTE THE LATER START TIME! Previously the workshops started at 8:30am but this time our start is 9:00.

Remote participation information, slides, the agenda and more info can be found at:

https://buenosaires53.icann.org/en/schedule/wed-dnssec

The sessions will be recorded if you would like to listen to them later.  Slides will be posted as the date gets closer.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-1030 – Panel Discussion: DNSSEC Activities in the Latin American Region

  • Moderator/Presenter: Luciano Munichin, NIC.AR
  • Panelists:
    • Luis Diego Espinoza, Consultant, Costa Rica
    • Carlos Martinez, LACNIC
    • Gonzalo Romero, .CO
    • Frederico Neves, .BR
    • Hugo Salgado, NIC.CL
1030-1100 – Presentation: Update on DNSSEC KSK Root Key Rollover

  • Ed Lewis, ICANN
1100-1115 – Break
1115-1215 – Panel Discussion: DNSSEC Automation

  • Moderator: Russ Mundy, Parsons
  • Panelists:
    • Eberhard Lisse, .NA – Proof of Concept on Smart Card HSM to Automate Key Signing
    • Robert Martin-Legène, Packet Clearing House — PCH DNSSEC Signing Service
    • Joe Waldron, Verisign – Verisign DNSSEC Signing Service
1215-1230 – Great DNS/DNSSEC Quiz

  • Paul Wouters, Fedora
1230-1330 – Lunch Break
1330-1445 – Demonstrations and Presentations: DANE and Applications

  • Moderator: Dan York, Internet Society
  • Panelists:
    • Jaap Akkerhuis, NLNetLabs – Demonstration on Opportunistic Encryption
    • Wes Hardaker — Presentation on Opportunistic SMTP Encryption
    • Jacques Latour, CIRA — Demonstration of DNSSEC Open PGP Keys and Encryption of Email
    • Danny McPherson, Verisign Labs — Demonstration of Running Code for DANE S/MIME and Practical Tools
    • Paul Wouters, Fedora – Opportunistic IPsec
1445-1500 – Presentation: Deploying New DNSSEC Algorithms

  • Dan York, Internet Society
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

The whole ICANN 53 should be a great event and I’m very much looking forward to it!  Beyond our work with DNSSEC, DANE and DNS security, there will also be a great amount of public policy work happening as well.

If you will be there at ICANN 53 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

DNS-OARC 2015 Spring Workshop This Weekend (May 9-10) Covers DNSSEC and DNS Security

The 2015 Spring Workshop of the DNS Operations Analysis and Research Center (DNS-OARC) takes place this weekend, May 9-10, right before the RIPE 70 meeting in Amsterdam. As per usual the agenda is packed full of all sorts of sessions related to DNS in general, with a number getting into DNSSEC and overall DNS security.  Here’s the full agenda:

https://indico.dns-oarc.net/event/21/timetable/#all

There are currently 137 people scheduled to attend, representing a broad range of participants across the DNS community.  I will not be there myself, but know a great number of the people who will be in the room.

Sessions of Interest

Saturday looks to have some great sessions related to operational experience with various attacks against the DNS, including distributed denial of service (DDoS) attacks.  These kinds of actual case studies in handling attacks are incredibly useful to get out to the wider community.

Sunday morning begins with a series of DNSSEC-related talks:

  • Observations on DNSSEC and ECDSA in the wild – by Geoff Huston of APNIC
  • Effects of Increasing the Root Zone ZSK Size – by Duane Wessels of Verisign Labs
  • Signing DNSSEC answers on the fly at the edge: challenges and solutions! – by Olafur Gudmundsson of CloudFlare

All of those are ones I’d love to see – I’m hoping there will be a video recording as they start at 9:00 am in Amsterdam… which is 3:00 am here on the US East Coast where I live.  As much as I’d like to see them… well… I can’t see me getting up that early! :-)

The remainder of Sunday includes a great number of talks that I’d personally find interesting, diving into various tools, analytics, testing and more.  A couple of interest to those focused on DNSSEC include:

  • 14:30 – Plan for Decommissioning the DLV – by Jim Martin of ISC
  • 17:05 – Update on the DNS Root Key Rollover work – by Ed Lewis of ICANN

This last talk, in particular, should be useful to hear the status of the work related to the Root KSK rollover. (See our background page on why this matters.)

Remote Participation

I don’t see any information on the DNS-OARC website right now about remote participation, but the sessions are almost always streamed live.  Given that the event is co-located with RIPE 70, I suspect that they may make use of the RIPE 70 live streaming. I’d watch the RIPE 70 remote participation page or the main 2015 Spring Workshop page for more information.

The good news is that all the materials should be available from links off of the main agenda page, so at least we who are remote should be able to see what slides were discussed.

I also see Stéphane Bortzmeyer is among the attendees and when he is at an event he is usually tweeting out a good bit at https://twitter.com/bortzmeyer, so that’s another way to stay up to date, along with the #DNSOARC hashtag search.

If you are there in Amsterdam, I hope you do have a great DNS-OARC meeting and I look forward to hearing the results.

Another Great DNSSEC Statistics Site For Second-Level Domains – rick.eng.br

Want to know how many domains are signed with DNSSEC under each top-level domain (TLD)?  We now have another site to help!  For over a year now, every week I use a great site that Rick Lamb maintains at:

http://rick.eng.br/dnssecstat/

so that I can find out what new domains I need to add to our DNSSEC Deployment Maps database. By default he shows a reverse-chronological list of all the TLDs that are signed.

BUT…

… if you look over on the right side Rick has added something new!  Two new columns labeled “% Signed” and “Misc”.  These show you:

  • The percentage of total domains that are signed with DNSSEC;
  • The raw numbers of signed domains / total domains.

What’s very cool is that you can click on each heading to sort the columns. Click once to sort from lowest to highest. Click once more to sort from highest to lowest.

This second sort is where it gets interesting.

With the “% Signed” you have to scroll down a bit because of course brand new TLDs that only have one domain (often nic.TLD) and also have that domain signed score 100%.  But as you go down the list it starts to get more interesting.  Here’s a view part of the way down:

DNSSEC Statistics

What I find MUCH more interesting, though, is the raw numbers showing the number of DNSSEC-signed domains.  Click on the “Misc” heading cell twice and you get something like this:

DNSSEC stats

That shows us that .NL has the most with 2.4 million domains signed followed by .COM with 491 thousand domains and then .CZ, .SE and onwards.

What you will notice that is different here from the ntldstats DNSSEC stats site I wrote about last week is that Rick’s site pulls in data from some of the country-code TLDs (ccTLDs) and also some of the original generic TLDs (gTLDs) such as .COM, .NET, etc.    The ntldstats site is (understandably) only about the “new gTLDs” whereas Rick’s site covers the wider range of TLDs.

Notice that I said “some” of the ccTLDs and gTLDs.  Rick can only incorporate data from TLDs that provide some kind of feed he can use.  If you scroll on down the list you’ll see that there are TLDs there that have no numbers next to them:

DNSSEC stats

However, we know from NIC.BR’s statistics page that .BR has 747,000 domains signed with DNSSEC, which would move it into the second position above .COM in the listing.  Similarly .ORG has many signed domains, too.

Over time hopefully we can get these other TLDs to offer statistics feeds in a way that sites like Rick’s can consume them and help provide a more solid view of overall DNSSEC deployment.

Meanwhile, it’s fantastic that Rick has made these updates to his site and it is a great service to the larger Internet community that he maintains this info. (Thanks, Rick!)

I’m looking forward to seeing these numbers grow!

P.S. If you’d like to help these numbers grow, why not head over to our Start Here page and find out how you can get started with signing your domains with DNSSEC?

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)

Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the hundreds of new generic top-level domains (newgTLDs) are seeing the most second-level domains signed with DNSSEC. You can see the stats at:

https://ntldstats.com/dnssec

Here is a view of how it looks right now:

newgTLD DNSSEC stats

The site shows a number of interesting stats, including:

  • the percentage of newgTLDs with signed second-level domains in them (60.80% at the time I write this)
  • the number and percentage of signed zones as it relates to the overall number of registered domains within the newgTLDs
  • the number of zones (of those signed) that failed DNSSEC validation (indicating a configuration issue)
  • a trend line over time
  • the distribution of signed domains across the number of newgTLDs
  • breakdowns of signed domains by both newgTLD and also by registrar

While the overall number of signed domains today within the 5.2 million domains registered in the newgTLDs is a very small 0.95%, we now have a very easy way to see where DNSSEC signing is being actively used – and a way to measure which of the newgTLDs and also registrars are doing the most to support DNSSEC deployment.

I was intrigued to see that the leader of the newgTLDs is the .OVH TLD sponsored by a French hosting provider, OVH, with Afnic providing the back-end registry. According to their site, the OVH domain started as an April Fool’s joke in 2009 and then became a reality due to the interest.  Clicking through to their registrar site (they are apparently the only registrar for the .OVH domain), you can see why they have so many domains signed – they have an “Activate DNSSEC on this extension!” link directly on their registration page!

Looking at the Registrar Breakdown column, the OVH registrar leads in the number of DNSSEC-signed newgTLDs, presumably because they are again offering DNSSEC-signing to anyone who uses them for DNS hosting, regardless of what newgTLD they register under.

I was also curious as to why “.paris” was the second-highest newgTLD with 2,347 signed domains, but the probable answer could be quickly found by clicking through to the .paris page. It shows the top 2 registrars as “Gandi SAS” and “OVH sas”… my guess would be that many/most of the 2,347 signed domains could come from the 4,000 domains registered by OVH, given that they are actively promoting DNSSEC.

Another interesting element of this new page is that you can change the slider underneath the trend line to see more stats over time.  By moving the slider all the way to the left you can get a view of the trend in the newgTLDs:

dnssec signing trend chart

There’s a huge jump in October 2014.  Given the other stats and the information on the OVH web site, my guess would be that this was a result of the launch of the .OVH newgTLD.

Anyway… there’s probably a lot more we can learn from exploring the statistics in this way.  The key point is that now there is a very easy-to-use web interface that lets us track and be able to show which of the newgTLDs are doing the most to provide registrants the security provided by DNSSEC.  I’d note that this is all possible because all of the new gTLDs are required by ICANN to submit their zone files to the Centralized Zone Data Service (CZDS), allowing sites like nTLDstats to query the CZDS and build views such as these.

Kudos to the nTLDstats team for adding this page!  I will be adding it to our DNSSEC Statistics page and look forward to using it over time.

P.S. Want to get started with signing your domain?  Visit our Start Here page to learn how!

Internet.nl Provides An Easy Way To Test Your IPv6, DNSSEC and TLS

“Is Your Internet Up-To-Date?” Does your existing Internet connection work with IPv6 and DNSSEC? Do your web sites support IPv6, DNSSEC and TLS?  Is there a quick way to find out?

Earlier this month a new site, Internet.nl, was launched to make this all easy for anyone to test.  All you do is visit the site at en.internet.nl (also available in Dutch) and just follow the very easy links:

All you do is click “Test my internet connection” to find out if your current connection supports IPv6 and DNSSEC.  Enter any website address to test whether that site supports IPv6, DNSSEC and TLS.  And enter any email address to find out if it supports IPv6, DNSSEC and DKIM/SPF/DMARC.

Here was the response I received for one of my email accounts:

Internet.nl email test

You then have a link you can follow to get more details.

While there are obviously more detailed tests that can be performed, this site does a nice job giving a high level view of whether your connections are protected.  I also like the fact that it uses “regular” language to explain why someone should care about these tests, rather than using the technical acronyms.

The site is great to have out there and we’ll be adding it to our list of DNSSEC tools and other places within Deploy360.

Congratulations to the various organizations behind Internet.nl on the launch!  May this new site help many more people learn what they need to do to bring their Internet connections and sites up-to-date!

P.S. Please also read Olaf Kolkman’s post providing another perspective on the launch. And yes, both the Internet Society and our Internet Society Netherlands Chapter were involved with the launch.  If you would like to get started with IPv6, DNSSEC or TLS, please visit our Start Here page to begin!

At RSA Conference Apr 23: Can DNSSEC and DANE Add a Layer Of Trust to TLS and DNS?

Can DNSSEC and DANE add a layer of trust to TLS and DNS? That will be the question up for discussion tomorrow, April 23, 2015, at the RSA Conference in San Francisco. As part of the “Peer2Peer” small discussion sessions, Wes Hardaker from Parsons will be facilitating a session from 9:10-10:00am (PDT) with the description:

If we agree that the existing Certificate Authority (CA) system for TLS is broken, how do we fix it? Can the DANE protocol (RFC 6698) and DNSSEC provide a solid mechanism to add a layer of trust to network connections that use TLS? What do we need to do to use DANE and to get DANE more widely deployed? Join other peers in this discussion about how the DANE protocol works, how it is currently being implemented, (particularly in email and XMPP systems) and how DANE might be used in different scenarios. Bring your ideas and criticisms, and be prepared for a lively discussion.

If you are there at the RSA Conference in San Francisco and interested in DNSSEC, DANE and/or how we secure TLS, I would encourage you to stop by and engage in the discussion.   It is not a session being live streamed or anything like that and so you need to be at the actual conference to participate.

I wish I could be there myself… but I’m on the other side of the continent and so I’ll just have to learn from Wes how it went.

P.S. If you want to get started yourself with deploying DNSSEC and DANE, please visit our Start Here page.

IANA DNSSEC Root Key Ceremony 21 Streaming Live Today

If you’re interested in the security at the root of DNSSEC, you can watch the IANA DNSSEC Root KSK Ceremony streaming live today – happening right now, in fact – from a data center in Culpeper, Virginia.  Just go to:

https://icann.adobeconnect.com/kskceremony

where you can connect to ICANN’s Adobe Connect streaming service.  There you can watch as the participants work their way through the 56-page script for today’s key ceremony.

The key ceremony today began at 1:00pm US EDT (17:00 UTC) and will end at 5:00pm EDT (21:00 UTC).

The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:

Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.

This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.  The “root key” is at the top of the “global chain of trust” that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC“) and so it is critical that the security and integrity of this root key be maintained.  Ceremonies such as the one today are a part of that effort.  If you are interested in learning more, today is a bit of a peek behind the curtain about how all of this happens.
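To make that chain of trust concrete, here is an added example (written for this page, not code from the post or from ICANN’s ceremony tooling) of the check a validating resolver performs at each link: the key tag and DS digest computation from RFC 4034, applied to a constructed key that is not a real KSK. The same comparison serves for the root KSK against a configured trust anchor (published in DS form) and for a ccTLD’s KSK against the DS record its parent publishes.

```python
import hashlib
import hmac
import struct

# Constructed example keys, not real DNSSEC keys: deterministic bytes so the
# example runs offline. Flags 257 = ZONE + SEP (a KSK), 256 = ZONE only (a ZSK).
KSK_FLAGS = 257
ZSK_FLAGS = 256
DNSSEC_PROTOCOL = 3          # always 3 for DNSKEY (RFC 4034 s2.1.2)
ALG_RSASHA256 = 8
EXAMPLE_KSK_PUBKEY = hashlib.sha256(b"constructed KSK, not a real key").digest() * 4
EXAMPLE_ZSK_PUBKEY = hashlib.sha256(b"constructed ZSK, not a real key").digest() * 4


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; the root "." is b'\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """RFC 4034 s5.1.4: digest over owner-name wire form || DNSKEY RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hasher(data).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """What a parent zone (or a trust-anchor file) publishes for a child's KSK."""
    return {
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type),
    }


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """The link check a validator makes before trusting a zone's DNSKEY RRset:
    the DS (or trust anchor) must name this key by tag and algorithm, the key
    must be a zone key, and the digest must match. Only then are the ZSKs
    signed by this KSK, and the records those ZSKs sign, considered secure."""
    if ds["algorithm"] != algorithm or not (flags & 0x0100):
        return False
    if ds["key_tag"] != key_tag(flags, protocol, algorithm, pubkey):
        return False
    expected = ds_digest(owner, flags, protocol, algorithm, pubkey, ds["digest_type"])
    return hmac.compare_digest(ds["digest"], expected)


if __name__ == "__main__":
    anchor = make_ds(".", KSK_FLAGS, DNSSEC_PROTOCOL, ALG_RSASHA256, EXAMPLE_KSK_PUBKEY)
    print("constructed root trust anchor:", anchor)
    print("KSK accepted:", ds_matches_dnskey(anchor, ".", KSK_FLAGS, DNSSEC_PROTOCOL,
                                             ALG_RSASHA256, EXAMPLE_KSK_PUBKEY))
    print("ZSK accepted as anchor:", ds_matches_dnskey(anchor, ".", ZSK_FLAGS, DNSSEC_PROTOCOL,
                                                       ALG_RSASHA256, EXAMPLE_ZSK_PUBKEY))
```

Operationally this is why a KSK rollover (the topic of Ed Lewis’s talks above) is delicate: every validator’s trust anchor must be updated to the new key’s tag and digest before the old KSK stops signing, or this check fails everywhere at once.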

This ceremony will be a bit different from other ones in that they will actually be replacing the Hardware Security Modules (HSMs) that are used to store the actual private key of the Root KSK.  This process was explained in detail in a March 2015 blog post: ICANN Announces 2015 Hardware Security Module Replacement Project for the Root Key Signing Key.  For those curious, the HSM replacement process starts on page 19 of today’s ceremony script.

Now, granted, occasionally watching people enter commands into a Linux command prompt may not necessarily be as exciting as watching rockets launch…

KSK ceremony command line

… but it’s still rather cool that we get to watch the whole process unfold remotely!

And… it’s much more than the command-line operations… you are also getting to see some of the people who hold parts of the keys at the root of DNSSEC do their parts in the actual ceremony.  Some of them you may recognize from when we’ve written about them or from some of the articles they’ve written or presentations they’ve made.

KSK ceremony

You also get to see some of the steps of the process up close:

KSK_Ceremony

If you can’t watch it live, it is being recorded and you can always go back and view it.

P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.

New DNSSEC Deployment Map Available In Global Internet Maps

Our DNSSEC Deployment Maps are now also available as part of a larger set of Global Internet Maps produced as part of our annual Global Internet Report.  My colleague Michael Kende wrote about these new maps earlier this month and explained a bit about them. This new DNSSEC deployment map is rather fun in that it is interactive and you can zoom around and hover over any country to see what stage the country code top-level domain (ccTLD) is at.  This map is based off of the 5 stages of DNSSEC deployment that we track as part of the weekly DNSSEC deployment maps we generate. (Click/tap the image to go to the site.)

DNSSEC maps in Global Internet Report

One note of caution – these Global Internet Maps are only updated periodically and so the DNSSEC deployment map there will not necessarily be as up-to-date with ccTLDs as the weekly DNSSEC Deployment Maps.  The best place to get the most current maps is the archive of the dnssec-maps mailing list.  New maps get generated every Monday morning.

However, the Global Internet Map is current now (March 2015) with regard to ccTLDs – and it’s a very nice view of where we need to have more ccTLDs signed with DNSSEC.  Please do enjoy using it – while you are there, please do explore all the other maps that are made available.  These kinds of visualizations are great to see!