Category: DNSSEC

Feb 02

Two Great Articles In ArsTechnica And Light Reading About ION Conferences, IPv6, DNSSEC

Ars Technica articleWe were pleased to see two great articles out today about our ION Conferences and our efforts to accelerate the deployment of IPv6 and DNSSEC.  The articles followed on our news release about the 2015 ION conferences and were:

and

Both articles do a great job of explaining what we’re trying to do.  I enjoyed that both writers liked the “broccoli” angle. Here was  Carol Wilson:

“It’s a little like getting people to eat their broccoli,” Grunderman admits. Network operators can’t charge more for services after deploying these standards, but their deployment makes the entire Internet experience better for everyone by adding security and resiliency.

Exactly!

Many thanks to both writers for taking the time to understand what we are doing and to write about it on their respective sites.

And if you would like to get started with IPv6 or DNSSEC, please visit our Start Here page to begin!

Jan 29

CloudFlare Seeks Help Testing Their DNSSEC Implementation

CloudFlare logoThis morning the team over at CloudFlare announced they have begun their DNSSEC implementation and asked for help in testing what they have done so far.

They also include a note at the bottom indicating that people interested in participating in their public beta program should contact them.

As we’ve written about several times in the past, CloudFlare continues to move ahead towards their goal of making DNSSEC available throughout their content distribution network (CDN) / DNS hosting service.  They’d originally had a goal of rolling it out by the end of 2014 but ran into some challenges that they are still working through.  As they note, they are getting closer.

This is great news to see – and we look forward to seeing their public beta program move ahead!  If you use CloudFlare, or just want to help them out, please do check out their blog post.

And if you want to get started with DNSSEC or DANE yourself, please visit our Start Here page to find resources to help you begin.

Jan 29

In Singapore for ICANN 52? Join Us At The DNSSEC Implementers Gathering

icann51-dnssec-implementers-gatheringIf you will be in Singapore on Monday, February 9, 2015, for ICANN 52 and you work with DNSSEC, you are invited to attend the informal “DNSSEC Implementers Gathering” at 19:30 at a nearby restaurant/pub.  These gatherings bring together people who have implemented DNSSEC or DANE in some way to engage in conversations and exchange information and ideas.  We’ve seen ideas for new projects come out of these gatherings in the past – and they have just generally helped deepen the connections between the community of people involved in getting DNSSEC widely deployed.

SPACE IS LIMITED so please RSVP as soon as possible to julie.hedlund@icann.org. We will be cutting off reservations by close-of-business on Thursday, 05 February 2015, but please let Julie know as soon as you can.

This is a unique opportunity to meet with and talk to key implementers, such as NominetUK, CNNIC, JPRS, NZNIC, CIRA, CZNIC, SIDN, and others.  We do ask that in order to participate you should come prepared to say a few words about your experiences.

We are grateful once again to Comcast, NBC Universal and the MPAA in providing funding to pay for this informal gathering.  The three companies sponsored the event at ICANN 51 in Los Angeles (pictured here) and we were able to stretch their sponsorships to cover this gathering in Singapore.  Thank you to the three organizations for helping with what has been an extremely useful event at ICANN meetings.  (We will, though, need new sponsors for ICANN 53.)

There are also two other DNSSEC-related events happening during the ICANN 52 week:

Monday, 09 February 1700-1830, DNSSEC for Everybody:
http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Wednesday, 11 February 0830-1445, DNSSEC Workshop:
http://singapore52.icann.org/en/schedule/wed-dnssec

If you are in Singapore and available Monday evening, 09 Feb 2015, please do join us for the DNSSEC Implementers Gathering!

P.S. It should perhaps be obvious, but this event will not be available for remote participation nor will it be live-streamed as it involves a group of people sitting down at a restaurant/pub and eating/drinking together.

Jan 28

Invitation – DNSSEC Implementers Gathering at ICANN 52 in Singapore

DNSSEC Implementers GatheringIf you will be in Singapore on Monday, February 9, 2015, for ICANN 52 and you work with DNSSEC, you are invited to attend the informal “DNSSEC Implementers Gathering” at 19:30 at a nearby restaurant/pub.  These gatherings bring together people who have implemented DNSSEC in some way to engage in conversations and exchange information and ideas.  We’ve seen ideas for new projects come out of these gatherings in the past – and they have just generally helped deepen the connections between the community of people involved in getting DNSSEC widely deployed.

SPACE IS LIMITED so please RSVP as soon as possible to julie.hedlund@icann.org. We will be cutting off reservations by close-of-business on Thursday, 05 February 2015, but please let Julie know as soon as you can.

This is a unique opportunity to meet with and talk to key implementers, such as NominetUK, CNNIC, JPRS, NZNIC, CIRA, CZNIC, SIDN, and others.  We do ask that in order to participate you should come prepared to say a few words about your experiences.

We are grateful once again to Comcast, NBC Universal and the MPAA in providing funding to pay for this informal gathering.  The three companies sponsored the event at ICANN 51 in Los Angeles (pictured here) and we were able to stretch their sponsorships to cover this gathering in Singapore.  Thank you to the three organizations for helping with what has been an extremely useful event at ICANN meetings.  (We will, though, need new sponsors for ICANN 53.)

There are also two other DNSSEC-related events happening during the ICANN 52 week:

Monday, 09 February 1700-1830, DNSSEC for Everybody:
http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Wednesday, 11 February 0830-1445, DNSSEC Workshop:
http://singapore52.icann.org/en/schedule/wed-dnssec

If you are in Singapore and available Monday evening, 09 Feb 2015, please do join us for the DNSSEC Implementers Gathering!

P.S. It should perhaps be obvious, but this event will not be available for remote participation nor will it be live-streamed as it involves a group of people sitting down at a restaurant/pub and eating/drinking together.

Jan 22

Watch Live Today – DNSSEC Root KSK Ceremony 20 at 12:15 PST / 20:15 UTC

IANA logoStreaming live today from El Segundo, CA, will be the 20th “key ceremony” related to the Key Signing Key (KSK) for the Root zone of DNSSEC.  The page containing all the relevant links is at:

https://www.iana.org/dnssec/ceremonies/20

The ceremony starts at 12:15pm US Pacific Standard Time (20:15 UTC) and will conclude at 5:00 pm PST (01:00+1day UTC).  If you are interested in understanding more about the security of the overall DNSSEC system, the ceremony shows the process and care taken to administer the DNSSEC keys of the root of DNS.

The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:

Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.

This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.

There is a lengthy script that outlines the process that will be used today:

http://data.iana.org/ksk-ceremony/20/KC20_Scripts.pdf

The process is open via the live video stream for all to see. The video recording will also be archived for later viewing.

P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.

Jan 14

Over 600 Top-Level Domains Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:

DNSSEC statistics

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world.  If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

ccTLD dnssec deployment map

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD.  Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops,  ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead.  The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!

Great to see!

P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.

Jan 12

In 5 Days, ION Sri Lanka Will Cover IPv6, DNSSEC, DANE, BGP, TLS, BCOP and more

ION Sri Lanka logoComing up in just over 5 days, our ION Sri Lanka event will take place in Kandy, Sri Lanka, on Sunday, January 18, 2015, beginning at 10:00 am India Standard Time (IST, UTC+5:30).  As our agenda shows, we have an ambitious list of sessions covering pretty much all of the topics we cover here at Deploy360. Sessions include:

  •  Welcome from the Internet Society Sri Lanka Chapter, Prof. Gihan Dias (Internet Society Sri Lanka Chapter)
  • Two Years After World IPv6 Launch: Are We There Yet?, Vivek Nigam (APNIC)
  • Why Implement DNSSEC?, Jitender Kumar (Afilias)
  • Deploying DNSSEC: A .LK Case Study, Sashika Suren (LK Domain Registry)
  • DANE: The Future of Transport Layer Security (TLS), Dan York (Internet Society)
  • Lock it Up: TLS for Network Operators, Chris Grundemann (Internet Society)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved, Dan York (Internet Society) and Thilini Rajakaruna (former IETF Fellow)
  • Operators & the IETF, Chris Grundemann (Internet Society)
  • Best Current Operational Practices – An Update, Jan Žorž (Internet Society)
  • IPv6 Success Stories– Network Operators Tell All!, Asela Galappattige (Sri Lanka Telecom); Senevi Herath (LEARN); Matsuzaki Yoshinobu (IIJ)

We have an excellent set of speakers and are very much looking forward to this event!

REGISTRATION IS FREE! If you can get to the Amaya Hills Hotel in Kandy, Sri Lanka, there is no additional cost to attend ION Sri Lanka.  You do need to register by filling out the SANOG registration form.

If you will not be able to get to the ION Sri Lanka location, we’ll be offering a live video stream / webcast of the event via YouTube Live events. Do note that all events happen on Sunday, January 18, starting at 10:00 am India Standard Time (IST).  Given that this is UTC+5:30, the start of ION Sri Lanka may actually be in the late hours of Saturday, January 17, for people in the United States.  Here are some examples:

  • 10:00 am, Sunday, Jan 18 – IST, Kandy, Sri Lanka
  • 5:30 am, Sunday, Jan 18 – CET, central Europe
  • 4:30 am, Sunday, Jan 18 – UTC
  • 11:30 pm, Saturday, Jan 17EST, east coast, USA
  • 8:30 pm, Saturday, Jan 17PST, west coast, USA

You may find it helpful to use one of the time/date conversion tools to ensure your timing is correct. All the sessions will be recorded for later viewing and the slides will be available online as well.

To stay up-to-date about ION Sri Lanka you can also join:

If you are on Twitter, you can follow @Deploy360 and use hashtag #IONConf for all things ION!

We’re looking forward to seeing many people at the ION Sri Lanka event and joining in the other SANOG 25 activities happening there.  If you are in Sri Lanka (or can get there), please do join us for ION Sri Lanka!

P.S. And if you want to get started today with IPv6, DNSSEC or other topics, please visit our Start Here page to begin – why wait for ION Sri Lanka?  Why not start now?

Jan 07

DNSSEC Makes The Front Cover of SC Magazine

Front cover of SC magazineIt’s not every day that the topic of DNSSEC makes the front cover of a print magazine… but it did with the January 2015 issue of SC Magazine.   In an article titled “Keys to the Internet“, Tony Morbin, Editor-in-Chief of SC Magazine interviews Anne-Marie Eklund Löwinder of .SE about the global deployment of DNSSEC.  It’s a good article and Tony Morbin was kind enough to include some of the comments I’d provided about the two sides of DNSSEC. There’s also a side article from Jim Galvin about the registrar-related themes he’s been discussing lately.

Congrats to Anne-Marie on the article and I do hope this will help SC Magazine readers and others understand how important it is that we get DNSSEC more widely deployed.  As I was quoted in the article:

The reality is that despite the additional requirements, DNSSEC provides the best mechanism we have today to add more trust and security to DNS.

We need to get DNSSEC and DANE more widely deployed to increase the overall security of the Internet.  At the minimum, we need more people enabling DNSSEC validation, which often involves only changing a line in a DNS server configuration file.

Want to know how YOU can help?  Please visit our Start Here page to find resources tailored to your type of organization or role.

Jan 02

Are You Protected By DNSSEC? A Quick Way To Check

Want a quick way to check if you have DNSSEC validation working at your site? Just go to:

https://www.dnssec-tools.org/test/

You’ll see either a thumbs-up or a thumbs-down:

Thumbs Up DNSSEC Tools Thumbs Down

If you get a thumbs-up then all the DNS queries were validated with DNSSEC.  If you get a thumbs-down then your local DNS resolver is either not validating with DNSSEC or is not validating all queries.  Time to figure out what’s wrong!

If you need to configure DNSSEC validation, we recommend SURFnet’s white paper that includes easy steps for common DNS resolvers.

And if you know very little about DNSSEC and want to learn more, please visit our Start Here page to begin!

Jan 01

Happy New Year! Do Your 2015 Plans Include IPv6, DNSSEC or TLS?

2015Happy New Year!  It’s 2015 … what are you going to do differently this year?  Will you get your websites working over IPv6?  Will you sign your domains with DNSSEC and enable validation?  Will you use TLS for all your websites and applications?

We’re looking forward to a great 2015. We’ll be holding ION conferences around the world, including ION Sri Lanka coming up shortly on January 18. We’ll be writing on our blog and posting video, audio, slides and more to all our various sites and services. We’ll be speaking and participating at events from ICANN, IETF and many, many more.  We’ll be helping get more BCOP documents written and doing whatever we can to improve communication between network operators and the IETF.

2015 is going to be a great year!

If you haven’t yet made technical plans for 2015, may we suggest some ideas?  How about:

  • Set up your DNS resolvers to perform DNSSEC validation – there’s a great whitepaper that shows how easy this is!
  • Join the MANRS Initiative and declare publicly that your network will help keep the Internet’s routing infrastructure clean! See the MANRS document for more info.

Why not make one of these your resolution for the year and see what can happen?

We’re here to help… check out our Start Here page to find resources that may work for you… and please let us know if you can’t find what you are looking for!

Let’s make 2015 amazing!