Category: Domain Name System Security Extensions (DNSSEC)

Rough Guide to IETF 101: DNSSEC, DANE, DNS Security and Privacy

It’s going to be a crazy busy week in London next week in the world of DNS security and privacy! As part of our Rough Guide to IETF 101, here’s a quick view on what’s happening in the world of DNS.  (See the full agenda online for everything else.)

IETF 101 Hackathon

As usual, there will be a good-sized “DNS team” at the IETF 101 Hackathon starting tomorrow. The IETF 101 Hackathon wiki outlines the work (scroll down to see it). Major security/privacy projects include:

  • Implementing some of the initial ideas for DNS privacy communication between DNS resolvers and authoritative servers.
  • Implementation and testing of the drafts related to DNS-over-HTTPS (from the new DOH working group).
  • Work on DANE authentication within systems using the DNS Privacy (DPRIVE) mechanisms.

Anyone is welcome to join us for part or all of that event.

Thursday Sponsor Lunch about DNSSEC Root Key Rollover

On Thursday, March 22, at 12:30 UTC, ICANN CTO David Conrad will speak on “Rolling the DNS Root Key Based on Input from Many ICANN Communities“. As the abstract notes, he’ll be talking about how ICANN got to where it is today with the Root KSK Rollover – and about the open comment period on the plan to roll the KSK in October 2018.

David’s session will be streamed live for anyone wishing to view remotely.

DNS Operations (DNSOP)

The DNS sessions at IETF 101 really begin on Tuesday, March 20, with the DNS Operations (DNSOP) Working Group from 15:50 – 18:20 UTC. Several of the drafts under discussion will relate to the Root KSK Rollover and how to better automate and monitor key rollovers. DNSOP also meets on Thursday, March 22, from 18:10-19:10, where one draft of great interest will be draft-huque-dnsop-multi-provider-dnssec. This document explores how to deploy DNSSEC in environments where multiple DNS providers are in use. As per usual, given the critical role DNS plays, the DNSOP agenda has many other drafts up for discussion and action.

DNS PRIVate Exchange (DPRIVE)

The DPRIVE working group meets Wednesday afternoon from 13:30-15:00 UTC.  As shown on the agenda, there will be two major blocks of discussion. First, Sara Dickinson will offer recommendations for best current practices for people operating DNS privacy servers. This builds off of the excellent work she and others have been doing within the DNS Privacy Project.

The second major discussion area will involve Stephane Bortzmeyer discussing how to add privacy to the communication between a DNS recursive resolver and the authoritative DNS server for a given domain.  When the DPRIVE working group was first chartered, the discussion was whether to focus on the privacy/confidentiality between a stub resolver and the local recursive resolver; or between the recursive resolver and authoritative server; or both. The discussion was to focus on the stub-to-recursive-resolver connection – and that is now basically done from a standards perspective. So Stephane is looking to move the group on into the next phase of privacy. As a result, the session will also include a discussion around re-chartering the DPRIVE Working Group to work on this next stage of work.

Extensions for Scalable DNS Service Discovery (DNSSD)

On a similar privacy theme, the DNSSD Working Group will meet Thursday morning from 9:30-12:00 UTC and include a significant block of time discussing privacy and confidentiality.  DNSSD focuses on how to make device discovery easier across multiple networks. For instance, helping you find available printers on not just your own network, but also on other networks to which your network is connected. However in doing so the current mechanisms expose a great deal of information. draft-ietf-dnssd-privacy-03 and several related drafts explore how to add privacy protection to this mechanism. The DNSSD agenda shows more information.

DNS-Over-HTTPS (DOH)

IETF 101 will also feature the second meeting of one of the working groups with the most fun names – DNS Over HTTPS or… “DOH!” This group is working on standardizing how to use DNS within the context of HTTPS. It meets on Thursday from 13:30-15:30. As the agenda indicates, the focus is on some of the practical implementation experience and the work on the group’s single Internet-draft: draft-ietf-doh-dns-over-https.

DOH is an interesting working group in that it was formed for the express purpose of creating a single RFC. With that draft moving to completion, this might be the final meeting of DOH – unless it is rechartered to do some additional work.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

DANE and DNSSEC will also appear in the TLS Working Group’s Wednesday meeting. The draft-ietf-tls-dnssec-chain-extension will be presented as a potential way to make DANE work faster by allowing both DANE and DNSSEC records to be transmitted in a single exchange, thus reducing the time involved with DANE transactions. Given the key role DNS plays in the Internet in general, you can also expect DNS to appear in other groups throughout the week.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 101:

DNSOP (DNS Operations) WG
Tuesday, 20 March 2018, 15:50-18:30 UTC, Sandringham
Thursday, 22 March 2018, 18:10-19:10 UTC, Sandringham

Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 21 March 2018, 13:30-15:00 UTC, Balmoral
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 22 March 2018, 9:30-12:00 UTC, Buckingham
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: http://tools.ietf.org/wg/dnssd/charters/

DOH (DNS over HTTPS) WG
Thursday, 22 March 2018, 13:30-15:30 UTC, Blenheim
Agenda: https://datatracker.ietf.org/meeting/101/agenda/doh/
Documents: https://datatracker.ietf.org/wg/doh/
Charter: http://tools.ietf.org/wg/doh/charters/

Follow Us

It will be a busy week in London, and whether you plan to be there or join remotely, there’s much to monitor. Read the full series of Rough Guide to IETF 101 posts, and follow us on the Internet Society blogTwitter, or Facebook using #IETF101 to keep up with the latest news.

The post Rough Guide to IETF 101: DNSSEC, DANE, DNS Security and Privacy appeared first on Internet Society.

DNSSEC Activities at ICANN 61 in San Juan on March 11-14, 2018

Sunday marks the beginning of the DNSSEC activities at the ICANN 61 meeting in San Juan, Puerto Rico. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening.

All times below are Atlantic Standard Time (AST), which is UTC-4.


DNSSEC For Everybody: A Beginner’s Guide – Sunday, 11 March

On Sunday, March 11, we’ll have our “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!


DNSSEC Workshop – Wednesday, 14 March

Our big 6-hour workshop will take place on Wednesday, March 14, from 09:00 – 15:00 in Room 208-BC. Lunch will be included. Thank you to our lunch sponsors: Afilias, CIRA, and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities, including representatives of .CA, .PR and .BR
  • A Sentinel for Detecting Trusted Keys in DNSSEC
  • Experience with DNSSEC Validation at CPE
  • DNSSEC HSM, Signer and KSK Rollover
  • Negative Trust Anchors
  • Real World DANE Inter-Domain Email Transport
  • Panel: Current State of Root KSK Rollover and What’s Next?
  • DNSSEC – How Can I Help?

It should be an outstanding session!


DNSSEC Implementers Gathering – 14 March

On the evening of Wednesday, March 14, after the DNSSEC Workshop is all over, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank Afilias for their generous sponsorship of this gathering at ICANN 61!


As I am not able to travel to ICANN 61, I want to thank Jacques Latour for stepping in to help with some of the emceeing and other meeting facilitation duties that I often do.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

The post DNSSEC Activities at ICANN 61 in San Juan on March 11-14, 2018 appeared first on Internet Society.

ICANN Postpones DNSSEC Root KSK Rollover – October 11 will NOT be the big day

People involved with DNS security no longer have to be focused on October 11. News broke yesterday that ICANN has decided to postpone the Root KSK Rollover to an unspecified future date.
To be clear:

The Root KSK Rollover will NOT happen on October 11, 2017.

ICANN’s announcement states the the KSK rollover is being delayed…

…because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover. The availability of this new data is due to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured.

Getting More Information

Discussion on the public DNSSEC-coord mailing list indicates more info may be available in a talk Duane Wessels is giving at the DNS-OARC meeting tomorrow (Friday, September 29). The abstract of his session is:


A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

RFC 8145 (“Signaling Trust Anchor Knowledge”) was published in April 2017. This RFC describes how recursive name servers can signal, to authoritative servers, the trust anchors that they have configured for Domain Name System Security Extensions (DNSSEC) validation. Shortly after its publication, both Unbound and BIND implemented the specification. As organizations begin to deploy the new software versions, some of this “key tag data” is now appearing in queries to the root name servers.

This is useful data for Key Signing Key (KSK) rollovers, and especially for the root. Since the feature is very new, the number of recursive name servers providing data is not as significant as one might like for the upcoming root KSK rollover. Even so, it will be interesting to look at the data. By examining this data we can understand whether or not the technique works and hopefully inspire further adoption in advance of future KSK rollovers.


If you, like me, will not be in San Jose for this session, there will be a webcast / live stream. The link should be available tomorrow morning on the DNS-OARC event page. Or you can follow the #oarc27 hashtag or @dnsoarc onTwitter.

Per the OARC 27 timetable, Duane’s talk begins at 9:40am PDT (UTC-7). (Side note: for those involved with DNS, there are many other excellent sessions on the timetable!)

Apparently whatever data ICANN received through this research convinced them that not enough ISPs were ready to go with the new KSK and so a postponement was necessary.

Understandable caution

I do understand why ICANN would step back and delay the KSK roll. If there are significant sections of the Internet that will experience issues with resolving DNSSEC-signed domains on October 11, it is prudent to wait to assess the data and potentially reach out to affected ISPs and other network operators. Particularly when, as we noted in our State of DNSSEC Deployment 2016 report last year, the number of domains signed with DNSSEC continues to grow around the world.

I look forward to working with ICANN and the rest of the DNSSEC community to set a new date. As I wrote (along with my colleague Andrei Robachevsky) in our comments back in April 2013, we believe that the Root KSK should be rolled soon – and rolled often – so that we gain operational experience and make Root KSK rollovers just a standard part of operations.  (Note: our CITO Olaf Kolkman submitted similar comments, although at the time he was with NLnet Labs.)

Updating the DNS infrastructure is hard

The challenge ICANN faces is that updating the global DNS infrastructure is hard to do. The reality is that DNS resolvers and servers are massively DE-centralized and controlled by millions of individual people. You probably have one or more DNS resolvers in your home in your WiFi router and other devices.

The success of DNS is that generally it “just works” – and so IT teams often set up DNS servers and then don’t pay much attention to them. At a talk I gave yesterday to about 180 security professionals at the ISC2 Security Congress in Austin, TX, I asked how many people had updated the software on their DNS resolvers within the past year – only a few hands were raised.

All of the latest versions of the major DNS resolvers support the new Root KSK. Recent versions all generally support the automated rollover mechanism (RFC 5011). But… people need to upgrade.

And in the example of a home WiFi router, the vendor typically needs to upgrade the software, then the service provider has to push that out to devices… which can all take a while.

A group of us looking to expand the use of elliptic curve cryptography in DNSSEC wrote an Internet Draft recording our observations on deploying new crypto algorithms. Updating the root KSK as a trust anchor faces a similar set of issues – although a bit easier because the focus is primarily on all the DNS resolvers performing DNSSEC validation.

The critical point is – upgrading the global DNS infrastructure can take some time. ICANN and members and of the DNSSEC community (including us here at the Internet Society) have been working on this for several years now, but clearly the new data indicates there is still work to do.

Next Steps

The good news is that companies now have more time to ensure that their systems will work with the new key.  The new Root KSK is published in the global DNS, so that step has at least been done. More information is available on ICANN’s site:

https://www.icann.org/kskroll

I would recommend two specific pages:

The time to do this is NOW to be ready for the Root KSK Roll when it does happen.

For more information about DNSSEC in general, please see our Deploy360 DNSSEC page.


Image credit: Lindsey Turner on Flickr. CC BY 2.0

P.S. And no, that is NOT what the “Root key” looks like!

The post ICANN Postpones DNSSEC Root KSK Rollover – October 11 will NOT be the big day appeared first on Internet Society.

Rough Guide to IETF 99: DNS Privacy and Security, including DNSSEC

There’s a good bit of DNS secrurity and privacy activity happening at IETF 99 next week in Prague, although not all of that is in working groups. Here is a view of what is going on.

IETF 99 Hackathon

Once again there will be a good-sized “DNS team” at the IETF 99 Hackathon over the weekend (15-16 July). The IETF 99 Hackathon wiki outlines the work (scroll down to see it). From a security point of view, major projects include:

  • Continuing work on how DNS implementations deal with the impending KSK rollover in October 2017.
  • RFC 5011 compliance testing (related to the KSK rollover)
  • Implementation of the new elliptic curve crypto algorithm, Ed25519, defined in RFC 8080.

There is also work on multiple other DNS records and tools, including a new packet capture format focused on DNS. Anyone is welcome to join us for part or all of that event.

DNS Privacy Tutorial

On Sunday, July 16, there will be a “DNSPRIV Tutorial” from 12:30-13:30 CEST (UTC+2). This will explain the work of the DPRIVE working group to add a layer of confidentiality to DNS queries. Much of this involves sending DNS queries over TLS.

It is possible (and I’ll update the post if it is) that this tutorial may be streamed out over the IETF YouTube channel and recorded. The www.ietf.org/live page doesn’t have it listed yet, but I would check there to see closer to the date.

DNS PRIVate Exchange (DPRIVE)

On the same theme, the DPRIVE working group meets Tuesday morning from 9:30-12:00 CEST.  The draft agenda shows their should be good discussion on several of the current working group drafts. I am also looking forward to the discussion about DNS over the QUIC protocol. The group will also discuss measuring the usage of DNS-over-TLS and talk about what comes next.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets twice in Prague. First on Tuesday, July 18, from 15:50-17:50 CEST, and then on Thursday, July 20, from 18:10-19:10.

The agenda isn’t out yet, but two drafts related to DNSSEC that might be up for discussion include:

There are a range of the other documents related to DNS security or privacy – or that can have impacts on those topics. We’ll have to see what gets onto the agenda.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

The DNS-SD working group will also have a brief discussion of DNS-SD Privacy drafts. Agendas aren’t posted yet, but the Using TLS in Applications (UTA) working group often has drafts of interest, as does the Security Area Open Meeting (SAAG). The thing about DNS is that it is so critical to every service that it often shows up in many different groups.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 99:

DPRIVE (DNS PRIVate Exchange) WG 
Tuesday, 18 July 2017, 09:30-12:00 CEST (UTC+2), Congress Hall III
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dprive/ 
Documents: https://datatracker.ietf.org/wg/dprive/ 
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSOP (DNS Operations) WG 
Tuesday, 18 July 2017, 15:50-17:50 CEST (UTC+2), Congress Hall II
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/ 
Charter: http://tools.ietf.org/wg/dnsop/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG 
Wednesday, 19 July 2017, 15:20 – 16:50 CEST (UTC+2), Athens/Barcelona
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dnssd/ 
Documents: https://datatracker.ietf.org/wg/dnssd/ 
Charter: http://tools.ietf.org/wg/dnssd/charters/

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blogTwitterFacebookGoogle+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf99.

The post Rough Guide to IETF 99: DNS Privacy and Security, including DNSSEC appeared first on Internet Society.

Watch LIVE – ICANN 59 DNSSEC Workshop – June 26 at 7:00am UTC

ICANN 59 logoWant to learn more about DNSSEC deployment challenges? Interested in learning about a DANE middlebox for HTTPS? Curious about how the upcoming DNSSEC Root Key Rollover will affect systems? And have you heard about the CDS and CDNSKEY records for DNS? What are they – and what impact will they have on ICANN policies?

If you answered yes to any of the above, you can tune in live to the ICANN 59 DNSSEC Workshop streaming out of Johannesburg, South Africa, on:

Monday, June 26, 2017 at 9:00am local time (UTC+2)

The schedule, which includes links to slides, is at:

The direct live stream link using Adobe Connect is:

THE SESSION WILL BE RECORDED if you are unable to watch live. (Which will include me, as I’m not at this event and 3:00am US Eastern time is a bit too early for me to get up to watch!)

The talks from 9:00 – 12 noon SAST (UTC+2) include:

  • Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel Discussion: DNSSEC Deployment Challenges
  • Middlebox DANE for HTTPS
  • Tutorial/Panel Discussion: Root Key Signing Key Rollover Test Bed
  • Panel Discussion: CDS and CNS Implementation – What are the policy impacts?
  • DNSSEC: How Can I Help?
  • The Great DNS/DNSSEC Quiz

It should be a great event filled with DNSSEC and DANE education and information. The Workshop will be followed by a lunch sponsored by Afilias, CIRA and SIDN and then the “Tech Day” presentations in the afternoon.

Meanwhile, if you are interested in learning more about how to begin using DNSSEC for a higher level of security, please visit our Start Here page to get started!

The post Watch LIVE – ICANN 59 DNSSEC Workshop – June 26 at 7:00am UTC appeared first on Internet Society.

Call for Participation – DNSSEC Workshop at ICANN 59 in Johannesburg, South Africa

ICANN 59 logoWould you like to share your ideas about DNSSEC or DANE with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology?

If so, and if you will be in Johannesburg, South Africa, for ICANN 59 in June 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 59 DNSSEC Workshop!

Please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017.

As with all of these sessions at ICANN meetings, it will be streamed live so that you can participate remotely if you will not be there in South Africa. (And I will note that this time I will not be attending in person.)

The full Call for Participation with more information and examples is below.


Call for Participation — ICANN DNSSEC Workshop at ICANN59 Policy Forum in Johannesburg, South Africa

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN59 Policy Forum 26-29 June 2017 in Johannesburg, South Africa. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the last Policy Forum DNSSEC Workshop was at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: https://icann562016.sched.com/event/7NCj/dnssec-workshop-part-1.

The DNSSEC Workshop Program Committee is close to finalizing the 3-hour program. Proposals will be considered for the following topic areas and included if space permits. In addition, we welcome suggestions for additional topics either for inclusion in the ICANN59 workshop, or for consideration for future workshops.

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:
— What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
— What do you expect DNSSEC to do for you and what doesn’t it do?
— What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?
We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. Preparation for Root Key Signing Key (KSK) Rollover

In preparation for the root KSK rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you. For more information on the root KSK rollover see the guide at: https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-03apr17-en.pdf.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

The post Call for Participation – DNSSEC Workshop at ICANN 59 in Johannesburg, South Africa appeared first on Internet Society.

Rough Guide to IETF 98: DNS Privacy and Security, including DNSSEC

It is a remarkably quiet week for DNS security and privacy topics at the IETF 98 meeting in Chicago next week. Both the DANE and DPRIVE working groups are moving along very well with their work on their mailing lists and so chose not to meet in Chicago. Similarly, with DNSSEC deployment steadily increasing (as we outlined in the 2016 State of DNSSEC Deployment report in December), the work to be discussed in DNS Operations (DNSOP) is more about exploring ideas to make DNSSEC even more secure.

Here is a quick view of what is happening in Chicago.

IETF 98 Hackathon

Over the weekend (25-26 March) we’ll have a good-sized “DNS team” in the IETF 98 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. This time the work will include a team looking at how some DNS toolkits can work with the impending Root KSK Rollover in October 2017. More specific information is in the IETF 98 Hackathon wiki. Anyone is welcome to join us for part or all of that event.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets on Monday afternoon from 13:00-15:00 CDT. The DNSOP agenda includes the following items related to DNSSEC:

Some of the other discussions, such as DNS over TCP, also have potential impacts on DNS security and privacy.

DNS Service Discovery (DNSSD)

On Tuesday, the  Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets from 16:40-18:40 CDT. DNSSD is not one of the groups we regularly follow as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). However, in Chicago the DNSSD agenda specifically has a discussion around “Privacy Extensions” (see draft-ietf-dnssd-privacy).

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

Right before the DNSSD Working Group on Tuesday, the Using TLS in Applications (UTA) WG will meet from 14:50 – 16:20 and will be covering several ideas for “Strict Transport Security” (STS) for email. While not directly tied to DNSSEC or DANE, they do use DNS for these security mechanisms. And then in the final session on Friday, from 11:50-13:20, the IPSECME WG will have a discussion about “split DNS” and how that impacts VPNS (see draft-ietf-ipsecme-split-dns).

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 98:

DNSOP (DNS Operations) WG 
Monday, 27 March 2017, 13:00-15:00 CDT (UTC-5), Zurich D
Agenda: https://datatracker.ietf.org/meeting/98/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/ 
Charter: http://tools.ietf.org/wg/dnsop/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG 
Tuesday, 28 March 2017, 16:40 – 18:40 CDT (UTC-5), Zurich B
Agenda: https://datatracker.ietf.org/meeting/98/agenda/dnssd/ 
Documents: https://datatracker.ietf.org/wg/dnssd/ 
Charter: http://tools.ietf.org/wg/dnssd/charters/

Follow Us

There’s a lot going on in Chicago, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blogTwitterFacebookGoogle+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf98.

The post Rough Guide to IETF 98: DNS Privacy and Security, including DNSSEC appeared first on Internet Society.

DNSSEC and DANE Activities at ICANN 58 in Copenhagen, March 12-15, 2017

ICANN 58 LogoNext week in Copenhagen, Denmark, ICANN 58 will include some great technical info about DNSSEC and DANE happening in several sessions. Here is the plan…

All times below are Central European Time (CET), which is UTC+1.


DNSSEC For Everybody: A Beginner’s Guide – Sunday, 12 March

On Sunday, March 12, 2017, we’ll have the “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!


Tech Day – Monday, 13 March

The Monday of most ICANN meetings includes the ccNSO “Tech Day”. While the current agenda does not include anything specific to DNSSEC or DANE, there is a session about DNS Privacy (DPRIVE) that may of of interest to some.  See this link for more information:


Root Key Signing Key Rollover: Changing the Keys to the Domain Name System – Tuesday, 14 March

On Tuesday, March 14, ICANN staff will offer a special session talking about the Root Key Rollover process. While we’ll also have some of this info in the Wednesday DNSSEC Workshop, this special session may be of interest to some. The abstract is:

The keys to the Domain Name System are changing for the first time ever. ICANN operates the root zone key signing key (KSK), which is the “master” key for DNS Security Extensions (DNSSEC). This cryptographic key was created when the root zone was signed in 2010. In this session, members of ICANN’s Technical Team will provide an update on the KSK rollover and answer community questions. This session will be of particular interest to Internet service providers, enterprise network operators and others who have enabled DNSSEC validation.


DNSSEC Implementers Gathering –  TUESDAY, 14 March

Later in the evening of Tuesday, March 14, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. We’ll gather at a local restaurant / pub in the city of Copenhagen. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org.  We thank DK Hostmaster for their generous sponsorship of this gathering at ICANN 58!

Please note: This gathering takes place on Tuesday evening in Copenhagen versus the usual Monday evening. As may be obvious, there is no remote participation option.


DNSSEC Workshop – 15 March

Our main 6-hour workshop will take place on Wednesday, 15 March, from 09:00 – 15:00 in Hall A3. Lunch will be included.

THANK YOU TO OUR LUNCH SPONSORS: Afilias, CIRA, and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities in the European Region
  • Update on IETF DNSSEC Activities
  • Root Key Rollover Update
  • Panel: Validation in ISPs – Root Key Rollover Preparation
  • Demonstration: Opportunistic IPsec using DNSSEC implementation
  • State of ECDSA adoption in (cc)TLDs
  • The Great DNSSEC/DNS Quiz
  • Trusted Email Services
  • Demonstration: SMILLA, an SMIMEA aware MILTER-program for SMTP servers
  • DNSSEC – How Can I Help?

It should be an excellent session!


I will be there in Copenhagen and am looking forward to giving multiple presentations during the Wednesday session. It’s always a great gathering of some of the best technical people involved with DNS.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

The post DNSSEC and DANE Activities at ICANN 58 in Copenhagen, March 12-15, 2017 appeared first on Internet Society.

Comments? Internet Draft on DNSSEC Crypto Algorithm Agility

DNSSEC badgeWhat are the challenges in deploying new cryptographic algorithms for DNSSEC? As we look to move to using new crypto algorithms such as ECDSA, what are the barriers to getting those new algorithms rolled out? And how can we overcome those barriers?

A few of us wrote an Internet Draft on this topic:

and with IETF 98 fast approaching I am considering whether we need to publish a revision.  So I’m curious – what do you think? Are there  topics that we missed? Text that we could make a bit more clear? Additional points to consider?

We’d welcome any and all feedback. You can leave comments here on the blog post, or on social media where this appears… or you could just do that old-fashioned email thing.

Thanks in advance!

The post Comments? Internet Draft on DNSSEC Crypto Algorithm Agility appeared first on Internet Society.

New report: “State of DNSSEC Deployment 2016”

State of DNSSEC Deployment 2016

What is the current state of deployment of the DNS Security Extensions? (DNSSEC) How many domains are secured with DNSSEC? What actual usage are we seeing on the Internet? What software is available to help?

For years there have been many statistics about DNSSEC available, but it’s been hard to get an overall picture of deployment. To help with this, we’ve worked over the past few months to pull together as much information as possible into one document:

We encourage you to please read the document – and share it widely with people who need to understand more about the security of the Domain Name System.

We also welcome feedback on questions such as:

  • How helpful did you find the report?
  • What sections were particularly helpful? (or not?)
  • Is there additional information you’d like to see included in a future report?

You can post the feedback here as a comment – or send it to me directly via email.

Our intent is that this will be the first in an ongoing annual series of reports for at least the next few years until DNSSEC is more widely deployed.  Our goal is for the “State of DNSSEC Deployment 2017” report to be ready in time for the ICANN 60 DNSSEC Workshop happening in early November 2017 in Abu Dhabi.

I’d like to thank Chip Sharp for all his hard work assembling this report and incorporating feedback. I also want to thank the group of people who provided a quick final review and proofreading in the last weeks of December (noted in the final Acknowledgements section). And I want to thank everyone within the larger DNSSEC community who continue to share their information, statistics and more.

Please do share this State of DNSSEC Deployment 2016 report with others – and if you haven’t done anything with DNSSEC on your own networks or domains, please visit our Start Here pages to learn how you can begin! Together we can make the DNS – and through that the wider Internet – a bit more secure and trusted.

The post New report: “State of DNSSEC Deployment 2016” appeared first on Internet Society.