Category: ICANN50

Report on ICANN50 DNSSEC Workshop: CloudFlare, HSMs, OTR Demos and more…

We had an outstanding DNSSEC Workshop last Wednesday, June 25, 2014, at ICANN 50 in London.  This was the “big” session of the DNSSEC activities at ICANN 50 and had a big turnout!  I counted around 120 people in the room at one point, many of whom stayed for most of the day, and we seemed to have 20-25 remote participants in the Adobe Connect room for much of the day.  It was great to have so many people there and there was an excellent amount of interaction and engagement throughout the day – lots of questions and lots of discussions!

The schedule, slides and archived video and audio can be found at:

In the section below, I’ll walk through a bit of what happened during the day.  First, though, here is one photo of what the room looked like:

ICANN 50 DNSSEC Workshop

… and there were more people sitting behind where I took the photo and on the sides.  I have many more photos that at some point I’ll try to get into our Flickr account or somewhere.

Introduction and Challenges/Opportunities for DNSSEC

I (Dan York) began the session with the normal introduction session and review of the latest DNSSEC deployment statistics.  Much of this is drawn from the weekly DNSSEC deployment maps we now generate but we also had a good discussion about how we’d like to go to the next level and start generating more second-level statistics.

I followed that with a 2014 view into the Challenges and Opportunities in DNSSEC Deployment and Usage where I looked back on a presentation I gave in 2012 and assessed how far we’ve come in the time since then. I also covered newer issues that have emerged since that time.

DNSSEC Activities in the European Region

We then had the first panel of the day with Cath Goulding of NominetUK moderating a set of presentations from country-code top-level-domain (ccTLD) operators from across Europe:

I think many of us were taking copious notes because these were really case studies of how different ccTLDs were deploying DNSSEC… what they’d done, what they hadn’t done… the success they’d had – or not.   Lots of great info ranging from .CZ’s YouTube videos to Afnic’s deployment guide to .AT’s “bump-in-the-wire” signing service and much, much more.  You can expect to see some of this info turn up in blog posts here on the Deploy360 site!  The discussion was great and the sharing among participants was quite good to see.

DNSSEC Key Rollovers and Transfers

Next up, Jim Galvin of Afilias talked about the challenges of ensuring that a DNSSEC-signed domain remains valid during the transition from one DNS hosting provider to another.  In particular, he pointed out the challenge of the “5 day grace period” that comes into play with registrars.  This is a critical challenge that we will continue to discuss until we can collectively agree on a solution to make this work.

CloudFlare – DNSSEC and DNS Proxying

Following Jim was the presentation that many of us were very much looking forward to. John Graham-Cumming of CloudFlare spoke about the challenges of using DNSSEC in an environment such as a content-distribution network (CDN) where DNS proxying and redirection plays such a pivotal role. This is important as the lack of DNSSEC support in CDNs is one of the major blockages right now for many content providers to sign their websites with DNSSEC.  John provided some solid information about the challenges they’ve seen, the tools they’ve developed and their plans for the future.

He very clearly stated that CloudFlare will support DNSSEC by the end of 2014 and is aiming to make it as easy for their customers as they have made IPv6 (which initially was a toggle button and now is on by default).

We certainly hope they will follow through on this – and doing so will immediately help secure a great number of web sites… and bring pressure on other CDN providers to follow suit.

Hardware Security Modules (HSMs) Benefits and Challenges

Next up we dove a bit down into crypto geekery and explored different options for the HSMs that are used by some to generate keys for DNSSEC. Roy Arends of NominetUK moderated and the presenters included:

Rick Lamb kicked off the panel with an overview of why you might want to consider HSMs and what risk they are protecting against.  Mark Southam followed with some info about his Keyper HSM product and then Roland van Rijswijk-Deij talked about the SoftHSM project aimed at letting you do all of this in software without requiring any specific hardware.

Operational Realities of Running DNSSEC

The final presentation before lunch was from Haya Schulman of the Technische Universität Darmstadt. She actually had two presentations, although both were in a single slide deck.  Her first presentation focused on measurements of recursive and authoritative name servers and the methods that she used in her research.  Given that a number of people in the audience were also involved with DNSSEC measurement, her presentation generated some good discussion and questions.  Her second presentation was on “Cipher-Suite Negotiation for DNSSEC” and presented ideas around how DNSSEC clients could learn a server’s algorithms and priorities.  This again generated some good discussion.

Lunch Break

After Haya’s presentations we had lunch in the room, thanks to the generous sponsors of the event (THANK YOU!):

  • Afilias
  • CIRA
  • Dyn
  • Microsoft
  • .SE
  • SIDN

Having the food right there enabled many great conversations to continue – and allowed us to not have to find our way back to the room that was tucked in an odd part of the hotel.

DANE and DNSSEC Applications

After lunch we had our large panel session that involved multiple demos and running code!  I was the moderator and the panelists included:

Guido Witmond started off providing an overview of the DANE protocol and how it could be used to add a layer of trust to TLS certificates. He then went into a specific use case where he sees DANE and DNSSEC helping prevent phishing.  Next Willem Toorop gave an overview of the getDNS API – this is really an important area and I would strongly encourage people to both view Willem’s slides and also view the getDNS API web site. I think this new API has some real promise to make it much easier for applications to interact with DNS and DNSSEC.

Willem continued with a second presentation around measuring DNSSEC validation using the RIPE Atlas probe network.  This is important as we continue to search for meaningful ways to measure ongoing DNSSEC deployment.  With Geoff Huston of APNIC Labs there in the room, who also does some DNSSEC measurements, there was some good discussion about how best to measure DNSSEC validation.

Paul Hoffman then took us back into application development with his presentation about DNSharness, a framework for testing name server implementations.  While most people in the room were not aware of this open source work funded by VeriSign Labs, a good number expressed their interest in using the test framework when they returned to their regular organizations.

We then entered into that ever-risky segment of live demos, with Iain Learmonth going first with a demo of an “Off-the-Record” (OTR) private instant messaging app based on draft-wouters-dane-otrfp. Iain used the dnskeys library for Python in a modified version of Gajim’s OTR plugin to have a secure encrypted chat session with Willem sitting right next to him.  It was very cool to see, and while the demo was live, Iain did provide some slides with screenshots so you can get a sense of what he was doing.

Joost van Dijk of SURFnet closed out the session with a live demo of how they integrated DANE into their service portal for their customers to automatically generate DANE’s TLSA record.  Again, the demo was live but Joost provided a few slides that talk about what they did and some of the challenges they found.
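To show what a portal like the one Joost demonstrated has to compute when it generates a TLSA record (and what the validating side of the “certificate stored in a TLSA record” demo requested in the Call for Participation has to check), here is an added example, not code from SURFnet or from the workshop. It builds TLSA RDATA per RFC 6698 (usage/selector/matching type plus the digest) from a DER certificate and checks a presented certificate against a record; the certificate is a constructed, unsigned DER skeleton so the example runs offline, and the only parsing done is the X.509 field walk needed to find SubjectPublicKeyInfo.

```python
"""Generate and check DANE TLSA records (RFC 6698) from a DER certificate."""
import hashlib

# --- minimal DER helpers (just enough to walk an X.509 Certificate) ---

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes):
    """Split a constructed DER value into (tag, raw TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (what TLSA selector 1 covers)."""
    _, cert_body, _ = der_read(cert_der, 0)         # Certificate ::= SEQUENCE
    _, tbs_raw = der_children(cert_body)[0]         # first child: tbsCertificate
    _, tbs_body, _ = der_read(tbs_raw, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- TLSA record generation and matching (RFC 6698 section 2.1) ---

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format RDATA; default 3 1 1 = DANE-EE, SPKI, SHA-256."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        digest = data.hex()                         # full data, no hash
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Does the presented certificate match this TLSA record? (hex may contain whitespace)"""
    usage, selector, mtype, digest = rdata.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    return expected == "".join(digest.split()).lower()

# --- a constructed (unsigned, placeholder-valued) X.509 DER skeleton for testing ---

def constructed_certificate(public_key_bits: bytes) -> bytes:
    """Constructed test input: valid X.509 field layout, placeholder values, no real signature."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    version = der(0xA0, der(0x02, b"\x02"))                          # [0] INTEGER 2 (v3)
    serial = der(0x02, b"\x01")
    sig_alg = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    name = seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x0c, b"example.test"))))
    validity = seq(der(0x17, b"240625000000Z"), der(0x17, b"250625000000Z"))
    spki = seq(seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), der(0x05, b"")),
               der(0x03, b"\x00" + public_key_bits))               # rsaEncryption + BIT STRING
    tbs = seq(version, serial, sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, der(0x03, b"\x00" + bytes(16)))        # placeholder signature

if __name__ == "__main__":
    cert = constructed_certificate(b"\x01" * 64)
    record = tlsa_rdata(cert)
    print("_443._tcp.example.test. IN TLSA", record)
    print("matches own cert:", tlsa_matches(cert, record))
    print("matches other cert:", tlsa_matches(constructed_certificate(b"\x02" * 64), record))
```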

All in all it was a great afternoon session with lots of technical meat for developers!  Always great when you have running code inside of a workshop!

Wrapping Up

Finally, I ended the day thanking the participants and talking about how people in the session can help get DNSSEC deployed in different environments.

And then… after over 6.5 hours of intense focus on DNSSEC… we left the room to go back into all the other madness of a typical ICANN meeting!

On Toward ICANN 51 in Los Angeles on October 15…

With ICANN 51 behind us, the ICANN DNSSEC Workshop Program Committee is already looking forward to the next DNSSEC Workshop that will take place on Wednesday, October 15, 2014, at ICANN 51 in Los Angeles.  The call for participation will be out soon, but I can see that in particular we are going to be looking for people who want to present on:

  • New gTLDs and DNSSEC – case studies, implementation details and more
  • Email/SMTP and DANE/DNSSEC – we are seeing a great amount of interest in DANE from email providers and want to bring together people operating email services using DANE and also those involved with developing email servers and applications
  • Root Key Rollover Potential Impacts – many of us are very concerned about the need to have a Root Key Rollover happen and want to talk more about potential impacts and also mitigation strategies.

Plus we are always looking for great DNSSEC or DANE case studies, measurements, cool tools or demos and other similar topics.  Stay tuned for the announcement… but in the meantime start thinking about what YOU would like to present at ICANN 51 in LA!

P.S. If you haven’t yet started using DNSSEC, please check our “Start Here” page to find resources to help you out!

ICANN 50 DNSSEC Workshop Streaming Live TODAY From London

As we mentioned last week, the DNSSEC Workshop at ICANN50 will take place from 8:30 – 14:45 London time TODAY, June 25, 2013 and will be streamed live via audio or via Adobe Connect (combined audio, slides and video).  More info can be found at:

The links for remote listening can be found there, as can the presentation slides.  The session will be recorded for later viewing if you can’t see it live.  This is the week’s big session on DNSSEC and covers topics such as:

  • Introduction and DNSSEC Deployment Around the World
  • DNSSEC Activities in the European region
  • The Operational Realities of Running DNSSEC
  • DANE and DNSSEC Applications
  • DNSSEC Automation
  • Panel Discussion/Demonstrations on Hardware Security Modules (HSMs)

We’ll also have a presentation from CDN provider Cloudflare about their plans for DNSSEC, a session about key rollovers and some great demos of new tools and services.  It should be quite an interesting and educational day!

Getting to the room for the DNSSEC Workshop

If you are here in London it turns out that finding the room where the DNSSEC Workshop will be held is a bit of a challenge.  The location is “Hilton 1-6” on the third floor of the Tower Wing (the wing in the middle). The directions are as follows:

  1. Go right after exiting the elevators on the third floor and take an immediate right again (there will be a sign on the wall for Hilton rooms 1-17)
  2. Take a left at the next corridor.
  3. Take a right at a wide corridor where there are some tables on the right (there will be a sign on the wall for Hilton rooms 1-17)
  4. Go down the stairs under the sign “Hilton Meeting Room Business Center”

From this point there are two ways to enter at the back of the room (there is a third way but it is harder to describe):

  1. Go straight ahead through the ICANN staff breakfast/lunch area to the door marked Hilton 1.
  2. Go down the left-hand corridor to the door on the right marked Hilton 3

When in doubt, ask any Hilton staff person or ICANN staff person.  We hope to see you there!

More information

All the slides for today’s session can be found on the ICANN web page for the session.

To learn more about DNSSEC, please visit our “Start Here” page to find resources tailored to your type of organization.

Reminder – “DNSSEC For Everybody” Streamed Live From ICANN 50 Today

Just a quick reminder that, as we mentioned last week, the DNSSEC For Everybody: A Beginner’s Guide session today at ICANN 50 in London will be streamed live via audio or via Adobe Connect (combined audio, slides and video).  This is a fun session where we step back to caveman days to try to explain DNSSEC in the simplest of terms… and also add some skits into the mix as well (yes, DNSSEC engineers doing a skit!).  It is happening from 17:00 to 18:30 British Summer Time (local time in London). More info can be found at:

The links for remote listening can be found there, as can the slides and handout for download.  The session will be recorded for later viewing if you can’t see it live.

If you want an even deeper dive into DNSSEC, plan to attend (remotely or here at ICANN 50) the DNSSEC Workshop happening most of the day on this coming Wednesday, June 25, where we’ll be starting at 8:30am and covering a wide range of topics related to DNSSEC.

To learn more about DNSSEC, please visit our “Start Here” page to find resources tailored to your type of organization.

Great To See Full (And Faster) IPv6 At ICANN 50 In London

Here at ICANN 50 in London (where I am focused on DNSSEC sessions) it was great to connect to the WiFi network and find that I had full IPv6 connectivity.  Here’s a shot of the IPvFoo plugin for Chrome when I went to the main ICANN 50 website:


Even more fascinating was how much faster the IPv6 connectivity is here versus IPv4, undoubtedly because most of the 2,200+ (now 3,300+) attendees are using primarily IPv4.  Using Comcast’s Speedtest we wrote about back in February, I was amazed to see the dramatically different speeds:

ICANN 50 IPv6 Speed Test

I was so surprised that I had to run Comcast’s speed test several more times and test against multiple different servers. (Yes, I’m a network geek who is fascinated by this kind of thing!)  All of them gave similar results… one even offering an even higher IPv6 upload speed:


Sadly, I don’t have any large videos I need to upload to YouTube or anything like that, because clearly this ICANN 50 network would be the place to do so! (Assuming the sites were all over IPv6, as YouTube is.)

To double-check, I also went to’s speed test, where IPv4/IPv6 is also differentiated, and again saw a difference (it seems to only test download speed):

IPv6 test from

All in all it is great to see that not only is ICANN offering IPv6 connectivity to all attendees… but it is faster than that over IPv4.

Way to go, ICANN!

UPDATE: Article updated with the information that there are now over 3,300 registrants at this ICANN meeting!

3 DNSSEC Sessions At ICANN 50 In London Next Week

Next week (June 23-26, 2014), we’ll be at ICANN 50 in London for the usual excellent DNSSEC sessions, two of which will be streamed live for remote participants.

The three activities are…

DNSSEC For Everybody: A Beginner’s Guide

First up on Monday, June 23, 2014, in the late afternoon from 17:00 – 18:30 BST (London time) will be the DNSSEC For Everybody: A Beginner’s Guide session where we start at the very basic level of why should anyone care about DNSSEC and get into what kind of problem we are trying to solve.  This session includes a skit (seriously!) where we act out DNS and DNSSEC transactions and talk about blue smoke (seriously!).  It’s a good bit of fun and people tell us that it definitely helps them understand DNS and DNSSEC – or maybe they just like watching a bunch of DNS geeks act out in a skit. :-)

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room.  Details are on the program page.

DNSSEC Implementers Gathering

Next, on Monday evening from 19:30-21:30 (or later) some of us will join in an “informal gathering of DNSSEC implementers” at a nearby restaurant/bar. This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC.  As ICANN’s Julie Hedlund wrote in a note to various email lists:

DNSSEC Implementers are invited to attend an informal gathering to discuss and exchange information on their DNSSEC implementation experiences during the ICANN meeting in London, sponsored by Nominet UK. This is a unique opportunity to meet with and talk to key implementers, such as Nominet UK, CNNIC, JPRS, NZNIC, CIRA, CZNIC, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences. This is a peer-to-peer event for implementers.

It’s been a fun time at past events and generated both good conversations and connections for future work activities after the meetings are over.

It should perhaps be obvious but this event will NOT be available for remote participation.  If you will be in London, though, and are interested in interacting with others who are deploying DNSSEC, you are welcome to join us.  As Julie requests, RSVP by close of business on this Thursday, June 19, 2014.

DNSSEC Workshop

The BIG event of the week is the DNSSEC Workshop on Wednesday, June 25, where we meet from 8:30 – 14:45 London time for this detailed session diving into many different aspects of DNSSEC.  I’m on the Program Committee for the workshop and I can tell you that there will be some excellent presentations at this session.  The slides and full agenda will be available soon, but the major areas of discussion will include:

  • Introduction and DNSSEC Deployment Around the World
  • DNSSEC Activities in the European region
  • The Operational Realities of Running DNSSEC
  • DANE and DNSSEC Applications
  • DNSSEC Automation
  • Panel Discussion/Demonstrations on Hardware Security Modules (HSMs)

The workshop continues to attract some of the best technical people involved with DNSSEC and the conversations and discussions that happen there provide outstanding value to those interested in these topics.  If you’re interested in DNSSEC and how it can make the Internet more secure, I highly recommend you tuning in!

You can listen remotely via an audio stream or listen and view the slides via a virtual meeting room.  Details are on the program page.

Rough Guide To ICANN 50

These DNSSEC events are just a part of all the many activities happening at ICANN 50 that we at the Internet Society are interested in.  To understand all of what is happening at ICANN 50 that lines up with our organization’s priorities, please see the Internet Society Rough Guide to ICANN 50.

Say Hello!

I (Dan York) will be there in London.  Please do say hello – you can find me at any of these events and also around other areas of ICANN. You can also email me at if you’d like to meet with me.  You can also contact us via Twitter, Facebook or Google+.

Call For Participation – ICANN 50 DNSSEC Workshop on 25 June In London

Are you planning to attend the ICANN 50 meeting in London in June?  If so, would you like to share your experience with deploying DNSSEC?  As noted below, we are seeking proposals for presentations to be given during the DNSSEC Workshop that will happen on Wednesday, June 25, 2014, during the ICANN week.

The full list of topic areas for which we are seeking proposals is included below. If you have an idea for a presentation, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-london at as soon as possible – but no later than Friday, 09 May 2014.  You can send an idea now if you would like… even if you have an idea you are not sure about, you are welcome to send it in and ask if it is appropriate.  These are great sessions and the agenda tends to fill up pretty quickly, so if you want to be included please do send in a proposal as soon as possible!


Call for Participation — ICANN DNSSEC Workshop 25 June 2014

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN meeting in London on 25 June 2014. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Singapore on 26 March 2014. The presentations and transcripts are available at:

We are seeking presentations on the following topics:

1. DNSSEC Activities in the European region:

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the European region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC?

2. The Operational Realities of Running DNSSEC:

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3. DNSSEC Automation:

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where in the various pieces that make up DNSSEC signing and validation are the best opportunities for automation?
  • What are the costs and benefits of different approaches to automation?

4. When Unexpected DNSSEC Events Occur:

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5. DANE and DNSSEC Applications:

The DNS-based Authentication of Named Entities (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE applications and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. DNSSEC and DANE In The Enterprise:

Similar to ISPs, enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the enterprise’s own domains. We are seeking presentations from enterprises who have implemented DNSSEC on either or both validation and signing and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

7. Guidance for Registrars in Supporting DNSSEC:

The 2013 Registrar Accreditation Agreement (RAA) for Registrars and Resellers requires the support of DNSSEC beginning on January 1, 2014. We are seeking presentations discussing:

  • What are the specific technical requirements of the RAA and how can registrars meet those requirements?
  • What tools and systems are available for registrars that include DNSSEC support?
  • What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

8. Implementing DNSSEC Validation At Internet Service Providers (ISPs):

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

9. APIs Between the Registrars and DNS Hosting Operators:

One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Right now the communication, such as the transfer of a DS record, occurs primarily by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information – or from people with ideas around how such APIs could be constructed.

10. Panel Discussion/Demonstrations on Hardware Security Modules (HSMs):

HSMs are a key element in DNSSEC deployment, particularly in maintaining the security of the Zone Signing Key (ZSK). We are interested in demonstrations of HSMs as well as presentations on HSM challenges and benefits.

11. Preparing for Root Key Rollover

For this topic we are seeking input on issues relating to root key rollover. In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-london at by Friday, 09 May 2014.

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

  • Steve Crocker, Shinkuro
  • Mark Elkins, DNS/ZACR
  • Cath Goulding, Nominet UK
  • Jean Robert Hountomey, AfricaCERT
  • Jacques Latour, .CA
  • Xiaodong Lee, CNNIC
  • Luciano Minuchin, NIC.AR
  • Russ Mundy, Sparta/Parsons
  • Ondřej Surý, CZ.NIC
  • Yoshiro Yoneya, JPRS
  • Dan York, Internet Society