Category: MANRS

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

ICANN 55 logoStarting this Friday, March 5, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events:  the Africa DNS Forum 2016 and the 55th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN).

Some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday.  Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process.  Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the  main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET) which is the same as UTC.

Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE“. The live stream will be available at:

Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security“. The live stream will be available at:

I will be in the audience listening to what looks to be a great set of panelists.

DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15  where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.

DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event.  This is the one event where there is no remote participation possible.

DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 –Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion:  DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00 where will I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology.  Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

If you will be there at either the Africa DNS Forum 2016 or  ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Deploy360@IETF91, Day 4: TLS, 6TISCH, DNSSD, IDR, SAAG, DHC and DBOUND

Chris Grundemann at IETF 91On the fourth day of IETF 91 we on the Deploy360 return to a focus on the routing / securing BGP side of our work as well as TLS and a number of DNS-related sessions that are not strictly DNSSEC-related, along with a small bit of IPv6 for “Internet of Things” (IoT) mixed in. There are many other working groups meeting at IETF 91 today but the ones I’ll mention below line up with the topics we cover here on the Deploy360 site.

Read on for more information…

NOTE: If you are not in Honolulu but would like to follow along, please view the remote participation page for ways you can listen in and participate.  In particular, at this IETF meeting all the sessions will have Meetecho coverage so you can listen, watch and chat through that web interface.  All agenda times are in HST, which is UTC-10 (and five hours earlier than US Eastern time for those in the US). I suggest using the “tools-style” agenda as it has easy links to the chat room, Meetecho and other documents for each session.

In the morning 9:00-11:30 block two working groups are of interest.  The TLS Working Group continues the evolution of the TLS protocol and we’ll be monitoring that session in Coral 5 to understand where TLS is going.  Meanwhile over in the Hibiscus room, the 6TISCH Working Group will be continuing their work on ensuring that IPv6 works well in low-power networks on devices using IEEE 802.15.4 low-power radios.  We haven’t really covered this work much here on Deploy360, but as the 6TISCH charter indicates, the work is aimed at “low-power and lossy networks” (LLNs) among devices that we often commonly talk of these days as the “Internet of Things” (IoT). As we increasingly connect everything to the Internet, this work should prove very useful.

During the lunch period, there looks to be a fascinating speaker on the topic of “Open Standards, Open Source, Open Loop“,  but the timing is such that several of us will be at an informal (and open) meeting about the Mutually Assured Norms for Routing Security (MANRS) document, part of the ongoing Routing Resilience Manifesto project headed by our colleague Andrei Robachevsky (and he discussed MANRS in his Rough Guide post).

In the 13:00-15:00 HST block there are two groups we’ll be watching: DNSSD and IDR.  As I described in my Rough Guide post about DNSSEC, the DNSSD group is looking at how to extend DNS service discovery beyond a local network – and we’re of course curious about how this will be secured.  DNSSEC is not directly on the agenda, but security issues will be discussed.  Simultaneously the Inter-Domain Routing (IDR) is meeting about improving the Internet’s routing infrastructure, although the security focus will primarily be in tomorrow’s (Friday) IDR meeting. Because of that, our attention may be more focused on the Security Area Open Meeting where there are a couple of drafts about routing security including one that surveyed the different kinds of censorship seen around the world.

Finally, in the 16:40-19:10 HST block the Dynamic Host Configuration (DHC) WG will meet to continue their work on optimizing DHCP for IPv6. Today’s agenda includes some discussions around privacy that should fit in well with the ongoing themes of privacy and security at this IETF meeting.

At the same time as DHC, there will also be a side meeting of the DBOUND (Domain Boundaries) effort that took place at an earlier IETF meeting.  It starts at 16:40 (not 14:40 as went out in email) in the South Pacific II room.  As described in the problem statement, this effort is looking at how “domain boundaries” can be defined for efforts such as the Public Suffix List. From the abstract:

Various Internet protocols and applications require some mechanism for determining whether two Domain Name System (DNS) names are related. In this document we formalize the types of domain name relationships, identify protocols and applications requiring such relationships, review current solutions, and describe the problems that need to be addressed.

While not directly related to the work we do here on Deploy360, it’s interesting from a broader “DNS security perspective”.

And with all of that…  day 4 of IETF 91 will draw to a close for us.  If you are around at IETF 91 in Honolulu, please do find us and say hello!

P.S. Today’s photo is of our own Chris Grundemann making at point at the microphone in the Administrative plenary…

See also:

Relevant Working Groups

We would suggest you use the “tools-style” agenda to find links to easily participate remotely in each of these sessions.

6TISCH (IPv6 over the TSCH mode of IEEE 802.15.4e) WG
Thursday, 13 November 2014, 0900-1130 HST, Hibiscus

TLS (Transport Layer Security) WG
Thursday, 13 November 2014, 0900-1130 HST, Coral 5

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 13 November 2014, 1300-1500 HST, Coral 4

SAAG (Security Area Open Meeting) WG
Thursday, 13 November 2014, 1300-1500 HST, Coral 3

IDR (Inter-Domain Routing Working Group) WG
Thursday, 13 November 2014, 1300-1500 HST, Kahili

DHC (Dynamic Host Configuration) WG
Thursday, 13 November 2014, 1640-1910 HST, Kahili

For more background on what is happening at IETF 91, please see our “Rough Guide to IETF 91″ posts on the ITM blog:

If you are here at IETF 91 in Honolulu, please do feel free to say hello to a member of the Deploy360 team.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

IETF 91 Rough Guide On Routing Resilience And Security – De-aggregation, Route Leaks and more

IETF LogoWhat will be happening next week at IETF 91 with regard to improving the security and resilience of the Internet’s routing infrastructure?

Our colleague Andrei Robachevsky tackles this question in his post this week: “Rough Guide to IETF 91: Routing Resilience & Security“.

Andrei explains that one of the major issues in routing right now is the growth in the size of the global routing tables and the growth of “de-aggregation”… and the challenges that lie therein.  He also writes about “route leaks” and what is being done to address this issue and he writes about the ongoing work related to RPKI in the SIDR working group.

He finishes up talking about the MANRS initiative announced yesterday  and how that can help with overall routing security and resiliency.

Please do read Andrei’s Rough Guide post … and then do check out our topic areas on Securing BGP and Anti-spoofing to learn more about how you can secure your routing infrastructure.  We will look forward to seeing some of you next week at IETF 91!

Show Your Commitment To Routing Security – Join the MANRS Initiative!

MANRS logo

Do you want to make the Internet’s routing infrastructure more secure?  Have you implemented anti-spoofing techniques to help protect against attacks such as DDoS attacks?  Have you secured your use of BGP on your network?

If so, why not consider publicly showing your support by signing up as a participant in the MANRS initiative?

This new routing security initiative, launched today, aims to promote better collaboration between network operators to make the Internet more secure and resilient.  As the home page says:

How can we work together to improve the security and resilience of the global routing system?

Originally called the “Routing Resilience Manifesto”, the initiative published today the “Mutually Agreed Norms for Routing Security” (MANRS) at:

With the announcement came news of an initial set of participants that includes some of the largest global network operators such as Comcast, Level 3 and NTT.  More companies will be added and signups are already coming in!

To participate, a network operator needs to agree to at least 2 (and ideally all 4) of these actions:

Basically you could think of this as a “code of conduct” for network routing… an agreement that companies publicly say they are going to follow to help the overall Internet’s routing infrastructure be more resilient and secure.

Our colleague Andrei Robachevsky has been heading this project and working with a team of people from network operators around the world (some of whom have already signed on as formal participants, others who hope to do so soon).  It’s great to see this out there and we look forward to seeing the list of participants grow.

Please do read the MANRS document and sign up if your network can undertake those actions.  If every network operator can mind their MANRS, we’ll all have a much safer, more secure and more resilient Internet!

P.S. If you are looking for information about how to get started with anti-spoofing or securing BGP, please see our Network Operators Start Here page to get started.


News Release Announcing MANRS – And Asking Network Operators To Sign Up!

MANRS logo square 150 pxWe are pleased to announce that the MANRS document was officially launched this morning, November 6, 2014.

Or read the text below…  and better yet, check out the list of participants and then sign up!


Mutually Agreed Norms for Routing Security (MANRS) recommendations provide a coordinated approach to improve global routing system

[Washington, D.C., USA and Geneva, Switzerland] – 6 November 2014 – Leading network operators around the world today announced that they have implemented a package of recommended measures that help improve the security and resilience of the global Internet.

Working together, network operators have developed a tightly defined set of concrete actions to improve the global Internet routing system. The recommendations, called Mutually Agreed Norms for Routing Security (MANRS) recognize the interdependent nature of the global routing system and integrate best current practices related to routing security and resilience. More network operators from across the globe are encouraged to sign onto the movement and participate by visiting the website and completing the form.

Organized by the Internet Society, and building on the demonstrated success of coordinated industry activities such as World IPv6 Day and World IPv6 Launch, MANRS represents a significant step forward towards building a more resilient and secure Internet infrastructure.

“The security of the Internet as a network of networks often relies on specific collaborative action. This initiative increases the security of the Internet by improving resiliency and stability of the underlying routing infrastructure,” commented Olaf Kolkman, the Internet Society’s Chief Internet Technology Officer. “Participating network operators committed to the MANRS initiative are taking actions that address problems with incorrect routing information and spoofed traffic, demonstrating their collective responsibility to a healthy and secure Internet ecosystem. We encourage and look forward to other network operators around the world publicly taking these steps.”

Participating network operators have taken one or several of the expected actions defined by the MANRS framework. These include preventing propagation of incorrect routing information, preventing traffic with spoofed IP addresses, and facilitating global operational communication and coordination between network operators. Committed network operators are:


● Claranet

● Comcast


● Level 3


● RUNNet

● SpaceNet

● SURFnet

Several of the participating network operators commented on their actions and today’s announcement:

“Adherence to MANRS is an important commitment that operators make back to the Internet community. Together we aim to remove the havens from which miscreants maintain the freedom and anonymity to attack our network and our customers.”
– David Freedman, Claranet Group

”Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals.”
– Jason Livingood, Vice President, Internet Services, Comcast

“Good network routing practice is the fundamental requirement for trust between providers, and ultimately creates a safer and stronger Internet for customers. KPN is committed to providing secure and trustworthy communications, and by joining partners in MANRS, we continue to improve security and resiliency for all.”
– Jaya Baloo, Chief Information Security Officer, KPN

“As one of the most connected Internet providers in the world, security of the Internet is top-of-mind at Level 3 Communications. We are dedicated to supporting and protecting the Internet ecosystem and work each day to safeguard customers’ critical communications. The Internet is a shared responsibility, and only through these important collaborative efforts can we continue to ensure the protection of this collective infrastructure.”
– Dale Drew, Senior Vice President, Chief Security Officer at Level 3 Communications

“SURFnet is a big supporter of these initiatives to make the Internet more secure. Committing to the actions as outlined in the MANRS document will make routing on the Internet safer. This impacts every day usage of the Internet and helps with a free, open, and more secure Internet for all users.”
– Erik Huizer, CTO, SURFnet

For more information about MANRS and the Routing Resilience Manifesto visit:

About the Internet Society

The Internet Society ( is the trusted independent source for Internet information and thought leadership around the world. It is also the organizational home for the Internet Engineering Task Force (IETF). With its principled vision, substantial technological foundation and its global presence, the Internet Society promotes open dialogue on Internet policy, technology, and future development among users, companies, governments, and other organizations. Working with its members and Chapters around the world, the Internet Society enables the continued evolution and growth of the Internet for everyone.

Media Contact
Greg Wood

New MANRS Graphic Available For Usage (And Do You Have A Better Suggestion?)

manrs-300x150Given that it is useful to have a graphic that can be used in articles about this initiative, we created a basic MANRS graphic that you are free to download and use however you see fit under a Creative Commons Attribution 3.0 Unported license.  The graphic is available as a JPEG image in the following formats and sizes:



Please note – IF YOU HAVE A BETTER SUGGESTION for a graphic / logo that we can use to promote the MANRS initiative, we’d love to hear from you!  We created this one because we needed something … but we’re definitely open to other ideas.  Ideally we’d like to have a variety of badges and logos along the lines of what was created for the World IPv6 Launch so that supporters can show their support for the MANRS initiative on their websites, blogs, social media, etc.

Video: Andrei Robachevsky Introduces MANRS At RIPE 69

At the RIPE 69 meeting today in London, Andrei Robachevsky gave a lightning talk about “How Can We Work Together to Improve the Security and Resilience of the Global Routing System?” where he introduced the MANRS document and asked people to join the initiative.  You can view his slides and watch the video of his presentation:

andrei-ripe69If you are interested in being added to the growing list of participants, please sign up!