Category: Transport Layer Security (TLS)

Listen to the Hedge Podcast 39 to Learn about the Open Standards Everywhere Project

logo from the Hedge podcast episode 39 featuring Dan York and open standards everywhere

What is our Open Standards Everywhere (OSE) project all about? How did it get started? What are the project goals? What are some of the challenges web server operators face? How can we work together to make web servers more secure and available?

Recently Russ White and his team interviewed me on The Hedge Podcast Episode 39 to discuss all these questions and much more. I’ve known Russ for a good number of years and it was fun to talk with him and his co-hosts Eyvonne Sharp and Tom Ammon about all things related to the OSE project. I hope you enjoy listening to the episode as much as we enjoyed having the conversation!

Listen now

I would encourage you to listen to some of the other Hedge podcast episodes, too, as they have some great content. A few I personally enjoyed included: episode 37 about DNS privacy; episode 31 about network operator groups (NOGs); and episode 30 with Ethan Banks from the Packet Pushers Network about why understanding the fundamentals of networking is so important.

Thank you to Russ, Eyvonne, and Tom for having me on the show!

Want to be more involved with the Open Standards Everywhere project?

The post Listen to the Hedge Podcast 39 to Learn about the Open Standards Everywhere Project appeared first on Internet Society.

Watch Live Today! DNS Privacy Workshop Streaming from NDSS 2017


Want to learn the latest about DNS privacy? About the latest research and techniques to protect the confidentiality of your DNS info and queries?

Starting at 8:55 am PST (UTC-8) today, there will be what looks to be an outstanding workshop on DNS Privacy streaming live out of the Network and Distributed System Security Symposium (NDSS) in San Diego, California.

View the agenda of the DNS Privacy Workshop to see all the excellent sessions.  You can then join live at:

(Other remote connection options can be found at the bottom of the agenda page.)

Note – this workshop is not about DNSSEC, which is a method to protect the integrity of DNS (to ensure DNS info is not modified in transit), but rather new work being done within the IETF to improve the confidentiality of DNS.

The sessions include:

  • How DNS Works in Tor & Its Anonymity Implications
  • DNS Privacy through Mixnets and Micropayments
  • Towards Secure Name Resolution on the Internet – GNS
  • Changing DNS Usage Profiles for Increased Privacy Protection
  • DNS-DNS: DNS-based De-NAT Scheme
  • Can NSEC5 be practical for DNSSEC deployments?
  • Privacy analysis of the DNS-based protocol for obtaining inclusion proof
  • Panel Discussion: The Tension between DNS Privacy and DNS Service Management
  • The Usability Challenge for DNS Privacy and End Users
  • An Empirical Comparison of DNS Padding Schemes
  • DNS Service Discovery Privacy
  • Trustworthy DNS Privacy Services
  • EIL: Dealing with the Privacy Problem of ECS
  • Panel Discussion: DNS-over-TLS Service Provision Challenges: Testing, Verification,

If you are not there in person (as I will not be), you can also follow along on the #NDSS17 hashtag on Twitter. There will also be tweets coming out of:

Stéphane Bortzmeyer will also be attending (and speaking at) the workshop – and he is usually a prolific tweeter at @bortzmeyer.

The sessions will also be recorded for later viewing. I’m looking forward to seeing the activity coming out of this event spur further activity on making DNS even more secure and private.

Please do follow along remotely – and please do share this information with other people you think might be interested. Thank you!

Image from Unsplash – I thought about showing the wide beaches, but the reality is that the conference participants won’t really get a chance to visit them. I thought “Lifeguard” was appropriate, though, because lifeguards are all about protecting people and keeping things safe.

The post Watch Live Today! DNS Privacy Workshop Streaming from NDSS 2017 appeared first on Internet Society.

Deploy360@IETF92, Day 1: SIDR, 6MAN, DPRIVE and UTA

ROW workshop at IETF 92On this first day of IETF 92 in Dallas, our attention as the Deploy360 team is on securing the Internet’s routing infrastructure, improving the IPv6 protocol and securing the privacy and confidentiality of DNS queries.

NOTE: If you are unable to attend IETF 92 in person, there are multiple ways to participate remotely.

The day begins with two sessions in the 0900-1130 CDT block.  In the Parisian room the SIDR working group will be working through a good number of Internet Drafts relating to both RPKI and BGPSEC.  Both of these are some of the tools we view as important in securing BPG and making the routing infrastructure more resilient and secure.  Our colleague Andrei Robachevsky dived into more detail in his recent Rough Guide post.  Also on the agenda is the release of results about a survey about RPKI and DNSSEC deployment undertaken last fall by researchers at the Freie Universitaet Berlin which could be interesting to learn about.

At the same time over in the International Room, the 6MAN working group has a long agenda relating to various points discovered during the ongoing deployment of IPv6.   Given that we keep seeing solid growth each month in IPv6 deployment measurements, it’s not surprising that we’d see documents brought forward identifying ways in which the IPv6 protocol needs to evolve.  This is great to see and will only help the ongoing deployment.

Moving on to the 1300-1500 CDT session block, there are two working groups that are not ones we primarily follow, but are still related to the overall themes here on the site:

  • the TRANS working group is looking to standardize “Certificate Transparency” (CT), a mechanism to add a layer of checking to TLS certificates;
  • the DNSSD working group continues its work to standardize DNS-based service discovery beyond a simple single network.  Our interest here is really that this kind of service discovery does need to be secured in some manner.

In the 1520-1650 CDT session block, a big focus for us will be the newer DPRIVE working group that is looking into mechanisms to make DNS queries more secure and confidential.  As I wrote in my Rough Guide post, a concern is to make it harder for pervasive monitoring to occur and be able to track what a user is doing through DNS queries.  DPRIVE has a full agenda, and knowing some of the personalities I expect the debate to be passionate.

Simultaneously, over in the Parisian Room, the Using TLS In Applications (UTA) working group will continue it’s work to make it easier for developers to add TLS to applications.  The UTA agenda at IETF 92 shows a focus on one mechanism for email privacy.

After all of this, we’ll be heading to the Technical Plenary from 1710-1910 CDT where the technical topic is on “Smart Object Architecture” which sounds interesting.  You can watch a live video stream of the Technical Plenary at

For some more background, please read these Rough Guide posts from Andrei, Phil, Karen and myself:

Relevant Working Groups:

For more background on what is happening at IETF 92, please see our “Rough Guide to IETF 92″ posts on the ITM blog:

If you are at IETF 92 in Dallas, please do feel free to say hello to our Chris Grundemann.  And if you want to get started with IPv6, DNSSEC or one of our other topics, please visit our “Start Here” page to find resources appropriate to your type of organization.

Image: a photo by Chris Grundemann of the ROW workshop on the Sunday prior to IETF 92.

The post Deploy360@IETF92, Day 1: SIDR, 6MAN, DPRIVE and UTA appeared first on Internet Society.

At IETF92 Next Week, Much Happening With IPv6, DNSSEC, DANE, TLS and more…

Dallas skylineNext week is IETF 92 in Dallas, Texas, and there will be a great amount of activity happening with the topics we cover here on Deploy360: IPv6, DNSSEC (and DANE), TLS, anti-spoofing and securing BGP.  As part of the Rough Guide to IETF 92, several of us have written posts outlining what’s happening in the various topic areas:

In each of those posts you’ll find a summary of what’s happening and a list of the relevant working groups and the associated links about how to learn more.  More information about IETF 92 in general can be found on the main Rough Guide to IETF 92 page at:

Beyond all of that, Chris Grundemann will also be talking about our “Operators and the IETF” work and discussing Best Current Operational Practices (BCOP) with people as well.

If you can’t get to Dallas next week, you can attend remotely!  Just visit the IETF 92 remote participation page or check out for more options.

To that end, as a bit of a change both Megan Kruse and I (Dan York) will be participating in this IETF 92 remotely.  It’s very strange to not be attending an IETF meeting in person, but different circumstances have made it not possible for both of us.  Jan Žorž will also be remote having just returned from v6 World Congress in Paris and about to head off to another event.   Chris Grundemann will be there on site in Dallas, though, and so if you have any questions about Deploy360 activities or want to get more involved, please contact Chris!

We’re looking forward to the usual crazy busy blur of a week that is an IETF meeting… and we’re looking forward to learning what else we can do to help accelerate the deployment of these key Internet technologies to make the Internet work better, faster and be more secure!

An audio commentary about IETF 92 is also available from our SoundCloud account:

The post At IETF92 Next Week, Much Happening With IPv6, DNSSEC, DANE, TLS and more… appeared first on Internet Society.

Want To Quickly Create A TLSA Record For DANE / DNSSEC?

Generate-TLSA-Record-3Would you like to use the DANE protocol to secure your SSL/TLS certificate via DNSSEC?  If so, the first step is to generate and publish a “TLSA record” in DNS – and that record generation can be a stumbling block for some people.  While there are command-line tools such as just the basic “openssl” or Paul Wouter’s “hash-slinger“, Shumon Huque recently released a web interface that lets you easily create a TLSA record.  As Shumon writes about on his blog, the tool is at:

All you need to do is to set the type of TLSA record you want to create, paste in the X.509 certificate, and enter the appropriate port number, protocol and domain name.  Shumon’s script then generates the appropriate TLSA record that you can paste into your DNS zone file.

Last year, Shumon wrote a post on “DNSSEC and Certificates” where he walked through how to do this using openssl on the command line – this latest post now builds on that to make it even easier.

It’s excellent that Shumon has made this tool available and we look forward to seeing many more TLSA records out there!  (If you have a SSL/TLS cert for your website, how about adding a TLSA record today?)

The post Want To Quickly Create A TLSA Record For DANE / DNSSEC? appeared first on Internet Society.