Category: Tutorials


WATCH LIVE Today – DNSSEC For Everybody: A Beginner’s Guide, from ICANN 55


Want to learn about DNSSEC and how it adds a layer of trust to DNS? Puzzled by how it all works? If so, please join us today from 16:45 to 18:15 UTC for “DNSSEC for Everybody: A Beginner’s Guide”, streaming live out of Marrakech, Morocco, in both audio and video via the links on this page:

(The video and slides are provided via the “Virtual Meeting Room Stream Live” link.)

The session consists of an introduction and then a skit where a group of us act out DNS operations – and then add DNSSEC into the picture.

Yes… you heard that right… a bunch of engineers acting out a skit about DNS!   :-)

Hey… you might as well have a bit of fun with it, eh? Experience has shown us that this skit helps people tremendously in understanding DNS and DNSSEC. We also cover some other technical information and usually spend about half the session answering questions from participants.

Please do join us!

This tutorial today is part of a larger set of DNSSEC activities planned for this week.  As the session abstract says:

DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues.

Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.

The session is aimed at everyone, so no technical knowledge is required. Come and find out what it’s all about…!

If you can’t view it live the session will be recorded for later viewing.  And if you want to get started today with DNSSEC, please see our Start Here page to begin!


Watch Live TODAY – DNSSEC For Everybody: A Beginner’s Guide at ICANN53

In about 35 minutes, at 17:00 Argentina time (UTC-3), we will be streaming live out of ICANN 53 in Buenos Aires, Argentina, with the “DNSSEC For Everybody: A Beginner’s Guide” session. You can watch and listen live at this link:

The session runs for 90 minutes today, roughly half of which is the actual program; the remainder usually turns into a live Q&A session. I’ll open with some introductory remarks, then we’ll have a skit that dramatizes DNS and DNSSEC interactions, then Russ Mundy will go into a bit more detail about DNSSEC… and then we’ll go to Q&A.

Note that remote participants can ask questions through the Adobe Connect interface.

If you’d like a quick way to understand more about DNS and DNSSEC… join us!

It will be archived for later viewing, too, if you can’t watch it live.

P.S.  If you’d like to get started with DNSSEC, visit our Start Here page to begin!

CloudFlare Publishes Excellent Introduction To DNSSEC

The team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read. CloudFlare has developed a reputation for writing blog posts with a solid level of technical depth, and this one certainly delivers. Nick Sullivan starts by walking through the basics of DNS, including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:

CloudFlare MITM example

Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible. He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on how NSEC/NSEC3 records prove that a name or record does not exist.

All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece.  Thanks to Nick Sullivan and his team for getting this out there!

As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014.  Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. :-)  It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF.  We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.

All great to see – and this will only help get DNSSEC much more widely deployed!

If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!

A Quick Ebook To Learn About IPv6: The Consumer Guide

Are you looking for a quick way to learn more about IPv6 and how to get started? Would you like to quickly set up a computer to test out IPv6 and learn how to use it?

If so, check out the Consumer Guide: All About IPv6. Published by the Internet Society Hong Kong Chapter, this ebook gives a basic introduction to IPv6 and then provides tutorials for configuring IPv6 on consumer devices. It explains IPv4 address exhaustion and the other benefits of IPv6 adoption, and includes tutorials on how to enable and configure IPv6 and 6in4 tunneling on typical consumer software including Windows 7, Apple’s OS X, VPN clients, and home routers.

The book is a well-done basic introduction to IPv6 that is easy to read and understand.  It is available both as a PDF that can be printed or read in an ebook reader or on a tablet or smartphone – or as a website for desktop viewing, complete with a clickable table of contents and other controls.

Thanks to the ISOC Hong Kong Chapter for creating such a useful guide!

If you are looking for more resources to get started with IPv6, please visit our “Start Here” pages that can guide you to resources appropriate to your type of organization or activity.

Microsoft Publishes Guide To Deploying DNSSEC In Windows Server 2012

Do you work in an enterprise using Microsoft Windows Server 2012, and are you interested in deploying DNSSEC validation to provide better security to your users, and/or in securing your own DNS zones with DNSSEC?

If so, the good folks at Microsoft just recently released a new guide “DNSSEC in Windows Server 2012” that guides you through what you need to do to deploy DNSSEC in Windows Server 2012 and Windows Server 2012 R2.  I’d note that it covers both the validation and signing sides of DNSSEC.

The document has four major sections:

  • Overview of DNSSEC
  • DNSSEC in Windows
  • DNSSEC Deployment Planning
  • Deploy DNSSEC with Windows Server 2012

as well as a few appendices. The document goes into quite a deep level of detail on how DNSSEC is integrated into various aspects of Windows Server 2012. The “Deployment Planning” section seemed quite useful too, as it explores performance requirements and suggests a process for staging a deployment.

In reading through the document, I was quite impressed by the “Deploy DNSSEC with Windows Server 2012” section, which includes many different checklists to help administrators know precisely what they need to be doing. While I don’t personally work with Windows Server 2012, the checklists seemed to cover the areas I would want them to cover.

As we look to get more enterprises doing DNSSEC validation and also signing their own zones, it is great to see this document come out of Microsoft!    If you work with Microsoft Windows Server 2012, definitely do give it a look – and start deploying DNSSEC today!


Video: Cisco’s Hangout on “Enabling IPv6 In Your Network”

It’s the second day of 2014. Are you at work looking to get started with deploying IPv6 in your network? Or are you at home on holiday break and looking for something educational to watch online?  Was deploying IPv6 one of your New Year’s Resolutions?

If so, you might be interested in watching this Google+ Hangout recorded by the folks at Cisco Systems in December 2013 where Cisco’s Harpreet Singh provided an outline of what changes with IPv6, what you need to think about in your network, what kind of planning you need to do for the migration and similar topics.  While the video is of course from a vendor of networking equipment, the session and slides do provide a good general overview of IPv6 transition issues. Great to see Cisco making these kinds of sessions available!

Free Ebook: IPv6 for IPv4 Experts (in English and Russian)

Looking for some reading over the holiday break? Want to learn more about IPv6 and how you can be a part of the ongoing transition of the Internet?

If so, Yar Tikhiy has written a free ebook, “IPv6 for IPv4 Experts” that is available from:

The book is available in English in two PDF formats and in Russian in PDF, HTML and EPUB.

I’ve not had a chance to thoroughly review the document yet, but on an initial glance through it looks to be quite an excellent resource for people looking to learn more about IPv6.  We’ve added it to our list of IPv6 resources and encourage you to check it out.

At a very high level, the overall structure of the book is:

1. Defining the Problem
2. IPv6 Address
3. IPv6 Packet
4. IPv6 in the Protocol Stack
5. Neighbor Discovery Protocol
6. Advanced IPv6

If you look at one of the PDF files, you can see from the table of contents that there is a good amount of detail included in the ebook.

It’s great to see this kind of content being made available and we thank Yar Tikhiy for writing this!

Ebook: IPv6 for IPv4 Experts (Available In English And Russian)

In September 2013, Yar Tikhiy released a free ebook titled “IPv6 for IPv4 Experts” available at:

The ebook is available in English in multiple PDF sizes and in Russian in PDF, EPUB and HTML. In A4 paper size the document comes in at 402 pages and at a high level has this structure:

1. Defining the Problem
2. IPv6 Address
3. IPv6 Packet
4. IPv6 in the Protocol Stack
5. Neighbor Discovery Protocol
6. Advanced IPv6

The ebook is marked as a draft and some errata have been noted.


Watch/Listen Live TODAY to “DNSSEC For Everybody – A Beginner’s Guide” at ICANN 48

Want to quickly learn about DNSSEC and how it can make the Internet more secure? Want to see an easy illustration of how DNSSEC works? Want to understand why DNSSEC is so important to strengthen the Internet against attackers? If so, tune in TODAY at 17:00 Buenos Aires time (20:00 UTC, 3:00 pm US Eastern) for the “DNSSEC For Everybody – A Beginner’s Guide” session, where a group of people involved with DNSSEC will answer all these questions and more. Information is at:

There are audio streams available in 7 languages and a “Virtual Meeting Room Stream Live” that will get you video and the slides.  The slides and session notes are also available at the bottom of that web page.

The overview of the session is:

DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues. Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.

These are great sessions and usually I participate, but this week my travel schedule won’t get me to ICANN 48 until tomorrow. (Warren Kumari thankfully was able to cover my usual role.) You don’t need any knowledge of DNSSEC to participate, and the session talks about DNSSEC in a fun and interesting way. (And yes, there’s actually a skit involved!)

Look for the blue smoke… :-)

P.S. If you can’t watch live, the session will be recorded and available later at that same URL for viewing.


Deployment Guide: DNSSEC for Internet Service Providers (ISPs)

An Internet Service Provider needs to offer high value while containing costs. One way to increase your services’ value is to ensure your customers get to the intended websites, protecting them from going to phishing sites or sites that distribute malware.

One way to offer such protection at relatively little cost is through the DNS Security Extensions, an Internet standard commonly known as “DNSSEC”. By deploying DNSSEC-validating DNS resolvers within your network, you provide a higher level of security and trust to your customers and help prevent certain types of attacks and redirection, such as cache poisoning. You also enable customers to use new services, such as DANE, that build on DNSSEC to add trust and integrity protection to Web certificates (SSL/TLS).

DNSSEC ensures that the information your users retrieve from the DNS is the same information that the domain’s operator entered into the DNS. It verifies that this information was not modified so that your users are directed to their intended destinations.

DNSSEC has two components: the signing of DNS records for a domain, and the validation of those cryptographic signatures by caching recursive nameservers (resolvers). For an ISP, deploying DNSSEC-validating resolvers is the most critical element of DNSSEC adoption, and this document explains what is necessary to roll out DNSSEC validation to your customers.

Initial deployment of DNSSEC validation is usually quite inexpensive, requiring a relatively small investment in new hardware and software and only a modest time investment; typical deployment may be completed with as little as a week of total effort by experienced system administrators, depending on how many recursive nameservers and end users are involved.

Hardware and Software

Caching recursive nameservers are the most important part of a DNSSEC validation deployment since they cache and validate answers to DNS queries submitted by end users. Modern, off-the-shelf server hardware is sufficiently powerful to operate a DNSSEC-validating caching recursive nameserver. In addition, it is perfectly feasible to operate such a nameserver on a virtual machine.

Your choice of nameserver software and its version are important to your success with DNSSEC. DNS infrastructures based on the BIND DNS server should run at least version 9.7, whose features simplify DNSSEC management. All versions of Unbound natively support DNSSEC validation, although version 1.4 and later have features that simplify DNSSEC management.

Microsoft Windows Server 2012 also includes full DNSSEC support, including command-line instructions to retrieve the necessary root trust anchors. SURFnet, the Dutch national research and education network, has published a whitepaper (PDF) explaining this process.

Effects on Network

In your planning, you should be aware that DNSSEC traffic has several effects on network traffic:

  • DNSSEC adds digital signatures (RRSIG records) to DNS responses, so signed responses are much larger than unsigned ones and can exceed the 1,500-byte Ethernet MTU. While large DNS responses are possible without DNSSEC, you must budget for the additional bandwidth, and because large responses make an open resolver attractive for reflection/amplification attacks, ensure that only your own customers (legitimate hosts) can query your recursive nameservers.
  • Traditionally, the DNS relies on UDP for queries and responses, but when a response does not fit in the UDP payload size the client advertised, the server sets the TC (truncated) bit and the client retries over TCP. DNSSEC makes this fallback far more common, so check with your firewall vendor and system administrators that your network allows DNS over TCP (port 53) in both directions.
  • Your network equipment must pass large UDP DNS packets: EDNS0 lets clients advertise payload sizes well beyond the classic 512-byte limit (commonly up to 4,096 bytes), and such packets are often IP-fragmented, so fragments must not be dropped.

Pre-Deployment Checklist

This checklist can help you to plan your deployment:

  • Software supports DNSSEC validation: BIND 9.7+, Unbound 1.4+, Microsoft Windows Server 2012 (for signing your own authoritative zones: Knot DNS 1.4.0+, PowerDNS Authoritative Server 3.0+)
  • Server systems are sufficiently modern
  • Network infrastructure can handle DNSSEC requirements
  • DNS over TCP is allowed
  • Large UDP DNS packets are allowed through firewall
  • UDP fragments are not blocked by firewall
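The network effects listed above and the last three checklist items can be tested from any host on your network. The following script is an added example for this page, not part of the original guide: it hand-builds an EDNS0 query with the DO bit, parses the reply to see whether the TC bit forced a TCP retry and whether a validating resolver set the AD bit, and reports the EDNS payload size the server advertises. The resolver address on the command line is whatever you choose to test; the two sample responses at the bottom are constructed, not captured, so the parsing can be checked offline.

```python
"""Probe a recursive resolver for DNSSEC readiness: EDNS0 payload size,
TC-bit fallback to TCP, and the AD (authenticated data) bit.

Added example for this page (not from the original guide).  The query is
built by hand so the checks need nothing beyond the standard library.
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48


def encode_name(name: str) -> bytes:
    """'example.com.' -> 7 'example' 3 'com' 0; the root '.' -> a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                bufsize: int = 4096, do: bool = True) -> bytes:
    """RD=1 query with one question plus an EDNS0 OPT pseudo-RR (RFC 6891).
    OPT reuses the CLASS field for the advertised UDP payload size and bit 15
    of the TTL field for DO, "DNSSEC OK", which asks for RRSIGs in the answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly-compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # two-byte pointer back into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Extract the header bits and answer record types the checklist cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "answer_types": [], "rrsig_in_answer": False,
            "edns_bufsize": None}
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info["edns_bufsize"] = rclass      # the server's own UDP payload limit
            elif section == "an":
                info["answer_types"].append(rtype)
                info["rrsig_in_answer"] |= rtype == TYPE_RRSIG
    return info


def probe(resolver: str, name: str = ".", qtype: int = TYPE_DNSKEY, timeout: float = 3.0) -> dict:
    """Query over UDP; if the reply is truncated, repeat over TCP (RFC 7766 framing).
    The root DNSKEY RRset is a convenient large, signed test answer."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (resolver, 53))
        data = udp.recv(4096)
    info = parse_response(data)
    info["transport"] = "udp"
    if info["tc"]:
        with socket.create_connection((resolver, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", tcp.recv(2))
            data = b""
            while len(data) < length:
                data += tcp.recv(length - len(data))
        info = parse_response(data)
        info["transport"] = "tcp"
    return info


# Constructed sample traffic (not real captures) so the parser can be checked offline.
QUERY = build_query("example.com.", TYPE_A)
_QUESTION = QUERY[12:12 + len(encode_name("example.com.")) + 4]
# Reply that only says "too big for UDP, retry over TCP": QR, TC, RD, RA set, no records.
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
# Validated reply: QR, RD, RA, AD set; one A record, its RRSIG, and the server's OPT RR.
_A_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
_SIG = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 2063) + encode_name("example.com.") + b"\x00" * 16
_RRSIG_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(_SIG)) + _SIG
_OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + _QUESTION + _A_RR + _RRSIG_RR + _OPT_RR

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # usage: python probe.py <resolver-ip>
```

Run it against each recursive nameserver from inside and outside your network. A UDP timeout with a working TCP retry points at fragments being dropped; a TCP timeout means port 53/TCP is filtered; "ad" staying False for the root DNSKEY means the resolver is not validating (or is behind a forwarder that strips the bit).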

Beginning Your Deployment

After you install your recursive caching nameservers (or on existing nameservers where you want to start validating), they must be configured with a “trust anchor” in order to validate DNSSEC signatures. The trust anchor for the root of the DNS is published by IANA and also ships with most resolver software. Check the trust anchor’s validity by obtaining it from multiple independent sources (for example, the published DS record compared against the DNSKEY RRset served by the root servers) and confirming that they agree.
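Comparing a DS-format trust anchor against a DNSKEY you fetched yourself is mechanical once you have the two RFC 4034 computations. The code below is an added example for this page, not from the original guide: it implements the key tag (RFC 4034 appendix B) and the DS digest (RFC 4034 section 5.1.4, a hash over the owner name in wire format followed by the DNSKEY RDATA) and checks that a DS line and a DNSKEY line describe the same key. The DNSKEY at the bottom is a constructed placeholder with a four-byte "public key", not a real root key; in practice you feed it the output of a DNSKEY query to a root server and the DS line from the anchor file.

```python
"""Verify a DNSSEC trust anchor (DS form) against an independently fetched DNSKEY.

Added example for this page, not from the original guide.  Implements the
RFC 4034 key-tag and DS-digest computations; the sample key is a placeholder.
"""
import base64
import hashlib
import struct

ZONE_KEY, SEP = 0x0100, 0x0001                      # DNSKEY flag bits (RFC 4034 2.1.1)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in wire format, lower-cased; the root '.' is a single zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit ones-complement-style sum over the DNSKEY RDATA
    (valid for every algorithm except the obsolete RSA/MD5, algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> tuple:
    """'<owner> [TTL] [IN] DNSKEY flags protocol algorithm base64...' -> (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # dig breaks the key over spaces
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_ds(line: str) -> tuple:
    """'<owner> [TTL] [IN] DS tag algorithm digest_type hex...' -> (owner, tag, alg, type, HEX)."""
    fields = line.split()
    i = fields.index("DS")
    return (fields[0], int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
            "".join(fields[i + 4:]).upper())


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation line for a DNSKEY: digest = H(owner wire || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def anchor_matches(ds_line: str, dnskey_line: str) -> bool:
    """True only if the DNSKEY is a zone key and reproduces the DS tag, algorithm and digest."""
    owner, rdata = parse_dnskey(dnskey_line)
    ds_owner, tag, alg, dtype, digest = parse_ds(ds_line)
    (flags,) = struct.unpack("!H", rdata[:2])
    if name_to_wire(owner) != name_to_wire(ds_owner) or not flags & ZONE_KEY:
        return False
    if rdata[3] != alg or key_tag(rdata) != tag or dtype not in DIGESTS:
        return False
    return make_ds(owner, rdata, dtype).split()[-1] == digest


# Constructed placeholder: flags 257 = zone key + SEP, protocol 3, RSA/SHA-256 (8),
# and the bytes 01 02 03 04 standing in for a real public key.
SAMPLE_DNSKEY = ". IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_DS = make_ds(".", parse_dnskey(SAMPLE_DNSKEY)[1])

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("anchor matches key:", anchor_matches(SAMPLE_DS, SAMPLE_DNSKEY))
```

Because the DS digest covers the owner name as well as the key material, a DNSKEY copied under the wrong name will not match; and because a key-signing key must have the zone-key flag set, the check refuses keys with flags that a resolver would never use for validation.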

When you enable DNSSEC validation on your recursive caching nameserver, you may see validation failures in the log files. While these errors could be signs of a cache-poisoning attack, they may also result from operational errors (particularly in these early days of DNSSEC deployment). This could be something as simple as a zone operator failing to re-sign the zone before its signatures expired.

Validation failures for a zone mean that your users will not be able to reach that domain. When errors of this type appear, it is far better to inform users about the source of the problem and how they were protected from using potentially insecure information than to disable validation in order to provide continued access to the “broken” domain. Standards for how to perform this notification continue to evolve, though some organizations use a dedicated website or social-media channel to post notifications of current validation failures. Whatever system you create, it is important that your customers and customer-support team can easily find the information.

Some ISPs also install a temporary “negative trust anchor” for a broken zone while they notify the zone’s operators of the error, since the failure would otherwise severely degrade their users’ Internet experience. An Internet Draft (since published as RFC 7646) explains this process; Unbound implements it with the domain-insecure option, and BIND 9.11 and later with the rndc nta command. A negative trust anchor should be time-limited and removed as soon as the zone is fixed.

While feedback from operators of validating recursive nameservers shows that enabling DNSSEC validation does not necessarily increase help-desk calls, it is still sensible to train help-desk staff on DNSSEC and to give them tools to help with debugging (e.g. a non-validating resolver, or dig with the +cd flag, which asks a validating resolver to return the data without checking signatures).
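The three preceding paragraphs (reading the logs, deciding what to tell users, and equipping the help desk) come together in a small triage step that most ISPs end up scripting. The following is an added example for this page, not from the original guide: it reads validation-failure lines in the shape Unbound logs at val-log-level 1, groups them by the signing zone, and labels each group so staff can tell an operator who let signatures expire from a signature that does not verify at all. The sample log lines are constructed, not real captures, and the exact wording varies between resolver versions, so adjust the patterns for the software you run.

```python
"""Triage DNSSEC validation failures from resolver logs for a status page.

Added example for this page, not from the original guide.  Line format is
modelled on Unbound's "validation failure <name type class>: reason ..."
messages; the sample lines are constructed.
"""
import re
from collections import defaultdict

FAILURE_RE = re.compile(r"validation failure <(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<rest>.*)$")
SIGNER_RE = re.compile(r" for (?:key|DS|DNSKEY) (?P<signer>\S+)")

# Substring of the reason -> category; first match wins.
CATEGORIES = (
    ("signature expired", "expired_signature"),         # operator forgot to re-sign
    ("signature before inception", "clock_or_resign_error"),
    ("no signatures", "missing_signature"),             # DS says signed, data is not
    ("no DNSKEY", "missing_key"),
    ("signature crypto failed", "bad_signature"),       # wrong key, corruption or forgery
)
ADVICE = {
    "expired_signature": "signatures expired; zone operator likely forgot to re-sign",
    "clock_or_resign_error": "signature not yet valid; operator signing clock or rollover error",
    "missing_signature": "DS published but answers unsigned; operator error during key change",
    "missing_key": "DNSKEY not found; operator error during key change",
    "bad_signature": "signature does not verify; treat as possible tampering until ruled out",
    "mixed": "several failure types; investigate",
    "other": "unclassified failure; investigate",
}


def categorise(reason: str) -> str:
    for needle, label in CATEGORIES:
        if needle in reason:
            return label
    return "other"


def parse_line(line: str):
    """Return a dict for a validation-failure line, or None for anything else."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    rest = m["rest"]
    reason = rest.split(" from ")[0].strip()       # text before the responding server's IP
    signer = SIGNER_RE.search(rest)
    return {"name": m["name"], "rtype": m["rtype"], "reason": reason,
            "category": categorise(reason),
            "zone": signer["signer"] if signer else m["name"]}


def triage(lines) -> dict:
    """Group failures by signing zone; a bad signature anywhere outranks other causes."""
    report = defaultdict(lambda: {"count": 0, "names": set(), "categories": set()})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        entry = report[event["zone"]]
        entry["count"] += 1
        entry["names"].add(event["name"])
        entry["categories"].add(event["category"])
    for entry in report.values():
        cats = entry["categories"]
        if "bad_signature" in cats:
            entry["category"] = "bad_signature"
        elif len(cats) == 1:
            entry["category"] = next(iter(cats))
        else:
            entry["category"] = "mixed"
    return dict(report)


def format_notice(report: dict) -> list:
    """One status-page line per zone.  Validation stays enabled in every case."""
    return [f"{zone}: {e['count']} validation failure(s) affecting {len(e['names'])} name(s); "
            f"{ADVICE[e['category']]}; validation remains enabled"
            for zone, e in sorted(report.items())]


# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    "Mar 10 09:14:00 ns1 unbound[1234:0] info: resolving www.example.net. A IN",
    "Mar 10 09:14:02 ns1 unbound[1234:0] info: validation failure <www.example.net. A IN>: "
    "signature expired from 192.0.2.53 for key example.net. while building chain of trust",
    "Mar 10 09:14:05 ns1 unbound[1234:0] info: validation failure <example.net. AAAA IN>: "
    "signature expired from 192.0.2.53 for key example.net. while building chain of trust",
    "Mar 10 09:15:11 ns1 unbound[1234:0] info: validation failure <shop.example.org. A IN>: "
    "no signatures from 198.51.100.7 for DS example.org. while building chain of trust",
    "Mar 10 09:16:40 ns1 unbound[1234:0] info: validation failure <bank.example.com. A IN>: "
    "signature crypto failed from 203.0.113.9 for key example.com. while building chain of trust",
]

if __name__ == "__main__":
    for notice in format_notice(triage(SAMPLE_LOG)):
        print(notice)
```

Feeding the resolver log through this on a schedule gives the support team the list of currently failing zones and a one-line explanation per zone, which is the information the notification channel above needs; note that no category ever recommends turning validation off.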


DNSSEC rollout is progressing steadily on the Internet, and deployment of validating caching recursive nameservers is an important part of this trend. By deploying DNSSEC within your network you will increase your customers’ Internet security. Doing so provides significant benefits at a minimal cost, and we urge you to begin this process today.