Category: Tutorials


“Introduction To DNSSEC” Animated Videos Uploaded To YouTube

With the buzz over Google’s news about DNSSEC yesterday, we’ve seen a large surge of visitors to our DNSSEC-related resources. In the midst of that, someone pointed out that the excellent introduction to DNSSEC video from Shinkuro, Inc., was no longer available on YouTube. Given that we work well with the Shinkuro team, we reached out to them and found out that while they maintain a copy of the video on their site, they had not been responsible for the YouTube version. With their permission, we have now uploaded the video to our Deploy360 YouTube channel and can make it available for embedding and viewing.

The silent animated video was created back in 2006 but continues to be an excellent illustration of how the DNSSEC process works and the threats it protects against. Thanks again to Shinkuro for making the video available.

As we note on our resource page about the video, there is also a second version that doesn’t include the text narration on the right side that some of you may find useful if you want to show a video about DNSSEC and provide your own narration.  (In fact… it might be an interesting exercise to take this second video and create versions with voice-overs in a number of different languages – if you do that and create a version, let us know and we’ll look at linking to your video.)


Excellent whitepaper/tutorial from SURFnet on deploying DNSSEC-validating DNS servers

How do you get started with deploying DNSSEC-validating DNS servers on your network? What kind of planning should you undertake? What are the steps you need to go through?

The team over at SURFnet in the Netherlands recently released an excellent whitepaper that goes into the importance of setting up DNSSEC validation, the requirements for using validation, the planning process you should use, etc.

As we note on our resource page about the whitepaper, the document then walks through the specific steps for setting up DNSSEC validation in three of the common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For us to get DNSSEC widely available we need to have DNS resolvers on networks performing the actual validation of DNS queries using DNSSEC.  This guide is a great way to get started.

Have you enabled DNSSEC validation on your network?

Deploying DNSSEC: Validation on recursive caching name servers

Why should you deploy DNSSEC-validating DNS resolvers on your network? What kind of planning should you do to prepare? What steps do you need to do?

The team at SURFnet has published a whitepaper titled “Deploying DNSSEC: Validation on recursive caching name servers” (PDF) that answers these specific questions and much more.  The document covers:

  • Cost and benefits of deploying DNSSEC
  • DNS architecture
  • Requirements before deployment
  • Planning your deployment
  • Operational requirements and practices

The document then gets into specific step-by-step instructions for three of the most common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For people looking to deploy DNSSEC-validation within their network, this guide provides an excellent way to get started.

Video from CO ISOC: IPv6: What is it, why do I need it, and how do I get it?

What is IPv6 all about? Why do you need it? How do you get it? These are the questions a recent event hosted by the Colorado (US) chapter of the Internet Society on August 28, 2012, sought to answer. The session began with a keynote by Scott Hogg, Director, Technology Solutions, Global Technology Resources (GTRI) and was followed by a panel including:

  • Jeff Doyle, President, Jeff Doyle and Associates
  • Chris Grundemann, Network Architect, CableLabs
  • Cricket Liu, VP, Architecture & Technology, Infoblox
  • Shannon McFarland, Principal Engineer, Corporate Consulting Engineering Group, Cisco
  • Scott Hogg, Director, Technology Solutions, Global Technology Resources (GTRI)

More information and bios of the presenters can be found at: https://coisocipv6.eventbrite.com/

The session itself is available on YouTube and comes in at around 1 hour and 46 minutes.

IPv6 Friday: IPv6 for beginners

What are some good steps for someone just beginning with IPv6? Over on his IPv6 Friday site, Olle Johansson published an “IPv6 for beginners” post today that provides a nice checklist for individuals who want to get started.

Olle’s primary focus is on suggesting you set up an IPv6 tunnel so that you can get IPv6 into your home network – even if your local Internet Service Provider does not support IPv6. I can say myself that this works great as it is how I get IPv6 connectivity into my home office in Keene, New Hampshire. As Olle notes, there are now a number of different IPv6 tunnel providers. Hurricane Electric (HE) and SixXS are probably the best known out there, but others exist too.

Olle also answers a number of other questions and points to a number of resources out there for learning more about IPv6, including Deploy360. (Thanks, Olle!)

It’s good to see more tutorial info like this out there and I do hope it encourages more people to try out getting IPv6 into their local networks.

P.S. If you live in the US or Canada, this is probably a long weekend for the Labo(u)r Day holiday… if you need a geeky distraction, why not try getting IPv6 set up on your home network? :-)

Video Tutorial: Using FTP over IPv6

The folks at RhinoSoft recently published a video on YouTube showing how their “Serv-U” FTP server and “FTP Voyager” FTP client all work with IPv6. While obviously focused on one vendor’s implementation, it provides an interesting view into how IPv6 can work with FTP. Kudos to the team at RhinoSoft for making this video available.

As with any reference we make to commercial products, we at the Internet Society Deploy360 Programme are not explicitly endorsing this product but rather providing a view of what this vendor is doing with FTP and IPv6. If we find other similar vendors providing services over IPv6 we are glad to consider posting about their videos, too. (And suggestions are always welcome.)

Want to understand DNSSEC? Watch this excellent 1-hour elearning video.

Want to understand DNSSEC and how it can help secure the Internet?  The folks at SIDN, the registry behind the .NL country code top-level domain (ccTLD), have put together a truly excellent 1-hour video e-learning session available in either English or Dutch at:

http://www.dnsseccourse.nl/

The course touches on the basics of DNS then explains the role of DNSSEC, how it works and the steps that need to be done.  It also has some solid points about things you need to think about and also business impacts of DNSSEC.  Perhaps most usefully, the course includes a number of animations that really illustrate how DNSSEC works, as well as a few examples of what DNS zone files really look like with DNSSEC involved.

The video’s target audience is really domain name registrars who would enable DNSSEC for their customers (domain name registrants). However, SIDN created the video in such a way that it’s quite a useful introduction to DNSSEC for anyone interested in the topic.

I found the elearning user interface quite nice in that you could skip around between sections, return to past sections, stop/start the sections and skip ahead as well.  The “Notes” tab also includes the text of what was said in each section, which I could see being quite valuable particularly for those for whom English or Dutch is not a native language.  It was also nice to have the video introductions from Bert Hubert interspersed with the slides and animations.


My one issue with the user interface was that when a section was done you have to press the “Next” button to move on to the next section.  Given that there are 74 sections, I soon found myself wishing there was an “auto-advance” that would just keep on playing the video.  A minor quibble, perhaps. Otherwise I was quite pleased.

On a technical level, my only issue was that the course oversimplified one aspect of the DNSSEC infrastructure. It states that a copy of the public key for your zone (the DNSKEY record) is stored in the parent zone as the DS record.

In fact, the DS record is a digest of the DNSKEY, as defined in section 5 of RFC 4034 and shown as an example in section 5.4.

I realize that the video couldn’t go into every detail and had to simplify some aspects in order to keep it within the presentation timeframe. I also realize that the idea is quite similar. However, if someone left this video thinking that the DS record in the parent zone was simply the DNSKEY record from the child zone, they would be extremely surprised when they do a “dig” on the records for a DNSSEC-signed domain and see that they are quite different.
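The difference between the two records can be reproduced offline. The following Python sketch is an added example (not from SIDN's course or the original post) that derives a DS record from a DNSKEY as RFC 4034 section 5.1.4 specifies: a hash over the owner name in canonical wire form followed by the DNSKEY RDATA, with the key tag from Appendix B. The name example.com and the key octets are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA = Flags (2 octets) | Protocol | Algorithm | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for the parent zone."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, rdata, ds):
    """What a validator checks: does the child's DNSKEY hash to the parent's DS?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unknown digest type: this DS cannot be used
    return make_ds(owner, rdata, digest_type) == (tag, algorithm, digest_type, digest.upper())

if __name__ == "__main__":
    # Constructed sample key: 64 placeholder octets, not a real public key.
    rdata = dnskey_rdata(257, 3, 13, bytes(range(64)))
    ds = make_ds("example.com.", rdata)
    print("DNSKEY 257 3 13", base64.b64encode(rdata[4:]).decode())
    print("DS     %d %d %d %s" % ds)
    print("match:", ds_matches("example.com.", rdata, ds))
```

The printed DNSKEY line carries the base64 public key while the DS line carries only a key tag, two algorithm numbers and a hex digest, which is why the two look so different in “dig” output.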

Regardless, I still see this as an outstanding introduction to DNSSEC and commend the folks at SIDN for creating this elearning video.  If you want a quick way to understand DNSSEC, definitely do check it out!


Video/Slides: IPv6 Autoconfiguration Tutorial

Want to understand more about how IPv6 addresses are configured using SLAAC and DHCPv6? (Want to understand what “SLAAC” is?) If so, Fred Bovy recently posted a video of a presentation he did about IPv6 autoconfiguration.  In the hour-long video, he explains how autoconfiguration works, provides some examples in Linux and then later gets into mobile IPv6 and other mechanisms involved with IPv6 addressing.  If you are looking for a deep dive on IPv6 address autoconfiguration, you may find this very helpful.

Fred’s slides are also available from SlideShare.

Chris Grundemann’s Excellent “Introducing IPv6” Article Series

Over on his “don’t panic” blog, Chris Grundemann has started an excellent series of articles on the topic of “Introducing IPv6”. You can see the articles he’s written so far:

http://chrisgrundemann.com/index.php/category/ipv6/introducing-ipv6/

In his first post in the 4-part series, Understanding IPv6 Addresses, Chris goes down to the bit level to explain exactly why we wound up writing IPv6 addresses in hexadecimal notation, and then explains some of the shortcuts we use. In part 2, Classifying IPv6 Addresses, Chris takes a look at the different types of IPv6 addresses and walks through how each of them works. In part 3, IPv6 Headers, he looks at what is different in IPv6 headers and how extension headers work… and his final part 4 will cover “Neighbor Discovery and SLAAC”.

Chris has a great writing style that’s very easy to understand.  It’s great that he’s writing this series and I look forward to seeing more of these kinds of IPv6 posts coming our way from Chris!


ENISA: Good Practices Guide For Deploying DNSSEC

In March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

While the document was created prior to the signing of the root zone in July 2010, the concise 29-page guide still provides a good overview of what is involved with working with DNSSEC and provides good guidelines for using and implementing DNSSEC.

The Table of Contents for the document is:

  • DNSSEC practices statement
  • Signing your zone
    • Value of a signed zone
    • Designing a signing system
    • Signing in a test environment
    • Checking the DNS servers
    • Key generation and management
    • Physical security
    • Use of NSEC3
    • Key rollovers
    • Performance issues
    • Publication of keys
    • Change of registrar
    • Change a zone from signed to unsigned
    • Change of domain holder (registrant)
  • Selecting a product
  • Outsourcing
  • Change of DNS provider
  • Validating DNS queries
    • Configure trust anchors
    • Routers, firewalls and other network equipment
  • Conclusions
  • ANNEX 1: Contents of a TAR’s policy and practices
  • ANNEX 2: Support of DNSSEC on commonly used nameservers
  • Reference

The document is available for free download in PDF form from the ENISA website.