Categories
Domain Name System Security Extensions (DNSSEC) Improving Technical Security

Call for Participation – ICANN DNSSEC Workshop at ICANN64 in Kobe, Japan

Will you be at the ICANN 64 meeting in March 2019 in Kobe, Japan? If so (or if you can get to Kobe), would you be interested in speaking about any work you have done (or are doing) with DNSSEC, DANE or other DNS security and privacy technologies?  If you are interested, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-kobe@isoc.org before  07 February 2019.


Call for Participation

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN64 meeting held from 09-14 March 2019 in Kobe, Japan. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.

For reference, the most recent session was held at the ICANN Annual General Meeting in Barcelona, Spain, on 24 October 2018. The presentations and transcripts are available at: https://63.schedule.icann.org/meetings/901549https://63.schedule.icann.org/meetings/901554, and https://63.schedule.icann.org/meetings/901555.

At ICANN64 we are particularly interested in live demonstrations of uses of DNSSEC, DS automation or DANE. Examples might include:

  • DNSSEC automation and deployment using CDS, CDNSKEY, and CSYNC
  • DNSSEC/DANE validation in browsers and in applications
  • Secure email / email encryption using DNSSEC, OPENPGPKEY, or S/MIME
  • DNSSEC signing solutions and innovation (monitoring, managing, validation)
  • Tools for automating the generation of DNSSEC/DANE records
  • Extending DNSSEC/DANE with authentication, SSH, XMPP, SMTP, S/MIME or PGP/GPG and other protocols

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.
We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC Panel (Regional and Global)

For this panel, we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. DS Automation

We are looking at innovative ways to automate the parent child synchronization CDS / CDNSKEY and methods to bootstrap new or existing domains. We are also interested in development or plans related to CSYNC, which are aimed at keeping the glue up to date.
We would like to hear from DNS Operators what their current thoughts on CDS/CDNSKEY automation are.

3. DNSSEC/DANE Support in the browsers

We would be interested in hearing from browser developers what their plans are in terms of supporting DNSSEC/DANE validation.

4. DANE Automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?
  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to
dnssec-kobe@isoc.org  before ** 07 February 2019 **

We hope that you can join us.
Thank you,
Kathy Schnitt

On behalf of the DNSSEC Workshop Program Committee:
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Russ Mundy, Parsons
Ondřej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society
Mark Elkins, DNS/ZACR


Image credit:  ICANN

Categories
Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC)

Watch Live – DNSSEC Workshop on October 24 at ICANN 63 in Barcelona

What can we learn from recent success of the Root KSK Rollover? What is the status of DNSSEC deployment in parts of Europe – and what lessons have been learned? How can we increase the automation of the DNSSEC “chain of trust”? And what new things are people doing with DANE?

All these topics and more will be discussed at the DNSSEC Workshop at the ICANN 63 meeting in Barcelona, Spain, on Wednesday, October 24, 2018. The session will begin at 9:00 and conclude at 15:00 CEST (UTC+2).

The agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities
    • Includes presenters from these TLDs: .DK, .DE, .CH, .UK, .SE, .IT, .ES, .CZ
  • Report on the Execution of the .BR Algorithm Rollover
  • Panel: Automating Update of DS records
  • Panel: Post KSK Roll? Plan for the Next KSK Roll?
  • DANE usage and use cases
  • DNSSEC – How Can I Help?

It should be an outstanding session!  For those onsite, the workshop will be room 113.

 

Lunch will be served between the second and third sessions.

Thank you to our lunch sponsors: Afilias, CIRA, and SIDN.


Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

Image credit: ICANN

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Call for Participation – ICANN DNSSEC Workshop at ICANN63 Barcelona

Do you have a great idea about DNSSEC or DANE that you’d like to share with the wider community? If so, and you’re planning to be in Barcelona, Spain for ICANN63 in October 2018, submit a proposal to present your idea at the DNSSEC Workshop!

Send a brief (1-2 sentence) description of your proposed presentation to dnssec-barcelona@isoc.org by Friday, 07 September 2018.

For more information, read the full Call for Participation below.

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN63 meeting held from 20-25 October 2018 in Barcelona, Spain. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.

For reference, the most recent session was held at the ICANN Policy Forum in Panama City, Panama on 25 June 2018. The presentations and transcripts are available at:https://62.schedule.icann.org/meetings/699560, and https://62.schedule.icann.org/meetings/699556
At ICANN63 we are particularly interested in live demonstrations of uses of DNSSEC, DS automation or DANE. Examples might include:
* DNSSEC automation and deployment using CDS, CDNSKEY, and CSYNC
* DNSSEC/DANE validation in browsers and in applications
* Secure email / email encryption using DNSSEC, OPENPGPKEY, or S/MIME
* DNSSEC signing solutions and innovation (monitoring, managing, validation)
* Tools for automating the generation of DNSSEC/DANE records
* Extending DNSSEC/DANE with authentication, SSH, XMPP, SMTP, S/MIME or PGP/GPG and other protocols
Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.
We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:
1. DNSSEC Panel (Regional and Global)
For this panel we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.
2. Post KSK Rollover
Following the Root Key Rollover, we would like to bring together a panel of people who can talk about lessons learned from this KSK Rollover and lessons learned for the next time
3. DS Automation
We are looking at innovative ways to automate the parent child synchronization CDS / CDNSKEY and methods to bootstrap new or existing domains.  We are also interested in development or plans related to CSYNC, which are aimed at keeping the glue up to date.
We would like to hear from DNS Operators what their current thoughts on CDS/CDNSKEY automation are.
3 DNSSEC/DANE Support in the browsers 
We would be interested in hearing from browser develop what their plans are in terms of supporting DNSSEC/DANE validation.
4. DANE Automation
For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
* What tools and services are now available that can support DANE usage?
We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.
If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-barcelona@isoc.org by **07 September 2018 **
We hope that you can join us.
Thank you,
Kathy Schnitt
On behalf of the DNSSEC Workshop Program Committee:
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Russ Mundy, Parsons
Ondřej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society
Mark Elkins, DNS/ZACR
Categories
Building Trust Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC) Improving Technical Security

Watch Live On Monday, 25 June – DNSSEC Workshop at ICANN 62 in Panama

With the DNSSEC Root Key Rollover coming up on October 11, how prepared are we as an industry? What kind of data can we collect in preparation? What is the cost benefit (or not) of implementing DANE? What can we learn from an existing rollover of a cryptographic algorithm?

All those questions and more will be discussed at the DNSSEC Workshop at the ICANN 62 meeting in Panama City, Panama, on Monday, June 25, 2018. The session will begin at 9:00 and conclude at 12:15 EST (UTC-5). [Note: this is one hour different than current US Eastern Daylight Time – Panama does not change to daylight savings time – and so this will begin at 10:00 EDT (UTC-4).]

The agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities and Post Key Signing Key Rollover Preparation
  • DANE: Status, Cost Benefits, Impact from KSK Rollover
  • An Algorithm Rollover  (case study from CZ.NIC)
  • Panel: KSK Rollover Data Collection and Analysis
  • DNSSEC – How Can I Help?
  • The Great DNSSEC/DNS Quiz

It should be an outstanding session!  For those onsite, the workshop will be in Salon 4, the ccNSO room.

Lunch will follow. Thank you to our lunch sponsors: Afilias, CIRA, and SIDN.


The DNSSEC Workshop will be followed by the “Tech Day” set of presentations from 13:30 – 18:30 EST. Many of those may also be of interest. They will also be streamed live at the same URL.

As this is ICANN’s smaller “Policy Forum” schedule, there will not be either the “DNSSEC for Everybody” session nor the “DNSSEC Implementer’s Gathering” as there is at the other two ICANN meetings each year. Also, as I am not able to travel to ICANN 62, I want to thank Jacques Latour for stepping in to help with the usual presenting and emceeing that I do.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

Image credit: ICANN

Categories
Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC)

Call for Participation – ICANN DNSSEC Workshop at ICANN62, Panama City

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN62 meeting held from 25-28 June 2018 in Panama City, Panama.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to  dnssec-panamacity@isoc.org by Friday, 4 May 2018

The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN Community Forum in San Juan, Puerto Rico on 14 March 2018. The presentations and transcripts are available at:

As this is the shorter “Policy Forum” format for ICANN meetings, the DNSSEC Workshop Program Committee is developing a 3-hour program.  Proposals will be considered for the following topic areas and included if space permits.  In addition, we welcome suggestions for additional topics either for inclusion in the ICANN62 workshop, or for consideration for future workshops

1. DNSSEC Activities Panel (Regional and global)

For this panel, we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment, including Root Key Signing Key (KSK) Rollover activities.   Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, questions of interest include:

  • What have we learned about how we manage DNSSEC?
  • What is the best practice around key rollovers?
  • How often do you review your disaster recovery procedures?
  • Is there operational familiarity within your customer support teams?
  • What operational statistics have we gathered about DNSSEC?
  • Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

2. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC.  In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:

  • Are there any policies directly or indirectly impeding your DNSSEC deployment? (RRR model, CDS/CDNSKEY automation)
  • What are your most significant concerns with DNSSEC, e.g., complexity, training, implementation, operation or something else?
  • What do you expect DNSSEC to do for you and what doesn’t it do?
  • What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.  In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to  dnssec-panamacity@isoc.org by **Friday, 4 May 2018**

 

Thank you,

The DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Ondrej Filip, CZ.NIC
Julie Hedlund, ICANN
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, Chinese Academy of Sciences (CAS)
Russ Mundy, Parsons
Kathy Schnitt, ICANN
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Categories
Deploy360 Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC)

DNSSEC Activities at ICANN 61 in San Juan on March 11-14, 2018

Sunday marks the beginning of the DNSSEC activities at the ICANN 61 meeting in San Juan, Puerto Rico. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening.

All times below are Atlantic Standard Time (AST), which is UTC-4.


DNSSEC For Everybody: A Beginner’s Guide – Sunday, 11 March

On Sunday, March 11, we’ll have our “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!


DNSSEC Workshop – Wednesday, 14 March

Our big 6-hour workshop will take place on Wednesday, March 14, from 09:00 – 15:00 in Room 208-BC. Lunch will be included. Thank you to our lunch sponsors: Afilias, CIRA, and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities, including representatives of .CA, .PR and .BR
  • A Sentinel for Detecting Trusted Keys in DNSSEC
  • Experience with DNSSEC Validation at CPE
  • DNSSEC HSM, Signer and KSK Rollover
  • Negative Trust Anchors
  • Real World DANE Inter-Domain Email Transport
  • Panel: Current State of Root KSK Rollover and What’s Next?
  • DNSSEC – How Can I Help?

It should be an outstanding session!


DNSSEC Implementers Gathering – 14 March

On the evening of Wednesday, March 14, after the DNSSEC Workshop is all over, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. Invitations have gone out to various DNSSEC mailing lists – if you are interested in attending please send a message to me at york@isoc.org. We thank Afilias for their generous sponsorship of this gathering at ICANN 61!


As I am not able to travel to ICANN 61, I want to thank Jacques Latour for stepping in to help with some of the emceeing and other meeting facilitation duties that I often do.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

If you would like more information about DNSSEC or DANE, please visit our Start Here page to begin.

Categories
Deploy360 Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC)

ICANN seeking public comment on Root KSK rollover process for DNSSEC

On 11 October 2018, should ICANN roll the Root Key Signing Key (KSK) that is at the heart of DNSSEC? ICANN is planning to restart the rollover process for the Root KSK and is therefore seeking public review of their new plan.  It includes more publicity about the need to be prepared for the rollover, and analysis of data indicating the level of preparedness.

The Plan for Continuing the Root KSK Rollover describes how ICANN intends to roll the root key signing key (KSK), and is based on input from the technical community following their decision to postpone the rollover last year.

Further input is requested by 2 April 2018. This will be used to prepare a final plan that will be presented to the ICANN Board for approval. ICANN is seeking public comments and we encourage you to read the plan and submit your views.

Learn how to submit your comments to ICANN

The Root KSK was originally planned to be rolled over on 11 October 2017, but ICANN postponed the rollover due to collected data that showed that a significant number of resolvers used by network operators were not ready for this. This meant that significant sections of the Internet could experience issues with resolving DNSSEC-signed domains following the rollover, so it was considered prudent to wait and reach out to affected network operators.

ICANN manages the Root Key Signing Key (KSK) that acts as the trust anchor for DNSSEC in the global Domain Name System. This key is used to sign the VeriSign-managed Root Zone Signing Key (ZSK) that validates the Top-Level Domains (TLDs). The Root KSK needs to be configured in DNSSEC-aware resolvers to allow validation of the chain-of-trust, and by extension all cryptographically-secured records in the DNS.

The current Root KSK has been used since the DNS Root Zone was first signed in 2010, and it’s good practice to change keys periodically. ICANN wanted to attempt this rollover under normal rather than comprised conditions, so it was not imperative that the rollover happened as planned in 2017, and clearly sufficient DNSSEC resolvers need to have the new trust anchor configured if this process is to be a smooth undertaking.

RFC 8145 (“Signaling Trust Anchor Knowledge”) was published in April 2017, and specifies how recursive name servers can signal to authoritative servers, the trust anchors that they have configured for their DNSSEC validation. This was implemented by both Unbound and BIND shortly afterwards, and as organisations began to deploy the new software versions, some of this “key tag data” started appearing in queries to the root name servers. This is useful information for the KSK rollovers, especially for the root, but it would seem that the number of recursive name servers providing this data was not as high as one might like for the planned root KSK rollover last year.

Further Information

For more information on DNSSEC and how to deploy it, please see our Start Here page for more information!

Categories
Deploy360 Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC)

ICANN Postpones DNSSEC Root KSK Rollover – October 11 will NOT be the big day

People involved with DNS security no longer have to be focused on October 11. News broke yesterday that ICANN has decided to postpone the Root KSK Rollover to an unspecified future date.
To be clear:

The Root KSK Rollover will NOT happen on October 11, 2017.

ICANN’s announcement states the the KSK rollover is being delayed…

…because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover. The availability of this new data is due to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured.

Getting More Information

UPDATE – 4 Oct 2017 – 

Discussion on the public DNSSEC-coord mailing list indicates more info may be available in a talk Duane Wessels is giving at the DNS-OARC meeting tomorrow (Friday, September 29). The abstract of his session is:


A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

RFC 8145 (“Signaling Trust Anchor Knowledge”) was published in April 2017. This RFC describes how recursive name servers can signal, to authoritative servers, the trust anchors that they have configured for Domain Name System Security Extensions (DNSSEC) validation. Shortly after its publication, both Unbound and BIND implemented the specification. As organizations begin to deploy the new software versions, some of this “key tag data” is now appearing in queries to the root name servers.

This is useful data for Key Signing Key (KSK) rollovers, and especially for the root. Since the feature is very new, the number of recursive name servers providing data is not as significant as one might like for the upcoming root KSK rollover. Even so, it will be interesting to look at the data. By examining this data we can understand whether or not the technique works and hopefully inspire further adoption in advance of future KSK rollovers.


If you, like me, will not be in San Jose for this session, there will be a webcast / live stream. The link should be available tomorrow morning on the DNS-OARC event page. Or you can follow the #oarc27 hashtag or @dnsoarc onTwitter.

Per the OARC 27 timetable, Duane’s talk begins at 9:40am PDT (UTC-7). (Side note: for those involved with DNS, there are many other excellent sessions on the timetable!)

Apparently whatever data ICANN received through this research convinced them that not enough ISPs were ready to go with the new KSK and so a postponement was necessary.

Understandable caution

I do understand why ICANN would step back and delay the KSK roll. If there are significant sections of the Internet that will experience issues with resolving DNSSEC-signed domains on October 11, it is prudent to wait to assess the data and potentially reach out to affected ISPs and other network operators. Particularly when, as we noted in our State of DNSSEC Deployment 2016 report last year, the number of domains signed with DNSSEC continues to grow around the world.

I look forward to working with ICANN and the rest of the DNSSEC community to set a new date. As I wrote (along with my colleague Andrei Robachevsky) in our comments back in April 2013, we believe that the Root KSK should be rolled soon – and rolled often – so that we gain operational experience and make Root KSK rollovers just a standard part of operations.  (Note: our CITO Olaf Kolkman submitted similar comments, although at the time he was with NLnet Labs.)

Updating the DNS infrastructure is hard

The challenge ICANN faces is that updating the global DNS infrastructure is hard to do. The reality is that DNS resolvers and servers are massively DE-centralized and controlled by millions of individual people. You probably have one or more DNS resolvers in your home in your WiFi router and other devices.

The success of DNS is that generally it “just works” – and so IT teams often set up DNS servers and then don’t pay much attention to them. At a talk I gave yesterday to about 180 security professionals at the ISC2 Security Congress in Austin, TX, I asked how many people had updated the software on their DNS resolvers within the past year – only a few hands were raised.

All of the latest versions of the major DNS resolvers support the new Root KSK. Recent versions all generally support the automated rollover mechanism (RFC 5011). But… people need to upgrade.

And in the example of a home WiFi router, the vendor typically needs to upgrade the software, then the service provider has to push that out to devices… which can all take a while.

A group of us looking to expand the use of elliptic curve cryptography in DNSSEC wrote an Internet Draft recording our observations on deploying new crypto algorithms. Updating the root KSK as a trust anchor faces a similar set of issues – although a bit easier because the focus is primarily on all the DNS resolvers performing DNSSEC validation.

The critical point is – upgrading the global DNS infrastructure can take some time. ICANN and members and of the DNSSEC community (including us here at the Internet Society) have been working on this for several years now, but clearly the new data indicates there is still work to do.

Next Steps

The good news is that companies now have more time to ensure that their systems will work with the new key.  The new Root KSK is published in the global DNS, so that step has at least been done. More information is available on ICANN’s site:

https://www.icann.org/kskroll

I would recommend two specific pages:

The time to do this is NOW to be ready for the Root KSK Roll when it does happen.

For more information about DNSSEC in general, please see our Deploy360 DNSSEC page.


Image credit: Lindsey Turner on Flickr. CC BY 2.0

P.S. And no, that is NOT what the “Root key” looks like!

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events To archive

Watch LIVE – ICANN 59 DNSSEC Workshop – June 26 at 7:00am UTC

ICANN 59 logoWant to learn more about DNSSEC deployment challenges? Interested in learning about a DANE middlebox for HTTPS? Curious about how the upcoming DNSSEC Root Key Rollover will affect systems? And have you heard about the CDS and CDNSKEY records for DNS? What are they – and what impact will they have on ICANN policies?

If you answered yes to any of the above, you can tune in live to the ICANN 59 DNSSEC Workshop streaming out of Johannesburg, South Africa, on:

Monday, June 26, 2017 at 9:00am local time (UTC+2)

The schedule, which includes links to slides, is at:

The direct live stream link using Adobe Connect is:

THE SESSION WILL BE RECORDED if you are unable to watch live. (Which will include me, as I’m not at this event and 3:00am US Eastern time is a bit too early for me to get up to watch!)

The talks from 9:00 – 12 noon SAST (UTC+2) include:

  • Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel Discussion: DNSSEC Deployment Challenges
  • Middlebox DANE for HTTPS
  • Tutorial/Panel Discussion: Root Key Signing Key Rollover Test Bed
  • Panel Discussion: CDS and CNS Implementation – What are the policy impacts?
  • DNSSEC: How Can I Help?
  • The Great DNS/DNSSEC Quiz

It should be a great event filled with DNSSEC and DANE education and information. The Workshop will be followed by a lunch sponsored by Afilias, CIRA and SIDN and then the “Tech Day” presentations in the afternoon.

Meanwhile, if you are interested in learning more about how to begin using DNSSEC for a higher level of security, please visit our Start Here page to get started!

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Call for Participation – DNSSEC Workshop at ICANN 59 in Johannesburg, South Africa

ICANN 59 logoWould you like to share your ideas about DNSSEC or DANE with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology?

If so, and if you will be in Johannesburg, South Africa, for ICANN 59 in June 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 59 DNSSEC Workshop!

Please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017.

As with all of these sessions at ICANN meetings, it will be streamed live so that you can participate remotely if you will not be there in South Africa. (And I will note that this time I will not be attending in person.)

The full Call for Participation with more information and examples is below.


Call for Participation — ICANN DNSSEC Workshop at ICANN59 Policy Forum in Johannesburg, South Africa

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN59 Policy Forum 26-29 June 2017 in Johannesburg, South Africa. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the last Policy Forum DNSSEC Workshop was at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: https://icann562016.sched.com/event/7NCj/dnssec-workshop-part-1.

The DNSSEC Workshop Program Committee is close to finalizing the 3-hour program. Proposals will be considered for the following topic areas and included if space permits. In addition, we welcome suggestions for additional topics either for inclusion in the ICANN59 workshop, or for consideration for future workshops.

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:
— What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
— What do you expect DNSSEC to do for you and what doesn’t it do?
— What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?
We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. Preparation for Root Key Signing Key (KSK) Rollover

In preparation for the root KSK rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you. For more information on the root KSK rollover see the guide at: https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-03apr17-en.pdf.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

ICANN to host DNS Symposium

ICANN will be hosting its first DNS Symposium on Saturday, 13 May 2017 at the NH Collection Eurobuilding in Madrid, Spain. This is being held in conjunction with DNS-OARC’s 26th Workshop, the 6th Registry Operations Workshop (ROW), and the ICANN GDD Industry Summit, so there should be plenty to interest those involved in the DNS technical community.

The event is aimed at those with an in-depth understanding of the DNS, and will focus on DNS security, research and root server operation. The aim is to make this a regular event, with each event covering a different theme such as operations, engineering and standards development.

Various ICANN departments will attend, including the Office of the CTO, DNS Engineering (responsible for L-root operations), PTI/IANA and the Global Domains Division (gTLDs).  Remote participation will also be available if you can’t make it in person.

More Information:

In the meantime, if you haven’t already deployed DNSSEC then please take a look at our DNSSEC pages to understand how you can get started with this critical technology.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Call for Participation – ICANN DNSSEC Workshop at ICANN58 in Copenhagen

ICANN 58 LogoDo you have new information about DNSSEC or DANE that you would like to share with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology?

If so, and if you will be in Copenhagen, Denmark, for ICANN 58 in March 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 58 DNSSEC Workshop! Please send a brief (1-2 sentence) description of your proposed presentation to dnssec-copenhagen@isoc.org by 15 January 2017.

The full Call for Participation with more information and examples is below.


The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN58 meeting held from 11-16 March 2017 in Copenhagen, Denmark.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN meeting in Hyderabad, India on 07 November 2016. The presentations and transcripts are available at:
https://icann572016.sched.org/event/8czs/dnssec-workshop-part-1,
https://icann572016.sched.org/event/8czt/dnssec-workshop-part-2, and
https://icann572016.sched.org/event/8czu/dnssec-workshop-part-3.

At ICANN58 we are particularly interested in live demonstrations of uses of DNSSEC or DANE.  Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE.  Examples of the types of topics we are seeking include:

1.  DNSSEC activities in Europe

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Europe and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment.  In particular, we will consider the following questions:  Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do?  What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC?  We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2.  Preparation for Root Key Rollover

In preparation for the Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys.  We would like to be able to offer suggestions out of this panel to the wider technical community.  If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3.  Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers.  We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world.  We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5.  DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services.  For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome.  Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6.  When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7.  DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-copenhagen@isoc.org by 15 January 2017.

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society