
Rough Guide to IETF 101: DNSSEC, DANE, DNS Security and Privacy

It’s going to be a crazy busy week in London next week in the world of DNS security and privacy! As part of our Rough Guide to IETF 101, here’s a quick view on what’s happening in the world of DNS.  (See the full agenda online for everything else.)

IETF 101 Hackathon

As usual, there will be a good-sized “DNS team” at the IETF 101 Hackathon starting tomorrow. The IETF 101 Hackathon wiki outlines the work (scroll down to see it). Major security/privacy projects include:

  • Implementing some of the initial ideas for DNS privacy communication between DNS resolvers and authoritative servers.
  • Implementation and testing of the drafts related to DNS-over-HTTPS (from the new DOH working group).
  • Work on DANE authentication within systems using the DNS Privacy (DPRIVE) mechanisms.

Anyone is welcome to join us for part or all of that event.

Thursday Sponsor Lunch about DNSSEC Root Key Rollover

On Thursday, March 22, at 12:30 UTC, ICANN CTO David Conrad will speak on “Rolling the DNS Root Key Based on Input from Many ICANN Communities”. As the abstract notes, he’ll be talking about how ICANN got to where it is today with the Root KSK Rollover – and about the open comment period on the plan to roll the KSK in October 2018.

David’s session will be streamed live for anyone wishing to view remotely.

DNS Operations (DNSOP)

The DNS sessions at IETF 101 really begin on Tuesday, March 20, with the DNS Operations (DNSOP) Working Group from 15:50 – 18:20 UTC. Several of the drafts under discussion will relate to the Root KSK Rollover and how to better automate and monitor key rollovers. DNSOP also meets on Thursday, March 22, from 18:10-19:10, where one draft of great interest will be draft-huque-dnsop-multi-provider-dnssec. This document explores how to deploy DNSSEC in environments where multiple DNS providers are in use. As per usual, given the critical role DNS plays, the DNSOP agenda has many other drafts up for discussion and action.

DNS PRIVate Exchange (DPRIVE)

The DPRIVE working group meets Wednesday afternoon from 13:30-15:00 UTC.  As shown on the agenda, there will be two major blocks of discussion. First, Sara Dickinson will offer recommendations for best current practices for people operating DNS privacy servers. This builds off of the excellent work she and others have been doing within the DNS Privacy Project.

The second major discussion area will involve Stephane Bortzmeyer discussing how to add privacy to the communication between a DNS recursive resolver and the authoritative DNS server for a given domain.  When the DPRIVE working group was first chartered, the discussion was whether to focus on the privacy/confidentiality between a stub resolver and the local recursive resolver; or between the recursive resolver and authoritative server; or both. The discussion was to focus on the stub-to-recursive-resolver connection – and that is now basically done from a standards perspective. So Stephane is looking to move the group on into the next phase of privacy. As a result, the session will also include a discussion around re-chartering the DPRIVE Working Group to work on this next stage of work.

Extensions for Scalable DNS Service Discovery (DNSSD)

On a similar privacy theme, the DNSSD Working Group will meet Thursday morning from 9:30-12:00 UTC and include a significant block of time discussing privacy and confidentiality. DNSSD focuses on how to make device discovery easier across multiple networks. For instance, helping you find available printers on not just your own network, but also on other networks to which your network is connected. However, in doing so, the current mechanisms expose a great deal of information. draft-ietf-dnssd-privacy-03 and several related drafts explore how to add privacy protection to this mechanism. The DNSSD agenda shows more information.

DNS-Over-HTTPS (DOH)

IETF 101 will also feature the second meeting of one of the working groups with the most fun names – DNS Over HTTPS or… “DOH!” This group is working on standardizing how to use DNS within the context of HTTPS. It meets on Thursday from 13:30-15:30. As the agenda indicates, the focus is on some of the practical implementation experience and the work on the group’s single Internet-draft: draft-ietf-doh-dns-over-https.

DOH is an interesting working group in that it was formed for the express purpose of creating a single RFC. With that draft moving to completion, this might be the final meeting of DOH – unless it is rechartered to do some additional work.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

DANE and DNSSEC will also appear in the TLS Working Group’s Wednesday meeting. The draft-ietf-tls-dnssec-chain-extension will be presented as a potential way to make DANE work faster by allowing both DANE and DNSSEC records to be transmitted in a single exchange, thus reducing the time involved with DANE transactions. Given the key role DNS plays in the Internet in general, you can also expect DNS to appear in other groups throughout the week.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 101:

DNSOP (DNS Operations) WG
Tuesday, 20 March 2018, 15:50-18:30 UTC, Sandringham
Thursday, 22 March 2018, 18:10-19:10 UTC, Sandringham

Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 21 March 2018, 13:30-15:00 UTC, Balmoral
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 22 March 2018, 9:30-12:00 UTC, Buckingham
Agenda: https://datatracker.ietf.org/meeting/101/agenda/dnssd/
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: http://tools.ietf.org/wg/dnssd/charters/

DOH (DNS over HTTPS) WG
Thursday, 22 March 2018, 13:30-15:30 UTC, Blenheim
Agenda: https://datatracker.ietf.org/meeting/101/agenda/doh/
Documents: https://datatracker.ietf.org/wg/doh/
Charter: http://tools.ietf.org/wg/doh/charters/

Follow Us

It will be a busy week in London, and whether you plan to be there or join remotely, there’s much to monitor. Read the full series of Rough Guide to IETF 101 posts, and follow us on the Internet Society blog, Twitter, or Facebook using #IETF101 to keep up with the latest news.


Rough Guide to IETF 93: DNSSEC, DANE, DPRIVE and DNS Security

Wow! There is a crazy amount of DNS activity happening at IETF 93 next week in Prague! Beyond the usual working groups we follow such as DNSOP and DANE, there are a wide range of other groups where DNS security and privacy are under discussion. It’s going to be a VERY busy week for all of us involved with DNS!  (And, there’s also the IETF 93 Hackathon starting on Saturday and Sunday where several of us will be working on code related to DNSSEC, DANE and more.)

Let’s walk through the week…

NOTE: If you are unable to attend IETF 93 in person, there are multiple ways to participate remotely and listen to these sessions. Also, all times below are Central European Summer Time (CEST) which is UTC+2.

DNS Operations (DNSOP)

Monday turns out to be a big DNS day with DNSOP starting off the back-to-back marathon in the 15:20 to 17:20 block. The major piece of DNSSEC-related work will be two different drafts from Joe Abley and Warren Kumari around publication of DNSSEC trust anchors. Both of these are work items out of the ongoing work around how we successfully perform a key rollover with critical DNSSEC keys such as the Key Signing Key at the root of DNS. After that, DNSOP will continue the ongoing discussion related to “special-use” names which, while not directly connecting to DNS security, should still be quite interesting.

Domain Boundaries (DBOUND)

Next up on Monday in the 17:40 to 18:40 session will be the DBOUND group. This group is looking at the boundaries used to determine when an address being requested in DNS is “private” versus “public”. This impacts security policies.

DNS-based Authentication of Named Entities (DANE)

Finally in the 18:50 – 19:50 slot on Monday, the working group looking after the DANE protocol will be meeting to focus on three drafts:

  • TLS extension for DNSSEC
  • Client Certificates in DANE TLSA Records
  • DANE and SMIME

Given the amount of activity with using DANE in email communication these days, I expect there to be some good discussion.

Tuesday is TLS Day

Tuesday turns out to be “TLS Day” with both the core Transport Layer Security (TLS) and the Using TLS in Applications (UTA) groups meeting. Because of the connection to DANE, the TLS meeting is important to understand in terms of the evolution of the protocol with TLS 1.3 and beyond. There is a packed agenda for the TLS WG and it spans two days – both Tuesday and Wednesday. If time permits, there is also a specific presentation for the group about DNSSEC and DANE validation chains. The UTA working group has a lighter agenda this time, but again is something we’ll follow because of the connection to TLS and DANE.

DNS Service Discovery (DNSSD)

Wednesday morning will begin with the 9:00-11:30 session having both the second session of the TLS Working Group and also the only session of DNSSD. The key reason to mention the group this time is that the DNSSD agenda includes a discussion of the threat model and security considerations for multicast DNS (mDNS).

Crypto Forum Research Group (CFRG)

Wednesday afternoon from 13:00-15:30 brings the meeting of the CFRG which has nothing specific to DNS security on its agenda, but there looks to be a lengthy discussion planned about the use of elliptic curve cryptography (ECC). This is something we’ve certainly been looking at within the DNSSEC space with regard to using ECDSA and other algorithms for DNSSEC signatures. It will be interesting to see what emerges out of this discussion in terms of future directions for IETF crypto algorithms.

Extensible Provisioning Protocol Extensions (EPPEXT)

In the last session slot on Wednesday from 17:40-19:40 the EPPEXT group will be meeting to discuss extensions to the EPP protocol used between DNS registrars, registries and similar entities.  An agenda has not yet been published but several of the past documents have related to exchanging DNSSEC-related information.

Thursday is for TRANS

The only working group we’re tracking on Thursday related to DNS or TLS is the Public Notary Transparency (TRANS) group meeting in the 17:40-19:10 block at the end of the day. No agenda yet, so it’s not clear what will be discussed. Certificate Transparency is one of a number of technologies that are working to make TLS more secure and so this remains of interest.

DNS PRIVate Exchange (DPRIVE)

In the unenviable slot of Friday morning from 9:00-11:30 will be the third meeting of the DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” A great bit of work has been going on and the DPRIVE agenda shows discussion being planned for several possible solutions to provide this level of privacy and confidentiality.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 93:

DNSOP (DNS Operations) WG
Monday, 20 July 2015, 1520-1720 CEST, Congress Hall II
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

DBOUND (Domain Boundaries) WG
Monday, 20 July 2015, 1740-1840 CEST, Athens/Barcelona
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dbound/ 
Documents: https://datatracker.ietf.org/wg/dbound/
Charter: http://tools.ietf.org/wg/dbound/charters/

DANE (DNS-based Authentication of Named Entities) WG 
Monday, 20 July 2015, 1850-1950 CEST, Venetian
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dane/
Documents: https://datatracker.ietf.org/wg/dane/
Charter: http://datatracker.ietf.org/wg/dane/charter/

EPPEXT (Extensible Provisioning Protocol Extensions) WG 
Wednesday, 22 July 2015, 1740-1940 CEST, Karlin III
Agenda: https://datatracker.ietf.org/meeting/93/agenda/eppext/ 
Documents: https://datatracker.ietf.org/wg/eppext/ 
Charter: https://datatracker.ietf.org/wg/eppext/charter/

DPRIVE (DNS PRIVate Exchange) WG
Friday, 24 July 2015, 0900-1130 CEST, Karlin I/II
Agenda: https://datatracker.ietf.org/meeting/93/agenda/dprive/ 
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf93.


At IETF92 Next Week, Much Happening With IPv6, DNSSEC, DANE, TLS and more…

Next week is IETF 92 in Dallas, Texas, and there will be a great amount of activity happening with the topics we cover here on Deploy360: IPv6, DNSSEC (and DANE), TLS, anti-spoofing and securing BGP. As part of the Rough Guide to IETF 92, several of us have written posts outlining what’s happening in the various topic areas:

In each of those posts you’ll find a summary of what’s happening and a list of the relevant working groups and the associated links about how to learn more.  More information about IETF 92 in general can be found on the main Rough Guide to IETF 92 page at:

https://dev.internetsociety.org/rough-guide-ietf92

Beyond all of that, Chris Grundemann will also be talking about our “Operators and the IETF” work and discussing Best Current Operational Practices (BCOP) with people as well.

If you can’t get to Dallas next week, you can attend remotely!  Just visit the IETF 92 remote participation page or check out http://www.ietf.org/live/ for more options.

To that end, as a bit of a change both Megan Kruse and I (Dan York) will be participating in this IETF 92 remotely.  It’s very strange to not be attending an IETF meeting in person, but different circumstances have made it not possible for both of us.  Jan Žorž will also be remote having just returned from v6 World Congress in Paris and about to head off to another event.   Chris Grundemann will be there on site in Dallas, though, and so if you have any questions about Deploy360 activities or want to get more involved, please contact Chris!

We’re looking forward to the usual crazy busy blur of a week that is an IETF meeting… and we’re looking forward to learning what else we can do to help accelerate the deployment of these key Internet technologies to make the Internet work better, faster and be more secure!


An audio commentary about IETF 92 is also available from our SoundCloud account:


Video: DANEs Don’t Lie – DANE/SMTP (RIPE 68)

How can we secure communications between SMTP mail servers? Simply using TLS between servers will not prevent man-in-the-middle (MITM) attacks. DNSSEC and DANE to the rescue! Using DANE, SMTP servers can validate X.509 certificates tied to TLS using DNSSEC lookups. In this lightning talk from Carsten Strotmann, learn how this all works and the current status of implementations. His talk, entitled “DANEs don’t lie – DANE/SMTP” is now available for viewing from the RIPE 68 site, and the slides are available for download.
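As an added illustration of the check described above (this is not code from Carsten’s talk or from Deploy360), the Python below shows the TLSA record a receiving mail server publishes under `_25._tcp.<mx host>` and how a sending MTA matches it against the certificate presented in STARTTLS. The certificate bytes are constructed placeholders standing in for DER, and whether the TLSA RRset was DNSSEC-validated is passed in as a boolean the caller must obtain from a validating resolver.

```python
import hashlib
from dataclasses import dataclass

# TLSA field values (RFC 6698). RFC 7672 allows only DANE-TA(2) and DANE-EE(3) for SMTP.
DANE_TA, DANE_EE = 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2
_DIGEST = {MT_FULL: lambda d: d,
           MT_SHA256: lambda d: hashlib.sha256(d).digest(),
           MT_SHA512: lambda d: hashlib.sha512(d).digest()}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes  # "certificate association data" in RFC 6698


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name the sending MTA queries for an MX host: _25._tcp.<mx host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file presentation format such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    """Build the record a zone operator publishes for one server certificate."""
    data = cert_der if selector == SEL_FULL_CERT else spki_der
    return TLSA(usage, selector, mtype, _DIGEST[mtype](data))


def dane_smtp_match(records, chain, dnssec_validated: bool) -> bool:
    """True if the STARTTLS chain (leaf first, as (cert_der, spki_der) pairs) matches a
    usable TLSA record. The RRset must come from a DNSSEC-validating resolver (AD bit):
    otherwise the records could be forged as easily as the certificate, so the check
    refuses outright. DANE-EE is matched against the leaf only; DANE-TA against any chain
    certificate, after which a real MTA still builds a validated path to that anchor."""
    if not dnssec_validated:
        return False
    for r in records:
        if r.selector not in (SEL_FULL_CERT, SEL_SPKI) or r.matching_type not in _DIGEST:
            continue  # unusable record (unknown field value): skip it, as RFC 7672 requires
        candidates = chain[:1] if r.usage == DANE_EE else (chain if r.usage == DANE_TA else [])
        for cert_der, spki_der in candidates:
            data = cert_der if r.selector == SEL_FULL_CERT else spki_der
            if _DIGEST[r.matching_type](data) == r.assoc_data:
                return True
    return False


# Constructed stand-ins for DER bytes; a real MTA takes these from the TLS handshake.
GOOD_CERT, GOOD_SPKI = b"constructed-cert-mail.example.com", b"constructed-spki-good"
PUBLISHED = [make_tlsa(DANE_EE, SEL_SPKI, MT_SHA256, GOOD_CERT, GOOD_SPKI)]
```

A substituted certificate fails the digest comparison even though its TLS session would otherwise look fine, which is the gap the talk says plain server-to-server TLS leaves open.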


After watching, check out our resources on DNSSEC and DANE.


Got A DNSSEC Project That Needs Funding? Apply to NLnet Foundation Before Dec 1

Do you have an open source project (or the idea for one) related to DNSSEC that needs funding? Perhaps a new tool that will make it easier to use DNSSEC? Or perhaps new software that supports the DANE protocol to increase the security of TLS/SSL? A browser plugin? A program that makes it easier for registrars to pass DS records? A measurement tool for DNSSEC usage?

Or do you want to add DNSSEC capabilities to an existing program, like the Jitsi team did when they added DNSSEC validation to VoIP? Would you like to build DNSSEC validation into your tool or service? Would you like to add DANE support to your browser or other tool? Would you like to add DANE support to another service beyond the web? Do you have a use case where DNSSEC-signed TLS/SSL certificates would greatly add another level of security?

If you have any ideas along these lines, the NLnet Foundation is funding projects through their “DNS Security Fund” and THE NEXT APPLICATION DEADLINE IS DECEMBER 1, 2012 at 12:00 Central European Time (CET).  You can read more and find out how to apply at:

http://www.nlnet.nl/dnssec/

That page lists at the bottom some of the many projects that the NLnet Foundation has funded.  Their most recent “Open call for funding” gets into more details.  There is one very important note:

There is one important condition which is that any software or hardware that a project produces must be available under a valid open source licence (GPL, BSD, Apache, etc.).

As long as you are fine with that, you may be able to get some level of funding through NLnet Foundation.

We’re definitely appreciative of all the great work that the NLnet Foundation has funded to date. Tools like Unbound, DNSSEC-Trigger and the multiple DNSSEC developer libraries they have supported have made it so much easier to get DNSSEC deployed.

Now it’s your turn – what can you develop to help get DNSSEC more widely deployed?    If you’ve got an idea, the NLnet Foundation may be able to help… apply before December 1 to see if they can!

P.S. Note also that if you can’t apply before December 1, the NLnet Foundation accepts proposals six times a year, with deadlines of February 1, April 1, June 1, August 1, October 1, December 1.