Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

Watch Live NOW – DNSSEC Workshop From ICANN52 In Singapore

What is happening with DNSSEC in the Asia-Pacific region? What are DNSSEC and DANE all about, anyway? What challenges are large DNS operators encountering when deploying DNSSEC?

As I mentioned last week,  all these questions are being discussed TODAY (in fact right now) at the DNSSEC Workshop at ICANN 52 in Singapore.  You can watch and listen live at:

http://singapore52.icann.org/en/schedule/wed-dnssec

You can also download the slides that will be presented today.  As you look at the agenda, please note that all times are Singapore Time which is UTC+8. (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)   Here is a view from the room today:

Photo: ICANN DNSSEC Workshop

The sessions for today will be:

  1. Introduction and DNSSEC Deployment Around the World
  2. DNSSEC Deployment in the Asia Region
  3. 10th Anniversary of DNSSEC Workshops
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event. The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community. It should be a very interesting session. I also always enjoy the DNSSEC case studies from the regional panels.

If you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Categories
Internet Governance

ISOC at ICANN52, Thursday: Public Forums and IANA Transition and Accountability

On this final day of ICANN 52 in Singapore, the main events will be the Public Forum and the Public Meeting of the ICANN Board. Both of these are events where any member of the ICANN community can ask questions of the ICANN Board, staff and other leaders. They operate under very strict timelines (2 minutes per speaker) and usually provide an interesting view into the concerns and interests of the wider ICANN community. You can follow along remotely at:

All times are Singapore Time which is UTC+8. The meetings will all be recorded for later viewing if you are unable to watch them live.

I’ll note that 13 Internet Society chapters are among the groups acting as “Remote Hubs” to allow gatherings of members to view the public meetings and also contribute questions remotely. If you live in one of these regions you can join from the remote hub locations.

Before the Public Forum, though, there will still be several sessions related to the IANA transition and accountability points Konstantinos Komaitis outlined in his post last week. Additionally, there will be an Internet Governance session where our own Sally Wentworth will be participating. The full schedule is online, but you can follow these specific sessions at these links:

On the technology side, the primary activity is the morning meeting of ICANN’s Security and Stability Advisory Committee (SSAC). In this public meeting, SSAC leaders will explain the group’s recent activities and ask for advice of the community:

And with that, our time at ICANN 52 will draw to a close. It’s been great meeting so many of you at the sessions – and if you have not been following along with what we’ve been doing this week, please also view our other public policy posts and technology posts related to ICANN 52.

Internet Society Board of Trustees Meeting

While the ICANN 52 activities will end today, our Internet Society work in Singapore will continue with our ISOC Board of Trustees meeting taking place on Saturday and Sunday. Several Internet Society staff members as well as the Board of Trustees will be around from today through the weekend.

See you all at ICANN 53 in Buenos Aires!

Photo: A photo I took of part of Singapore during an early morning run this week.

Categories
Domain Name System (DNS) Domain Name System Security Extensions (DNSSEC) Improving Technical Security Internet Governance

ISOC at ICANN52, Wednesday: The DNSSEC Workshop And Other Technology Topics

As happens on every Wednesday of an ICANN week, a major focus today will be the 6+ hour DNSSEC Workshop that will bring together some of the greatest DNS-related technical minds from across the industry for a session focused on how we continue to move DNSSEC forward and make the Internet more secure. Attendees will learn about the current state of DNSSEC deployment within the region, about new tools and services and will discuss some of the current challenges and work together to discuss potential solutions. Organized by the ICANN Security and Stability Advisory Committee (SSAC), the DNSSEC Deployment Initiative and our own Deploy360 Programme, the workshop begins at 8:30am Singapore Time and goes all the way through 2:15pm. You can join in remotely at:

http://singapore52.icann.org/en/schedule/wed-dnssec

You can also download from that link the many presentations that will be discussed today – and if you can’t watch the event live a recording will be available after the event.  As I discussed last week, the sessions today will include:

  1. Introduction and DNSSEC Deployment Around the World
  2. DNSSEC Deployment in the Asia Region
  3. 10th Anniversary of DNSSEC Workshops
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

The regional panel always provides an interesting view into current case studies and several of the other sessions will discuss some new tools and some new ways to use the DANE protocol.  The last panel of the day about DNS Operators should produce some very lively discussion about a challenge that has been identified by CloudFlare and others about how they can automate the large-scale DNSSEC signing of domains.  This should provoke some vigorous discussion as we collectively work to identify a solution.  Along the way we’ll also join in celebrating the 10th anniversary of these DNSSEC Workshops!

After the DNSSEC Workshop is over, I will also be participating with others in a joint meeting of the ICANN Board and the Technical Experts Group (TEG) in a more “forward-looking” session to discuss technologies such as the Internet of Things (IoT) and how that might impact the overall Domain Name System.  You are welcome to follow along at:

http://singapore52.icann.org/en/schedule/wed-board-technical

On the public policy side, our team members here will be continuing to engage in discussions related to the topics Konstantinos Komaitis wrote about last week.  If you look at the ICANN52 schedule for today you can see that the themes of the IANA transition and accountability continue to be discussed across many different groups.

During the day we will also have a lunch meeting with members of our Advisory Council who are here this week and will engage in a great number of individual meetings.  If you are here in Singapore and want to meet with us, please do find us in one of the sessions – or email me directly at york@isoc.org and I can connect you with the right person.

P.S. Please also read our posts from Monday and Tuesday, and our other ICANN52 public policy and technology posts, for more information about what we are doing here in Singapore this week.

Photo: a group picture from the Internet Society Members Meeting that occurred on Tuesday evening.

Categories
Internet Governance

ISOC At ICANN52, Tuesday: Constituency Day and A Meeting of Internet Society Members

Tuesday at ICANN 52 is what is usually called “constituency day” within the ICANN community as all the various supporting organizations, stakeholder groups and constituency groups hold their individual meetings. You can see this quite clearly if you look at the ICANN schedule for today.

From an Internet Society point of view, our interests continue to be around the IANA transition and accountability points Konstantinos Komaitis outlined in a post last week. Today provides an opportunity to learn more about what the different groups within ICANN think about those issues – and also learn what other concerns the different groups have. Some of our team will be attending the meetings of individual groups, while others will be attending the joint meetings of the ICANN Board with the various groups. These sessions with the ICANN Board provide a good view into what the groups view as their highest priorities and concerns. You can follow along at these links:

All times are Singapore Time which is UTC+8. The meetings will all be recorded for later viewing if you are unable to watch them live.

ISOC@ICANN Members Meeting

As we have done at ICANN meetings for quite some time now, we’ll hold our Tuesday evening “ISOC@ICANN Members Meeting” from 19:00-21:00 in the Morrison Room of the Swissotel. This meeting provides an excellent opportunity for all Internet Society members and chapter leaders who are attending ICANN52 to gather together, share information and learn more about ISOC-related activities. The event page in our Connect site has more information and we look forward to an enjoyable evening of conversation and collaboration. The meeting will be streamed live on Livestream.com for any members wishing to join in remotely.

As Tuesday draws to a close, many of us will naturally head to the “Music Night” sponsored by Afilias and the Public Interest Registry (PIR), before we get ready for a busy day on Wednesday. If you are here at ICANN 52, please do say hello if you see us in any of the sessions – and we look forward to meeting with many of you at the Members Meeting tonight.

P.S. Please also view our other public policy posts and technology posts related to ICANN 52.

Photo: IETF Chair Jari Arkko speaking at the ICANN 52 Welcome Ceremony on Monday morning.

Categories
Domain Name System Security Extensions (DNSSEC) Improving Technical Security Internet Governance

ISOC At ICANN52, Monday: A Great Amount Of IANA Transition Discussion With A Bit of Cybersecurity and DNSSEC, Too

Greetings from Singapore! As the 52nd meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) gets formally underway this morning on Monday, February 9, 2015, we thought we’d give you an idea of what we’ll be focusing on today from an Internet Society point of view as well as provide links so that you can join in and follow along remotely.

To understand our public policy interests here at ICANN 52, you need to read what Konstantinos Komaitis wrote in a post last week. As he noted, a great amount of discussion here will be focused on the twin inter-related issues of the IANA transition and ICANN accountability. Already over the weekend these topics have received significant focus at lengthy meetings of the IANA Coordination Group (ICG), the Government Advisory Council (GAC) and the Generic Names Supporting Organization (GNSO).

Today those two topics will continue to receive much discussion. While there are a great number of meetings today on the full ICANN 52 schedule, here are the ones that we’ll be focused on from a public policy perspective. If you follow each of these links you can find out how to listen in remotely to audio streams or to join the live stream of the “Virtual Meeting Room”:

All times are Singapore Time which is UTC+8. The meetings will all be recorded for later viewing if you are unable to watch them live.

On the technology side, last week I wrote about the many DNSSEC-related activities happening here and two of those events will take place today: the DNSSEC for Everybody tutorial workshop and the DNSSEC Implementers Gathering. There will also be a number of DNSSEC and security-related topics in the Tech Day (see agenda). The Public Safety Workshop will also bring together law enforcement attendees and others to discuss issues related to cybersecurity and the overall security and stability of the DNS.

You can follow along with the technology sessions at these links:

UPDATE: The Public Safety Workshop was changed to start at 1530.

These events will also be recorded for later viewing. As I noted in my earlier post, the DNSSEC Implementers Gathering is an informal meeting at a local restaurant to which there is no remote participation.

With that the first formal day of ICANN 52 will draw to a close. If you are interested in meeting with any Internet Society staff, you will be able to find us in these sessions above. You are also welcome to contact ISOC staff by email or send me an email at york@isoc.org and I can connect you to the right person.

Photo: The Government Advisory Council (GAC) meeting on Sunday, February 8, 2015.

Categories
Internet Governance Technology

Return to Singapore: From chili crabs to names, numbers and protocol parameters

(Photo: SG skyscrapers – CC BY-SA)

Almost a year ago, the National Telecommunications and Information Administration (NTIA) announced its intent to transition key Internet domain name functions to the global multistakeholder community. The process was officially kicked off at the ICANN 49 meeting. That was March 2014. And the place? Singapore.

Fast-forward a year later and we are again on our way to Singapore for an ICANN meeting. We are eleven months into the IANA transition process and a great deal of work has already been accomplished by the affected communities; thousands of emails have been sent and read, and individuals from the global multistakeholder Internet community have spent countless hours talking, deliberating and debating an IANA transition plan. So far, an impressive amount of information has been shared, many ideas have been generated amongst all interested parties, and concrete progress has been made towards developing a transition plan.

It is quite remarkable to see the interest and attention this process has generated. This should not be surprising. Those of us following the IANA discussions since the early days knew this moment would come. The US Government has long intended to phase out its legacy involvement in the management of the Domain Name System. This was clearly indicated in the 1998 White Paper,[1] which stated: “Under the Green Paper proposal, the US Government would continue to participate in policy oversight until such time as the new corporation [which was what became ICANN] was established and stable, phasing out as soon as possible, but in no event later than September 30, 2000”.

The transition might have been announced later than expected, but between 2000 and now, we had:

  • two World Summits on the Information Society (WSIS),
  • a World Conference on International Telecommunications (WCIT),
  • an ITU Plenipotentiary meeting and a myriad of other meetings, including nine global Internet Governance Forum (IGF) meetings—as well as many more regional IGFs.

Along the way, we have learned how to work closer together in a fast-paced, multi-faceted and multistakeholder environment—even as the Internet itself has grown and evolved tremendously. It is the case therefore that now, more than ever, the Internet community appears ready to apply what it has learned and collaborate in a meaningful and inclusive way.

Over the past eleven months, discussions on IANA have been happening around the world and on the Internet. And the forthcoming ICANN meeting will be no exception. This year’s ICANN Singapore meeting is packed with workshops and main sessions on the IANA transition process as well as issues of accountability. This demonstrates the commitment and interest of all stakeholders in working towards the globalization of the IANA functions.

So, this ICANN meeting offers another opportunity to further strengthen collaboration and extend the bridges we have built already. It is a good opportunity for the community to revisit, reflect and deliberate on what has been discussed; it is a good opportunity to think of what challenges lie ahead.

Retaining the appropriate focus and asking the right questions will be key as we move through the various timelines set by the IANA Coordination Group (ICG), towards the September 30, 2015 deadline.

Like other stakeholders, the Internet Society will be present at the IANA discussions in Singapore. The ICANN agenda offers a variety of sessions on the IANA transition process (the ICANN schedule). Just preceding the ICANN meeting, on 6 and 7 February, the ICG is having its face-to-face meeting. And, shortly after the ICANN meeting – on February 25, 2015, at 14:00 UTC, we will be hosting a webinar seeking to continue the dissemination of information about the IANA process to as many Internet users as possible. Follow this link to get information about the IANA webinar.


Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Many DNSSEC and DANE Activities At ICANN52 Next Week In Singapore

What is happening with DNSSEC in the Asia-Pacific region? What are DNSSEC and DANE all about, anyway? What challenges are large DNS operators encountering when deploying DNSSEC? All of these questions and many more will be discussed next week at ICANN 52 in Singapore. Here is the quick guide – please note that all times are Singapore Time which is UTC+8. (So, for instance, the 8:30 am SGT start time of the DNSSEC Workshop on Wednesday, 11 Feb, will be 1:30am Wednesday in Central European Time and 7:30pm Tuesday evening in US Eastern time.)


DNSSEC For Everybody: A Beginner’s Guide

The week starts off on Monday, 9 February, 2015, with the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 17:00 – 18:30 SGT where we’ll be explaining what DNSSEC is all about and also putting on our “skit” dramatizing what happens with DNS and DNSSEC.  I don’t know if we’ll be awarded an Emmy anytime soon for our performance… but we have a good bit of fun with it and people have commented that it has really helped them understand how DNS and DNSSEC work.

You can follow along remotely (or watch it later) at:

http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Oh, and you get to see me talk about DNSSEC and blue smoke…


DNSSEC Implementers Gathering

As we noted previously, on Monday evening from 19:30-21:30 some number of us will be heading to a nearby pub for the “DNSSEC Implementers Gathering” where we’ll be talking informally amongst ourselves and figuring out how we can work together to accelerate DNSSEC and DANE adoption.  For perhaps obvious reasons, there is no remote participation available, but if you are in Singapore you are welcome to join us – we just ask for your RSVP by the end of the day tomorrow, Thursday, February 6, 2015.  Thanks to Comcast, NBC Universal and the MPAA for making this gathering possible, as they also did at ICANN 51 in L.A.


DNSSEC Workshop

The BIG event for the week is of course the DNSSEC Workshop on Wednesday, 11 February 2015, starting at 8:30 and ending at 14:45 SGT.  It will be streamed live and you can join in at this address:

http://singapore52.icann.org/en/schedule/wed-dnssec

The slides and other information will be up soon, but I can tell you the agenda will be this:

  1. Introduction and DNSSEC Deployment Around the World
  2. 10th Anniversary of DNSSEC Workshops
  3. DNSSEC Deployment in the Asia Region
  4. Reverse DNS and DNSSEC in Japan
  5. ccTLD Deployment Experiences
  6. The Operational Realities of Running DNSSEC
  7. When Unexpected DNSSEC Events Occur
  8. DNSSEC and DNS Operators

As a member of the Program Committee, I am very pleased with the presentations and speakers we have and I’m very much looking forward to the event.  The last panel, in particular, is of interest to me as it will involve a number of DNS operators, including CloudFlare, talking about challenges they have encountered while rolling out large-scale DNSSEC and looking to identify solutions within the community.  It should be a very interesting session.   I also always enjoy the DNSSEC case studies from the regional panels.


There will be a number of other side meetings and other discussions going on, but these are the main sessions.  I also understand there will be some DNSSEC activity happening at Tech Day on Monday, 9 February, but the agenda has not yet been posted.  We’ll publish an update once we know more.

If you are at ICANN 52 in Singapore please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.  You can also follow along with our ICANN 52 blog posts as we publish them next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

In Singapore for ICANN 52? Join Us At The DNSSEC Implementers Gathering

If you will be in Singapore on Monday, February 9, 2015, for ICANN 52 and you work with DNSSEC, you are invited to attend the informal “DNSSEC Implementers Gathering” at 19:30 at a nearby restaurant/pub. These gatherings bring together people who have implemented DNSSEC or DANE in some way to engage in conversations and exchange information and ideas. We’ve seen ideas for new projects come out of these gatherings in the past – and they have just generally helped deepen the connections between the community of people involved in getting DNSSEC widely deployed.

SPACE IS LIMITED so please RSVP as soon as possible to julie.hedlund@icann.org. We will be cutting off reservations by close-of-business on Thursday, 05 February 2015, but please let Julie know as soon as you can.

This is a unique opportunity to meet with and talk to key implementers, such as NominetUK, CNNIC, JPRS, NZNIC, CIRA, CZNIC, SIDN, and others.  We do ask that in order to participate you should come prepared to say a few words about your experiences.

We are grateful once again to Comcast, NBC Universal and the MPAA in providing funding to pay for this informal gathering.  The three companies sponsored the event at ICANN 51 in Los Angeles (pictured here) and we were able to stretch their sponsorships to cover this gathering in Singapore.  Thank you to the three organizations for helping with what has been an extremely useful event at ICANN meetings.  (We will, though, need new sponsors for ICANN 53.)

There are also two other DNSSEC-related events happening during the ICANN 52 week:

Monday, 09 February 1700-1830, DNSSEC for Everybody:
http://singapore52.icann.org/en/schedule/mon-dnssec-everybody

Wednesday, 11 February 0830-1445, DNSSEC Workshop:
http://singapore52.icann.org/en/schedule/wed-dnssec

If you are in Singapore and available Monday evening, 09 Feb 2015, please do join us for the DNSSEC Implementers Gathering!

P.S. It should perhaps be obvious, but this event will not be available for remote participation nor will it be live-streamed as it involves a group of people sitting down at a restaurant/pub and eating/drinking together.

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Want To Speak About Your DNSSEC Or DANE Work, Tool or Service? (ICANN52 CFP)

Will you be attending ICANN 52 in Singapore in February 2015? If so, and if you work with DNSSEC or DANE, we are seeking speakers for the ICANN 52 DNSSEC Workshop to be held on Wednesday, February 11, 2015.

The full Call for Participation is included below, but the key point is – we are looking for proposals from people who want to talk about interesting, innovative and new ways they are using DNSSEC or DANE … new tools… new services… new research … new case studies… demos of new tools/services…  basically any new information that can help people understand better the value of DNSSEC and DANE and also the ways in which it can be more easily implemented and used.

Speaking at an ICANN DNSSEC Workshop is a great way to get your ideas and information out to members of the DNSSEC technical community – and the sessions are also archived and viewed by people long after the event is over.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-singapore@isoc.org by Wednesday, 10 December 2014.  (Updated deadline – originally it was December 3.)


Call for Participation — ICANN DNSSEC Workshop at ICANN 52 in Singapore

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 52 meeting on 11 February 2015 in Singapore. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Los Angeles on 15 October 2014. The presentations and transcripts are available at: http://la51.icann.org/en/schedule/wed-dnssec.

We are seeking presentations on the following topics:

1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Potential impacts of Root Key Rollover

Given many concerns about the need to do a Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. New gTLD registries and administrators implementing DNSSEC

With the launch of the new gTLDs, we are interested in hearing from registries and operators of new gTLDs about what systems and processes they have implemented to support DNSSEC. As more gTLDs are launched, is there DNSSEC-related information that can be shared to help those launches go easier?

4. Guidance for Registrars in supporting DNSSEC

The 2013 Registrar Accreditation Agreement (RAA) for registrars and resellers requires them to support DNSSEC from January 1, 2014. We are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC support?
* What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

5. APIs between the Registrars and DNS hosting operators

One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Currently, the communication, such as the transfer of a DS record, often occurs by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information, or from people with ideas around how such APIs could be constructed.

6. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:
* What does an ISP need to do to prepare its network for implementing DNSSEC validation?
* How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
* What measurements are available about the degree of DNSSEC validation currently deployed?
* What tools are available to help an ISP deploy DNSSEC validation?
* What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

7. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

8. DNSSEC automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where are the best opportunities for automation within DNSSEC signing and validation processes?
* What are the costs and benefits of different approaches to automation?

9. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

10. DANE and DNSSEC applications

There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE and other DNSSEC applications become a deployable reality?
* How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE applications and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

11. DANE / DNSSEC as a way to secure email

The DNS-based Authentication of Named Entities (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. We are both pleased and intrigued by the growing usage of DANE and DNSSEC as a means of providing added security for email. Multiple email servers have added support for DANE records to secure TLS/SSL connections. Some email providers are marketing DNSSEC/DANE support. We would like to have a panel at ICANN 51 focusing on this particular usage of DANE. Are you a developer of an email server or client supporting DANE? Do you provide DANE / DNSSEC support in your email service? Can you provide a brief case study of what you have done to implement DANE / DNSSEC? Can you talk about any lessons you learned in the process?

12. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
* How should an enterprise best prepare its IT staff and network to implement DNSSEC?
* What tools and systems are available to assist enterprises in the deployment of DNSSEC?
* How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

13. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-singapore@isoc.org by Wednesday, 03 December 2014.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society


Call For Participation – DNSSEC Workshop at ICANN 52 in Singapore

Will you be attending ICANN 52 in Singapore in February 2015?

If so, and if you work with DNSSEC or DANE, we are seeking speakers for the ICANN 52 DNSSEC Workshop to be held on Wednesday, February 11, 2015.

The full Call for Participation is included below, but the key point is – we are looking for proposals from people who want to talk about interesting, innovative and new ways they are using DNSSEC or DANE… new tools… new services… new research… new case studies… demos of new tools/services… basically any new information that can help people understand better the value of DNSSEC and DANE and also the ways in which it can be more easily implemented and used.

Speaking at an ICANN DNSSEC Workshop is a great way to get your ideas and information out to members of the DNSSEC technical community – and the sessions are also archived and viewed by people long after the event is over.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-singapore@isoc.org by Wednesday, 03 December 2014.

[UPDATE: The deadline has been extended to Wednesday, 10 December 2014.]


Call for Participation — ICANN DNSSEC Workshop at ICANN 52 in Singapore

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 52 meeting on 11 February 2015 in Singapore. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Los Angeles on 15 October 2014. The presentations and transcripts are available at: http://la51.icann.org/en/schedule/wed-dnssec.

We are seeking presentations on the following topics:

  1. DNSSEC activities in Asia

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Asia and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

  2. Potential impacts of Root Key Rollover

Given many concerns about the need to do a Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

  3. New gTLD registries and administrators implementing DNSSEC

With the launch of the new gTLDs, we are interested in hearing from registries and operators of new gTLDs about what systems and processes they have implemented to support DNSSEC. As more gTLDs are launched, is there DNSSEC-related information that can be shared to help those launches go easier?

  4. Guidance for Registrars in supporting DNSSEC

The 2013 Registrar Accreditation Agreement (RAA) for registrars and resellers requires them to support DNSSEC from January 1, 2014. We are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC support?
* What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

  5. APIs between the Registrars and DNS hosting operators

One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Currently, the communication, such as the transfer of a DS record, often occurs by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information, or from people with ideas around how such APIs could be constructed.

  6. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:
* What does an ISP need to do to prepare its network for implementing DNSSEC validation?
* How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
* What measurements are available about the degree of DNSSEC validation currently deployed?
* What tools are available to help an ISP deploy DNSSEC validation?
* What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (e.g., cost, memory, CPU, bandwidth, technical support, etc.)?

  7. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

  8. DNSSEC automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where are the best opportunities for automation within DNSSEC signing and validation processes?
* What are the costs and benefits of different approaches to automation?

  9. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

  10. DANE and DNSSEC applications

There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE and other DNSSEC applications become a deployable reality?
* How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE applications and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

  11. DANE / DNSSEC as a way to secure email

The DNS-based Authentication of Named Entities (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. We are both pleased and intrigued by the growing usage of DANE and DNSSEC as a means of providing added security for email. Multiple email servers have added support for DANE records to secure TLS/SSL connections. Some email providers are marketing DNSSEC/DANE support. We would like to have a panel at ICANN 51 focusing on this particular usage of DANE. Are you a developer of an email server or client supporting DANE? Do you provide DANE / DNSSEC support in your email service? Can you provide a brief case study of what you have done to implement DANE / DNSSEC? Can you talk about any lessons you learned in the process?

  12. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
* How should an enterprise best prepare its IT staff and network to implement DNSSEC?
* What tools and systems are available to assist enterprises in the deployment of DNSSEC?
* How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

  13. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-singapore@isoc.org by Wednesday, 03 December 2014.

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society