Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

The Next Steps Toward Increasing The Security of DNSSEC with Elliptic Curve Cryptography

How do we make DNSSEC even more secure through the use of elliptic curve cryptography?  What are the advantages of algorithms based on elliptic curves?  And what steps need to happen to make this a reality?  What challenges lie in the way?

Over the past few months we’ve been discussing these questions within the community of people implementing DNSSEC, with an aim of increasing both the security and performance of DNSSEC.  Ondřej Surý of CZ.NIC Labs has been leading the way both with writing Internet drafts (draft-ietf-curdle-dnskey-ed25519 and draft-ietf-curdle-dnskey-ed448) and also in helping to organize sessions at various events.

Here’s a brief view of where that discussion has and will be taking place:

  • 9 March 2016 – a panel session at ICANN 55 DNSSEC Workshop in Marrakech, Morocco- (see below)
  • 1 April 2016 – a panel session at DNS-OARC in Buenos Aires
  • 5 April 2016 – a discussion of the drafts in the CURDLE Working Group at IETF 95
  • 6/8 April 2016 – a discussion of another draft in the DNSOP Working Group to reduce usage of older DNSSEC crypto algorithms
  • 23-27 May 2016 – a panel session at RIPE 72 in Copenhagen, Denmark
  • 27 June 2016 – a proposed panel session at the ICANN 56 DNSSEC Workshop in Helsinki, Finland

Let me provide a quick overview of what happened at ICANN 55 and then explain a new Internet draft that came out of that experience.

ICANN 55 DNSSEC Workshop

At ICANN 55 in Marrakech, we had a panel that I moderated where we presented several different viewpoints about how we go about implementing new DNSSEC algorithms and what are the challenges.  I started out with a presentation where I outlined some of the challenges in this set of slides:

Challenges To Deploying New DNSSEC Cryptographic Algorithms from Deploy360 Programme (Internet Society)

I was then followed by four panelists (links are to the slide decks three of the four panelists had):

Geoff started out giving an overview of what APNIC’s research had found in the support of a current elliptic curve algorithm (ECDSA) in DNS resolvers (remembering that there are two sides to DNSSEC).  Jim Galvin then provided a view of DNSSEC algorithms from a registry perspective.  Olafur reported on the experience CloudFlare had rolling out ECDSA support and Ondřej wrapped up the session explaining the two new elliptic curve algorithms proposed for DNSSEC.  There were a good number of questions asked and it was a healthy discussion.

Our Internet Draft on new deploying DNSSEC algorithms

After that ICANN 55 session, I went back and wrote up a summary of what we learned out of that discussion and then incorporate further input from Ondřej, Ólafur and Paul Wouters and turned that into a new Internet-draft:

draft-york-dnsop-deploying-dnssec-crypto-algs

As I said in the abstract:

As new cryptographic algorithms are developed for use in DNSSEC signing and validation, this document captures the steps needed for new algorithms to be deployed and enter general usage. The intent is to ensure a common understanding of the typical deployment process and potentially identify opportunities for improvement of operations.

We are looking forward to further discussion – and welcome any and all feedback on the document.

The DNS-OARC panel on Friday, April 1

Which leads to a mention of the next discussion happening on this Friday, April 1, at the DNS-OARC 24th meeting happening in Buenos Aires right before IETF 95.  The very last session from 1700-1745 ART (UTC-3) will be on “DNSSEC algorithm flexibility” .  I’ll be moderating the panel again and the focus this time will be on software implementations and what needs to be done there to support more encryption algorithms.  Ondřej will be part of the panel along with Paul Wouters (Red Hat), Evan Hunt (ISC / BIND) and several others.

I’m told their will be a live stream of the DNS-OARC session and it should be accessible from the DNS-OARC Google+ page. I’ll update this post once I have an exact URL.

Our goal with all of this work is to lay out a solid path forward to bringing strong elliptic curve algorithms to DNSSEC – and then making that plan a reality.  The end goal is an even more secure DNSSEC infrastructure that brings about an even more trusted DNS.

We’d welcome your comments and assistance with this – please do send us comments on the Internet Draft (email addresses at the end) or comment here or on social media about any of this.  We need many different people helping move this forward!

P.S. If you are not yet using DNSSEC, please visit our Start Here page to begin!

Categories
Internet Governance

A note to the ISOC Community: Marking our success, building on IANA momentum to keep Internet on track

I have just returned from Marrakech where we marked a historic milestone for the multistakeholder model of Internet governance. Following the original request from the U.S. Government, the ICANN Board transmitted to the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) the plan to transition stewardship of the IANA functions to the Internet Community. The Plan was developed through the engagement, energy, dedication, and diligence of many, diverse people around the world. Many of you participated in important ways to reach the consensus recommendations that form the basis of a new era for the Internet Community. I applaud your work, dedication and persistence. I especially want to thank Narelle Clark and Demi Getschko, who served as the ISOC’s representatives on the ICG.

The Internet Society strongly supports the plan as an important step in ensuring the continued uninterrupted operation of the global Internet.

What the community has delivered is quite remarkable. Together, we validated the process that has been at the core of the Internet’s success through the persistent commitment of the community. We produced consensus-based recommendations to ensure the continued coordination of key technical functions of the Internet. We strengthened our community’s foundation for working together in the future. We have reason to feel the pride of accomplishment.

But we are not yet done. Hard work remains ahead of us to turn the promise of the plan into reality. Service Level Agreements must be signed. Intellectual Property arrangements have to be finalized. ICANN must be responsive to its own community to ensure it continues to be a strong steward of IANA. And, of course, the proposal must successfully make its way through review by the U.S. government.

As part of that review, later this week the House of Representative’s Energy & Commerce Committee will hold a hearing on the IANA stewardship transition. People representing diverse stakeholders that participated in developing the plan have been asked to testify, including the Internet Society’s Sally Wentworth. At the same time, the NTIA is beginning its review.

In fact the plan will soon be examined by individuals in many organizations around the world. We feel confident it meets the criteria set forth by the NTIA and that it is good for the Internet and its billions of users, today and in the future. We know that the plan is stronger because of the processes through which it was developed. And, after the final acclimation in Marrakech, we trust it has broad support from the Internet community. These aspects will be extremely important in the face of the scrutiny it will—and should—receive over the next several months. Most importantly, through all of this, we must keep an eye towards completing review and implementation by the time the contract expires in September of this year.

So, while we have reached a significant milestone, we need to finish the job. We already know some of what must be done. Along the way we will discover other things we need to do. The Internet Society is committed to seeing this most important transition through to its finish. Together, with the dedication and persistence that is our hallmark, I am confident we will get there together.


Image credit: ICANN Photos on Flickr CC BY NC

Categories
Growing the Internet

Internet Society expresses support for IANA Stewardship Transition Plan

Kathy Brown, President & CEO, provided the following statement to the ICANN Board of Trustees on Thursday, March 10, 2016 during the Public Forum session at ICANN 55 in Marrakech. Read more about ISOC’s view on our IANA Stewardship Transition page.


The Internet Society believes that the IANA Stewardship Transition package has the broad community backing it deserves. We strongly support it.

Importantly, we believe it does two things:

  1. It ensures the continued stability of key technical functions that are a core part of the smooth operation of the Internet, and
  2. It provides the path forward for strengthening the stewardship role of the ICANN community.

What the community has delivered is quite remarkable.

It has taken courage to persist in the face of our differences and diverse interests – courage to do what is necessary to achieve our common goal together and courage to stay with the process.

Today’s outcome confirms the strength of the multistakeholder process in tackling issues important to the continued growth and evolution of the Internet. The Internet way we call it. Indeed, it is the ONLY way in our complex ecosystem.

But, we are not done. Hard work still remains ahead of us to turn the promise of the plan into reality. The community now has a responsibility to ensure the plan is faithfully implemented in a timely way.

Again, I would like to congratulate the Internet community for reaching this critical milestone. The Internet Society remains fully engaged in seeing this most important transition to its finish.


You can watch Kathy’s remarks below:

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) To archive Tutorials

WATCH LIVE Today – DNSSEC For Everybody: A Beginner's Guide, from ICANN 55

ICANN 55 entrance

Want to learn about DNSSEC and how it helps add a layer of trust to DNS? Puzzled by how this all works?   If so, please join us today from 16:45 to 18:15 UTC for “DNSSEC for Everybody: A Beginner’s Guide” streaming live out of Marrakech, Morocco, in both audio and video on links found off of this page:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

(The video and slides are provided via the “Virtual Meeting Room Stream Live” link.)

UPDATE: It turns out that unfortunately there will NOT BE VIDEO in the room that ICANN assigned for us.  You can still listen by audio and watch the slides – but you will unfortunately not see any video.

The session consists of an introduction and then a skit where a group of us act out DNS operations – and then add DNSSEC into the picture.

Yes… you heard that right… a bunch of engineers acting out a skit about DNS!   🙂

Hey… you might as well have a bit of fun with it, eh?  And our history has told us that this skit has helped people tremendously in understanding DNS and DNSSEC.  We also have some other technical information and usually spend about half the session answering questions from participants.

Please do join us!

This tutorial today is part of a larger set of DNSSEC activities planned for this week.  As the session abstract says:


DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues.

Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.

The session is aimed at everyone, so no technical knowledge is required. Come and find out what it’s all about…!


If you can’t view it live the session will be recorded for later viewing.  And if you want to get started today with DNSSEC, please see our Start Here page to begin!

 

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

ICANN 55 logoStarting this Friday, March 4, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events:

There will be some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday.  Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process.  Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the  main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET) which is the same as UTC.


Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016


Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016

I will be in the audience listening to what looks to be a great set of panelists.


DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15  where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.


DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event.  This is the one event where there is no remote participation possible.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

Thank you to Afilias, CIRA, Dyn and SIDN for sponsoring the DNSSEC Workshop series in 2016.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 –Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion:  DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00 where will I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology.  Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

https://meetings.icann.org/en/marrakech55/schedule/wed-board-technical


If you will be there at either the Africa DNS Forum 2016 or  ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Categories
Internet Governance

The IANA Stewardship Transition: All Eyes Turn Toward Marrakech (ICANN 55)

When in March 14, 2014, the NTIA announced its intention to step away from its historical oversight role over the IANA functions, something extraordinary happened. A global dialogue immediately ensued.

The first part of this dialogue is expected to come to an end in the forthcoming ICANN annual meeting in Marrakech next week. After two years of vigorous discussions, the Internet community says it is now ready to move to the next part of the process – implementation. But, before we start thinking about this next, crucial part of this process, let’s pause for a moment and think what the Internet community has achieved so far.

First, it has demonstrated that collaboration is key for the Internet. It is very difficult to imagine another way of discussing IANA other than the one employed by the various communities. Very soon it became very clear that answers to the complex questions about IANA could only come from the collaboration of as many stakeholders as possible. So, in terms of bringing diverse communities and ideas forward, what the discussions have achieved is really unprecedented.

The second thing this process did was to reaffirm the value of consensus. Consensus works in blocks – you start with an issue and you work through each block via consensus until the issue is exhausted. It is a slow, yet efficient, way to address complex issues. Consensus also works through compromise and a shared goal. In this case, the goal of a successful transition has become the focal point around which stakeholders have assembled for the past two years.

Then, there is the coordination that took place. Small and large working groups, email lists, teleconferences and face-to-face meetings were set as part of a well-coordinated effort to ensure that information was equally distributed. Coordination amongst groups grew organically and allowed for more focus. The IANA Coordination Group (ICG) took on the task to produce the final proposal, while the various communities were going through their individual processes.

These processes have all been transparent, inclusive and accountable. Stakeholders conducted their discussions in an open manner; if you wanted to be part of the dialogue, the only thing you had to do was just join. Anything less would just not have worked. This realization accompanied the participants throughout the entire process.

Given these takeaways, next week the community should trust itself and submit the final proposal to the NTIA. There is no time for more delays – the NTIA has to receive the proposal so it starts its own process of review and the necessary implementation details are worked out before the contract expires.

With a High Level Governmental meeting and numerous sessions on IANA and ICANN accountability scheduled and, an expectation that part I of the IANA journey we be ending on March 10, over the next week all eyes of the entire Internet community will turn to Marrakech.


To stay up-to-date on Internet Society activities in Marrakech, please visit our ICANN 55 event page throughout the week.

Image credit: Sofiane Belghali on Flickr CC BY NC

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

Got a DNSSEC or DANE Story or Tool To Share? Submit a Proposal For ICANN 55 DNSSEC Workshop

ICANN 55 logoDo you have an idea for a new way to use DNSSEC or DANE to make the Internet more secure?  Have you recently installed DNSSEC and have a great case study you can share of lessons learned?  Do you have a new tool or service that makes DNSSEC or DANE easier to use or deploy?

If you do, and if you will be attending ICANN 55 in Marrakech, Morocco (or can get there), we are now seeking proposals for the ICANN 55 DNSSEC Workshop that will take place on Wednesday, 9 March 2016.  Anyone is welcome to send in a brief (1-2 sentences) description of what you would like to talk about to:

dnssec-marrakech@isoc.org

The deadline is Monday, 14 December 2015.

Any ideas related to DNSSEC or DANE are welcome.  To provide some suggestions, the full Call for Presentations is included below with a list of different ideas.  You can also view the agenda of the recent ICANN 54 DNSSEC Workshop in October in Dublin to get a sense of what we talk about at these events.

These DNSSEC Workshops are great ways to bring ideas to the wider DNSSEC community.  All sessions are recorded as well so that people get a chance to view them later.

If you are doing anything interesting with DNSSEC or DANE, I’d strongly encourage you to submit a proposal!

The full call for participation is below…


The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 55 meeting on 09 March 2016 in Marrakech, Morocco.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN meeting in Dublin, Ireland on 21 October 2015. The presentations and transcripts are available at: https://meetings.icann.org/en/dublin54/schedule/wed-dnssec.

At ICANN 55 we are particularly interested in live demonstrations of uses of DNSSEC or DANE.  Examples might include:

* Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
* Tools for automating the generation of DNSSEC/DANE records.
* Services for monitoring or managing DNSSEC signing or validation.
* Tools or services for using DNSSEC/DANE along with other existing protocols and
services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
* Innovative uses of APIs to do something new and different using DNSSEC/DANE.
* S/MIME and Microsoft Outlook integration with active directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-marrakech@isoc.org by **Monday, 14 December 2015**

Examples of the types of topics we are seeking include:

1.  DNSSEC activities in Africa

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Africa and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment.  In particular, we will consider the following questions:  Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do?  What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC?  We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2.  Potential impacts of Root Key Rollover

Given many concerns about the need to do a Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys.  We would like to be able to offer suggestions out of this panel to the wider technical community.  If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3.  Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers.  We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world.  We are interested in presentations on topics such as:
* Can you describe your experiences with negative Trust Anchors and operational realities?
* What does an ISP need to do to prepare its network for implementing DNSSEC validation?
* How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
* What measurements are available about the degree of DNSSEC validation currently deployed?
* What tools are available to help an ISP deploy DNSSEC validation?
* What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5.  DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations  on topics such as:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where are the best opportunities for automation within DNSSEC signing and validation processes?
* What are the costs and benefits of different approaches to automation?
* What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE and other DNSSEC applications become a deployable reality?
* How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services.  For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome.  Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6.  When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7.  DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
* How should an enterprise best prepare its IT staff and network to implement DNSSEC?
* What tools and systems are available to assist enterprises in the deployment of DNSSEC?
* How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-marrakech@isoc.org by **Monday, 14 December 2015**

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society