Deploy360 9 October 2014

A Great Amount Of DNSSEC/DANE Activity At ICANN 51 In L.A. Next Week

By Dan YorkDirector, Internet Technology

ICANN 51 Los AngelesStarting in just a few days there is going to be a great amount of activity related to DNSSEC and DANE happening in conjunction with the ICANN 51 meeting in Los Angeles from October 12-16, 2014.

As usual, there will be the large DNSSEC Workshop on Wednesday, October 15 that always happens with ICANN meetings, as well as the “DNSSEC for Everybody” and “DNSSEC Impelementer’s Gathering” on Monday.

However, at ICANN 51 there will be three other activities:

Due to some schedule conflicts I will be unfortunately missing the DNS-OARC meetings but I’ll be out there on Monday afternoon and look forward to seeing many of you there!

To walk through the activities, let me break it down day by day.

Saturday and Sunday, October 11-12

DNS-OARC will be holding its 2014 Fall Workshop and Annual General Meeting this weekend.  Saturday the 11th is primarily focused on organizational matters but on Sunday the 12th the group gets into detailed technical discussions.  Some of the sessions that may be of interest to Deploy360 readers include:

  • Measuring the cost of DNSSEC
  • Improved NSEC3 performance in DNSSEC
  • NSEC5: Provably Preventing DNSSEC Zone Enumeration
  • A Survey of Current DANE/TLSA Deployment

Many of the other sessions look quite fascinating as well (to a “DNS geek” such as myself!). Per the Overview page, you can participate remotely using these means:

Monday, October 13

10:30 – 17:00 PDT – Tech Day (combined ccNSO/DNS-OARC)

On every Monday of an ICANN week the ccNSO (for country-code top-level domains (ccTLDs)) holds a “Tech Day” full of technical presentations on a wide range of topics. For ICANN 51 they have combined with DNS-OARC and the result is an excellent session full of DNS and DNSSEC talks.  Remote participation info is available at:

although the actual agenda is on the DNS-OARC site.  Some of the sessions that may be of interest to Deploy360 readers include:

  • DNSViz – powerful and extensible DNS analysis
  • Low-Cost Threshold Cryptography HSM for OpenDNSSEC
  • DNS Bake-off

This last “bake-off” session I mention is one in which the different vendors/organizations behind various DNS servers all get up in front of the room and talk about what is new or different in their latest software. When this panel has happened before at Tech Day it’s been a great way to learn what is new with the different DNS software implementations.

A number of other sessions will probably be quite interesting and the opening keynote at 11:00 by Paul Mockapetris should be quite educational as well.

17:00 – 18:30 PDT – DNSSEC for Everybody: A Beginner’s Guide

In this session we’ll once again go back to the caveman days and talk about blue smoke in a light-hearted session aimed at helping people understand DNSSEC.  We’ll also do our “skit” acting out DNS and DNSSEC again… and typically answer a great number of questions from people.  You can participate remotely and view the handout at:

19:30 – 21:30 (or later) PDT – DNSSEC Implementers Gathering

After that session is over there will be a smaller informal gathering at a nearby restaurant where people who are actually involved in deploying DNSSEC and/or creating the tools to deploy DNSSEC will gather together for food, drinks and conversation to explore what more can be done to accelerate DNSSEC deployment. These sessions have created strong connections and usually generated new projects and ideas for further work.

Alas, there is no way that anyone can participate remotely. 🙂  We would like to thank Comcast, NBC Universal and the MPAA for providing sponsorship money so that we could hold this gathering and make it accessible to all who will attend.  (Attendance has now been closed due to space limitations.)

Wednesday, October 15

08:30 – 14:45 PDT – DNSSEC Workshop

This is the BIG session of the week related to all things about DNSSEC and DANE.  The full agenda, slides and remote participation information can be found at:

(Slides and detailed agenda are not online yet but should be soon.)

The bulk of the session includes 5 panels for which we have assembled an excellent collection of speakers:

  • DNSSEC Activities in North America
  • Impact of Root Key Rollover
  • DNSSEC Deployment in Operating Systems
  • DNS/DNSSEC Monitoring
  • DANE and Email Services

Additionally I’ll be providing some DNSSEC deployment statistics and the beginning and wrapping it up with a “How You Can Help” session at the end.

These DNSSEC Workshop sessions bring together an outstanding group of technical people involved with DNS and DNSSEC and are well worth attending either in person or remotely.

09:00 – ? – Root KSK Rollover Interoperability Testing

At the same time as the public DNSSEC Workshop is taking place, there will be a private meeting of service providers, vendors, application developers and others who will be focused on performing some actual interoperability testing to determine what exactly will be some of the technical issues when we as a community roll (or change) the “Root Key Signing Key (KSK)” that is at the top of the global “chain of trust” in DNSSEC.

This closed interop workshop will then lead to…

Thursday, October 16

09:00 – 12:00 DNSSEC Key Rollover Workshop

ICANN Chief Technology Officer (CTO) David Conrad is organizing a public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.  Information about how to participate remotely can be found at:

(Note: the times on that page have not yet been updated.  The workshop will only be from 09:00-12:00.)

I would expect some of the discussion will involve the results of the interop testing happening on Wednesday but the intent is to have it be a wider discussion during this workshop.  If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

It is also worth noting that ICANN’s Security and Stability Advisory Committee (SSAC) will hold its public meeting from 08:00 – 09:00 immediately prior to this workshop.  The SSAC public meetings usually include topics of interest to those of us working with DNSSEC and “DNS security” in general.

And… after all of that we’ll all make our journeys home rather exhausted from so much conversation about DNSSEC! 🙂

Seriously, though, it will be an excellent week full of DNSSEC and DANE conversations.  If you are out at ICANN 51 please do find me at one of the events and say hello, or drop me an email message and we can arrange a time to connect.  You will of course find info on our Deploy360 social media channels during the events next week.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?

See (some of) you in L.A.!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...