Deploy360 22 May 2017

CaribNOG 13: Let’s Encrypt & DANE

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

The 13th Caribbean Network Operators’ Group (CaribNOG 13) was held on 18-19 April 2017 in Barbados. Around 30 participants from around the Caribbean came together to discuss operational issues and share expertise about evolving the Internet in the region. The event was sponsored by the Internet Society along with others.

Kevin Meynell from the Deploy360 team attended the event and presented on Let’s Encrypt, which is a free, automated and open Certificate Authority (CA) that’s encouraging the deployment of TLS and encrypted Internet communications. The aim is to have 100% of the Internet encrypted, and CAs are currently needed to validate domains and link them with the public keys used to establish encrypted connections.

The other benefit of Let’s Encrypt is that it uses the Automated Certificate Management Environment (ACME) to provide an API for requesting, validating, revoking and otherwise managing certificates. This is also currently being standardised through the IETF.

The inherent weakness of using any CA, though, is that they’re third parties able to issue certificates for any name or organisation. DANE is a protocol that instead allows certificates to be cryptographically bound to DNS names and, as we’ve discussed before, can be used in conjunction with Let’s Encrypt certificates to facilitate encrypted communications between hosts validated with DNSSEC.
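As an added illustration (not code from the presentation or from Let’s Encrypt), the sketch below shows how a DANE TLSA record binds a certificate to a name, and why a record that pins the public key (`3 1 1`) keeps matching after a renewal that reuses the key while a full-certificate pin (`3 0 1`) does not. The certificates are constructed, unsigned stand-ins, all function names are hypothetical, and the TLSA lookup is assumed to have already been validated with DNSSEC.

```python
import hashlib

def tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, off, _ = tlv(cert, 0)               # Certificate SEQUENCE
    _, off, _ = tlv(cert, off)             # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, off)
    if tag == 0xA0:                        # optional [0] version field
        off = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        off = tlv(cert, off)[2]
    return cert[off:tlv(cert, off)[2]]

def tlsa_data(cert, selector, mtype):
    """Certificate association data for a TLSA selector and matching type."""
    data = extract_spki(cert) if selector == 1 else cert   # 0 = full certificate
    if mtype == 0:
        return data                                        # exact match, no hash
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def tlsa_matches(record, cert):            # record = (usage, selector, mtype, data)
    _usage, selector, mtype, assoc = record
    return tlsa_data(cert, selector, mtype) == assoc

# Constructed sample input: unsigned, certificate-shaped DER (not real certificates).
def der(tag, *parts):                      # short-form lengths only (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def fake_cert(serial, key):
    seq = lambda *p: der(0x30, *p)
    spki = seq(seq(der(0x06, b"\x2b\x65\x70")), der(0x03, b"\x00" + key))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der(0x03, b"\x00"))

OLD, RENEWED = fake_cert(1, b"K" * 32), fake_cert(2, b"K" * 32)  # renewal, same key
REKEYED = fake_cert(3, b"Z" * 32)                                # renewal, new key
PIN_SPKI = (3, 1, 1, tlsa_data(OLD, 1, 1))   # DANE-EE, SPKI, SHA-256
PIN_CERT = (3, 0, 1, tlsa_data(OLD, 0, 1))   # DANE-EE, full certificate, SHA-256
```

When the key itself is rotated, the new TLSA record has to be published before the new certificate is deployed, otherwise validating clients will reject the connection.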

There were a couple of other presentations with Deploy360 relevance. Kevon Swift (LACNIC) provided an overview on IPv6 Deployment and Impact in the LAC region. IPv6 deployment in the LAC region still remained fairly low, although Ecuador, Peru, and Trinidad and Tobago were in the Top 20 countries for IPv6 deployment with rates between 15 and 20%.

LACNIC had therefore commissioned a report in conjunction with the Development Bank of Latin America to examine IPv6 deployment in the region. This had led to several recommendations that included adjustments to regulatory frameworks and policies to facilitate IPv6 deployment, more support for research and education networks, which were agents for innovation, and the development of road maps to encourage timely transition to IPv6.

The other presentation was from Mark Kosters (ARIN) about Cloud Computing and DNSSEC Considerations. This discussed the issues of using DNSSEC with shared systems, how to ensure you have the right connections for sensitive information, and how a cloud provider ensures isolation between clients.

Last but not least, we should also mention that our colleague Shernon Osepa from ISOC’s Latin America and Caribbean Bureau was at the meeting too, and provided an update on our activities in the Caribbean.

All the presentations from the meeting can be found on the CaribNOG website.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
