Report on ICANN50 DNSSEC Workshop: CloudFlare, HSMs, OTR Demos and more…

We had an outstanding DNSSEC Workshop last Wednesday, June 25, 2014, at ICANN 50 in London.  This was the “big” session of the DNSSEC activities at ICANN 50 and had a big turnout!  I counted around 120 people in the room at one point, many of whom stayed for most of the day, and we seemed to have 20-25 remote participants in the Adobe Connect room for much of the day.  It was great to have so many people there and there was an excellent amount of interaction and engagement throughout the day – lots of questions and lots of discussions!

The schedule, slides and archived video and audio can be found at:

In the section below, I’ll walk through a bit of what happened during the day.  First, though, here is one photo of what the room looked like:

ICANN 50 DNSSEC Workshop

… and there were more people sitting behind where I took the photo and on the sides.  I have many more photos that at some point I’ll try to get into our Flickr account or somewhere.

Introduction and Challenges/Opportunities for DNSSEC

I (Dan York) began the session with the normal introduction session and review of the latest DNSSEC deployment statistics.  Much of this is drawn from the weekly DNSSEC deployment maps we now generate but we also had a good discussion about how we’d like to go to the next level and start generating more second-level statistics.

I followed that with a 2014 view into the Challenges and Opportunities in DNSSEC Deployment and Usage where I looked back on a presentation I gave in 2012 and assessed how far we’ve come in the time since then. I also covered newer issues that have emerged since that time.

DNSSEC Activities in the European Region

We then had the first panel of the day with Cath Goulding of NominetUK moderating a set of presentations from country-code top-level-domain (ccTLD) operators from across Europe:

I think many of us were taking copious notes because these were really case studies of how different ccTLDs were deploying DNSSEC… what they’d done, what they hadn’t done… the success they’d had – or not.   Lots of great info ranging from .CZ’s YouTube videos to Afnic’s deployment guide to .AT’s “bump-in-the-wire” signing service and much, much more.  You can expect to see some of this info turn up in blog posts here on the Deploy360 site!  The discussion was great and the sharing among participants was quite good to see.

DNSSEC Key Rollovers and Transfers

Next up Jim Galvin of Afilias talked about the challenges of ensuring that a DNSSEC-signed domain remains valid during the transition from one DNS hosting provider to another.  In particular he pointed out the challenge of the “5 day grace period” that comes into play with registrars.  This is a critical challenge that we will continue to be discussing until we can collectively agree on a solution to make this work.

CloudFlare – DNSSEC and DNS Proxying

Following Jim was the presentation that many of us were very much looking forward to. John Graham-Cumming of CloudFlare spoke about the challenges of using DNSSEC in an environment such as a content-distribution network (CDN) where DNS proxying and redirection plays such a pivotal role. This is important as the lack of DNSSEC support in CDNs is one of the major blockages right now for many content providers to sign their websites with DNSSEC.  John provided some solid information about the challenges they’ve seen, the tools they’ve developed and their plans for the future.

He very clearly stated that CloudFlare will support DNSSEC by the end of 2014 and is aiming to make it as easy for their customers as they have made IPv6 (which initially was a toggle button and now is on by default).

We certainly hope they will follow through on this – and doing so will immediately help secure a great number of web sites… and bring pressure on other CDN providers to follow suit.

Hardware Security Modules (HSMs) Benefits and Challenges

Next up we dove a bit down into crypto geekery and explored different options for the HSMs that are used by some to generate keys for DNSSEC. Roy Arends of NominetUK moderated and the presenters included:

Rick Lamb kicked off the panel with an overview of why you might want to consider HSMs and what risk they are protecting against.  Mark Southam followed with some info about his Keyper HSM product and then Roland van Rijswijk-Deij talked about the SoftHSM project aimed at letting you do all of this in software without requiring any specific hardware.

Operational Realities of Running DNSSEC

The final presentation before lunch was from Haya Schulman of the Technische Universität Darmstadt. She actually had two presentations, although both were in a single slide deck.  Her first presentation focused on measurements of recursive authoritative name servers and the methods that she undertook in her research.  Given that a number of people in the audience were also involved with DNSSEC measurement, her presentation generated some good discussion and questions.  Her second presentation was on “Cipher-Suite Negotiation for DNSSEC” and presented ideas around how DNSSEC clients could learn a server’s algorithms and priorities.  This again generated some good discussion.

Lunch Break

After Haya’s presentations we had lunch in the room, thanks to the generous sponsors of the event (THANK YOU!):

  • Afilias
  • CIRA
  • Dyn
  • Microsoft
  • .SE
  • SIDN

Having the food right there enabled many great conversations to continue – and allowed us to not have to find our way back to the room that was tucked in an odd part of the hotel.

DANE and DNSSEC Applications

After lunch we had our large panel session that involved multiple demos and running code!  I was the moderator and the panelists included:

Guido Witmond started off by providing an overview of the DANE protocol and how it could be used to add a layer of trust to TLS certificates. He then went into a specific use case where he sees DANE and DNSSEC helping prevent phishing.  Next Willem Toorop gave an overview of the getDNS API – this is really an important area and I would strongly encourage people to both view Willem’s slides and also view the getDNS API web site. I think this new API has some real promise to make it much easier for applications to interact with DNS and DNSSEC.

Willem continued with a second presentation around measuring DNSSEC validation using the RIPE Atlas probe network.  This is important as we continue to search for meaningful ways to measure ongoing DNSSEC deployment.  With Geoff Huston of APNIC Labs there in the room, who also does some DNSSEC measurements, there was some good discussion about how best to measure DNSSEC validation.

Paul Hoffman then took us back into application development with his presentation about DNSharness, a framework for testing name server implementations.  While most people in the room were not aware of this open source work funded by VeriSign Labs, a good number expressed their interest in using the test framework when they returned to their regular organizations.

We then entered into that ever-risky segment of live demos with Iain Learmonth going first with a demo of an “Off-the-Record” (OTR) private instant messaging app based on draft-wouters-dane-otrfp. Iain used the dnskeys library for Python in a modified version of Gajim’s OTR plugin to have a secure encrypted chat session with Willem sitting right next to him.  It was very cool to see, and while the demo was live Iain did provide some slides with screenshots so you can get a sense of what he was doing.

Joost van Dijk of SURFnet closed out the session with a live demo of how they integrated DANE into their service portal so that their customers can automatically generate DANE TLSA records.  Again, the demo was live, but Joost provided a few slides that talk about what they did and some of the challenges they found.
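To show what such a portal has to compute, here is an added example (my own code, not SURFnet’s or anything from the workshop slides) that builds a TLSA record in presentation format from a DER certificate. The owner name, the stand-in certificate (assembled inline with real X.509 structure but placeholder contents) and the small DER helpers are all constructed for this example.

```python
import hashlib

# Minimal DER encode/decode helpers, written for this example (not a full ASN.1 library).
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos):
    """Return (tag, whole_tlv, content, next_pos) for the element starting at pos."""
    start, tag, n = pos, buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[start:pos + n], buf[pos:pos + n], pos + n

def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 Certificate.
    TBSCertificate: [0] version?, serialNumber, signature, issuer, validity, subject, spki, ..."""
    _, _, cert, _ = der_read(cert_der, 0)      # Certificate SEQUENCE
    _, _, tbs, _ = der_read(cert, 0)           # TBSCertificate SEQUENCE
    tag, _, _, pos = der_read(tbs, 0)
    if tag == 0xA0:                            # explicit version present, so read serialNumber too
        _, _, _, pos = der_read(tbs, pos)
    for _ in range(4):                         # signature, issuer, validity, subject
        _, _, _, pos = der_read(tbs, pos)
    _, spki, _, _ = der_read(tbs, pos)
    return spki

def tlsa_record(owner, port, proto, usage, selector, mtype, cert_der):
    """Presentation-format TLSA RR (RFC 6698): usage 0-3, selector (0=full cert, 1=SPKI),
    matching type (0=exact, 1=SHA-256, 2=SHA-512)."""
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("invalid TLSA parameters")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    assoc = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
             2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"_{port}._{proto}.{owner} IN TLSA {usage} {selector} {mtype} {assoc.hex()}"

# Constructed stand-in certificate: real structure, placeholder contents (not a valid cert).
SIG_ALG = der_seq(der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))      # ecdsa-with-SHA256
SAMPLE_SPKI = der_seq(der_seq(der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")),  # id-ecPublicKey
                      der(0x03, b"\x00\x04" + bytes(64)))                  # placeholder point
SAMPLE_CERT = der_seq(
    der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), SIG_ALG,
            der_seq(), der_seq(), der_seq(), SAMPLE_SPKI),
    SIG_ALG, der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    print(tlsa_record("www.example.com.", 443, "tcp", 3, 1, 1, SAMPLE_CERT))
```

Hashing only the SubjectPublicKeyInfo (selector 1) is what lets the record survive a certificate renewal that keeps the same key; a selector 0 record must be republished whenever the certificate changes.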

All in all it was a great afternoon session with lots of technical meat for developers!  Always great when you have running code inside of a workshop!

Wrapping Up

Finally, I ended the day thanking the participants and talking about how people in the session can help get DNSSEC deployed in different environments.

And then… after over 6.5 hours of intense focus on DNSSEC… we left the room to go back into all the other madness of a typical ICANN meeting!

On Toward ICANN 51 in Los Angeles on October 15…

With ICANN 50 behind us, the ICANN DNSSEC Workshop Program Committee is already looking forward to the next DNSSEC Workshop, which will take place on Wednesday, October 15, 2014, at ICANN 51 in Los Angeles.  The call for participation will be out soon, but I can see that in particular we are going to be looking for people who want to present on:

  • New gTLDs and DNSSEC – case studies, implementation details and more
  • Email/SMTP and DANE/DNSSEC – we are seeing a great amount of interest in DANE from email providers and want to bring together people operating email services using DANE and also those involved with developing email servers and applications
  • Root Key Rollover Potential Impacts – many of us are very concerned about the need to have a Root Key Rollover happen and want to talk more about potential impacts and also mitigation strategies.

Plus we are always looking for great DNSSEC or DANE case studies, measurements, cool tools or demos and other similar topics.  Stay tuned for the announcement… but in the meantime start thinking about what YOU would like to present at ICANN 51 in LA!

P.S. If you haven’t yet started using DNSSEC, please check our “Start Here” page to find resources to help you out!

July 3rd, 2014 | Posted in DNSSEC, Events

2 Responses to Report on ICANN50 DNSSEC Workshop: CloudFlare, HSMs, OTR Demos and more…

  1. Cellulose says:

    Does DNSSEC still break NAT64? NAT64 is the only cost-effective way of deploying IPv6 on the corporate network, so it’s a colossal problem for IPv6 in the long run. When I ask about this the common reply is that DNS64 creates new DNS entries and so should be expected to break DNSSEC validation, but that’s like a WWII aircraft designer saying that the forward gun should be expected to shoot the propeller off when you fire it. The full IPv4 host address is embedded within the synthetic AAAA record, so there’s no good reason that DNSSEC can’t be smart enough to know it should be validating against that and not against the whole record.

  2. […] no surprise, this reaffirms what CloudFlare’s John Graham-Cumming stated back in June at the ICANN 50 DNSSEC Workshop in London where he presented a set of slides that are available for download.  From what Graham-Cumming […]
