DNSSEC Workshop Dan York, Internet Society | ICANN 54 | October 2015
Remote Participation
Slides and audio streams at:
• https://meetings.icann.org/en/dublin54/schedule/wed-dnssec
Live video stream via YouTube at:
• http://bit.ly/dnssec54am
• http://bit.ly/dnssec54pm
Program Committee
• Steve Crocker, Shinkuro, Inc.
• Mark Elkins, DNS/ZACR
• Cath Goulding, Nominet
• Jean Robert Hountomey, AfricaCERT
• Jacques Latour, CIRA
• Xiaodong Lee, CNNIC
• Luciano Minuchin, NIC.AR
• Russ Mundy, SPARTA, A Parsons Company
• Ondřej Surý, CZNIC
• Yoshiro Yoneya, JPRS
• Dan York, Internet Society
• Julie Hedlund and Kathy Schnitt, ICANN
Luncheon Sponsors
• Afilias
• CIRA
• Dyn
• .SE
• SIDN
NOTE: One new sponsor will be needed for 2016!
DNSSEC Implementer’s Gathering Sponsors
The Program Committee held a DNSSEC Implementers Gathering on 19 October sponsored by:
• Afilias
DNSSEC Implementer’s Gathering
Thanks to: • Afilias
Who can sponsor the gathering at ICANN 55 in Marrakesh?
Support
The DNSSEC Workshop and associated activities at ICANN are an organized activity of the:
• ICANN Security and Stability Advisory Committee (SSAC)
with additional assistance from the:
• Internet Society Deploy360 Programme
Program
0900-0915 – Presentation: Dan York, Internet Society – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
0915-1045 – Panel Discussion: DNSSEC Activities in the European Region
1045-1100 – Coffee Break
1100-1215 – Panel Discussion – DNSSEC on the Edge
1215-1230 – Great DNS/DNSSEC Quiz
1230-1315 – Lunch Break
1315-1430 – Demonstrations and Presentations: DNSSEC and Applications
1430-1500 – Presentation: Services to Stimulate DNSSEC Validation
1500-1515 – Presentation: DNSSEC – How Can I Help?
DNSSEC Deployment Around the World: Counts, Counts, Counts Dan York, Internet Society | ICANN 54 | October 2015
http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=0&r=0&w=7&r=1
http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=0&w=7&r=1
http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=0&w=7&r=1
https://rick.eng.br/dnssecstat/
https://rick.eng.br/dnssecstat/
Note: Only includes the TLDs for which Rick Lamb can get statistics. (Example, .GOV is not listed.)
TLD DNSSEC Implementation Status
• Experimental – internal experiments
• Announced – Public commitment to deploy
• Partial – Zone is signed but not in operation
• DS in Root
• Operational – Accepting signed delegations
Zambia - .ZM October 2015
Mexico - .MX July 2015
Uruguay - .UY August 2015
Receiving the DNSSEC Deployment Maps
The DNSSEC Deployment Maps are now published via email every Monday morning through the Internet Society Deploy360 Programme. To subscribe, visit: www.internetsociety.org/deploy360/dnssec/maps/
DNSSEC Event Calendar
New calendar to track DNSSEC/DANE-related events. Two views – event listing: https://www.dnssec-deployment.org/events/ Calendar view: http://www.dnssec-deployment.org/calendar/ Send event submissions to [email protected]
IETF 93 Hackathon – Project Summary
[Diagram: Web browser & stub resolver, DNS resolver + validation, DNS servers for root, .com and example.com (NS, DS, DNSKEY, RRSIGs), and web server 10.1.1.123 serving https://example.com/; numbered steps 1-6.]
• INTEGRITY – DNSSEC
• TRUST IN TLS – DANE
• CONFIDENTIALITY – DPRIVE
IETF 93 Hackathon
• Visual interface to show what DNSSEC algorithms are supported by a DNS resolver
• Tool to test for DNSSEC roadblocks
  – draft-ietf-dnsop-dnssec-roadblock-avoidance
• Prototype web server implementation
  – TLS extension to deliver DNSSEC authentication chain to client
  – draft-shore-tls-dnssec-chain-extension
• DNS confidentiality/privacy (DPRIVE)
  – Fixed opportunistic TLS in both getdns and Unbound to be strict authenticated TLS
    1. Added functionality to getdns API to authenticate TLS server.
    2. Patched Unbound server: forward-secret key exchange; enabled sending full TLS certificate chain in handshake
• JSON interface to IANA registry of DNSSEC algorithms
IETF 93 Hackathon - Public releases
• Visual interface to check DNSSEC algorithms
  – https://github.com/ogud/DNSSEC_ALG_Check
  – https://github.com/getdnsapi/IETF93HackathonNode
• Tool to test for DNSSEC roadblock avoidance
  – https://www.ietf.org/registration/MeetingWiki/wiki/dnsresolvercapabilities
  – https://getdnsapi.net/roadblock.php
  – https://github.com/getdnsapi/IETF93HackathonPHP
• DNS confidentiality/privacy - TLS
  – Patches going into next release of getdns API
  – Patch available for Unbound
• JSON interface to IANA registry of DNSSEC algorithms
  – https://github.com/danyork/dnssec-algs-json
IETF 94 Hackathon
Sat/Sun, Oct 31 / Nov 1, 2015 – Yokohama – IETF 94
• https://www.ietf.org/hackathon/94-hackathon.html
• https://www.ietf.org/registration/MeetingWiki/wiki/94hackathon
• Opportunity to work on new tools or services for DNSSEC / DANE / DNS Privacy
• Join us!
DNSSEC History Project
The DNSSEC History Project is an ongoing project to collect and record the history of the work that went into bringing about the deployment of DNSSEC. To view – or to contribute – please see: https://wiki.tools.isoc.org/DNSSEC_History_Project
Thank you and Questions
Dan York, Internet Society | ICANN 54 | October 2015