Internet Performance Delivered right to your inbox

The Status of DNSSEC Rollout, DANE, World IPv6 Day

Last week, Jeremy gave us an introduction to DNS Inside Baseball, Dyn’s very own DNS industry insider event. Kyle followed up with his thoughts on the competitive, yet collaborative nature of our industry. This leaves the technical recap up to me.

Like last year, the event followed the Unconference format, taking some time to brainstorm the ideas and concepts people wanted to talk about and then diving in topic by topic. After a full 10 minutes of brainstorming, we had a whiteboard filled with things to discuss.

While we ultimately didn’t have enough time to cover every topic, we hit on a number of very important discussion topics and I’ll summarize some of the most important ones (the status of DNSSEC, DANE) below, as well as some notes on Wednesday’s World IPv6 Day!

The Status of DNSSEC Rollout

Not the first topic discussed, but certainly one of the most important. At last year’s event, we were excitedly anticipating the generation of the root KSK at ICANN’s first key generation ceremony in Culpepper, VA, with the root key being inserted into DNS shortly thereafter. A short year later, we have most, if not all, of the GTLD zones signed with DNSSEC and some registrars (including supporting trust anchor management for individual domains.

With domains being signed and recursive resolvers being instrumented with the root key’s DS record, recursives around the world are able to walk the full validation chain for DNSSEC signed zones in supported TLDs. Operators in the room mentioned that they have seen an uptick in the number of DNS queries requesting DNSSEC information.

This is great news, but there are still two major holes in the adoption of DNSSEC:

  • How do we, as an industry, encourage domain holders to sign and manage DNSSEC for the zones? The challenge today is that the operation of signing a zone, generating a DS record and uploading it to the requisite registry is too complicated of an operation for most domain holders to execute. Lacking no shortage of brainpower, the participants quickly performed some quick protocol engineering to develop a means for a more automatable trust anchor management scheme. It’s something our development teams will be looking into.
  • The second big point discussed what is being done to secure the DNS path between a stub client (i.e. workstation) and the validating DNS resolver. Just because we have security between DNS authoritative servers and DNS recursive resolvers, it doesn’t mean that the end-to-end path to a stub client is secure. The group spent a significant amount of time discussing the need for secure channels between recursive resolvers and stubs or the need for our stubs to become smarter, so that a stub can perform validation. The latter seems to be the group’s preferred method with work to update many of the POSIX-compliant DNS libraries is already underway.

DNS-based Authentication of Named Entities (DANE)

DANE is a prospective extension to the DNS system, to deliver transport level security (TLS) certificate data to end users over a DNSSEC validated communication channel. For those not familiar with TLS, think of SSL encryption (or HTTPS) as a nearly similar equivalent protocol. In both TLS and SSL, there is an initial key exchange performed over an insecure channel and once the key exchange is completed, the channel is secured.

With DANE, a web browser or other DANE-enabled client application can query the DNS to fetch initial key exchange material. By using DNSSEC validation, the validity of the key exchange material can be 100% validated against any form of man-in-the-middle attack.

There are significant benefits to this type of arrangement:

  • TLS key materials can now be delivered via DNS, a lighter weight protocol than HTTPS key exchange.
  • The material can be cached in recursive DNS servers around the world, shortening the time it takes to fetch key material and start up a secure connection.
  • Since the key material is validated using DNSSEC, the need for a central Certificate Authority (CA) is obsolete, greatly reducing the costs associated with adding TLS or SSL certificates to a website. Lastly, its an awesome use of the DNS and DNSSEC, so it’s just cool.

World IPv6 Day – June 8th, 2011

World IPv6 Day, sponsored by ISOC, is Wednesday with the goal to give the next generation IP protocol, IPv6, a 24-hour test drive under the notion of worldwide Internet amnesty in case things break. There is worldwide concern amongst both content and eyeball network operators that the deployment of IPv6 will break certain portions of the Internet and prior to World IPv6 Day, there has been hesitation on both sides of the operator coin to turn IPv6 on and see what breaks.

Can you imagine breaking IP connectivity for your customers just to try out a new protocol?!!!

On World IPv6 Day, we’re all going to give IPv6 a try and collect a lot of data about how the Internet reacts to having IPv6 enabled content available. Collecting and analyzing this data will enable network operators to continue to better prepare their networks for the migration to IPv6. (Side note: Our website will be IPv6 enabled on World IPv6 Day).

The DNS experts at Inside Baseball held a fairly universal opinion about World IPv6 Day: some things are going to break. Many experts believed that applications delivered over a web browser (IE, Firefox, Safari) are likely to work well, whereas more traditional client-server applications will be a source of problems. Many will be ready and watching on June 8th as this experiment is run!

Rounding Third And Headed For Home

The team at Inside Baseball hit on a variety of other topics including a number of Internet RFC drafts (such as draft-vandergaast-edns-client-ip), a discussion on ISC’s newest addition to BIND, BIND RPZ, and a general chat about ongoing security issues facing DNS operators. In addition, a few experts joined Cricket Liu of Infoblox (our host for the event) and Matt Larson of Verisign to record another expert-filled episode of the Ask Mr. DNS podcast.

After taking questions from their digital mailbag, we threw some fun “Stump The Chump” questions at Cricket and Matt, so be sure to download and listen for a few good laughs. And lastly, in true Inside Baseball tradition (two years counts, right?), we headed out at the end of our day to a San Jose Giants baseball game. Who won? Who knows?!!! We were all talking about DNS!

Share Now

Whois: Tom Daly

Tom Daly is a co-founder of Dyn, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.

To current Dyn Customers and visitors considering our Dynamic DNS product: Oracle acquired Dyn and its subsidiaries in November 2016. After June 29th, 2020, visitors to will be redirected here where you can still access your current Dyn service and purchase or start a trial of Dynamic DNS. Support for your service will continue to be available at its current site here. Sincerely, Oracle Dyn