Tag Archives: dnssec

Call for Participation – DNSSEC Workshop at ICANN 59 in Johannesburg

Do you have ideas about DNSSEC or DANE that you would like to share with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology?

If so, and if you will be in Johannesburg, South Africa, for ICANN 59 in June 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 59 DNSSEC Workshop!

Please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017.

As with all of these sessions at ICANN meetings, it will be streamed live so that you can participate remotely if you will not be there in South Africa. (And I will note that this time I will not be attending in person.)

The full Call for Participation with more information and examples is below.

* * *

Call for Participation – ICANN DNSSEC Workshop at ICANN59 Policy Forum in Johannesburg, South Africa

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN59 Policy Forum 26-29 June 2017 in Johannesburg, South Africa. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the last Policy Forum DNSSEC Workshop was at the ICANN meeting in Helsinki, Finland on 27 June 2016. The presentations and transcripts are available at: https://icann562016.sched.com/event/7NCj/dnssec-workshop-part-1.

The DNSSEC Workshop Program Committee is close to finalizing the 3-hour program. Proposals will be considered for the following topic areas and included if space permits. In addition, we welcome suggestions for additional topics either for inclusion in the ICANN59 workshop, or for consideration for future workshops.

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:

  • What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
  • What do you expect DNSSEC to do for you and what doesn’t it do?
  • What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. Preparation for Root Key Signing Key (KSK) Rollover

In preparation for the root KSK rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you. For more information on the root KSK rollover see the guide at: https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-03apr17-en.pdf.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-johannesburg@isoc.org by Friday, 19 May 2017.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR

Jean Robert Hountomey, AfricaCERT

Jacques Latour, .CA

Xiaodong Lee, CNNIC

Russ Mundy, Parsons

Ondřej Surý, CZ.NIC

Yoshiro Yoneya, JPRS

Dan York, Internet Society

Note: an earlier version of this post appeared on the Internet Society’s Deploy360 blog.

Written by Dan York, Author and Speaker on Internet technologies – and on staff of Internet Society


ICANN Complaint System Easily Gamed

ICANN’s WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. For those who are familiar with the cycle of WDPRS complaints, the time frame is supposed to be 45 days at a maximum. The 45-day window was defeated by the domain owner who constantly transferred the domain and changed the data which took it out of the hard-structured view of complaints processing. This is part of an ongoing series of articles and research into online opioids traffic and effectiveness of different enforcement procedures. The first complaint was submitted 4 August 2016 and the most recent response from ICANN on 6 March stated in part:

ICANN considers this matter now closed.

Wonderful. We should all feel so much safer. Unfortunately, this is just the continuation of a very long process failure. The domain in question, DRUGS-ORDER.NET (which I refer to in my handwritten notes as “DONT”) is still online and used for selling opioids without a prescription and without displaying a pharmacy license. The memo I submitted in response to these events is an analysis of the ICANN complaint system (WDPRS). The analysis uses this domain with false WHOIS as an example to better understand the issues with ICANN policy and procedure. In short, the ICANN WDPRS has been effectively circumvented. The domain has had 3 different sets of false WHOIS and simply transferred their domain each time a complaint was filed. The domain has been transferred to 4 different registrars and is currently operating selling narcotics. With nearly 3000 registrars there is no practical limit. In each case, the registrar largely followed the process and complied with ICANN. So ultimately it’s not a registrar issue, it’s an ICANN issue. The failure of the organization to understand how the process can be manipulated makes the process useless. ICANN compliance will likely respond by stating they are constrained by the contract. However, they are also apparently constrained by process innovation as well as real-world context.

This is an extremely urgent issue. Yesterday, here in Copenhagen at the CC session towards effective DNS abuse mitigation prevention mitigation some very smart and passionate experts (including APWG and global LE) discussed various threats on the Internet. One fact is clear from this discussion: the ability of criminals to obtain domains far outpaces the current ability to contain them. Even concerned and proactive registrars at the session complained that their compliance and cooperation with abuse mitigation is hampered by other factors out of their control. The various issues can be summed up in one word: complexity. The data is complex, but the process cannot accept that complexity.

All criminal and abusive operations should follow this cycle to stay in business: Obfuscate, Wait, Transfer, Repeat.

I will be presenting on these issues at the joint session of the Public Safety Working Group (PSWG) and the Verified TLD (vTLD) constituency. This meeting is scheduled for Tuesday 14 March from 18:30 to 19:30 (CET) in Hall B4.1 at ICANN58.

Written by Garth Bruen, Internet Fraud Analyst and Policy Developer


And the Wait Continues for .Corp, .Home and .Mail Applicants

On 6 March 2017, ICANN’s GDD finally responded to an applicant letter written on 14 August 2016 to the ICANN Board. This was not a response from the ICANN Board to the letter from 2016 but a response from ICANN staff. The content of this letter can bes…


Here is the DNSSEC Activity at ICANN 58 in Copenhagen March 12-15, 2017

Want to learn more about the current state of DNSSEC? Want to see demos of new software to secure email? Curious about the potential impact of the Root Key Rollover happening this year?

Next week in Copenhagen, Denmark, ICANN 58 will include some great technical info about DNSSEC and DANE happening in several sessions.

Here is the plan…

All times below are Central European Time (CET), which is UTC+1.

* * *

DNSSEC For Everybody: A Beginner’s Guide – Sunday, 12 March

On Sunday, March 12, 2017, we’ll have the “DNSSEC For Everybody: A Beginner’s Guide” session that will include our usual skit where a bunch of engineers act out how DNS and DNSSEC work! Yes, it’s a good bit of fun and people have told us it has helped tremendously.

Please come with your questions and prepare to learn all about DNSSEC!

* * *

Tech Day – Monday, 13 March

The Monday of most ICANN meetings includes the ccNSO “Tech Day”. While the current agenda does not include anything specific to DNSSEC or DANE, there is a session about DNS Privacy (DPRIVE) that may be of interest to some. Visit this page for more information.

* * *

Root Key Signing Key Rollover: Changing the Keys to the Domain Name System – Tuesday, 14 March

On Tuesday, March 14, ICANN staff will offer a special session talking about the Root Key Rollover process. While we’ll also have some of this info in the Wednesday DNSSEC Workshop, this special session may be of interest to some. The abstract is:

The keys to the Domain Name System are changing for the first time ever. ICANN operates the root zone key signing key (KSK), which is the “master” key for DNS Security Extensions (DNSSEC). This cryptographic key was created when the root zone was signed in 2010. In this session, members of ICANN’s Technical Team will provide an update on the KSK rollover and answer community questions. This session will be of particular interest to Internet service providers, enterprise network operators and others who have enabled DNSSEC validation.

* * *

DNSSEC Implementers Gathering – TUESDAY, 14 March

Later in the evening of Tuesday, March 14, we’ll have our informal “DNSSEC Implementers Gathering” bringing together people who have implemented DNSSEC or DANE in some way for a time to share information, have conversation and light snacks. We’ll gather at a local restaurant / pub in the city of Copenhagen. Invitations have gone out to various DNSSEC mailing lists — if you are interested in attending please send a message to me at york@isoc.org. We thank DK Hostmaster for their generous sponsorship of this gathering at ICANN 58!

Please note: This gathering takes place on Tuesday evening in Copenhagen versus the usual Monday evening. As may be obvious, there is no remote participation option.

* * *

DNSSEC Workshop – 15 March

Our main 6-hour workshop will take place on Wednesday, 15 March, from 09:00 – 15:00 in Hall A3. Lunch will be included.

THANK YOU TO OUR LUNCH SPONSORS: Afilias, CIRA, and SIDN.

The very full agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World — Counts, Counts, Counts
  • Panel: DNSSEC Activities in the European Region
  • Update on IETF DNSSEC Activities
  • Root Key Rollover Update
  • Panel: Validation in ISPs — Root Key Rollover Preparation
  • Demonstration: Opportunistic IPsec using DNSSEC implementation
  • State of ECDSA adoption in (cc)TLDs
  • The Great DNSSEC/DNS Quiz
  • Trusted Email Services
  • Demonstration: SMILLA, an SMIMEA aware MILTER-program for SMTP servers
  • DNSSEC — How Can I Help?

It should be an excellent session!

* * *

I will be there in Copenhagen and am looking forward to giving multiple presentations during the Wednesday session. It’s always a great gathering of some of the best technical people involved with DNS.

Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted!

Note: an earlier version appeared on the Deploy360 blog.

Written by Dan York, Author and Speaker on Internet technologies – and on staff of Internet Society


At the NCPH Intersessional, Compliance Concerns Take Centre Stage

The non-contracted parties of the ICANN community met in Reykjavík last week for their annual intersessional meeting, where at the top of the agenda were calls for more transparency, operational consistency, and procedural fairness in how ICANN ensures contractual compliance.

ICANN, as a quasi-private cooperative, derives its legitimacy from its ability to enforce its contracts with domain name registries and registrars. If it fails to implement the policies set by the community and to enforce its agreements with the contracted parties, the very legitimacy and credibility of the multistakeholder governance model would be threatened, and the ability of ICANN to ensure the stability and security of the Domain Name System could be questioned.

The Commercial and Non-Commercial Stakeholder Groups are not unified in their views on how ICANN should manage contractual compliance, but both largely agree that ICANN should be more open with the community regarding its internal operating procedures and the decisions that are made.

Some members of the Commercial Stakeholder Group desire an Internet policeperson, envisioning ICANN’s compliance department as taking an active role in content control, disabling access to an entire website on the mere accusation of copyright infringement. ICANN has previously said it is not a global regulator of Internet content, but there is a sentiment in some circles that through shadow regulation, well-resourced and politically-connected companies should be able to determine which domain names can resolve and which cannot.

The Non-Commercial Stakeholder Group believes that the Domain Name System works because Internet users trust it to redirect them to their intended destination. Likewise, if a registrant registers a domain name in good faith, they should expect to be able to use this Internet resource to disseminate the legal speech and expression of their choice. Domain names enable access to knowledge and opinions that sometimes challenge the status quo, but ultimately enable the fundamental human right to dissent and to communicate speech.

If a website is hosting illegal content, it is the courts that have the authority to make such a determination and to impose appropriate remedies — not private enterprises that have struck deals with registries, and certainly not ICANN.

The problem is, there is mission creep, and ICANN is indirectly regulating content by repossessing domain names from registrants sometimes without any investigation of fact.

During the intersessional, the Non-Commercial Stakeholders Group probed the compliance department to outline how complaints can be filed, how they are reviewed, and to describe how the interests of registrants are represented during the investigation of complaints.

The answers were very revealing: anyone can file a complaint with ICANN, even anonymously; there are no public procedures on the complaint process; and registrants can neither know that a complaint has been filed against them, nor can they feed into the decision-making process, nor challenge the decision. This is problematic, not least because ICANN staff admitted last November in Hyderabad that there has been abuse of the compliance department’s complaints form, with some entities having made bad faith attempts to have domain names taken down.

This is not a theoretical issue. In 2015, ICANN’s compliance department caused financial harm to a domain name registrant because of a minor, perceived inaccuracy in their domain name’s WHOIS records. In this instance, the registrant had a mailing address in Virginia and a phone number with a Tennessee area code. While both details were valid, and the registrant was contactable, a “violent criminal” filed a complaint with ICANN alleging that the details were inaccurate. The complaint was accepted by ICANN and passed along to the domain name registrar. The registrar, fearing a non-compliance notice from ICANN, suspended the domain name without performing any investigation into the claim, resulting in the registrant losing access to their business email account and website.

Representatives from the Non-Commercial Stakeholders Group argued during the intersessional that ICANN should not accept anonymous complaints. Anecdotally at least, there appears to be a pattern of domain names being taken down based on inaccuracies in WHOIS records, many of which the casual observer may perceive as being either very minor, or not a legitimate complaint. It is not simple to track patterns of abuse when you do not know who is submitting the complaints. Transparency does not necessarily mean transparency to the world. But it should be possible for the parties against whom a complaint has been made to request information on who has filed a complaint against them. They should also be able to feed into the complaint process, provide evidence, and have a mechanism of appealing the decision that a contracted party or ICANN’s compliance department has made. ICANN has been recruiting for a Consumer Safeguard Director for more than two years now; perhaps once this post is finally filled, registrants — the very parties paying for domain names year-after-year — will have more of a voice in ICANN’s complaint processes.

Because as things stand at present, if a domain name can be repossessed from a registrant for any reason at all, without any due process being followed, and in direct violation of Article 1 of the organisation’s bylaws, it might well be ICANN that is posing a threat to the security and stability of the Domain Name System.

Ayden Férdeline is a London-based Internet policy consultant. He was appointed to the Policy Committee of the Non-Commercial Stakeholders Group in January 2017.

Written by Ayden Férdeline, Internet Policy Consultant
