Posts categorized “DNSSEC”.

Episode 63

In this episode, Matt and Cricket are joined by Professor Casey Deccio, of DNSViz and now Brigham Young University fame. (Matt is embarrassed and sorry that he misremembered and called Casey’s magnum opus “DNSSECViz” by mistake.) They tackle a listener’s question about a recent “DNS outage,” examining the causes of both Facebook’s and Slack’s failures and how they might have been avoided. Then they dive into recent developments in sci-fi and fantasy, including “Dune” (thumbs-up from Cricket), “Foundation,” Charles Stross’s “The Merchant Princes” series, and Cixin Liu’s “Remembrance of Earth’s Past” trilogy. (During this latter segment, Cricket might have gone on for a little too long about Rebecca Ferguson.)

 

Episode 61

In this episode, Matt and Cricket are joined by Kim Davies of ICANN and PTI (you’ll have to tune in to find out what that stands for).  Kim edifies us on key ceremonies and the Herculean efforts required to keep a key ceremony secure and transparent during what Matt referred to as a “global pandemic,” immediately regretting his use of the redundant phrase.  Later, Cricket is embarrassed to learn that Matt has already read both of the new books he’s reading (John Scalzi’s “The Last Emperox” and Martha Wells’s latest in the Murderbot series, “Network Effect”), and Kim laments that the end of business travel leaves him with no time to watch anything.  Oh, and the guys (or Matt, really) answer a really good question from Swapneel Patnekar about an ICANN paper on the effects of COVID-19 on the root name servers.

If you’ve already listened to the episode and are interested in the resources Kim referred to, here are the links:

Episode 53

This isn’t exactly an episode, but Matt and Cricket recently recorded a short promo for Infoblox’s DNS Awareness Day campaign, and they decided to keep recording because Cricket wanted to hear about the recent DNSSEC Key Ceremony, in which Matt had served as the Ceremony Administrator.  So if you’re curious about how new root keys are generated and the sort of security that’s involved, tune in!

Oh, and there’s video, for the first time!

Episode 50

In this episode, the 50th–their golden episode!–Matt and Cricket are joined by Dan York of the Internet Society, who brings them up to date on DNSSEC adoption.  Then the trio answer questions from Matt’s former colleague Rick Andrews about the use of underscores in domain names and from Ben Dash about how some companies get around the prohibition against adding CNAME records to zone apexes.  Apices.  Whatever.

Root DNSSEC Key Ceremony 27 Attestation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, October 27, I attended the Root DNSSEC Key Ceremony 27,
administered by Public Technical Identifiers (PTI), the administrator
of the IANA functions and an affiliate of ICANN, which was held in
PTI's key management facility (KMF) in Culpeper, Virginia, USA.

ICANN and PTI are in the process of rolling the root zone key-signing
key (KSK) and details about that project are available at:

https://www.icann.org/resources/pages/ksk-rollover

I attest that a new key intended to be the next root zone KSK was
generated at that ceremony, and that the following DS record
corresponds to the newly generated key:

. IN DS 20326 8 2 E06D44B80B8F1D39A95COBOD7C65D08458E880409BBC683457104237C7F8EC8D

The key will not be declared operationally ready until it is imported
into the hardware security modules (HSMs) in PTI's second KMF in El
Segundo, CA, at the next root key ceremony planned for February, 2017.
Provided that ceremony is successful and that subsequent root KSK
rollover plans proceed according to schedule, the key attested to
above will become the next root zone KSK and be used to sign the root
zone's key set on October 11, 2017.

I further attest that the ceremony followed the script published at
https://data.iana.org/ksk-ceremony/27/KC27_Script.pdf, with one minor
exception relating to the formatting of USB drives used to transport
signed material out of the ceremony room.

Disclosure: I am employed by ICANN as VP of Research and sometimes act
as a Ceremony Administrator (CA) for root key ceremonies.

Matt Larson
28 October 2017
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlgTpoMACgkQATXaA1CYG0VqFgCeINrlVQDIDAMZO0RtlftiNYMj
5CgAniFE+fdA9MQY/BE3VwG0dEvhHsU/
=sM6f
-----END PGP SIGNATURE-----

Episode 46

This episode, number 46, features a guest appearance from Roy Arends of ICANN, whom Matt, Roy’s boss, swears wasn’t forced to participate in our forsaken podcast after midnight Oxford time.  Roy’s worked on Unbound, fpdns, DNSSEC, and Nominet’s Turing product.  We answer questions from Jacob Evans about mismatched SOA records and name server support for IPv6 anycast, and from long-suffering listener Evaggelos Balaskas about Response Policy Zones and why he sees different responses to queries for A records for google.com.  Along the way, Matt announces his new job, and while tracing the origin of Matt’s pet phrase, “There has been no time,” a discussion of the term “shirt-tail relatives” ensues, during which Cricket forgets the word “commutativity.”

Episode 39

In this star-studded episode, Matt and Cricket take advantage of a meeting of the DNS Cabal–that is, the annual “Inside Baseball” event–to answer Donald Rudder’s question about whether synthesizing NXDOMAIN responses to avoid random subdomain attacks would work with NSEC3 as well as NSEC records.  This is followed by a wildly entertaining (by DNS standards, anyway) discussion of the future of DNS, new TLDs, communication in the event of attacks, and more.

Guest-starring some of the brightest lights in DNS, including Kris Beevers, Brian Brady, David Dagon, Casey Deccio, Rob Fleischman, Olafur Gudmundsson, Shumon Huque, David “Tale” Lawrence, and Duane Wessels.

Episode 38

In this episode, long-time (and likely now sole) listener Yiorgos Adamopoulos asks about the process of signing the root zone, which Mr. DNS has some experience with.  Matt also recaps some of the goings-on at the latest DNS-OARC meeting in Amsterdam, omitting that which must stay in Amsterdam, but revealing some lapses from his DNSSEC RFC-editing days.

Episode 35

In this episode, Matt and Cricket wonder aloud whether they’ve lost their domestic audience, but then rally to answer questions from their remaining international listeners:  Evaggelos Balaskas’s question about SRV records, Joe’s questions about resolver and name server fallback to TCP, and Tommi Nikkilä’s question about multiple CNAME records attached to the same domain name.  And, oddly enough, they wrap up with a discussion of the joy of milk delivery.

Episode 33

Here, at long last, is Episode 33, in which Matt announces a “Development with a capital D” (and a lowercase “yn”), and Matt and Cricket answer questions from Jason Weber about how to deal with web hosting and a hosted DNS zone; from Chuck Nelis about split DNS; from Michael Simoni about the (waning?) need for multiple zones; and from Matt Pounsett about the dangers of mixing recursion and authority on a single name server.