Transcript: DNSSEC Executive Summit
Due to the difficulties capturing a live speaker's words, it is possible this transcript may contain errors and mistranslations. APNIC accepts no liability for any event or action resulting from the transcripts.
Monday, 21 February 2011 at 9.30 am
Desiree Ho: Good morning, everyone, and thank you very much for coming very early in the morning to be with us.
For the first session of today, this session is the Domain Name System Security Extensions Executive Summit -- in short, the DNSSEC Executive Summit.
Today's discussion will be revolving around the protection of domain name system infrastructures and their interactions with customers.
This session is intended for those of you who want to understand the strategic importance of deploying DNSSEC and the benefits you can expect from this deployment.
I have several announcements to make before we begin. Today's session will have audiovisual capturing.
Secondly, if you have any questions for the panel during the session today, please feel free to write your questions down on a sheet of paper.
You can write them both in English and Chinese and they will be translated and you can pass them over to Yannis at the back of the room.
Thirdly, the coffee break will be from 10.30 to 11 o'clock, at the first level, at the convention foyer.
Today we are very delighted to have Dr Vint Cerf, President and Chief Internet Evangelist of Google, with us today. Dr Vint Cerf will be opening an interactive session, with leaders from the Asian region, on internet security.
We are also very excited to have a very diverse panel with us today. We will be hearing from representatives from all around Asia, including Japan, Korea, Malaysia and Singapore.
Before we hear from the panel, I'd like to invite Mr Charles Mok, one of the local hosts of APRICOT-APAN and Chairman of the Internet Society Hong Kong, to say a few words for us.
Charles Mok: I promise it will really be a few words, because we have a lot more interesting thoughts and comments from our speakers, including Dr Cerf, coming up.
I just want to say a few really brief words of thank you for all of you showing up here in the morning, before even our opening ceremony in the afternoon, where we will hear further from Dr Cerf and other speakers.
On behalf of the Internet Society Hong Kong and also DotAsia Organisation, our joint co-host for the whole APRICOT-APAN, I welcome you first and look forward to seeing you in the days to come in our conferences, meetings and socials.
Desiree Ho: Next up, let us invite Mr Edmon Chung, also one of the local hosts of APRICOT-APAN and CEO of DotAsia Organisation, to open for us.
Edmon Chung: Good morning, everyone.
Similar to Charles, I thank everyone for joining us today so early, even before the opening ceremony.
I see that a lot of people have computers here.
This is really an interactive session and I think the whole concept of APRICOT is about engineers around Asia getting together. So I'm really excited. This is a very important topic. I think DNSSEC, especially for me, having been working in, I guess, the DNS community for quite some time now, DNS has always been something that seems to have been like a black box for a lot of engineers. But I think with DNSSEC, you really have to open that black box and look into it. It has very deep implications into applications, into a lot of things that a lot of people take for granted on the internet today.
I think this occasion, not only is it a session here at APRICOT-APAN 2011, but also we're working very closely with Afilias and many other partners and hope that this is the start of something that will continue, as we advocate about DNS security.
Previously, DotAsia has been working with ISOC Hong Kong on a number of initiatives to promote IPv6 deployment; that is, ipv6world.asia. We're trying to use a similar concept to promote DNSSEC around Asia, because I think the two of them together are really the biggest challenges for the internet today as we go forward.
In the ipv6world.asia, we have had very good support from the local government from here in Hong Kong, from the Office of the Government Chief
I think that support is really important, because in Asia, support from the government and the government taking the lead to implement IPv6 and to implement these critical technologies will be very important.
I'm really excited that, today, we also have the Chief Information Officer from the government, from OGCIO, here with us. Let us give a round of applause to Stephen Mak to say a few words.
Stephen Mak: That's a great challenge.
Dr Cerf, Edmon, Charles, distinguished guests, ladies and gentlemen, good morning.
It gives me great pleasure to address you at this DNSSEC Executive Summit, one of the parallel sessions of the prestigious APRICOT-APAN 2011 event.
The President and CEO of ICANN said last year in a conference that DNSSEC is the biggest structural improvement in the internet in 20 years, specifically since the introduction of the worldwide web. That's a great order.
By that, it reflects how important DNSSEC is being perceived by the industry. DNSSEC took 18 years to make it into production. It may not be perfect in solving all the problems associated with domain names resolution, but it surely does mark an important step towards strengthening internet security.
When conducting e-business on the internet, companies are often faced with various security issues and cyber threats. One such threat is the redirection to malicious websites by a fake DNS record. The result could be leakage of passwords or one's privacy, loss of the organisation's commercial data or even impact to critical services.
Like any core infrastructure components on the internet, DNS needs to be well protected. Through the use of PKI technology and digital signatures, trustworthy responses to DNS queries can be assured.
Now, I know I'm talking to the converted. We know that DNSSEC does not come without cost. DNSSEC affects various components of the internet infrastructure ecosystem. One of the key issues that may lead to the currently more conservative approach for deployment is that DNSSEC relies on verification of digital signatures of trusted domains throughout the entire path to achieve what is called the chain of trust from the root of the internet.
Digital signing of the top level domains only marks the beginning of deployment and we still have a rather long way to go.
The effective deployment of DNSSEC for the benefit of the whole society, will require the involvement and collaboration of all stakeholders in the internet community.
The Hong Kong Government understands and appreciates the security benefits of DNSSEC to the healthy growth of the internet, especially in respect of the domain name regime.
Ever since the development of Hong Kong's Digital 21 Strategy for ICT Development back in 1998, government has placed security among the top considerations in every major IT policy and initiative that we consider.
Hong Kong also prides itself in having a sound legal framework to secure electronic transactions. Through the Electronic Transactions Ordinance, we have facilitated the development of a robust public key infrastructure, as well as a voluntary recognition scheme for certification authorities.
Under this scheme, both public and private recognised certification authorities provide a range of certification services in support of Hong Kong's e-business internally and with the rest of the world.
Through government-level collaboration and support, we are taking forward pilot projects involving industry on mutual recognition of digital certificates between Hong Kong and the mainland of China.
As I speak, our public CA, Hongkong Post Certification Authority, is preparing its tender to continue its outsourcing of operations.
No doubt, the ready availability of PKI-based certification services will also facilitate our transition to DNSSEC in a timely manner.
We support the best use of ICT to develop Hong Kong into an inclusive, knowledge-based society. With the advent of technologies and major shifts in user behaviour, security is an indispensable component in support of this laudable objective.
Since 2005, the government has established a liaison group involving local internet infrastructure stakeholders, with a view to building up closer communication and cooperation on information, intelligence and security alert exchange, best practices and management experience, and collaboration on incident response.
We have also set up resourceful websites on internet security and electronic authentication for public access, with the ultimate goal of enhancing awareness and technical know-how of the general public, including various sizes of public and private sector organisations on security protection in the cyber world. Under these initiatives, security of our PKI and domain name system is a key area of attention.
Now, I congratulate the organisers of this summit for staging this event and letting me speak.
I'm sure you have a very informative panel discussion and interactive session lined up for you.
I should not stand between you and Dr Cerf any more. Thank you.
Desiree Ho: Thank you, Stephen.
Now I would like to invite Dr Vint Cerf, President and Chief Internet Evangelist of Google, to the stage, to share his views on internet security with us. Dr Vint Cerf, please.
Vinton Cerf: Good morning, everyone. I consider it a great honour to be able to participate here.
I need some assistance, I think, from whoever owns the laptop on the lectern, because I don't know the password of that person. But if you'll just give me a moment here, I can probably work it out.
While we're waiting for the laptop to be activated, let me first of all congratulate Stephen Mak on a remarkably thoughtful presentation -- succinct, but filled with a great deal of thought about how to make use of these technologies.
I must say that not very many government officials, in my experience, have the kind of articulate view that you have and one which I think is quite commendable. So congratulations to those of you who work in the Hong Kong environment.
You're very fortunate to have Stephen among your number.
I would also like to convey Stephen Crocker's wish that he could be here. He's been very much involved in the deployment of DNSSEC as the Head of the Security and Stability Advisory Committee at ICANN and now the Vice-Chairman of ICANN. He finds himself in Europe at the moment. So he conveys his congratulations to you on choosing this topic this morning.
I have only about 10 minutes or so to introduce this topic and to convey some of its importance to you, so let me go ahead.
Let me start out by observing -- this is a 10-year old image of the internet, but what it conveys to you is two things. It's generated automatically by looking at the global routing tables. The different colours are different operators of parts of the internet.
The point I want to make here is that it's a gigantic collaboration. There's no top-down requirement that people be interconnected. They choose to do so. They do so using open standards that have been developed to allow equipment and systems to interoperate. The same thing is going to be true of DNSSEC. It's very important that we all voluntarily decide to use this technology to strengthen the domain name system.
The number of machines on the internet has been growing over time. It's well over 800 million now, and probably many more than that, because a lot of them are not visible. They're hiding behind firewalls, some of them are only episodically connected -- for example, laptops and desktops and now, increasingly, mobiles.
The number of people on the net has approached about 2 billion, of which a rather significant number are here in Asia. This data is all, of course, approximate. There's no central location where you have to register to be a user of the internet, but I observe that even at 21 per cent penetration of the general population, there are 800 million people in Asia using the internet today and about half of those, possibly more than half, are in mainland China.
The rest of the world is, as you see, distributed, but this statistic is very important. You should recognise -- those of you sitting in this room, who are participant in the Asian internet evolution, that you will be the largest and you are now the largest population on the internet.
So you have a certain responsibility to help lead its evolution in the future, because there are so many of you who are both depending on it and contributing to it.
So I look to you in sessions like this and the joint APRICOT-APAN meetings, as opportunities to show leadership and to show a certain degree of creativity, to help the internet continue to grow.
internet, as you all know. IPv6 is one of them, because we've now completed the ICANN level allocation of IPv4 address space. I'll be speaking on this subject later on this week, but it's a very important change, in addition to the introduction of Internationalised domain names, which should be of great interest to people here, because you can now express domain names in scripts other than Latin, which is relevant to many of the non-Latin languages that are spoken in this region, and of course DNSSEC, about which we're speaking today. Stephen mentioned earlier RPKI as well, another important in the security of the internet's routing system. Today, it's too easy to hijack address space, because you basically announce what you are connected to and people believe you -- or maybe not. And what we would like is a stronger basis on which to believe announcements in the routing system. Again, very much dependent on the use of digital signature technology. This again emphasises the importance of that particular system and the need to continue to evolve it, in order to deal with the fact that increasing computational resources make some public key infrastructure weak by comparison with the computational resources available to break it, which means larger key sizes and, in some cases, new kinds of technology.
There are other things that are happening in the internet which should be visible to you. Sensor networks are becoming an increasing part of it, which increases the total population of devices on the net, also increasing the need for IPv6.
In the US, there's a Smart Grid program to put electrical devices on the net, so that they can be more carefully controlled as to their use of electrical power and, of course, mobiles are everywhere.
We already talked about v4 address exhaustion, so I'm going to skip over that slide.
Here you see some examples of the non-Latin character set top level domains, some others which either have been proposed or maybe, by this time, have been approved.
I draw your attention to, if you can see it at all, on the left-hand side, you'll see a series of four square boxes. That represents the failure of my laptop to have the correct font to display Sinhala. This problem is going to be not uncommon.
We are all going to be experiencing cases where we can't actually see the top level domains in the scripts they were intended for because we haven't been outfitted to do that. This is just an example of the consequences of introducing this richness in the domain name system that we see.
Stephen briefly alluded to problems of security.
There is a list here which is not, I would say, exhaustive, but it just underscores the fact that we have this gigantic collaboration of networks and computers and devices all interacting with each other and they have vulnerabilities. Part of our job, as netizens in the internet, is to try to do something to remove some of those vulnerabilities and improve on the ability of the system to resist some of the abuses that we now see in the network environment.
I don't intend to go through all the details here of the different kinds of problems. I only want to underscore that they exist and that we collectively have a responsibility to do something about it.
In some cases, we can individually do something.
Many people use very, very poorly chosen passwords, for example, to protect themselves. Some people still use the word "password" as their password, because it's easy to remember. The problem is everyone else can remember that too and that's not a good thing if you're trying to protect yourself.
I want to underscore the last bullet on the slide. If you can't see it, it says, "Spectacular Human Error". Many of the worst things that happen to the internet are not a consequence of a vulnerability that's been exploited; it's a consequence of someone making a mistake -- usually in some configuration.
I could not underscore strongly enough how hard it is to make sure that a configuration is correct or to detect that a configuration is going to lead to a serious vulnerability or a serious failure.
It's so easy for humans to make mistakes and we need to find better ways of configuring systems so that they don't end up chopping half of the internet off by accident.
There isn't much technology that helps us there, so if you have occasion to talk to students looking for PhD dissertation topics, this is one of them: figuring out how to detect a bad configuration would be a good thing.
There are lots of reasons why we have these vulnerabilities. Our operating systems can be penetrated, the browsers ingest software which they could easily lead to infections, worms, viruses and the like, ending up turning your computer into a zombie, to become part of a botnet. So there are lots of different problems.
The last bullet here is the one DNSSEC is deliberately aimed at and that's trying to detect and defend against a compromised domain name system resolver or name server.
There are lots of research problems. I'm going to skip over these because there are too many of them.
But I want to emphasise something about DNSSEC.
It's not just a question of verifying that the binding of a domain name and an IP address has not changed. To maintain the integrity and to verify that the answer you get back when you do a DNS look-up hasn't been altered by some intervening resolver or name server or by some change to those systems.
That's an important part of DNSSEC, but it's not the only thing that we can do with it. Once the infrastructure is in place, it creates an anchor, so that we can do other kinds of authentication. One of the things that I think is very important is being able to identify ourselves to each other or our ability to verify that we're talking to the correct computer.
Did I really get to the web server of the bank I was expecting to or not? Am I really talking to Charles Mok? Am I really talking to Stephen Mak or not?
These trust authenticators that can be embedded in the domain name system may turn out to be even more secure than the use of conventional certificate authorities. Certificate authorities have to be trusted in order to generate the certificates that we use, using public key cryptography. You can imagine there are a large number of certificate authorities and it's not out of the question to imagine that some of them might have become compromised and might be issuing certificates that misstate the identity of the party who's using that mechanism for authentication.
So I want to emphasise how valuable the installation of DNSSEC can be as a basis for extending authentication to other applications besides just the domain names.
I'm going to stop with one other observation and that is that there are an increasingly large number of devices coming on to the internet, none of which I ever anticipated in the 30-some-odd years ago that I was working on the internet with my partner, Bob Kahn. Things like refrigerators and picture frames are now part of our internet environment. But the one which I repeatedly am amazed at the most is the internet-enabled surfboard.
Someone in the Netherlands, I'm told, was sitting on the water, I guess, waiting for the next big wave, thinking: you know, if I put a laptop in my surfboard, I could be surfing the internet while I'm waiting for the next wave. So he built the laptop into his surfboard, put a WiFi service on the rescue shack back on the beach and now he sells this as a product. So if you're interested in surfing the internet while you're out on the water, now you know where to go to get that.
I want to end simply by reinforcing the importance of this particular executive session, the importance of DNSSEC, the importance of cooperating to work together in order to improve the internet's infrastructure.
I certainly appreciate your time and attention and I hope that the panel will be an interactive one.
You should raise issues and challenge the people on the panel, in order to see where they want the internet to go.
Thank you very much.
Desiree Ho: Thank you very much, Dr Vint Cerf.
I would now like to invite Dr Jim Galvin from Afilias to moderate our panel session.
James Galvin: Good morning and good evening.
One of our speakers here today is remote and will be joining us through Skype.
It is really a pleasure. I really enjoy, I'm very happy to be here. It's exciting to see this room full of people.
DNSSEC has been around for a long time and it is truly an honour to join with DotAsia to sponsor this event and make this opportunity for all of us to get together to talk about the value and importance and significance of DNSSEC.
I have been around DNSSEC for a long time. DNSSEC started in 1992. I know because I was there and part of those hallway conversations that kicked off this work. That means that we have been at this for 19 years -- or 18 years if you count that the working group really was formally started at the end of 1993. It's a long time to get to production use, something really valuable and really important.
And that's what we're here to talk about today.
We're not here to talk about history and what we went through and how we got to where we are. This is about where we can go and what we're going to do with DNSSEC and what our individual plans are in order to achieve success and to realise the benefits of the things that we heard about that Vint and Stephen were talking about this morning, in terms of the future.
One comment that I want to make is when DNSSEC first started, it was originally just about protecting the DNSSEC and trying to make it a better, more secure resource for use in the internet. And I think that that's important and that's a natural and obvious thing to understand.
DNS is a critical infrastructure resource, much more now than it was in the early 1990s. I mean, that pre-dated the web back then. The web is really what made the internet what it is today and what we expect and what we have come to use, to want and to need in every bit of our daily lives.
So we use the DNS. As Vint said, it's about the address bindings. It's about knowing where you're going. We reference everything that we do on the internet. Virtually anything that you want to do, you do with a name. Nobody uses an IP address, so you need the DNS to make that binding. Even if you're using search engines, you're typing in key words and your search engine is going to give you links and they're going to be based on a name, they're not going to be based on an address.
So you need the DNS and this is what it takes to get to where you want to go. It's an ordinary and natural evolution of our critical infrastructure to want to protect it.
The discussion today is not about DNSSEC itself, it's about what the internet can be or should be or is going to be, what we're going to get from DNSSEC going forward.
As Vint was just saying, it's an alternative to certification authorities and those particular certificate infrastructures. DNSSEC is the opportunity to be a trust anchor for other network resources. It's about what we're going to do with this technology and where we're going to go from here, now that we're making the internet a much better place than it's been.
What I want to do is introduce each of our speakers and I want to start off here with Edmon Chung and invite him to come up and take a seat.
Each of our speakers is going to come up first and say a few words about -- I asked all of the speakers to answer two questions and give some thought to two things.
One was why they had decided to move forward with DNSSEC and, you know, what value they expect to get from having deployed it, and ask them to speak about that and talk about their plans and their arrangements, where they are with DNSSEC.
We'll go through each of our speakers, give them a chance to make a position statement and say some words and then I'm hoping that we'll have a nice interactive session with questions from the audience.
We will have microphones out, so that you can ask a question directly. I also would encourage you, if you have questions, you can make a note. Yannis is again standing up in the back of the room. But in any case, she'll be back here at this corner table.
If you have a question, if you bring them to her, write them down, she'll be very happy to take them and she'll bring them up here and I will read out the questions. You can submit them anonymously, if that is better for you, or not, whatever works for you.
In the meantime, let me start with Edmon Chung. He's the CEO of DotAsia, of course, one of the principal organisers of this conference and this particular summit here, and give him an opportunity to talk about DotAsia and the fact that it is now
Edmon Chung: Thank you, Jim.
I thought I wasn't going first, so I'm still going through in my mind what I was going to say.
I guess back to your question, in terms of why DotAsia implemented DNSSEC. I think we went through a series of discussions. Actually, in terms of DNSSEC, there are really three things that I want to talk about. First of all -- and it relates to why we decided to implement DNSSEC and sign the DotAsia zone.
I think in about early last year or the year before, we were looking into DNSSEC. At that time, I always thought that DNSSEC -- it is unquestioned that we will implement it. But at that time, we felt that the application layers are very important.
Because, right now, for example, your browsers or your devices that connect to the internet, because it's implemented in the registry, then the end user really doesn't see anything different and, therefore, it really doesn't provide enough information.
In fact, there is a potential issue for even a sort of false sense of security, because maybe the DNSSEC came back and said: no, we can't authenticate it, but because the browser doesn't support it, it still gives you the website.
There was some hesitation there. But what really made the difference was, you know, we're realising the critical-ness of DNSSEC, as we move forward, as the internet becomes really an inseparable part of our daily lives today and as DotAsia moving forward.
The critical difference that was made was that we realised that as a registry, as a sort of, I guess, some of what is leading the internet community, it is our responsibility to come in first.
It has always been a chicken and egg issue because the applications are not ready, the registries shouldn't sign yet, don't need to sign yet, because it's not relevant. But I think there comes a point in time, and I think the time has arrived, that the deployment of DNSSEC should happen and the registries should take a lead in making it happen.
I'm happy to see so many people in this room, and just to say that because only the registries deploying DNSSEC is not really the full solution.
Which brings me to the second point which I want to make, which is that the whole chain, the whole DNS industry and the whole DNS community really needs to look into this. And when I talk about the DNS community, it's not only just those who are offering domain names for sale, but also every one of you who are using the DNS. Even as I mentioned earlier on, even as you tend to perhaps, in the past, treat it as a black box or as a service taken for granted, I think DNS offers us an opportunity to re-look at the DNS and how important and how precious it is and how important it is that we have the chain of trust. That goes to, I guess, as a challenge to registrars as well around the world who do offer domain names for sale.
Because it is through this network of commercial activity, which is selling of domain names, that DNSSEC needs to be deployed as well. Because without the support from registrars who are selling domain names and, therefore, bringing the DNSSEC -- implementing at that level and allowing the engineers to provide the DNS records into the registry, it won't happen, it cannot happen. So I think these are the two main points.
Then the third point is, I think both Jim mentioned and also Vint mentioned, the reason why again I think I challenge the engineers to open the DNS black box is that DNSSEC, I think, will have the opportunity to change the chain of trust on the internet and how we utilise it with applications.
I can totally envision, in future, applications utilising DNSSEC information or the structure and the chain of trust that is already there, that increased or enhanced security can be established, you know, without being disrespectful to a lot of the certificate authorities, but also, as Vint mentioned, because the digital certificates today, with the SSL and the web certificate, that is not as much based on a structure that has international governance around it. Whereas in the DNS structure, today we have, you know, people might arguably say, you know, how effective ICANN is, but as a participant of ICANN for over 10 years now, at least I think there is some accountability in the framework for internet governance under that structure and that provides an important part, an important piece of the puzzle, I think, in terms of enhancing the chain of trust through the DNSSEC and through that deployment and I think application users around the world really should take note and hopefully make use of the DNSSEC, not only for authenticating the domain name and the IP address, but also using the infrastructure and the hierarchy to do something even more exciting in the future.
James Galvin: Thank you, Edmon.
I'd like to introduce our next panellist, Lance Wolak, from .org. At the time, .org was one of the early adopters also of DNSSEC and has been actively involved and, of course, they were, at the time, the largest gTLD to be signed, up until the recent addition of .net and soon to be .com.
Lance joins us remotely. We do have you up here, broadcasting live for all of us, Lance. So please go ahead.
Lance Wolak: Thank you, Jim. Hopefully the audio is coming across well.
I would like to thank DotAsia and Afilias for the invitation to participate. And good morning, everyone.
You know, every month, I'm informed of a number of DNSSEC ready, as well as registrars moving forward with DNSSEC. This is really good news for the industry, to watch many registries, registrars and other infrastructure providers adopt DNSSEC.
Going back just a few years ago, the picture was quite different. In 2008, there were the well-known application developers continuing their R&D effort preparing their products and technology for DNSSEC.
But at that time, very few registries were involved with the DNSSEC deployment.
So it was in 2008 that .org, the public interest registry, decided to take the lead among gTLDs and move forward with our DNSSEC development and launch.
We felt it was a natural for us. We're known worldwide as being a trusted domain, so it seemed natural to adopt DNSSEC and move forward with that.
So in June 2008, we were given the OK by ICANN to proceed. At that time, there were many in support of this move and yet many casting doubt on DNSSEC, in general.
Within a year of announcing our intentions, we signed our zone and became the first and largest open gTLD to do so. Getting to that point, though, required a tremendous effort to pull together the best people across multiple companies.
We felt that the best path forward would be to form a DNSSEC coalition. Technologists from other registries, registrars and application developers, all to share best practices and work together as a family in an industry movement.
As we signed our zone, we entered into a formal beta test period, to involve registrars to test name signing, to test name transfers and to generally replicate the real world in this controlled test environment.
Then in June 2010, after a year of beta testing, we officially launched DNSSEC. We began accepting signed delegations from registrars. We had some interesting lessons learned along the way.
The first lesson, involve other organisations in your development and testing. This is an industry-wide effort, so go forward as an industry participant, not as a lone organisation.
Secondly, implement a formal product launch process, with major phase-gate readiness reviews.
Move forward only when you think you're ready. Do not drive yourself to artificial deadlines and involve all levels of your management team in signing off on the readiness at each phase.
Third lesson learned, implement a beta test period. Determine all the points of possible failure and proceed to build safeguards in the technology and in the use of policy to avoid these problem scenarios.
Finally, tell the world of your success. Good news encourages more organisations to follow all of our lead.
I hope this DNSSEC Executive Summit is productive for you and thanks again and I look forward to this morning.
James Galvin: Thank you, Lance.
So the third speaker I would like to bring up is Joao Damas, from ISC/BIND. BIND, of course, is the number 1 used name server and resolver software in the world, so I thought it was important to bring one of the significant players in providing the technology for use to all of you, as you consider moving forward and making plans, to say a few words about DNSSEC.
Joao Damas: Thank you very much for having us here.
As Jim said, most people know ISC because of BIND, the software produced, but ISC, I think, likes to see itself more as an enabler than just a simple software vendor. An enabler in all senses, including the case of DNSSEC. By promoting the initial development of the standards, then making the software available so people could test whether the standards actually work or not, providing the first hands-on experience, so that people could actually get enough confidence that not only the protocol was OK, but their procedures could be adapted to the use of the DNSSEC.
We see DNSSEC as a valuable addition to the internet protocols in itself, but also, as has been mentioned earlier today, as the value that it can add once it's in place and working and people have learned how to use it and trust it.
In that respect, for instance, I like to put the example of the Brazilian registry, which has taken a kind of imaginative initiative in creating a sub-domain inside their main TLD, the .br TLD, that's dedicated exclusively to banks.
In order to get a domain name in that sub-domain, you have to sign the zone with DNSSEC. So it kind of provides a very visible value-added feature to everyone involved -- to the banks, because they are always concerned about security, obviously; to the ... can be assured that their information is secure and to everyone in the middle, because they can provide better service to their customers.
This actually brings me to the next point. We have seen a lot of discussion and progress being made in the authoritative side of things. The registries are enabling DNSSEC, signing their zones, putting things out, talking about it. So now the information is out there, you can even verify information through several steps -- in particular like .org, you can follow DNSSEC validation, all the way from the root through the TLD, down to the final websites in many cases. But we have still some challenges ahead and in particular, the validation is currently a big area where more work is needed.
The work is not only technological, of course.
I also mentioned earlier, there is a very important part in all of this, which is the human factor.
We are going to have to think about how to train everyone that's involved in actually operating this system, so that the end result is that the system, as a whole, is more resilient, more robust and safer and not more brittle, which could happen if the proper measures are not put in place.
Humans, of course, need to know what they're doing, but they also need the tools. That's the next challenge that we see.
We started by facilitating early deployment of validators using the zone that we created. It was at the time called DLV, domain lookaside validation, which enabled the use of DNSSEC in an actual real internet, even in the absence of a complete chain of trust, to get to a specific domain.
Its relevance is diminishing as we get more and more domains signed and that's a good thing.
We're still going to be around for a while, because I think it provides a very valuable means of testing and early evaluation of validation in early deployment scenarios, which I think is, as I said before, one of the big issues we have to address now.
It's fine to produce the information. It's necessary to produce the information, but now the next step is that we have to start using it, in order to derive all benefits that DNSSEC can bring with it. Thank you.
James Galvin: Thank you, Joao.
The next person I'd like to introduce is
Dr Xiaodong Lee, who comes to us from CNNIC, to talk about their plans and their issues with DNSSEC.
Xiaodong Lee: Good morning. I'm Xiaodong Lee.
DNSSEC, I think, is a great thing. It enabled the security. But it doesn't mean that all security things should be solved by DNSSEC.
But for .cn, I think, up to now, there are over maybe 50 top level domains that have signed their domain names with DNSSEC, but up to now, .cn hasn't done that.
.cn is the biggest ccTLD in Asia Pacific. We have a very big zone. One year ago, we had 30 million .cn domain names, so it's a very big zone. If we sign DNSSEC, it means that we need to do a lot of work. But we have been running a beta test for DNSSEC for many years.
You know, from our test, we think that to deploy the DNSSEC, it does mean more security, more time.
It does mean you need more money. The traffic for DNSSEC is not only double, it will be triple. You need more facilities to support DNSSEC.
All of the facilities and all of the bandwidth should be upgraded. You also get the new opportunity to be attacked. DNSSEC means that you should maybe support EDNS0 and TCP, so that means you have a big risk to be attacked. So many concerns for .cn. So the deployment of DNSSEC on .cn is very serious and careful.
In past years, there's an incident for DNSSEC deployment. In this month, also the root server of ... there's an incident from that, to deploy the DNSSEC. So I think that there's so many problems to be solved for DNSSEC.
Of course for .cn, we have some special concerns.
You know, up to now, there is no open source to choose for DNSSEC signing. Even if I see they have done a lot of work about DNS signing, but if you sign the zone for your own zone, if you are not a top level domain, if you don't have so many domain names, if the domain name doesn't update dynamically many times, I think it's not a big problem for you.
But for the top level domain, if you have so many domain names, with very frequent dynamic updates, then to sign the DNSSEC is a little bit of a big problem.
You know, the performance and the efficiency should be a concern for top level domain registry.
So in the past two years, we have done work on DNSSEC signing. You know, we develop the software and system by ourselves. We cannot buy some device, because the device is related to security, so some countries cannot sell the device to China. I think that is a very big issue, so we should develop the software and device by ourselves. It may delay our deployment for DNSSEC.
But anyway, I think from my own point of view, I try to deploy the DNSSEC this year. Of course, should have other kind of reasons to deploy DNSSEC in China, but I think I try to finish this work in this year, but it's not a promise. I try to do that.
You know, I think the last sentence I want to say, that DNSSEC is not only all the things about security issues of DNS, it's only one. As mentioned by Vint Cerf, it only authenticates the IP address, it really should be ... it should not be -- haven't been intercepted by others, by hackers, but you should take care more things about the DNS security, especially DNSSEC, also DNSSEC deployment, also we need all of the environment except for the DNS server, including the routers, switches and also some software or device to support DNSSEC. It's very important. If they don't support the DNSSEC perfectly, the DNSSEC will be only on testing. It doesn't mean you can use that. I think it's my big concern.
So in the end, I want to thank James to chair this session.
James Galvin: Thank you.
So we have had four panellists so far. We have two more: Siamak Hadinia from APNIC and Yoshiro Yoneya from JPRS.
What I'd like to do is take a few minutes and just summarise a couple of key points. I remind people, if you have questions, you will have an opportunity to stand up at a microphone, if you like, but please feel free to write questions down. Yannis is again standing in the back of the room. You can hand them to her and bring them back. You can also write them in Chinese, if that's easier for you, and then I will read out questions from up here.
I think that Stephen Mak and Vint Cerf both reminded us about the broad picture of DNSSEC.
Stephen in particular talked about how it affects our entire ecosystem and Vint talked about DNSSEC being an alternative for CAs and a potential trust anchor for other net resources. I want to emphasise those facts and just sort of keep that in mind.
Our speakers so far today have been talking about, you know, how to get things started and who has to go first.
Edmon mentioned the chicken and egg problem.
Somebody has to start the process.
When Stephen Mak talked about DNSSEC affecting our entire ecosystem, it's not just about the people sitting up here at this panel and telling you about their part. The next step in DNSSEC deployment and its success is really going to come from the rest of you and your participation in wanting to protect your zones.
Lance talked about needing to have a very structured and careful deployment system. You want to do this when it's right, not just because you're on some kind of artificial deadline.
Joao talked about wanting to be an enabler of this technology, making it accessible for other people and emphasised the human factor problem that is sort of part of our next step in getting this deployment going.
Xiaodong here mentioned specifically performance issues. But one comment I want to make about his emphasis on performance issues is those things are very important and they're not to be ignored. But they're more important for the people who are sitting up here at this panel.
There comes a time when you, as an individual, with your domain, you have to decide how important your DNS is to you and your business.
There will be an opportunity for you to look for outsourcing opportunities for people to do your DNS, so you don't necessarily have to have that expertise in-house, you don't necessarily have to deal with those performance issues directly.
You could choose to do it yourself if you have a smaller infrastructure and that's all that you need or you have other opportunities. So that's something I wanted to give you to think about.
At this point, it is actually just after 10.30.
I wanted to actually separate the panel and continue with the break on schedule. The break is actually an APRICOT break, so it's important to stay on that schedule.
Rather than extend the speakers, we'll pick up with the last couple of speakers at 11 o'clock, after the break is over.
Let me just remind you again, if you have questions, you can bring them to Yannis or please come back at 11 and we'll have our last two speakers and then we'll open the session for question and
Monday, 21 February 2011 at 11:00 am
James Galvin: Welcome back. We're all here and ready to go. I see our room thinned out a little bit. I'm sure people are going to trickle back in as the break comes to an end and make your way back in.
I think that this again is just a very important and essential opportunity for folks to really talk about what we can do to improve our internet security and internet safety and make the world a better place for all of us.
Just a reminder again if you have questions, please we will have a microphone, a roaming mic, so you can just raise your hand and speak into the mic and if you'd like, you can just write questions out and please hand them to Yannis at the back. She is at the back table in the far back corner over here. You can bring a piece of paper over there, I'm sure they'll take it from you.
Our next speaker here to start off the second half and to lead us into our discussion period will be Yoshiro Yoneya from JPRS. He's going to talk to us about their experience and what they've been doing to deploy DNSSEC in .jp. Please go ahead.
Yoshiro Yoneya: My name is Yoshiro Yoneya from JPRS.
It is the JP registry. Today I introduce our action toward introducing DNSSEC in JP, work with JPRS and some ISPs and community activities.
There are similar actions we took. The first one is technical evaluation before the DNSSEC signing to the zone. The background of the activity was that -- this is very distinguishing to Japan, but there are lots of ISPs and registrars. So that to introduce successful DNSSEC into the JP zone, their cooperation is very much required.
But it is difficult to contact all of them.
So JPRS called for participation in technical evaluation to some major ISPs and JP registrars, because their transparency in the market is very high. So to do evaluation with them is very efficient.
JPRS conducted monthly face-to-face meetings to promote and progress the evaluation.
We did about five, six months evaluation with them and we published four documents to the public. One is DNS function instruction and the other is DNSSEC performance and construction. And we published two reports, one is function and performance JP edition, and the other is operation designing edition. Those summaries I will explain at the DNS conference on Wednesday, so please come to the conference.
There are other activities that is community activity.
DNSSEC Japan is a non-profit organisation established in Japan in 2009, November. As I said, there are lots of stakeholders for the DNSSEC to educate and share the knowledge among them. They need a Japanese document for the DNSSEC because some language barriers laying to the
So DNSSEC Japan is an organisation to share the information about the DNSSEC and DNSSEC Japan introduced very informative things to the Japanese communities, especially who wished to start DNSSEC service. DNSSEC Japan is for the DNSSEC introduction phase.
Japan has another organisation named DNS Operators Group or DNS Ops, which is a mother organisation of DNSSEC Japan.
It will take place after the DNSSEC operation is in daily use.
I will skip this. Some actions JPRS did before the DNSSEC, there were similar things we did, but I don't speak of this in detail, I just only introduce the fact that there were many actions. So we did adjustment for DNSSEC introduction schedule one year before we started the DNSSEC service. We did technical evaluation with some ISPs and registrars and JPRS published DNSSEC parameters and practice statement that will be very useful for the JP users. And we prepared hardware, software and network for the DNSSEC.
Finally, we started DNSSEC service in JP zone. That means DS registration in .jp. And that was this January 16th. We are now doing DNSSEC operations.
The issues we found before DNSSEC started is one thing I'd like to share with you. So there is a fear for zone vanishing in the process. Zone vanishing means when the DNSSEC validation fails then the zone cannot be resolved. So to start JP signing, JP has to register the JP DS to the root zone and the root zone operation is manual operation right now. So we had a fear for the mis-operation. That will be very rare, but it cannot stop operating.
So TLD has a very big fear for the zone vanishing. So we thought that TLD zone operators should have some kind of basic practice to mitigate the impact of zone vanishing.
James Galvin: Thank you. And now let me invite our last panelist to come up, Siamak Hadinia from APNIC who's going to come up and tell us about their experience and plans for DNSSEC.
Siamak Hadinia: Good morning everyone. My name is Siamak Hadinia, I work for APNIC. As you know APNIC is responsible for all the IP resource allocation and assignment for the Asia-Pacific region.
I created some slides for the DNSSEC and how APNIC approaches important things for the DNSSEC.
The first question is why DNSSEC? So perhaps we know that DNS is very robust and very scalable, but it's not secure, so it's susceptible to security threats such as DoS attack and also cache poisoning and other things.
So we are hoping that DNSSEC provides some integrity for the DNS data. So basically the approach here is using cryptographic mechanisms and applying these for the DNS data. So by this actually it uses the same concept of public and private, I'm sure that everyone knows about this.
So by that all the DNSSEC data is signed by the owners and also countersigned by parents. It also can be verified by resolvers with the trust anchor.
So the goals here for DNSSEC is establishing a chain of trust from any signed zone to the root. And so the DNS -- the way it works I just briefly mention, is that DNSKEY, which is a public key record, is signed by the zone's private key and each DNSKEY can be identified with the delegation signer, like the DS record, so the parent actually keeps that record.
Also the DS record in the parent zone is signed by the parent zone's private key, so this is the way it establishes the chain of trust.
Specifically APNIC focuses on the ... the delegated resources that we've got some for the region.
So we actually put up a plan for the DNSSEC deployment, so we had several phases. We started with the testing, so we signed the ... subzones. Phase 2 we actually brought this into production, so we are internally publishing this -- the signed zones. But it's not yet in the parent. And also we are waiting for the -- to get all this, you know, DS records from the members.
Basically what the operator have here is actually the delegation from -- we're waiting for the signed zones, but they will accept our DS records in the future, I think it's on 14 March, so that we can get the DS record from our members probably later in June.
So there are some dependencies as I explained. So to get that done, to get all the DS records from the members, and also the same, IANA get our DS record. So basically we ... so it's not accepting the DS record, and also we need to do something about the DNS management system to get all the updates. And the dates we are hoping to achieve is for APNIC to receive all this DS record would be June 2011.
As I mentioned, IANA will be signing -- we will be accepting our DS records on 14 March. Thank you.
James Galvin: Thank you very much. Let me invite all of our other panelists to come back up here to join the panelists here and I assume we'll get our display of Lance up on the screen too. If you have a question please raise your hand and the microphone will come around, if you prefer to write something down bring it to
Yannis in the back of the room. This session really is intended to be interactive. I'd very much like to know what's important to you, what are the questions that you have.
I think that all the speakers that we've had so far this morning have been infrastructure providers in one form or another. As Edmon started us this morning when he mentioned the chicken and egg problem. The issue is somebody has to go first and naturally that would fall to the infrastructure providers. So we have registries up here and of course a particular software vendor who have done their part to deploy DNSSEC.
They also have special challenges because these are the people who have the largest operations that have to accommodate DNSSEC. So Xiaodong had mentioned performance issues, that has affected all of these people. He was the one who mentioned it explicitly, but it is certainly an issue that has affected everyone of the people up here.
As an infrastructure provider you have larger zones to deal with, you have larger numbers of customers to deal with. You have larger numbers of queries in the DNS that have to be dealt with, you have larger quantities of bandwidth that you need in order to deal with the DNSSEC interactions that happen in the DNS, you also have a larger number of -- the size of your zones. So you need a bigger operation in order to handle those things.
Those issues will affect some of you out here in your desire to deploy DNSSEC, but not on the same scale as these infrastructure providers.
So one of the things I want to remind us, as Vint said this morning, he pointed out that even though there's only 21 per cent penetration of internet in the Asia region, here we are in the Asia region where in terms of internet penetration throughout the world, just under 50 per cent of the worldwide internet penetration is in this Asia region. You folks out here today have an important influence, an important role to play in the deployment of DNSSEC in the world at large. You clearly are the largest set of users, and the potential to be the greatest number of users of this technology and the value that we're going to get from it.
One of the things that I'd like to get from each of our panelists here. I put this question to each of them to speak about, is as infrastructure providers, what do you see as the next step in deploying DNSSEC? I think that there's more infrastructure that we need. So there's a second level of infrastructure that has to be addressed.
So we have registrars for those of the registries that have them, you have the part of the infrastructure puzzle that deals directly with registrants. Then of course there's the other side of DNSSEC, which is how do we make use of it, how do we get more people to sign their zones and more ISPs and network providers to actually want to do the validation and provide that service to people.
So the first question that I put to you is what are you doing, or what are your plans, or what are your expectations about filling out the rest of the infrastructure in DNSSEC deployment?
So anyone want to volunteer to go first?
Xiaodong Lee: It's a good question. My concern is, I have many discussions with ISP and -- I mean ISP carriers and the registrars and some of the users. We have done some investigation on the DNSSEC deployment in China. I want to share with you, you know, there's so many others, they don't know what DNSSEC is, don't care more about DNSSEC. I only want my browser to accept the website to be secure. The others, they don't care about DNSSEC.
But I think that the most important role for DNSSEC deployment is the carriers and the registrar. The registrar, most of the registrars provide the hosting. I mean if they don't want to sign DNSSEC it is a big problem. Carriers run servers for other users. But I am sure that not all of them are familiar with DNS,
I think the first thing we should do is doing some kind of promotion work, to train some people, some key person to know about the DNSSEC, especially for the -- I don't mean the system administrator. The system administrator cannot make decisions; to make decisions to give the support or human resource or facilities or money to support the DNSSEC problem is the management. So they should do some promotion and training for them. What is DNSSEC and why we should do DNSSEC?
And then we should train them how to do DNSSEC. I think maybe it's some kind of marketing work, not technical work. So I think that is my concern. So I think we need a lot of work. You know, not all of them join with me, not all of the management layer people, they join the technical meetings or trainings. So I think how to get them to be trained, I think it's a little bit difficult.
James Galvin: Thank you Xiaodong. I heard you say that you believe that we have a promotion opportunity that we need to exercise for DNSSEC, we need to get more of the managers and decision-makers engaged and interested in wanting to go down this path and to implement DNSSEC and add it to what they do.
Xiaodong Lee: Yes.
James Galvin: I would say that's part of why we're here today. This is the goal of what we're doing today is trying to make it visible and obvious to people. It's time for the next generation of people, the second level of people to be thinking about how to deploy DNSSEC, and
I'm hoping that's why many of you are here today, to find out about the experiences of these infrastructure providers and the work that they've done.
Let me move to Lance, you said you had a response.
Lance Wolak: Sure. Thank you, Jim. So our next step is to look at the registrant community and look for the large groups that are adopting DNSSEC. Therefore what we're trying to identify is the leading adopters within the .org community that are signing their domain. What we'd like to do is turn that into a promotional opportunity with that segment of the .org population and take the reasons why that they are becoming the leading adopters, take those reasons and that rationale out to that segment in a much larger fashion and have these leading adopters work on the demand side of this so that they can work with their own specific registrars, they can work with their hosting providers, all of the infrastructure side would get the encouragement from the paying registrants to move forward.
So while we've spent a lot of time on the infrastructure side, I think it's really important to pull together the large groups of registrants by industry segment and let them lead the charge on this.
James Galvin: Thank you, Lance. Joao?
Joao Damas: Thank you. Just a further couple of things. One is that we keep talking about making the information available and perhaps we need to start thinking a little bit more about how the information is consumed. Earlier today, there was talk about using DNSSEC as an alternative to CAs.
Yes, the technology is there to provide that information, but unless the support in the application for instance starts being there, unless the browser vendors start making use of those facilities, of the new opportunities that you have by using DNSSEC, the incentive to use it, it's going to be very hypothetical. It's very hard to communicate the real benefit to the end user unless it's clearly visible in applications they interact with every day.
And the second thing is that one thing that we are seeing and noticing with DNSSEC is that it changes the model under which most people operated DNS so far. The DNS has been a very reliable system for years and it has usually just worked. What that has meant is that unfortunately it has been sort of the bastard child of internet services in ISPs, for instance. It's something that's usually installed in the latest, the less important of the servers, left there without maintenance because it just keeps working without human intervention and with DNSSEC that has to change.
The DNS operations inside ISPs need to change from being something that you need to work but you don't really care once it's set up. Something that is on par with your web servers and all the rest of the services. So you have to adapt how you work inside ISPs to make this more relevant and be able to make use of it.
James Galvin: Anyone else?
Yoshiro Yoneya: JPRS is now thinking about how to promote more stable work for DNS operation. Because the area of DNS operation, or misoperation will cause, as I said, DNS zone vanishing. So that we are now discussing, we are talking with registrars who are also operating DNS provider. So that some operation of DNSSEC, we are discussing such kind of stable DNS service will deploy the DNSSEC to the end-users.
James Galvin: Thank you.
Edmon Chung: I certainly agree with what was said in terms of the ISPs and also in terms of registrars and registrants. I think definitely for us DotAsia and those in the DNS community, the next step, as Jim you asked, is definitely with the registrars and registrants and getting them to deploy.
But I think one of the things I wanted to respond to is quite interesting, I was just sitting here thinking, as Jim mentioned the ISP areas have often agreed with what was said in terms that a lot of times DNS is really taken for granted and it's not like it's not a high priority, it's important, but not a lot of time is spent on understanding it, and how to do it better.
And one of the things that perhaps which came to mind just now, is what would be quite interesting is as we promote DNSSEC and ask for ISPs to implement them, and it is important that they implement it because they're really the interface between applications or the user and how the DNSSEC information eventually gets there. But also to perhaps think about what roles ISPs should play.
What I mean by that, is that this is, you know, I don't know this just came up to mind actually in the last little while.
What is the role in terms of if they see something that is not authenticated? What is a role as they pass it back to the end user? What type of information, and what additional role should or should not they play, might be something that is important to think about as well.
Especially in this region and, in fact, not only in this region, but the growing, I should say, the growing utilisation of certain filtering or, you know, certain content issues on the internet. Certain authorities or policies or legal policies inside certain countries or, you know, what the ISP's role should be as we go about the deployment of DNSSEC might be an interesting area that we might need to spend some time on as well. And that brings us beyond just technology but also some policies and how we see what the role for ISPs might be.
James Galvin: Thank you.
Siamak Hadinia: I just wanted to add one point here, saying that apart from raising awareness for the community for the DNSSEC, there might be some maybe operational issues as well in technical. So perhaps we can think about using all sorts of alternatives we have.
For example we can -- because the key management might be an issue here. So using hardware security modules for signing is one way of doing this, but other ways actually are available using soft key. So perhaps, you know, like providing this information for all the ISPs and sharing this information with people as well.
James Galvin: Thank you. So I want to focus on one thing in particular, a common thread that I heard in these responses. So my question was about the next part of the infrastructure that has to be deployed. It's not enough for an individual or an individual zone or domain name to want to sign a domain name and make it secure; how do you make that value, how do you achieve a value proposition out of that?
And a piece of that, and in fact unfortunately an unrepresented role among these panelists here is ISPs, we've heard a number of people talk about them and the role that they have.
More generally than just speaking about ISPs is the issue of validation. It's wonderful for a lot of people to sign their domains. It would be great if everybody was signing the domains.
But the important part of signing that signature is for validation to occur. Edmon spoke about the policy with respect to validation. Right now we're in a transition period so it would be hard to imagine an ideal model where if everything is signed then if you have an invalid signature it doesn't exist. That would be a policy and I would assert that that would be the best policy for DNSSEC, at some point. If we get broad deployment where everybody has it, then the correct response should be if I don't have a valid signature, then the domain simply doesn't exist, so I don't provide a response back.
But there are a lot of organisations that have to provide resolvers. The application services providers, browsers in particular, e-mail service providers or any other future application that wants to take advantage of DNSSEC, where are they going to get their valid signatures from, where is that going to come from? We have infrastructure providers up here who are creating the means to sign your domain name, and make signatures available so you can have a secure site.
Does anybody have comments or plans, or what do you think are the issues with getting that critical part of the infrastructure, the resolvers, the people who are going to provide validated answers who are going to validate responses, which is principally ISPs; everybody depends, your ordinary user depends on an ISP to provide valid responses. Do you have any comments or suggestions, or plans? What are you doing to reach out in particular to those adopters to get them on board so that DNSSEC can be available and a value proposition for the larger community?
Joao Damas: Not a lot, to be honest. We keep insisting on it, but unless people start seeing more than the cost side of security and start seeing how to enable these additional features to get some benefit. That, for instance, could start with what the registries are doing, the IP registries are doing, APNIC and company.
A lot of people still, for instance, use the reverse lookups as a measure to try to contain spam, and you use records like SPF records that are put into zones. But without any warranty that that information you are using to control the income of spam is verifiable. You're really just basing your efforts in good faith. Now when ... gets signed and the whole thing is able to be signed throughout the actual prefix delegation, that whole process has a lot of extra reliability.
And fighting spam is something that costs ISPs money, real money. Processing all these emails that shouldn't have been there in the first place costs ISPs money. If they find a reliable way of fighting it in a secure manner, in the way that we can trust there is clear value there, because it reduces the cost.
James Galvin: You mentioned cost explicitly. Let's focus on that issue a little bit for the moment. Early adopters such as the folks up here on this panel, have obviously invested quite a lot in being in front. As is typical for an early adopter, there's always an investment. You have to put more into the deployment and the service and features than the next set of people who implement will.
So my question is to those of who are infrastructure providers. You've already made your investment, so this is not about how you justified your investment in what you did. But what do you think about how the next not early adopters, if you're the early adopter, who are going to be the next generation of adopters, and what are we going to incent them. Are they going to pay for it?
If they're not going to pay for it, what about the rest of the infrastructure that is providing services for them, what's their business model for DNSSEC in encouraging deployment?
Xiaodong Lee: It's not a direct answer for your question, James. Maybe we forgot another industry related to DNSSEC. There's so many companies to have the security software or security device. Maybe for the ... they protect the user's computer. I will discuss with him, because there are so many security issues, some company developed the fibre, because there's so many checks, so many companies that have the device, there's so many areas ... security to take care of many security scenes. I think it's a problem. Maybe there are so many DNSSEC issues, we don't know that. But I think it's not a hot topic, but how many, where the DNS hijack is happening.
So where the internet infrastructure, we set up the DN servers, maybe the ISP carriers should have the encryption service, we build up the internet infrastructure to provide the DNS resolution for the users. But they don't know more about the security issues. The security industry didn't know more about that. If there's so many DNS hijack issues, I think that's -- maybe it's -- we don't need so much time to get promotion for DNSSEC. There's so many people will be involved in the DNS development.
So James I think that we need to ask them, maybe they have found so many DNS security issues in their software or monitoring system. For myself, we deploy DNSSEC, but I should tell my partners, registrar or ISP, what's the benefit for you? If you don't deploy the DNSSEC what's the risk for you? And where is the risk?
James Galvin: So I think what I hear you saying is the focus should not be on what is the value necessarily of DNSSEC, you know, why is it important, it's about what are the bad things that are going to happen if you don't do it.
Xiaodong Lee: Yeah. It's no doubt that DNSSEC is very important; I totally agree that. I'm not a security expert, I don't know more about security. So we take care how to deploy the DNSSEC, how to improve it in the infrastructure, to make the infrastructure more secure.
But some people, some hackers, you know, we edited the industry of DNS, but we also edited the hackers. If the hackers hack some important infrastructure, it's a very crazy idea, but maybe we don't know that, maybe it happens every day. But if you know more about that, it's very important. It doesn't mean I worry about DNSSEC.
It's very important.
James Galvin: Let me draw and observe -- there are three important roles in the deployment of DNSSEC and what it means. You have, first, your large infrastructure providers which are the people who are primarily represented here, you have your registries and you need the registrars, you need the ability to create signatures, you need the ability to sign your domain name so that you can protect your services that you're offering.
There is a second category of the people who make DNSSEC available, so you have your networks, your ISPs, their job in providing resolution services. Some applications will probably need to implement DNSSEC directly, so browsers are obvious examples. Email service providers and their software taking advantage directly of DNSSEC.
Then we have this third category of end-users. Several people along the way here have talked about end-users. I think that Xiaodong your comment about educating people on what can go wrong if you don't have DNSSEC. So the way to create the value proposition for DNSSEC is to talk about the risks of not doing it, as opposed to the specific benefits that you get from doing it. So my question now is about end-users.
Normally when you talk about wanting to get a benefit out of it, the idea is I want user community to take advantage of it. I want them to know about it. So who do we educate about the risks of not having DNSSEC? Do we educate the end-users? Those who are actually -- who get the most value out of DNSSEC, or are we going to educate the rest of the infrastructure on why they should be providing it to those end-users? So is it the end-users or the rest of the infrastructure that need to be educated about DNSSEC?
Edmon Chung: Actually, you know, I think that's a great question. I think it relates to what Xiaodong is talking about as well. And I'm just really sparked by Xiaodong's comment, is that we don't have -- we need more people here and we need those security experts in a way in terms of how to sell to the end consumer. We need the Symantec folks, we need the Norton folks, we need those people, because it seems like that we as infrastructure providers have always been good at telling the world about the good news, and we need some expertise on telling the world the bad news. And, you know, I hate to use the word, but some risk factors, some scaring tactics might actually work.
I mean we've seen that happen, you know, in the DNS industry for example for registry lock, you know, the ability to lock a domain name down so that no updates can be made.
It only took off after a big disaster happened and suddenly everybody's interested in it. I'm not saying that we need a disaster to happen for DNSSEC to be deployed, but I certainly think that in terms of educating the community we probably need some of the experts in doing those, you know, scare tactics and, in a way, to help us.
And sort of this brings me to a thought that I think in my work on the internationalised domain names, I think Verisign has been doing a very good job in bringing together the right people in order to do some of the advocacy, here as Afilias, as .org and here DotAsia, I think we probably can learn from that as well, and as sparked by Xiaodong, really invite some of those guys in to the discussion and learn from them how best to educate the consumers.
I think definitely educating the end-users is important, and they need to know what the risks are, and then eventually that demand would pull the -- would hopefully create a pull demand for ISPs to eventually implement.
On that topic, actually jumping back to a couple of questions back, I wanted to say that it's very interesting in terms of thinking about the reverse DNS part and how ISPs, how we reach out to ISPs to, I guess, -- quote/unquote -- educate or advocate about DNSSEC. It might be perhaps APNIC and the APNIC community might actually be a very good area and community to reach out to, because they are the ISPs and thinking about the deployment there, as I earlier talked about in terms of the role of the ISPs, especially with DNSSEC and how they should respond given the background of all this politics about content filtering and all those kind of things. It actually might be beneficial for the RIR community to take the lead for us in terms of thinking about the policies for DNSSEC at the ISP level.
And I guess to eventually, I very much agree with Jim's ultimate goal of saying if it's not authenticated, then it shouldn't eventually -- it shouldn't be returned to the end user. But we definitely aren't there yet.
And perhaps the RIR community is actually a very good area to help us lead the way, for lack of a better description, to avoid overly politics on this particular issue, because I do believe that it has that dimension to it as well.
James Galvin: Thank you. Edmon, I hear you suggesting that you think that scare tactics are a good way to educate the general user community. That in and of itself would motivate the deployment of DNSSEC because then they would be asking for DNSSEC to be used and available, the websites that they go to should have it, their financial services, their bank that they go to should all use it, their ISPs should then be doing validation for them and so on.
Lance I'd like to come back to you for a moment in your discussion about looking ahead. You talked about looking for leading adopters and wanting to get those groups to sign their domains and make those services available in a secure way. If scare tactics are an appropriate way to motivate end-users to want to ask for DNSSEC, do you think that that's the right way to reach out to second level domains and delegations to motivate them to want to sign for their user communities?
Lance Wolak: OK. Thank you, Jim. So I do agree that we need to continue the work that we've done with the early adopters, with the infrastructure providers, getting them to adopt the DNSSEC. Just continue to move forward there. But to your point of getting the next wave beyond the early adopters, I have to come back to what I mentioned earlier about the registrant community.
You also mentioned financial services. Within the .org community, we do have financial services institutions, credit unions, that are on .org. Many credit unions and so forth around .org today, and I do expect them to be the largest group of early adopters. We're watching the signed names, they're looking for patterns there.
But let me tell you, I really believe that the registrant has a lot of power here to influence the infrastructure providers. In fact, if we can identify those large groups and let's say it is the financial institutions that are leading the way among the registrant community as the early adopters, I believe they can put a lot of pressure on the infrastructure providers and application developers, because the registrant is the paying customer to a lot of these services. I think they can't put adequate pressure to have more and more infrastructure providers adopt the DNSSEC.
We're already finding today within the .org community that the registrars that were not part of the early adopter registrars are now coming to us and recognising that they need to get moving with DNSSEC. They need to do it quickly, because they're already getting inquiries from their registrars of how soon the registrar will offer DNSSEC, and if it's not soon enough, the registrant is more than prepared to move to another registrar.
So again, we're seeing this today where the registrant is ready to move to those infrastructure providers that have already adopted the DNSSEC, they're applying pressure to their existing infrastructure providers to either step up or get out of the way.
James Galvin: So I want to put forth a challenge here and taking those two comments together from Lance and from Edmon. So what I hear Lance suggesting is he believes that we need to continue to motivate the rest of the infrastructure to provide services. So we have folks in the room here who are registrants, you have domain names, you should want to be providing signed domain names to your customers so that you can then use that as an advantage for you in telling them that you have a secure site and they have a higher probability, a greater chance to ensure that they're talking to you.
Edmon is suggesting that we really need to educate users because we need to provide motivation on the user side and pull that up. So let me put something out there as an assertion and see what kind of reaction we can get from our panelists. I'm interested in a reaction from the audience too. Feel free if you don't have a question, if you want to make a comment about something, I would love to hear from you.
But rather than scaring end-users, the question that always comes to my mind in thinking about DNSSEC is should it be the case that end-users need to know anything at all? Shouldn't end-users, shouldn't DNSSEC and the security of the internet just be automatic and just be present and there for them? So we should be focused more on the infrastructure side and building that out and getting the validation to happen as well as the opportunity to sign your domains and users should just automatically expect that everything is secure. Isn't that a model that we should reach for and try to achieve?
Xiaodong Lee: James I want to clarify: You mean end-users is registrant or?
James Galvin: So registrant is, I'm actually making a distinction between an end-user and a registrant. The registrant is the person who actually owns the domain name. They are the one who has to make the choice to sign the domain. And thus take advantage of the fact that the domain is now signed. Of course, they can't really take advantage of that until resolvers provide validated services, so that's the other piece of the infrastructure that, as Lance was saying, gets motivated and pulled up into getting involved. As you get more domains signed, more people want to validate.
So the question really is probably going -- and Edmon's comment that motivating DNSSEC from the end-user side, challenging that and suggesting that the user, the person who sits there at their mobile phone, smart device, the person sitting there at the browser, that's the end-user.
What's their role in DNSSEC? Do they have a role?
Shouldn't it be the case that they shouldn't care?
Everything should just work and they shouldn't have to think about it or even wonder. Should they have to worry about that golden lock that appears today when SSL, TLS certificates are used.
Edmon Chung: Since I started this crazy discussion, probably what I'm going to say people won't agree much.
Because I take a very different view on this particular issue. There are those who believe in a model where the user is relatively unintelligent and shouldn't be made aware, shouldn't necessarily be made aware of some of the technologies behind what they use on the internet. I'm actually on the other side.
I don't believe so much in smart or overly smart or sometimes I call smart-ass technologies which shield the user from knowing from much from it. At the end of the day, what I do believe is one of the, sort of the beauty of the internet and also the ugly part of the internet is that it's just sort of the -- quote/unquote -- the truth is that there is no way to absolutely say that, at least up to this point, there's no way to absolutely say that something is good or bad or something that is right or wrong, and not only in terms of content, but also in terms of what happens, you never know exactly whether, you know, you were hacked or not.
Ultimately I think what is important is that end-users need to know that their actions are a part of the whole process of the security. They need to be responsible for their security on-line. And if we shield too much and if we take, and if we allow people to take too much for granted about certain services, I think we would create a false sense of security which is actually, in my view, detrimental to the development of the internet.
And I think there are people, in fact this is one of the things that I keep attacking Apple about, which is why I'm not using Apple, is because it's too -- sometimes what you think is really friendly is actually shielding people from knowing better. But if people can learn what a WiFi is, people can learn what AP, access points are, and people can learn how to type in a URL and people can learn some of the things set up a POP account, set up an SMTP account. I think people can learn to understand a little bit more about the security. That actually is helpful for the community at large.
I know that a lot of the engineers actually disagree with my viewpoint, but anyway, that's sort of my view. That's why I think we should open up and let people know what's happening. As much as people can see the transparency really ultimately creates the sense of security, a real sense of security for end-users. That's my personal view.
James Galvin: So my question to that, and my response, is part of the motivation for this session is to talk about why DNSSEC, you know, why should we need to be moving forward and join and want to get involved in this.
I think that as infrastructure providers, the members of this panel have answered that question for themselves; to a first order your response is because it's the right thing to do you're all early adopters and you've made an investment in doing it. Somebody has to start this process of making a more secure, a safer internet available for everyone else, and the DNS is a critical part of that.
So you need some education in order to continue to promote the deployment of DNSSEC in that community. We now have another level of infrastructure that has to be involved, so we have to continue that education, because we have to get more registrars involved, as Lance was talking about. Registrants now are thinking about what can I do if I have signed my domain, what value can I get out of it? It's a selling point, the value proposition for me is to my customers. So now I need a registrar, I need the rest of that infrastructure, so I need to be able to sign my domain, that's the registrar, and once we get the rest of that puzzle, piece of the overall infrastructure going, the next thing is going to be the resolvers, the ISPs, and as Lance was suggesting, they'll be motivated to be involved.
I'm going to challenge you, Edmon, on whether or not we should be educating users or not. I still want to put out there and ask to the community here, I mean people, if you're thinking about DNSSEC and you want to sign your zone and make that available, the question is: Are you going to educate your user about it and expect them to take action to take advantage of your DNSSEC? Who educates the user?
The reason why I challenge educating the user is, in part, because who owns that problem? How do we educate the entire internet community about the right thing to do about security? Shouldn't security be an automatic and integral part of the infrastructure? And so the education stops a little bit at that point. There should be much less education of the end-user community. It's really about educating from the top down and you educate less as you move down.
So I put that out there as a challenge, or an assertion, that we don't educate users, we educate the rest of the infrastructure and look for a response from our infrastructure providers here on whether they agree or disagree with that point.
Yoshiro Yoneya: I think the education of the end-users will be what I called the media. Because the users of the internet are not educated by some certain organisation such as registries or registrars or ISPs, but I think the usage, or the internet registry is a common sense of the internet users. So the media should promote the use or how to use internet more securely in the public. For example, some government or education organisation such as university or high schools should do that kind of education.
James Galvin: So I hear you suggesting that we need to involve the media and promoting DNSSEC and getting that level of community. So in Japan, you have the DNSSEC Japan programme, where part of its principal goal is about educating and reaching to the people who need to know about DNSSEC. Are you reaching for media in particular? Are you reaching into high schools?
Lance, I put the question to you, after Yoshiro here, about: Are the leading providers, the leading adopters that you're looking at, have you considered media as one of those channels that you need to reach out for?
Yoshiro Yoneya: Currently we don't have contact with media, because the first priority is the infrastructure providers such as ISPs and registrars.
So we don't have communication with media yet, but it should be in the future.
Lance Wolak: So there are registrants today without DNSSEC that are doing verification, so you have the website like a financial institution on one end, and you have the end-user on the other end, and there are programs that they have such as recognising certain objects or having some recognition, visual between the end-user and the website that allows both parties to know that they are talking to the correct person. So the end-user now knows that they are, in fact, speaking with their bank, for example; the bank knows that they are actually talking to that end-user, that account holder, and there's no misrepresentations on either side.
So there are other ways to solve that particular problem.
I think it's very important, though, that we continue to make the public aware that this challenge of verifying that you are connected to the correct website or that website owner is correctly connected to the proper end-user, that challenge still exists. I think the public needs to be aware of the threats that exist to that. And DNSSEC is one way to prevent the man in the middle, to ensure that there's this tamper-proof connection from start to finish.
So I do agree that we should be educating the end-user, but not so much specifically on DNSSEC in the technical problems that it solves, or the technical opportunities that result from a DNSSEC deployment, but talk more about the end-to-end verification that is the larger challenge here. Those are the type of stories and descriptions that most end-users can identify with and can understand very well.
And it's then up to the registrant, the financial institution, to speak very openly with their customers that they are taking every step possible to verify the account holder coming into the website and giving the account holder reassurance that they, in fact, are connecting to their financial institution.
So I think the type of educational awareness needs to be at that level and not so much at the very detailed technical level on DNSSEC.
James Galvin: Thank you. So let me bring this discussion back around to cost again and ask each of our panelists to respond a little bit to this issue. As early adopters, the folks up here on the table are early infrastructure adopters, and so you've made your investment and you've had to invest in infrastructure.
Xiaodong made particular reference to the need to grow your real infrastructure, your network connectivity, servers processing power. All of those things are important and essential for large providers, which all of you, as early adopters, you know, fall into that category of being larger providers. So performance and those kinds of issues are important to you.
So what about the next set of early adopters? What about the next level of domains? So now we're looking to try and grow the opportunity for more domains, the folks in the audience here to sign their domains, they're going to have some costs associated with that. What do you say to people who would respond that DNSSEC is expensive and it's too hard for me to do this, how am I going to recover my costs? Obviously I think that's an important consideration for people who have the one domain to sign.
You folks have made your decision. What do you say to the next adopters about cost and how they're going to recover their costs and where that money is going to come from?
Yoshiro Yoneya: Last year in Japan, we discussed about that issue. The result, at that time, is the DNSSEC is not widely deployed yet. It is very in front of the deployment. So the signed zones are very few. So that it is just -- now is time to start DNSSEC validation, because the impact is very small right now, at this moment. But in the future, if the DNSSEC deployed much more, then the impact will be in place. But if ISP starts right now, they do not need much expensive hardware or software, but they can start with their facilities right now.
If they miss this starting point, they have to upgrade their software and hardware, networks with very wide gap. That gap will cost them. So starting in the very early stage is very cost-effective for the ISPs.
James Galvin: Thank you. That's a good point. I want to emphasise that point. So earlier, I had said that there are essentially three major categories of deployment, people for roles in DNSSEC. So you have the infrastructure providers, the larger ones represented here, you have your intermediaries which are the network providers, those who do the validation and provide that service to their customers. Then you have the end-user and their role or non-role in knowing about DNSSEC deployment and what it means to them and how to make that available.
I think Yoshiro you make an excellent point about the intermediaries. Because now is the time for your ISPs, in particular those who provide resolver services, to employ DNSSEC validation. One of the principal reasons for that, if you get involved now and you turn it on, you're going to see that slow growth going forward.
You're going to have an opportunity to grow your infrastructure to meet that need. It's not a very big investment that you have to make up front, you can grow with the demand. As the demand comes to you, then you can get to it.
The infrastructure providers here didn't really have that option. If you're going to deploy it, you need to deploy it and make sure you're ready for the real usage and what might happen. So you have to get ahead of that. And so all of the folks up here have made their investment in getting themselves ready.
What I'd like to do, though, is get to the question of what about the signed domains, the other people who have domains and their signing, they're going to have some costs that they're going to have to deal with too.
Because they're going to have to look for DNS providers that have the services, or they're going to have to look for registrars that have signed services and hosting services. Are they going to pay more for this? Are the registrars who get involved be expected to pay more for it?
As registries who are offering services and are now looking for your channels to promote DNSSEC, what is your response? What are you presenting to registrars and what are you trying to promote to registrants who want to sign their domain? What are you saying to them about the costs of DNSSEC? Or have you not thought about that question yet? Is that a question that you're now just getting into?
Edmon Chung: I think for us as DotAsia, I guess we're happy and lucky to have Afilias help us on the technology side. As a registry, speaking to registrars, we're offering DNSSEC services at the registry level with no extra charge to the registrars. This is one of the things that I think is probably a -- it's definitely our decision to do that. And Afilias' support was important.
I think this is important to get it out as well and to offer to registrars the capability of submitting DS records basically to the registry without additional cost for them.
But at the end, you know, how registrars then provide the service to registrants, I think at this point, in terms of the cost from the registrar, well, and for that matter, for the registry as well, definitely there are additional costs. But I think at this point it is a -- in fact, as Yoshiro says, because the incremental costs probably at this point is not as prohibitive, it is a good time to invest into it and start working on it as we go about.
Eventually, I think, ultimately there would be certain services, I think the basic service should, you know, really DNSSEC should be a part of domain registration, domain services as a basic product, I think, in the future. But there could be additional services. I think as Vint definitely mentioned, I mentioned, in the future that trust of anchor, trust of chain can provide additional services. Those are probably the prime areas where registrars and those in the DNS industry can provide additional value and, therefore, recoup some of the costs and, you know, that will be additional business.
One more point, slightly off tangent, but I think it's somewhat related. We talk about costs, we talk about, you know, some leadership in terms of adoption. The reason why I brought the government into this session earlier this morning is I think, especially here in the Asia region, the government has always been -- governments around Asia has been very proactive in internet development, and this is an area that I think government can lead the way. Especially with governments rolling out services like tax reporting for citizens and a lot of government services are now available on-line, government really should definitely take the lead and show how end -- well, not end-users, but show the registrant area what it is about, create show cases of a broad deployment of DNSSEC across government networks, and then also do, in terms of the media side and education side of a broader sense, then the government can also play a role in that as well.
So actually I agree that in terms of infrastructure providers like registries, our sort of -- quote/unquote -- responsibilities are probably to focus on the infrastructure and educating that group, but we need to bring in our partners like the government, like the media, to then also educate the end-users.
James Galvin: One last appeal to the audience for anyone who might have some questions if you want to raise your hand or stand up. They have a microphone that they'll bring you to or if you want to bring a question back to Yannis and she'll bring it up front for me.
While we wait for that, let me ask a question of each of our panelists, something for you to think about.
So we're focused a lot here on registrants getting them to sign domains, we're focused a lot on the end-user and getting them to want DNSSEC. So let me cross that bridge and ask for you to think a little bit about the future.
Where do we go from here? Past the point of deploying DNSSEC, do you have any thoughts about what is really going to happen? Lance and Yoshiro and others spoke about looking for particular channels of leading adopters. But we've all referenced the fact that we need validation, so we need the ISPs to do the validation. We need for DNSSEC to be valuable. In order for it to be valuable, we need the validation in the network and we also might need it in applications and services.
What is the value of DNSSEC long-term? What do you think is really going to come and be available for us? What's going to make it interesting for end-users?
Lance Wolak: I think it's a fair question to ask, you know, how do we get the rest of the industry motivated and moving forward. However, it still feels like a question we would have asked ourselves a year or so ago.
My observations (loss of audio) are infrastructure providers that are already moving forward with this. So what it represents, DNSSEC represents right now the fact that an industry is coming together around a specific technology to offer a greater level of security to the registrants, as well as the end-user community. And while you could argue as to how far along we are in that adoption, it is happening, it is going on. And you have the industry rallying around DNSSEC now.
So I think that we can continue to see adoption across the board with DNSSEC, and I think it's up to us to look at what other types of security technology we should be deploying out that may be very complementary to DNSSEC.
As far as the cost of deploying DNSSEC, again I think that question might have been a big question asked a year or two ago. In general, infrastructure providers see their costs going up, security is a concern. If the priority is there for specific technology, infrastructure companies will make that investment and by the fact that we're seeing the industry rallying around DNSSEC now, that puts DNSSEC on the priority list for these infrastructure providers.
There's many reasons why you'd have to increase your provisioning no matter what type of an infrastructure provider you are. DNSSEC is just another reason. But due to the fact that the industry is moving forward and is implementing this, I think that, you know, less needs to be done in terms of justifying the expense, it's really making the industry aware in the corners that are not aware yet that there is a great adoption going on here. And it's in all of our best interests to continue to rally around this.
So that's my perspective on where we are today in 2011.
I think 2010 was the big turning point of when all the dominoes started falling, and in favour of DNSSEC. And going forward today it's keeping everybody's priority on DNSSEC and continuing to make all the infrastructure providers aware that, in fact, there is a tremendous interest, the critical mass is there, and we should continue to work on this.
James Galvin: Thank you, Lance. Any other panelist want to respond?
I understand we have a question from a microphone over here. One last question from the floor and then I have one last closing question I want to ask of each of the panelists.
Question From The Floor: My name is Migel Ramirez, I'm from the Philippines from Telco. I've got one comment only. With respect to the DNSSEC implementation, I was just surprised that when you mentioned APNIC, for me I guess APNIC is in the right position, maybe because for me it's -- you always do in Asia, workshops everywhere, anywhere, you have the APNIC, and APNIC I think is a good venue to start all of this.
And they have told us a while ago in one of the slides it was told that they already have a negotiation in terms of the IANA in terms of the discussion with respect of this DNSSEC implementation, and I believe APNIC will be a good venue and the rest of the Asia Pacific members will get implementation. Thank you.
Joao Damas: I just wanted to make a note here, because APNIC, as a core activity of APNIC we provide training to the region, so it's about to reverse DNSSEC and routing, as well as managing the resources.
The only thing I just wanted to clarify, is APNIC is facilitating the discussion, but is not proposing any kind of policy here. So we're waiting for the community actually. But we're happy to facilitate and also around the policy after it's been decided by the community. So basically this is the role of APNIC.
James Galvin: OK. Thank you. So I want to bring this session to a close.
I have one last question to ask of the panelists. I want each of you to think about the future a little bit and predict a particular number, hopefully we can step through people -- I'm sorry we had another question?
Edmon Chung: There was a question over there as well.
James Galvin: In the back? I do want to take questions from the audience. We had a question here, so please go ahead.
Question From The Floor: Tony Hill from the Internet Society of Australia. I guess we've got a session tomorrow on IPv6 implementation around the world, which I think implies we're going to do a lot of rebuilding of the internet and its infrastructure.
And there's been a question raised in that area which I think is relevant to this debate, which is to what extent should end-users notice the change to IPv6? So you've been asking the question should end-users notice the implementation of DNSSEC, and I think in the IPv6 world where all sorts of items are going to be addressed, users are going to have to take more responsibility for security in that environment.
So they're all going to have globally routable addresses in the IPv6 world. In that context I think it's worthwhile joining forces in this debate to say there is some information that users need to exist in this future world and we need to figure out how to provide that information to at least improve their security a little bit, including through DNSSEC.
James Galvin: Thank you for that, Tony. In fact, it's because of watching and paying attention to what's going on with IPv6 that I've taken that question and applied it to DNSSEC and asked the same question: What role do users have in DNSSEC? Should they care in any way? What is the information that they need?
So as you said, you've been talking about users have to have a role in IPv6. So you have to figure out what message do they need, then you talk about what to give them so they can do that.
I actually think, I'm not convinced we know what message end-users need to have about DNSSEC yet. And I question whether there is any particular message that they need to have. I just put that question out there to you and I ask for everyone to think about it. All of you, as registrants, are going to have signed domains. You have to think about how you're going to get value out of your signed domain. So what are you going to tell to your customers so that they understand that you've done this and they can appreciate the value that you're expecting them to get from it?
I think that's an important question going forward. Then we have to find the mechanism for getting that information out. What does the end-user need to know?
What does their role need to be? How are we going to give that to them and get them actively engaged?
I do think we need to stop there. I have a question for each of our panelists, and that is that as you go forward in trying to promote the deployment of DNSSEC and each of you actually represents a registry or is somehow close to this, even if you're not a registry in particular, just interested in your thoughts about what's going to happen going forward.
How many signed domains do you actually anticipate in the early years? Some of you already have signed domains, so you've got some sense of what you think is happening. Is 2011 a pivotal year? Last year the root was signed, TLDs and registries are signing their TLDs now. They're beginning to offer signed delegations. We're obviously seeing some growth in that space. How many do you expect to have in your registry and you can put the timeframe on this. You can have one number in this amount of time or you can project you expect a certain amount of growth over a period of time.
I'm just interested in what you're thinking about and what you're projecting for your own. So let me ask first who wants to go first, then I'll pick on people as we go down.
Yoshiro Yoneya: Currently JP has about 300 signed zones. But I think it will increase by 100 or 200 this year. It does not increase so much because the support of DNS providers is highly recommended. But the implementation of DNSSEC is hard, and we meet at JP registry, DNSSEC Japan are discussing with DNS providers. But there is some lack of a business model, how to recover the cost of development. Their movement is not so fast. So that, I think, the increase is not so high in this area. But maybe, in the future, it will be increased, because of the support of DNS providers.
James Galvin: Thank you. Joao, since you're leaning forward.
Joao Damas: Making predictions is really hard. I think we will continue to see incremental growth at the pace we are seeing so far until we reach a point where someone actually realises how to use this in their applications.
And when that happens, we will see this continue. I don't know yet what that application will be. But sooner or later, I think someone will figure out that being able to add and define end points reliably will add sufficient value.
Siamak Hadinia: It's already happening in the reverse zone, but I guess your question is mostly about the 4 part zone, so basically the others can answer this.
Edmon Chung: Actually, I would have no idea. But I think the best way to answer the question is to ask our technology provider in your estimation for us because that will depend on your advice. But really I think in terms of registering DS records, that is actually not implemented yet at the DotAsia registry, it's now the TLD is signed, I think we're rolling out DS records later on in the year. Once we get that, I think there are two elements that are really important though.
One is probably take a look at how concentrated hosts are, you know, because I mean the NS delegation, those hosts, how concentrated it is in the DotAsia zone, I think that would give us a good indication of where we want to focus attention on, and of course how concentrated it is with registrars, and which registrars, if they implement and how they implement it, whether they charge more, that would definitely influence the numbers.
But I think really, .org is probably showing us the way, so their numbers probably will give us a pretty good indication of how we can expect.
James Galvin: Lance, let me move to you next.
Lance Wolak: So the .org TLD is close to 9 million total domains under management, and a very high percentage of the 9 million are domains directly associated with the website that is a smaller number of redirects to other TLDs such as com or net or ccTLD. So the heavy percentage going directly to a .org native website, I do expect the numbers to be favouring on the high side.
And I do expect 2011 to be a pivotal year based on the information that I've been receiving since probably the November timeframe of 2010 of the significant interest among registrants to be DNSSEC ready for the registrar.
So the number that I'm looking at is 10,000 signed domains. I can't tell you specifically when that will occur, I think 2011 again will be a pivotal year but I'm looking probably into 2012. But the 10,000 mark is a milestone that I'm watching closely.
James Galvin: Thank you. Finally Xiaodong.
Xiaodong Lee: James, you challenge my expertise on prediction. I think that for China, especially for .cn, I will try to finish the DNSSEC work this year, but I cannot predict how many partners will adopt DNSSEC in this year. But I think I try to promote this and cover it with the partners to deploy DNSSEC in their own DNS.
OK. That's all. It's very difficult.
James Galvin: OK, thank you.
With that, let me just close the panel session, and take this opportunity to thank all of our panelists and we'll move on to closing remarks and endings.
Thank you very much for all the people who came up here and talked about their experiences.
James Galvin: So the session today was supposed to be about why DNSSEC, we want to talk about a high level of some of the issues and the challenges that we're facing in trying to promote DNSSEC deployment and what its values are going to be.
Going all the way back to the beginning of this session altogether we had Stephen Mak telling us that DNSSEC affects our entire internet ecosystem. It does. We've had a set of particular players up here today, registry infrastructure providers telling you about their experiences. But the DNS affects everybody. It affects everything that we do, whether you see it or not. The average end-user probably has no idea what DNS is, doesn't care, doesn't need to know, doesn't want to know, and yet it is a critical and essential resource to making anything that we do on the internet work.
So again, Stephen Mak said it affects our entire ecosystem. So it seems ordinary to me, and I hope to you, that protecting it and adding security to it should be the right thing to do. There shouldn't be any question of getting it done. If there's any question at all it's just about when, and what you're going to do with it once it is done.
Vint Cerf talked about DNS being an alternative to certification authorities and DNSSEC being a trust anchor for other network resources. For me I've been, as I said in the beginning here, involved in DNSSEC for a very long time, since the very beginning. I was there in the first discussions and I'm still here today. So at that level I consider myself a little bit of a DNSSEC evangelist and where to go with it. In the early days it was just about protecting the DNS.
But I think DNSSEC is much more than that. It goes to the comment that Vint made in his opening remarks.
DNSSEC to me today is not about protecting the DNS, I think that should be automatic and an ordinary thing.
It's about what we're going to do with it going forward.
The DNS is a critical internet infrastructure resource that everything depends on. It just needs to be secure.
The question now is if DNSSEC, as we protect that infrastructure, how are we going to use that and what are we going to do going forward to make the internet a more secure and safe place? It's a building block. It's a foundation for things to come. We briefly talked here, it was mentioned a couple of times by people about what you could do with DNSSEC. So it has a role in some spam mitigation perhaps. I propose the ideal solution that if everybody deploys DNSSEC so that means if I get an invalid signature, it just simply doesn't exist. So it needs to be secure or it's just not there.
What about email service providers and what they can do to protect the infrastructure? What about web browsers and what they can do to provide a better experience to users? I think we are on the edge of a huge opportunity,
DNSSEC is a significant foundation in what's to come and where we're going to go. And it's really about what you can do with it.
You as registrants, you as domain holders need to think about signing your domain for your customers, you need to do something to make your services better for the people that you interact with every day, and so you need to be thinking about how you want your customers to see and experience a better, safer, more secure internet and create that value proposition for all of us.
So those are my closing remarks. Thank you very much.
And we have a few announcements to make and Desiree is going to come up and give us some final announcements here to end the session today. Thank you.
Desiree Ho: Thank you, James. Just a few announcements. Lunch will be served in the convention hall from now until 2 pm. After lunch please join us in the opening ceremony. It will be held at 2 pm in convention hall. I shall see you there. Thank you.
Enjoy your lunch.