Please note:

You are viewing archival ICANN material. Links and information may be outdated or incorrect. Visit ICANN's main website for current information.

ICANN Meetings in Wellington, New Zealand

DNSSEC Workshop

Tuesday, 28 March 2006

Note: The following is the output of the real-time captioning taken during the DNSSEC Workshop held on 28 March 2006 in Wellington, New Zealand. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

DNSSEC WORKSHOP

>>STEVE CROCKER: COME ON IN.
TAKE A SEAT.
WE'RE HAVING NETWORK TROUBLES.
WE'LL START UP (INAUDIBLE).

>>STEVE CONTE: IF ANYONE HERE IS RUNNING AN AD HOC NETWORK, WE WOULD APPRECIATE IT IF YOU WOULD GET IT DOWN.
WE'RE TRYING TO GET THE ACCESS POINTS WORKING AND WE FEEL MAYBE THE AD HOC NETWORKS ARE HELPING TO AMPLIFY THE ISSUE THAT'S GOING ON RIGHT NOW.
SO IF YOU HAVE ONE RUNNING, PLEASE SHUT IT DOWN.

>>STEVE CROCKER: SO WITH APOLOGIES, WE'RE HAVING NETWORK TROUBLES, WHICH IS KIND OF AN INTERESTING COUNTERPOINT TO PART OF THE SUBJECT THAT WE'RE -- THIS SESSION AND THE PREVIOUS SESSION WERE ALL ABOUT.
THE -- WHAT WE'RE GOING TO DO IS WE'RE GOING TO STALL FOR JUST A TINY BIT LONGER.
AND THEN IF WE CONTINUE TO HAVE NETWORK TROUBLES, WE'LL DO A QUICK SHUFFLE OF THE TOPICS THAT WE'RE GOING TO COVER AND JUST MOVE FORWARD.
AND WE HAVE A DEMO THAT IS INTENDED TO BE PRETTY INTERESTING, BUT IT DOES REQUIRE A NETWORK TO MAKE IT WORK.
SO IF THAT IS NOT AVAILABLE, WE'LL PUSH THAT OFF TO THE END AND HOPE THAT WE'RE BACK IN BUSINESS BY THEN.
I CAN TELL YOU -- THERE'S THIS SIGN OUTSIDE THE FRONT OF THE ROOM HERE, CAUGHT MY ATTENTION, THE INTERNET OPEN & UNCAPTURABLE.
AND WE WERE INTENDING TO GIVE A DEMONSTRATION THAT CHALLENGED THAT A LITTLE BIT, BUT IT SEEMS THAT WE'VE BEEN BEATEN TO THE PUNCH BY OTHER FORCES.
ALL RIGHT.
SO I'M INFORMED THAT THE NETWORK TROUBLES ARE CONTINUING.
MAYBE WE'LL BE IN A POSITION TO SHOW THAT PORTION OF IT TOWARD THE END.
SO WE'LL DO A LITTLE REORDERING.
I'LL TELL YOU WHAT WE WOULD HAVE SHOWN YOU, AND THEN MAYBE WE'LL HAVE AN ACTUAL CHANCE TO ACTUALLY SHOW YOU.
SO WITH THAT, WELCOME TO THE DNSSEC DEPLOYMENT SESSION AT ICANN.
THIS IS A SPECIAL WORKSHOP FOCUSED ON DEPLOYMENT ISSUES.
IT IS ONE OF A SERIES OF SESSIONS THAT WE'VE HAD AT THE LAST SEVERAL ICANN MEETINGS.
THE -- WE FOCUSED ON THE REGISTRY COMMUNITY, ON THE REGISTRAR COMMUNITY.
TODAY, WE HAVE AN INTERESTING FOCUS ON THE DNS MANAGED AND OTHERWISE OUTSOURCED SERVICE PROVIDERS, DNS SERVICE PROVIDERS, WHICH IS NOT A WELL-UNDERSTOOD AND WELL-DEFINED COMMUNITY, SOMEWHAT SURPRISINGLY, SINCE THAT IS RIGHT AT THE CORE OF THE OPERATIONS THAT WE'RE ALL INVOLVED IN.
THIS WILL ALL BECOME A BIT CLEARER AS WE PROGRESS.
THE AGENDA TODAY, OPENING AND A DEMONSTRATION, ALTHOUGH THE DEMONSTRATION WILL BE MOVED TO LATER.
MY NAME IS STEVE CROCKER.
I AM FROM SHINKURO, INCORPORATED, AND HAVE -- I HAVE A ROLE IN ICANN AS CHAIR OF THE SECURITY AND STABILITY ADVISORY COMMITTEE, AND LIAISON ONTO THE BOARD.
BUT I'M ALSO VERY ACTIVELY INVOLVED IN THE PROMULGATION AND ADOPTION OF DNSSEC, AND WITH SUPPORT FROM THE U.S. DEPARTMENT OF HOMELAND SECURITY.
SO WE'RE ACTUALLY PUTTING SORT OF OUR DAY JOB KIND OF TIME IN IT.
MY COLLEAGUE, MARK FELDMAN, SITTING OVER ON THE -- RAISE YOUR HAND, MARK, THERE -- IS HERE TO HELP OUT.
AND IS ALSO ACTIVELY INVOLVED.
WE HAVE A QUITE STELLAR SET OF PEOPLE TO MAKE PRESENTATIONS.
ON MY LEFT IS BRUCE TONKIN, FROM MELBOURNE I.T., LIMITED.
ON MY RIGHT HERE IS ELLIOT NOSS FROM TUCOWS, RAM MOHAN FROM AFILIAS, AND ANDY OZMENT FROM MIT'S LINCOLN LABORATORY.
WE WERE SCHEDULED TO HAVE RODNEY JOFFE FROM ULTRADNS.
HE'S BEEN UNAVOIDABLY DETAINED.
ELLIOT AND I ARE GOING TO ATTEMPT TO CONVEY SOME OF THE QUITE INTERESTING AND IMPORTANT DEVELOPMENTS AT ULTRADNS, PLUS THE PERSPECTIVE THERE.
HERE'S THE DEMO THAT YOU'RE NOT GOING TO SEE AT THE MOMENT.
WE SET UP AN ALTERNATE NETWORK CALLED "BADNET."
AND AT THIS POINT, WE WERE GOING TO ENGAGE IN A LITTLE BIT OF BACK AND FORTH ABOUT HOW LARGE OF A DEMONSTRATION YOU WANTED.
DO YOU WANT TO HIJACK JUST SPECIAL PORTS OR EVERYTHING?
WE CAN ADJUST IT IN REALTIME.
AND THEN IF YOU CONNECT IT UP TO BADNET INSTEAD OF THE ICANN NETWORK, WE CAN MAKE SOME INTERESTING THINGS HAPPEN ON YOUR SCREENS.
I FOUND IT INTERESTING WALKING INTO THE SESSION TODAY, THERE WAS A SIGN RIGHT OUTSIDE THAT SAYS THE NETWORK IS BEING PROVIDED BY INTERNETNZ.
THESE ARE QUITE GOOD PEOPLE.
I HAVE NO -- NOTHING NEGATIVE TO SAY, PARTICULARLY SINCE I'M GOING TO BE INTERACTING WITH THEM IN MORE DETAIL.
BUT THE LAST PART THERE, "THE INTERNET, OPEN & UNCAPTURABLE," CAUGHT MY ATTENTION.
ALL RIGHT.
--

>> (INAUDIBLE).

>>STEVE CROCKER: I'M SORRY?

>> (INAUDIBLE).

>>STEVE CROCKER: THAT'S A MISSION.
THIS IS THE -- THIS IS THE HOPE -- THE HOPE AND THE DESIRE.
WELL, I AGREE WITH THAT.
ALL RIGHT.
SO LET ME COVER JUST BRIEFLY DNSSEC BASICS.
I'VE BORROWED SLIDES FROM RIPE NCC.
THESE GUYS DO A VERY FINE JOB.
AND I'D LIKE TO GIVE THEM CREDIT.
SO WHY DNSSEC?
DNS IS NOT SECURE.
THERE ARE KNOWN VULNERABILITIES.
PEOPLE DEPEND MORE AND MORE ON THE DOMAIN NAME SERVICE.
DNS SECURITY PREVENTS DATA SPOOFING AND CORRUPTION FOR THE -- SORT OF THE LONG-HAUL PART OF THE DNS SYSTEM, THAT IS, AFTER THE ENTRIES ARE CREATED AND PUT INTO THE AUTHORITATIVE SERVERS AND FROM THAT POINT TO WHERE THEY GET CLOSE TO OR RIGHT AT THE END POINT FOR THE USERS.
THIS IS NOT THE RIGHT PLACE TO GET INTO A VERY DETAILED TUTORIAL.
THERE ARE TRAINING WORKSHOPS THAT ARE AVAILABLE.
SO SOME OF THE TERMS THAT ARE SPECIFIC TO DNS TECHNOLOGY, DELEGATIONS, REFERRALS, ZONES, AND SO FORTH, ALTERNATIVE SERVERS, CACHING FORWARDERS, START OF AUTHORITY PARAMETERS AND SO FORTH, I'M NOT GOING TO GET INTO DETAIL, EXCEPT IN ONE PARTICULAR AREA RELATED TO NSEC, WHICH I'M GOING TO TRY TO BRING FORWARD IN A WAY.
SO HERE'S A SORT OF ALL-ENCOMPASSING DIAGRAM OF WHAT THE LOOKUP PROCESS LOOKS LIKE.
AN INITIAL QUERY STARTS FROM A RESOLVER TO A CACHING FORWARDER AND THEN GOES OFF TO A SERIES OF NAME SERVERS, STARTING WITH THE ROOT AND TOP-LEVEL NAME SERVER AND THEN SUBORDINATE NAME SERVER.
AND THEN THE ANSWERS ARE ALL ASSEMBLED BACK INTO THIS RECURSIVE RESOLVER, AND THEN FORWARDED BACK TO THE ORIGINAL QUERY.
THERE'S A SERIES SHOWN HERE, A SERIES OF DIFFERENT STEPS.
AND THE ISSUE AT HAND IS, WHAT HAPPENS IF THERE IS INTERFERENCE ALONG ANY OF THESE PATHS AND WHAT HAPPENS IF THERE IS INTERFERENCE IN THIS CACHING FORWARDER.
NOW, IN PREPARING INFORMATION THAT IS PUT INTO THESE FILES, THE PROCESS IS THAT THERE'S A ZONE ADMINISTRATOR AND ZONE FILES, SOMETIMES DYNAMIC UPDATES THAT CREATE A MASTER FILE.
THAT MASTER FILE IS THEN OFTEN SHARED WITH SEVERAL SECONDARY OR SLAVE SERVERS SO THAT THERE'S MULTIPLE COPIES AROUND.
AND THEN -- OOPS.
AND THEN THE CACHING FORWARDERS AND RESOLVERS MAKE ACCESS TO THIS.
SO THE LEFT HALF OF THIS SLIDE IS THE PREPARATION OF THE MATERIAL.
AND THE RIGHT HALF IS THE ACCESSING OF THAT MATERIAL.
AND HERE'S THE PLACES WHERE THINGS CAN GO WRONG.
AND AS YOU CAN SEE, THERE'S QUITE A FEW OF THEM.
THE FOCUS OF OUR ATTENTION FOR DNSSEC PROTOCOL IS FUNDAMENTALLY ON THE RIGHT-HAND SIDE OF THIS.
AND, TO A CERTAIN EXTENT, RIGHT HERE.
SO WE TAKE AS A GIVEN THAT THE CORRECT INFORMATION IS PUT FORTH INTO THE ZONE FILE AND IT'S COMMUNICATED SECURELY TO THE MASTER, AND THEN IT'S THE REST OF THIS PROCESS THAT WE'RE TRYING TO PROTECT.
LET'S SEE.
SO DNSSEC PROTECTS AGAINST DATA SPOOFING AND CORRUPTION, TSIG AND PROTECTS AGAINST THE OTHER PART OF THE DIAGRAM.
AND THEN THE KEYS AND SIGNATURE RECORDS AND THE NON- -- NEXT SECURE RECORD PROVIDE THE MECHANISMS WITHIN THE DNSSEC PROTOCOL TO ESTABLISH AUTHENTICITY AND THE INTEGRITY OF THE DATA.
AND THE DS RECORDS PROVIDE A MECHANISM TO DELEGATE TRUST DOWN TO THIRD PARTIES THROUGH PUBLIC KEY MECHANISMS.
SO A SECURE DNS IS USED AS AN INFRASTRUCTURE WITH PUBLIC KEYS.
AND THERE'S A NATURAL TENDENCY TO THINK OF THAT AS BEING SIMILAR IN MANY RESPECTS TO A PUBLIC KEY INFRASTRUCTURE.
I DON'T WANT TO GET TOO FAR OFF ON THAT PATH.
BUT IT'S NOT INTENDED THAT DNS SECURITY SERVE AS A COMPLETE REPLACEMENT FOR PUBLIC KEY INFRASTRUCTURE.
BUT -- AND THERE ARE SOME PLACES WHERE THEY WILL OVERLAP AND SOME PLACES WHERE THEY WILL BE JUST COMPLETELY SEPARATE IDEAS.
THE CURRENT STATE OF AFFAIRS IS THAT THE PROTOCOLS, AFTER AN EXTREMELY LONG PERIOD OF TIME, HAVE BEEN PUBLISHED LAST YEAR AS RFCS 4033, 34, AND 35.
JUST ALMOST EXACTLY A YEAR AGO.
THE PRIOR ITERATION WAS RFC2535.
AND THAT'S BEEN SUPERSEDED BY THESE DOCUMENTS.
SO THE -- SO ULTRABRIEF SUMMARY IS THAT DNSSEC PROVIDES INTEGRITY AND AUTHENTICITY BY PROVIDING RESOURCE RECORDS THAT ARE SIGNED CRYPTOGRAPHICALLY WITH A PRIVATE KEY, AND THEN THE PUBLIC HALF OF THE CORRESPONDING PUBLIC KEY IS USED ON THE VERIFICATION SIDE BY RESOLVERS TO CHECK THAT THOSE SIGNATURES ARE CORRECT.
THERE'S ALSO A HIERARCHY OF SIGNATURES, AND CHILDREN SIGN THEIR ZONES WITH THEIR OWN PRIVATE KEYS AND THEN THOSE -- THE PUBLIC PART OF THOSE KEYS ARE THEN ATTESTED TO OR SIGNED BY THE PARENTS.
IF ALL OF THE ZONES ARE SIGNED AND THE HIERARCHY IS COMPLETELY FILLED IN, THEN THERE ONLY NEEDS TO BE ONE PUBLIC KEY FOR THE ROOT THAT IS DISTRIBUTED.
WE'RE SOME DISTANCE FROM THERE, AND WE WILL HAVE TO OPERATE FOR A WHILE WITH MULTIPLE KEYS FOR WHEREVER THERE IS A BREAK IN THE HIERARCHY.
BUT, EVENTUALLY, I BELIEVE WE'LL GET THERE.
ONE PARTICULAR ISSUE IS KIND OF AN OUTSTANDING PROBLEM.
IT'S FORTUNATELY BEING ADDRESSED.
ONE OF THE MORE TECHNICAL ASPECTS OF THE PROTOCOL IS, WHAT HAPPENS IF YOU ASK FOR SOMETHING THAT ISN'T THERE.
SO YOU ASK FOR A NONEXISTENT DOMAIN.
THERE ARE A NUMBER OF POSSIBILITIES.
ONE IS YOU CAN GET NO ANSWER.
ANOTHER IS YOU CAN GET AN ORDINARY ANSWER THAT SAYS THE DOMAIN DOESN'T EXIST.
NEITHER OF THOSE WOULD BE COMPLETELY SATISFACTORY, BECAUSE THEY WOULD PERMIT A BAD GUY TO DELIVER THAT KIND OF RESPONSE AND YOU WOULDN'T KNOW IF IT WAS REALLY TRUE THAT THE DOMAIN DIDN'T EXIST OR IF YOU WERE BEING FOOLED IN SOME FASHION.
SO THERE IS A SIGNED RESPONSE THAT SAYS THE DOMAIN YOU'VE ASKED FOR DOES NOT EXIST, AND WE'RE TELLING YOU THIS WITH THE AUTHORITY AND WITH THE CRYPTOGRAPHIC PROTECTION ON THE ANSWER THAT IS THE SAME AS THE OTHER.
HOWEVER, UNLIKE ORDINARY ANSWERS, WHICH ARE SIGNED IN ADVANCE, IT'S IMPOSSIBLE TO CREATE A SIGNED RESPONSE FOR EVERY POSSIBLE NONEXISTENT DOMAIN, BECAUSE THERE ARE AN ASTRONOMICAL NUMBER, AND THERE'S NO WAY TO GENERATE ALL OF THEM IN ADVANCE.
SO THE SOLUTION THAT WAS ADOPTED IS TO DESCRIBE A WHOLE RANGE OF NONEXISTENT DOMAINS IN THE FORM OF A SPAN.
LET ME SEE.
SO HERE'S AN EXAMPLE.
THIS IS, AGAIN, A LITTLE ON THE TECHNICAL SIDE.
BUT LET'S SUPPOSE THAT IN A CERTAIN DOMAIN, IN RIPE.NET, MAILBOX.RIPE.NET EXISTS AND WWW.RIPE.NET EXISTS, BUT THE QUERY IS FOR POPSERVER.RIPE.NET. AND THAT FALLS IN BETWEEN MAILBOX AND WWW IN AN ALPHABETIC SENSE.
SO THAT BECAUSE THIS IS IN THE "M'S," AND MY MARKER'S JUST DISAPPEARED HERE -- AND POP SERVER FALLS BETWEEN MAILBOX AND TRIPLE W.
SO WHAT COMES BACK WOULD THEN BE A -- LET'S SEE.
WHAT COMES BACK IS A RECORD -- HERE, THIS RECORD HERE, THAT SAYS THERE'S NOTHING BETWEEN MAILBOX AND WWW.
AND THEN IT'S LEFT FOR THE -- ON THE QUERYING SIDE TO DETERMINE THAT, OH, YES, I ASKED FOR POP SERVER.
THAT FALLS BETWEEN MAILBOX AND WWW, AND THEREFORE I'M BEING TOLD THAT IT DOESN'T EXIST.
IT'S A NICE, CLEVER, ELEGANT ANSWER, BUT IT HAS AN UNINTENDED CONSEQUENCE.
AND THE UNINTENDED CONSEQUENCE IS -- HERE ARE SOME MORE COMPLEXITIES.
BUT THE -- WELL, HERE WE GO.
THE UNINTENDED CONSEQUENCE IS THAT IT MAKES IT POSSIBLE TO ASK FOR SOMETHING THAT DOES NOT EXIST AND BE TOLD WHAT THE NEXT ONE THAT DOES EXIST IS.
AND THEN FROM THERE, TO FIGURE OUT WHAT THE NEXT ONE AFTER THAT IS AND THE NEXT ONE AFTER THAT IS AND SO FORTH.
THAT PROCESS IS COLLOQUIALLY KNOWN AS ZONE-WALKING AND MAKES IT POSSIBLE FOR SOMEBODY TO RELATIVELY EFFICIENTLY FIGURE OUT ALL OF THE NAMES IN A TOP-LEVEL DOMAIN OR IN ANY DOMAIN.
THE SENSITIVITY ARISES IN THAT SOME OF THE TOP-LEVEL DOMAIN OPERATORS HAVE TRIED NOT TO MAKE AVAILABLE THE ENTIRE CONTENTS OF THEIR ZONE AND VIEW IT AS A PRIVACY CONSTRAINT.
ORIGINALLY, THE DOMAIN NAME SYSTEM WAS VIEWED AS AN ENTIRELY OPEN SYSTEM, WITHOUT ANY SENSE OF PRIVACY ABOUT WHAT WAS IN THERE.
BUT SENSITIVITY ON THIS POINT HAS INCREASED OVER THE LAST FEW YEARS.
AND THIS SIDE EFFECT OF THE CURRENT DESIGN IS VIEWED AS PROBLEMATIC.
FORTUNATELY, THERE IS A QUITE STRONG FIX BEING PREPARED AND IS ALMOST READY TO GO THAT WILL GO UNDER THE NAME NSEC 3.
I'LL COVER THAT IN JUST A SECOND HERE.
SO BROADLY, ON THE DEPLOYMENT ISSUES, THERE IS A SERIES OF CHALLENGES FOR GETTING EACH OF THE ZONES SIGNED.
AND THEN THERE ARE SOME CHALLENGES ON THE RESOLVERS AND THE APPLICATIONS.
I WANT TO FOCUS MOSTLY ON THE SIGNING SIDE AT THE MOMENT.
HERE'S A ROADMAP FOR GETTING THE ROOT SIGNED.
AND THE ROOT IS PARTICULARLY SENSITIVE BECAUSE EVERYBODY HAS CONCERNS ABOUT WHO CONTROLS THE KEY, WHAT TECHNOLOGY IS BEING USED, HOW OFTEN WILL IT CHANGE.
HOW DO I FIND OUT WHAT THE KEY IS.
THE SIX COMPONENTS OF THIS FAIRLY SMALL, COMPACT ROADMAP ARE THAT THERE'S GOT TO BE A PROCESS FOR GENERATING THE PUBLIC/PRIVATE KEY PAIR FOR THE ROOT, AND THEN A PROCESS FOR DISTRIBUTING THE PUBLIC PART OF THAT KEY TO EVERYBODY SO THAT THEY KNOW WHAT IT IS.
AND THE ROLLOVER PROBLEM OF CHANGING THAT KEY FROM TIME TO TIME, HOPEFULLY NOT VERY OFTEN, IS PART OF THOSE -- THAT PROCESS THERE.
THEN WITH THE PRIVATE KEY GENERATED, CAN BEGIN THE PROCESS OF SIGNING THE ROOT.
THERE ARE TWO PARTS OF THIS.
ONE IS SIGNING THE ROOT WITHOUT HAVING ANY ENTRIES SUPPLIED BY THE TOP-LEVEL DOMAINS, WHICH ARE THE CHILDREN.
AND JUST SIGNING THE PORTIONS OF THE ROOT THAT ARE UNIQUE TO THE ROOT, THE START OF AUTHORITY AND SORT OF THE HEADER INFORMATION.
THERE IS A SPECIAL ROLE IN THE ROOT -- WITH RESPECT TO THE OPERATION OF THE ROOT IN THAT THERE ARE 13 INDEPENDENTLY OPERATED ROOT SERVERS THAT ARE RUN BY ORGANIZATIONS DIFFERENT FROM WHERE THE INFORMATION ABOUT WHAT'S IN THE ROOT IS PREPARED.
SO THIS IS UNIQUE AND DIFFERENT FROM THE OPERATION OF ANY OTHER ZONE.
ALMOST ALWAYS, THE ORGANIZATION THAT PREPARES A ZONE ALSO HAS RESPONSIBILITY FOR PROVIDING THE SERVERS THAT USERS GO TO LOOK IT UP.
IN THIS CASE, YOU HAVE DIFFERENT ORGANIZATIONS.
YOU HAVE FUNDAMENTALLY THE IANA, IN COOPERATION WITH VERISIGN AND WITH OVERSIGHT FROM THE U.S. DEPARTMENT OF COMMERCE, INVOLVED IN THE PREPARATION OF THE ROOT ZONE. AND THEN YOU HAVE A DOZEN ORGANIZATIONS OPERATING 13 DIFFERENT ROOT SERVERS AROUND THE WORLD, AND MANY, MANY COPIES OF EACH OF THOSE 13 AS A SEPARATE COLLECTION OF PEOPLE.
SO STEP D HERE IS WHETHER OR NOT THAT SET OF ORGANIZATIONS ARE IN FACT READY TO SERVE THE ZONE.
WE HAVE BEEN TRACKING THEM AND INTERACTING WITH THEM OVER A PERIOD OF TIME.
FUNDAMENTALLY, THEY'RE READY TO GO RELATIVELY QUICKLY WHEN THE OTHER PIECES ARE IN PLACE.
SOME OF THEM ARE READY TO GO NOW, AND SOME OF THEM WILL MOVE ALONG QUICKLY WHEN THERE'S PRESSURE FROM THE OTHER SIDE.
AND THEN ON THE BOTTOM OF THIS MAP IS THE ACQUISITION OF THE KEYS FROM THE CHILDREN, THAT IS, FROM THE TOP-LEVEL DOMAINS WHEN THEY HAVE THEIR ZONES SIGNED.
WE HAVE ONE TOP-LEVEL DOMAIN THAT IS FULLY SIGNED AND IN OPERATION TODAY, AND OTHERS THAT ARE MOVING FORWARD.
SWEDEN PUT THEIR TOP-LEVEL DOMAIN OPERATION -- SIGNED ZONE INTO OPERATION A COUPLE MONTHS AGO.
AND THAT'S SERVING AS A NICE FLAG AND STIMULUS FOR OTHERS.
WHEN ALL THOSE PIECES COME TOGETHER, THEN WE'LL BE AT THE STAGE F, WHERE WE HAVE A FULLY SIGNED ZONE WITH SIGNED ENTRIES FOR THOSE TOP-LEVEL DOMAINS THAT HAVE KEYS READY TO BE DISTRIBUTED.
WITH RESPECT TO GETTING THE TOP-LEVEL DOMAIN SIGNED, AS I SAID, SWEDEN IS SIGNED AND OPERATIONAL.
RIPE IS RUNNING A PORTION OF THE REVERSE DIRECTORY FOR -- THAT MAPS NUMBERS BACK TO NAMES CALLED IN-ADDR.ARPA. AND IT HAS ITS PORTION SIGNED.
THE LARGE GTLDS, ORG, COM, AND NET, HAVE TEST BEDS THAT ARE EVOLVING.
AND MORE IS COMING ALONG IN GOOD ORDER.
I MENTIONED THE ZONE WALKING PROBLEM.
THAT IS ONE OF THE IMPEDIMENTS FOR SOME NUMBER OF TOP-LEVEL DOMAIN OPERATORS.
NSEC3, WHICH USES A DIFFERENT WAY OF CHARACTERIZING A SPAN OF MISSING RECORDS OR NONEXISTENT RECORDS THAT CANNOT BE UNTANGLED BACK TO THE ORIGINAL NAMES IS DESIGNED, AND THERE'S A SHAKEDOWN WORKSHOP EARLY PART OF MAY, SO SORT OF IN ABOUT SIX WEEKS, AT THE GERMAN REGISTRY DENIC.
THERE IS A SLIGHTLY DIFFERENT PROBLEM.
THE DNSSEC IMPOSES SOMEWHAT GREATER RESOURCE REQUIREMENTS, PARTICULARLY MEMORY REQUIREMENTS AND, TO SOME EXTENT, BANDWIDTH, BUT MEMORY IS THE KEY ONE.
THE IMPACT IN A PRACTICAL SENSE IS GREATEST ON THE VERY LARGEST DOMAINS.
AND THE CURRENT DESIGN REQUIRES ONE NSEC RECORD FOR EVERY DELEGATION, EVEN IF THOSE DELEGATIONS ARE NOT SIGNED.
THERE IS A VERY SLIGHT VARIANT WHICH CHANGES THE USE OF THE NSEC OR THE NSEC3 RECORDS TO GO ONLY BETWEEN SIGNED ZONES.
WHEN ALL OF THE CHILDREN OF A ZONE ARE SIGNED, THIS MAKES NO DIFFERENCE.
BUT IN THE TRANSITION PROCESS, THE LATTER, WHICH SOMETIMES IS CALLED OPT IN, ALTHOUGH THAT'S A SLIGHTLY MISLEADING TERM, REDUCES THE INITIAL COST AND SPREADS A TOTAL COST OVER THE ADOPTION PERIOD IN A MUCH MORE SENSIBLE WAY.
THE TECHNICAL WORK THAT'S UNDERWAY ACTUALLY IS LOOKING AT BOTH OF THESE CHANGES, NSEC3 AND OPT-IN TOGETHER.
AND BOTH SPECS ARE ADVANCING ALONG.
SO THEN THAT BRINGS US DOWN TO THE SECOND-LEVEL DOMAINS, ENTERPRISES, UNIVERSITIES, SMALL BUSINESSES, PERSONAL DOMAINS, AND SO FORTH.
AND, NOW, HERE IS WHERE THERE IS A VERY INTERESTING AND I THINK EXTREMELY IMPORTANT ASPECT.
NORMALLY, WHEN THERE'S A DISCUSSION ABOUT OPERATION OF AN ENTERPRISE ZONE, THE DISCUSSION IS IN TERMS OF THE IN-HOUSE OPERATION, THE I.T. DEPARTMENT OR THE NETWORK MANAGEMENT DEPARTMENT WITHIN AN ORGANIZATION.
AND THEN WHEN THERE'S A DISCUSSION ABOUT WHAT IT TAKES TO BRING DNSSEC INTO OPERATION, THE DETAILS ARE, WHAT KIND OF SOFTWARE DO YOU HAVE TO HAVE?
DO YOU NEED ANY MORE HARDWARE?
DO YOU NEED SPECIAL HARDWARE FOR THE CRYPTOGRAPHY?
WHAT ARE THE KEY LIFETIMES?
AND WHO'S IN CHARGE?
WHAT'S THE MANAGEMENT CHAIN?
WHAT ARE THE PROCEDURES?
WHAT KIND OF TRAINING?
ALL OF THOSE THINGS ARE, INDEED, VERY IMPORTANT.
AND THERE'S AN EXTENSIVE SET OF TRAINING MATERIAL, AND THERE'S MORE TO COME.
AND THERE IS A SMALL SET, A GROWING SET, OF ORGANIZATIONS THAT ARE DOING THIS ALREADY.
AND LET ME INVITE ANYBODY WHO WANTS TO GET THEIR OWN ZONE SIGNED TO BECOME A FOUNDING OPERATOR.
I'LL SHOW YOU IN A MINUTE A -- THE BEGINNINGS OF A LIST AND SOME SUPPORT FOR THAT.
HOWEVER, THE OTHER SIDE OF THINGS IS THAT THERE TURN OUT TO BE A VERY LARGE NUMBER OF ZONES THAT ARE NOT MAINTAINED WHERE THE NAME SERVERS ARE NOT THE NAME SERVERS INSIDE OF THE ENTERPRISE, BUT ARE ELSEWHERE.
QUITE OFTEN, THIS IS TAKEN CARE OF BY THE REGISTRARS, AND SOMETIMES BY HOSTING SERVICES.
AND IT'S ONE OF THOSE THINGS THAT OFTEN IS NOT EVEN IN THE CONSCIOUSNESS OF THE PEOPLE WHO HAVE THE ZONES.
FREQUENTLY, THE ZONES ARE VERY SMALL.
THERE'S ANOTHER CLASS OF ZONE OPERATORS THAT SPECIALIZE IN RUNNING ZONES, ULTRADNS, VERISIGN, AKAMAI, AND SEVERAL OTHERS, THAT PROVIDE HIGH-QUALITY MANAGED DNS SERVICE.
AND LATER ON IN THE PROGRAM TODAY, WE'LL FOCUS ON SOME OF THE PLANS THAT ULTRADNS HAS, WHICH ARE, I THINK, GOING TO HELP MOVE THINGS FORWARD.
THE REALLY IMPORTANT ASPECT IS THAT ONCE ONE OF THESE DNS SERVICE PROVIDERS PROVIDES SIGNED ZONES FOR ONE OF ITS CUSTOMERS, IT CAN DO SO FOR THE REST OF ITS CUSTOMERS WITHOUT ANY ADDITIONAL INVESTMENT IN THE PROCEDURES, IN THE SOFTWARE, IN THE HARDWARE, IN THE LEARNING CURVE ASPECT.
AND THE CUSTOMERS DO NOT NEED TO DO ANYTHING OTHER THAN PERHAPS SAY, "YES," OR EVEN THAT, IT MAY BE THAT A PARTICULAR SERVICE PROVIDER SAYS WE'RE JUST GOING TO DO THIS FOR EVERYBODY.
THAT DEPENDS A BIT ON THE BUSINESS MODELS.
BUT AT MOST, IT INVOLVES SAYING "YES," AND PERHAPS ACCOMMODATING AN ADDITIONAL CHARGE.
BUT THERE IS NO IMPACT ON THEIR INTERNAL OPERATION.
THERE IS NO TRAINING; THERE'S NO POLICY ISSUES; THERE'S NO LEARNING CURVE, AND SO FORTH.
SO WE EXPECT THAT BEYOND THE INITIAL SET OF SORT OF FOUNDING DNSSEC ZONE OPERATORS, MY SMALL COMPANY, FOR EXAMPLE, WE NOW HAVE A SIGNED ZONE, AND THERE'S SEVERAL OTHERS, THAT THE NEXT BIG WAVE WILL ACTUALLY COME FROM OUTSOURCED DNS SERVICE PROVIDERS SIGNING ZONES ON BEHALF OF THEIR CUSTOMERS.
SO THAT'S -- I'LL CLOSE THIS PART WITH OPPORTUNITY.
IN THE VERY SHORT RUN, IF YOU WANT TO BECOME A FOUNDING OPERATOR, THERE IS A LITTLE LIST.
LET ME SEE IF I CAN PULL UP WHAT THAT LOOKS LIKE HERE.
LET'S SEE.
I DON'T KNOW HOW TO GET THE SIZE CORRECT FOR THIS SCREEN.
WELL, I'LL MOVE YOU AROUND HERE.
SO HERE'S A -- THE BEGINNINGS OF A LIST THAT WE'VE STARTED WHERE EVEN IF YOU DO NOT HAVE THE CAPABILITIES OF SIGNING THE ZONE YOURSELF, THERE'S A HANDFUL OF US THAT WILL BE HAPPY FOR A VERY MODEST-SIZED ZONE, NOT FOR BIG, HAIRY ZONES, TO SIGN THEM OR TO RUN PRIMARY OR SECONDARY SERVERS. AND WE ALSO INVITE ANYBODY ELSE WHO WANTS TO BE PART OF THIS COLLABORATIVE CONSORTIUM TO DO SO.
AND HERE'S WHAT THE TABLE LOOKS LIKE AT THE MOMENT.
SO THERE'S WHO WILL SIGN OR BE A SECONDARY OR PRIMARY, WHETHER IT'S ACCESSIBLE BY IPV4 OR IPV6, WHETHER THE OTHER PARTY WANTS TO MAKE A CHARGE, AND WHETHER OR NOT THE ARRANGEMENT IS YOU HOST US AND WE'LL HOST YOU, OR WHETHER THEY'LL DO IT JUST ON BEHALF OF THE COMMUNITY AT LARGE.
NLNET LABS, FOR EXAMPLE, IN THE NETHERLANDS SAYS THEY'LL HOST SECONDARY ZONES FOR ANYBODY, NO REQUIREMENT, NO FEE, NO MUTUAL SERVICE REQUIRED.
ALL RIGHT.
SO WITH THAT, I THINK THAT IS THE END OF THE FIRST PART HERE.
LET ME TURN THINGS OVER TO -- OH.
SO I'LL COME BACK TO THIS AT THE TAIL END, BUT THERE IS A SERIES OF RESOURCES AND CONTACTS.
SO WITH THAT, LET ME TURN THE NEXT PERIOD OF TIME OVER TO ANDY OZMENT, WHO WILL MODERATE AND THEN WRAP UP THE -- SORT OF THE MIDDLE PART OF THE PROGRAM HERE.
ANDY.

>>ANDY OZMENT: THANK YOU.
ONCE AGAIN, MY NAME IS ANDY OZMENT FROM MIT LINCOLN LABORATORY.
IN THIS SECTION OF THE MEETING THIS MORNING, I'M GOING TO GIVE A BRIEF OVERVIEW OF SOME OF THE BUSINESS OPPORTUNITIES AND SOME OF THE OPPORTUNITIES WE SEE THAT DNSSEC PROVIDES. THEN BRUCE TONKIN IS GOING TO DISCUSS DEPLOYMENT, AND RAM WILL TALK ABOUT DNSSEC AS A RISK MANAGEMENT TOOL, AND I WILL COME BACK AND TALK ABOUT INCREASING THE VALUE OF THE DNS.
SO STEVE HAS GIVEN YOU A GOOD IDEA OF HOW DNSSEC WORKS. I WANT TO HIGHLIGHT, IF YOU WERE AN E-COMMERCE ORGANIZATION, FOR EXAMPLE, THEN YOU ARE EXTRAORDINARILY INTERESTED IN ENSURING THE SECURITY AND AVAILABILITY OF YOUR CONNECTION TO YOUR CUSTOMERS.
SO DNSSEC PROVIDES HIGH SECURITY INFRASTRUCTURE FOR E-COMMERCE ORGANIZATIONS OR ANY ORGANIZATION THAT IS VERY CONCERNED ABOUT THEIR WEB PRESENCE, WHETHER THAT'S BUSINESS-TO-BUSINESS OR BUSINESS-TO-CONSUMER.
SO THERE IS AN OPPORTUNITY HERE FOR SERVICE PROVIDERS TO OFFER A MORE SECURE SERVICE TO THESE ORGANIZATIONS.
AS A RESULT, WE ARE GOING TO SEE ADOPTION STARTING FROM THE TOP WITH LARGE ORGANIZATIONS THAT VALUE SECURITY AND ORGANIZATIONS THAT WANT TO SIGNAL THAT THEY VALUE SECURITY WILL BE THE INITIAL DEPLOYERS, AS WILL THE INFRASTRUCTURE PROVIDERS THAT TARGET THESE LARGE ORGANIZATIONS.
ON THE CONSUMER SIDE, DNSSEC IS GOING TO INCREASE THE WILLINGNESS OF CONSUMERS TO TRANSACT ON THE INTERNET. AND I AM NOT SUGGESTING THAT CONSUMERS WILL UNDERSTAND THIS TECHNOLOGY, BUT THEY WILL UNDERSTAND THAT A SITE IS USING ALL THE SECURITY MEASURES AVAILABLE TO IT, AND THEY WILL READ ABOUT PHARMING ATTACKS IN THE MEDIA AND THEY WILL READ THAT SITES USING DNSSEC PROTECT THEMSELVES AND THEIR CONSUMERS AGAINST IT. AND KNOWING THAT PROTECTIONS ARE AVAILABLE AND IN USE BY THESE HIGH-VALUE SITES WILL INCREASE CONSUMERS' TRUST IN THE INTERNET AND IN THE SITES THAT USE THIS TECHNOLOGY.
SO DNSSEC HELPS BOTH IMPROVE THE SECURITY OF THE INFRASTRUCTURE. IT ENABLES BUSINESSES TO TAKE ADDITIONAL PRECAUTIONS, AND IT INCREASES CONSUMERS' TRUST IN THE INTERNET.
AND AFTER RAM AND BRUCE TALK, I AM GOING TO DISCUSS A BENEFIT THAT WE HAVEN'T PREVIOUSLY MENTIONED OR THAT WE HAVEN'T PREVIOUSLY GONE INTO DETAIL ABOUT, WHICH IS THAT DNSSEC WILL ACTUALLY INCREASE THE VALUE OF THE DNS ITSELF. AND IT WILL DO THIS BY ENABLING DEVELOPERS AND BUSINESSES TO USE THE DNS FOR NEW APPLICATIONS.
SO RIGHT NOW, LET ME PASS TO BRUCE TONKIN. HE IS GOING TO DISCUSS DEPLOYMENT STEPS FOR DNSSEC.

>>BRUCE TONKIN: THANK YOU, ANDY.
I WAS ASKED TO GIVE A BIT OF A TALK ABOUT HOW A REGISTRAR WOULD MAKE A DECISION ON WHETHER TO OFFER THIS TO CUSTOMERS OR A DNS SERVICE PROVIDER FOR THAT MATTER, AND WHAT ARE SOME OF THE THINGS THAT WE WOULD BE THINKING ABOUT WHEN WE DID THAT.
I THINK PROBABLY THE BEST THING I COULD SAY IS TO -- THIS IS ALL ABOUT MANAGING EXPECTATIONS. AND I HAVE BEEN INVOLVED IN TWO THINGS, AND I CAN ACTUALLY NOW SAY IT WAS A CENTURY AGO. IT WAS THE LATE '90S. AND IT SEEMS LIKE 100 YEARS AGO. BUT ONE OF THEM WAS THE INTRODUCTION OF WEB SITE DIGITAL CERTIFICATES, OR JUST DIGITAL CERTIFICATES IN GENERAL. AND THE OTHER WAS THE BEGINNINGS OF THE INTRODUCTION OF INTERNATIONALIZED DOMAIN NAMES.
THE EARLY DAYS WERE OBVIOUSLY FAIRLY PROPRIETARY RATHER THAN THE CURRENT STANDARDS-BASED SOLUTION WE HAVE TODAY.
BUT IN BOTH CASES, I THINK THOSE TECHNOLOGIES CAUSED PROBLEMS IN THAT WHEN COMPANIES LIKE MELBOURNE IT BEGAN TO SELL THOSE SORT OF SERVICES, BECAUSE WE DIDN'T MANAGE EXPECTATIONS AND DIDN'T MEET THE EXPECTATIONS OF THOSE PURCHASING THOSE SERVICES, WE RAN INTO PROBLEMS. AND THAT EFFECTIVELY MEANT IT TOOK ANOTHER FIVE OR SO YEARS BEFORE MANY OF THOSE ORGANIZATIONS WOULD TAKE THAT TECHNOLOGY SERIOUSLY AGAIN.
SO IN THE EARLIER ADOPTION PHASE OF THESE TECHNOLOGIES, WE NEED TO BE VERY CLEAR THAT IT IS IN THE EARLY STAGES AND WHAT YOU DO GET FOR YOUR INVESTMENT AT THIS EARLY STAGE.
SO I'LL JUST TAKE YOU THROUGH KIND OF AN ANALOGY HERE WHICH IS WEB SITE DIGITAL CERTIFICATES.
TODAY, MOST PEOPLE THAT OPERATE A WEB SITE DON'T REALLY UNDERSTAND WEB SITE DIGITAL CERTIFICATES. AND MOST PEOPLE THAT ACCESS WEB SITES TODAY DON'T REALLY UNDERSTAND HOW DIGITAL CERTIFICATES WORK.
HOWEVER, MOST PEOPLE CONDUCTING E-COMMERCE HAVE A PERCEIVED NEED THAT THEY NEED TO HAVE THESE DIGITAL CERTIFICATES, AND THAT'S A GOOD THING. DIGITAL CERTIFICATES DO PROVIDE A MORE SECURE INFRASTRUCTURE.
AND TODAY, THERE ARE SOME PREMIUM VERSIONS AND SOME LOW-COST VERSIONS NOW AVAILABLE. AGAIN, DUE TO THE COMMENTS I JUST MADE EARLIER THAT PEOPLE DON'T REALLY UNDERSTAND HOW IT WORKS, THEY HAVE DIFFICULTY JUDGING AS TO WHY THEY SHOULD PAY FOR A PREMIUM OR WHY THEY SHOULD GO FOR LOWER COST. BUT PROBABLY LARGER COMPANIES FEEL THAT IF THEY GO FOR A PREMIUM AND THEY ARE GOING FOR A TRUSTED BRAND AND IT'S FROM A COMPANY THAT'S HAD A HISTORY IN INTERNET SECURITY, THEY WILL TEND TO LEAN IN THAT DIRECTION. WHEREAS OTHERS WHO ARE COST SENSITIVE BUT AT LEAST WANT TO BE SEEN AS DOING SOMETHING ABOUT SECURITY WILL PROBABLY GO TOWARDS A LOWER COST VERSION.
AND CERTAINLY CONSUMERS TODAY DO UNDERSTAND THAT THERE IS SOME SORT OF -- AND I'LL JUST PUT INVERTED COMMAS, "SECURE MODE" THAT IS NEEDED BEFORE YOU EXCHANGE PERSONAL OR CREDIT CARD INFORMATION.
SO MANY PEOPLE ARE HAPPY SURFING THE INTERNET. THEY DON'T REALLY CARE WHERE THEY GO, BUT THE MINUTE THEY HAVE TO ACTUALLY ENTER THEIR HOME ADDRESS OR THEIR TELEPHONE NUMBER OR THEIR CREDIT CARD, THEY SUDDENLY THINK, "OKAY, DO I REALLY WANT TO DO THIS?" AND THEY MAY LOOK AT A COUPLE OF THINGS. IS IT AN ORGANIZATION THEY TRUST, TO START WITH. AND THEY MAY ALSO SORT OF THING, YOU AND I INTERACT WITH ORGANIZATIONS I TRUST, SUCH AS A BANK, THERE MAY BE SUCH INDICATION OR THEY SAY SOMETHING ON THEIR WEB SITE ABOUT SECURITY. SO WHEN THEY LOOK AT AN ORGANIZATION THAT THEY MAY NOT KNOW AS WELL, THEY ARE PROBABLY LOOKING FOR SOME VISUAL INDICATION OF SOME SORT THAT WHAT THEY ARE ABOUT TO DO IS SECURE.
SO IF WE LOOK AT WHAT'S INVOLVED IN DNSSEC AND THE STEPS AND DEPLOYMENT, THERE ARE VARIOUS OPERATORS THAT OPERATE DNS ZONES. THERE'S OBVIOUSLY THE TOP-LEVEL DOMAIN REGISTRY ZONES. AND TYPICALLY, THE AVERAGE USER DOESN'T DIRECTLY INTERACT WITH ANY OF THOSE ZONES. THEY GO THROUGH ANOTHER COMPANY, WHETHER IT'S A REGISTRAR OR IT COULD BE A COMPANY THAT, IN TURN, GOES THROUGH A REGISTRAR BEFORE ANY RECORDS ARE INSERTED INTO THE REGISTRY.
THEN THERE ARE INFRASTRUCTURE SERVICE PROVIDERS, SOME OF WHICH SPECIALIZE IN DNS. AND THERE ARE A FEW OF THOSE. ULTRADNS WAS MENTIONED IN ONE OF THE PRESENTATIONS EARLIER. MANY REGISTRARS PROVIDE SPECIALIST DNS SERVICES. AND THESE SERVICES COULD BE FOR A SECOND- OR THIRD-LEVEL ZONE BELOW THE TOP LEVEL.
LET ME JUST TURN THIS OFF.
(PHONE RINGING).
YOU CAN ALWAYS GUARANTEE YOU WILL GET A PHONE CALL WHEN YOU ARE DOING A PRESENTATION.
AND THEN ALSO, OPERATORS THAT PROVIDE E-MAIL SERVICES AND HOST WEB SITES, TYPICALLY ARE RUNNING A DNS ZONE THEMSELVES. THERE ARE ALSO WHAT I CALL HERE REGISTRANT ZONES. YOU DON'T HAVE TO BE SOMEONE HUGE TO RUN A DNS ZONE. YOU CAN RUN A DNS ZONE ON THIS LAPTOP IF YOU WANT TO. BUT WHEN IT COMES TO REGISTRANTS, THEY ARE TYPICALLY LARGE CORPORATES THAT HAVE I.T. STAFF AND SKILLED RESOURCES, OR THEY ARE PROBABLY INDIVIDUALS THAT ARE INTERESTED IN MAKING SURE THAT THEY ARE SEEN TO DO THE LATEST THING. AND THESE PEOPLE, THE INDIVIDUALS ARE LIKELY TO BE CONSULTANTS AND PROVIDE SERVICES FOR OTHER ORGANIZATIONS. SO IN THE EARLY STAGES, THEY WANT TO MAKE SURE THEY ARE UP-TO-DATE IN LEARNING ABOUT A NEW TECHNOLOGY SO THEY CAN PROVIDE ADVICE TO BIGGER ORGANIZATIONS.
SO THE EARLY ADOPTERS FOR SOMETHING LIKE DNSSEC ARE EITHER GOING TO BE LARGE ORGANIZATIONS THAT VALUE SECURITY, AND PROBABLY MORE IMPORTANTLY NEED TO BE SEEN TO BE TAKING SECURITY SERIOUSLY.
SO OBVIOUSLY, AND I USED ANALOGIES YESTERDAY THAT IF YOU WERE TO GO BACK A COUPLE OF HUNDRED YEARS AGO AND YOU WERE TALKING ABOUT PUTTING YOUR MONEY IN A BANK IN A SMALL TOWN IN, LET'S SAY, OUTSIDE OF A MAJOR CITY, THE MAIN THING THAT GAVE YOU A FEELING THAT THIS WAS A SAFE THING TO DO WAS THAT YOU SAW THIS REALLY STRONG STONE BUILDING. WHEN YOU WENT INSIDE THE STONE BUILDING YOU SAW A HUGE BIG DOOR OF SOME SORT THAT LOOKED LIKE IT WAS MADE OF IRON AND SEEMED TO BE IMPREGNABLE. EVEN THOUGH THERE ARE PROBABLY BACK DOORS OUT THE BACK THAT WAS PROBABLY JUST A WOODEN DOOR THAT COULD BE OPENED WITH A CROWBAR, AT LEAST WHEN YOU WALKED IN THE FRONT OF THE BUILDING IT LOOKED PRETTY SOLID.
SO CERTAINLY, ORGANIZATIONS THAT WANT THEIR CUSTOMERS TO INTERACT WITH THEM WITH EITHER FINANCIAL OR PERSONAL INFORMATION CERTAINLY WANT TO MAKE THE FRONT DOOR LOOK LIKE IT'S A BIG, SECURE, STABLE ORGANIZATION. AND IS A SAFE ORGANIZATION TO DO BUSINESS WITH.
AND WHETHER IT'S DIGITAL CERTIFICATES OR DNSSEC, THESE ORGANIZATIONS, AT THE VERY LEAST, THEIR MARKETING PEOPLE WANT TO BE ABLE TO SAY THAT THEY ARE USING SOMETHING THAT'S SECURE, AND WILL NO DOUBT SAY THAT THEY ARE -- ONE OF THE THINGS THAT THEY DO IS DNSSEC, EVEN IF THEY DON'T KNOW WHAT THAT MEANS.
INFRASTRUCTURE PROVIDERS THAT TARGET THESE LARGE ORGANIZATIONS ARE ALSO LIKELY TO BE EARLY ADOPTERS. AND THERE ARE MANY INFRASTRUCTURE PROVIDERS IN THE INTERNET. THERE ARE MANY REGISTRARS. I THINK I HEARD THERE ARE 575 REGISTRARS TODAY FOR .COM. AND OBVIOUSLY THEY VARY TREMENDOUSLY IN THE SORT OF CLIENTS OR CUSTOMERS THAT THEY SERVE.
LIKEWISE, WHEN YOU ARE LOOKING AT WEB HOSTING ORGANIZATIONS, THEY VARY FROM ORGANIZATIONS THAT ARE HOSTING TENS OF THOUSANDS OF CUSTOMERS OR EVEN HUNDREDS OF THOUSANDS OF CUSTOMERS, BUT THOSE CUSTOMERS MAY EACH PAY ONLY A FEW DOLLARS FOR THE SERVICE. AND YOU ALSO HAVE WEB HOSTING ORGANIZATIONS THAT HAVE MAYBE TEN CUSTOMERS, AND THEY CHARGE HUNDREDS OF THOUSANDS OF DOLLARS PER CUSTOMER.
SO IT'S THOSE DNS PROVIDERS THAT ARE MOST LIKELY TO BE THE EARLY ADOPTERS OF DNSSEC, BECAUSE THEY SERVICE THE MARKET WHERE SECURITY IS MOST IMPORTANT.
THE OTHER EARLY ADOPTER WOULD BE TECHNICALLY SKILLED INDIVIDUALS THAT EITHER WANT TO BE SEEN TO BE USING THE LATEST THING OR WANT TO BUILD THEIR SKILLS. AND CERTAINLY SOME INFRASTRUCTURE PROVIDERS DO TARGET THAT MARKET AS WELL. AND SO THERE'S AN OPPORTUNITY THERE.
THEN AS YOU MOVE MORE INTO MAINSTREAM DEPLOYMENT, YOU WILL FIND THAT MOST INDIVIDUALS AND ORGANIZATIONS IN THE MAINSTREAM WILL NOT HAVE THE SKILLS NEEDED TO MANAGE DNSSEC SETUP AND MAINTENANCE. AND THESE ORGANIZATIONS USUALLY USE REGISTRARS, WEB HOSTING, E-MAIL HOSTING COMPANIES TO PROVIDE THESE SERVICES TODAY, EVEN FOR THINGS THAT AREN'T BASED ON SECURITY.
AND THOSE, IF YOU LIKE, INTERMEDIARIES, THE REGISTRARS, HOSTING, WILL INCORPORATE DNSSEC INTO THEIR SERVICE. IT WILL INITIALLY BE A PREMIUM SERVICE, SOME SORT OF OPTIONAL EXTRA, AND PROBABLY THE CLOSEST EXAMPLE I COULD GIVE FOR THE DOMAIN NAME INDUSTRY TODAY IS PRIVATE REGISTRATION SERVICES. IN THE PAST TWO YEARS, A NUMBER OF LARGE REGISTRARS HAVE OFFERED PRIVATE REGISTRATION SERVICES, AND THEY CHARGE A FEW DOLLARS EXTRA FOR THAT SERVICE.
WHEREAS WHAT I'M SEEING THIS YEAR IN 2006 IS THAT SOME REGISTRARS NOW MAKE THAT PART OF THE SERVICE. IT'S NOT AN OPTIONAL EXTRA; IT'S JUST PART OF THE SERVICE.
AND THIS IS PROBABLY SIMILAR TO OTHER TECHNOLOGIES. IF WE USE AN ANALOGY OF MOTOR CARS.
YOU WILL FIND THINGS LIKE ANTI-LOCK BRAKES MAY WELL BE USED IN THE PREMIUM OR LUXURY VERSION OF A CAR. AGAIN, THE AVERAGE INDIVIDUAL HAS NO IDEA HOW ANTI-LOCK BRAKES WORK, BUT THE FACT THAT THEY ARE BUYING A PREMIUM AND BUYING THE WORLD'S BEST CAR, THEY EXPECT IT TO HAVE THE BEST TECHNOLOGY AND ANTI-LOCK BRAKES IS EXPECTED TO BE PART OF THAT.
AND THEN AS IT MOVES INTO THE MAINSTREAM, IT STARTS AS AN OPTION ON THE STANDARD FAMILY CAR. SO THE STANDARD FAMILY CAR MOST PEOPLE WOULD HAVE, YOU WILL PAY MAYBE A FEW THOUSAND DOLLARS EXTRA FOR THIS FEATURE. AND THEN A COUPLE OF YEARS LATER YOU WILL FIND THAT IT'S JUST IN EVERY FAMILY CAR, AND ACTUALLY IT'S CEASED TO EVEN BE MENTIONED. AND THINGS LIKE ANTI-LOCK BRAKES YOU DON'T SEE MENTIONED AS MUCH ANYMORE BECAUSE IT'S JUST ASSUMED THAT'S IN EVERY CAR.
AND I THINK THAT WILL BE THE SAME IN THE DEPLOYMENT OF DNSSEC.
SO THEN YOU MOVE TO LATE ADOPTERS WHERE YOU WILL NEVER EVEN SEE THE WORD. IT WILL NEVER GET MENTIONED. YOU WON'T EVEN BE AWARE OF ITS EXISTENCE BECAUSE IT WILL BE INCORPORATED INTO ALL THE SERVICES AND APPLICATIONS BEING USED ON THE INTERNET.
BUT I THINK IT'S IMPORTANT TO POINT OUT, AND I THINK STEVE HAS DONE THAT IN TRYING TO EXPLAIN SOME OF THE STEPS, BUT IT'S MORE THAN JUST PUTTING A SERVICE IN THE INFRASTRUCTURE. IT HAS TO WORK END-TO-END IN THAT APPLICATIONS AND OTHER THINGS NEED TO BE AWARE WHEN SOMETHING HAS GONE WRONG AND GIVE CONSUMERS SOME SORT OF VISUAL INDICATION.
AND SO IN SOME WAYS IT'S A BIT LIKE THE EARLY DAYS OF INTERNATIONALIZED DOMAIN NAMES. FOR SOME TIME, REGISTRIES LIKE VERISIGN HAVE HAD SUPPORT FOR INTERNATIONALIZED DOMAIN NAMES AT THE SECOND LEVEL, BUT YOU STILL DON'T SEE VERY MANY OF THEM IN THE COMMUNITY BECAUSE THE END-USER SOFTWARE, IT TAKES A WHILE BEFORE IT'S INCORPORATED THERE. AND, YOU KNOW, YOU CAN ACTUALLY USE THEM.
DNSSEC IS NOT THE SAME THING. IT'S NOT SOMETHING YOU REALLY SEE AS A CONSUMER, BUT AT LEAST YOU WOULD EXPECT AN APPLICATION TO SAY, HEY, THIS IS NOT SECURE. YOU KNOW, DON'T PUT YOUR DETAILS IN HERE. AT THE VERY LEAST YOU WOULD WANT SOME SORT OF APPLICATION SUPPORT THAT TELLS YOU, AS A USER, THAT THERE'S SOME SORT OF SECURITY PROBLEM.
SO JUST HAVING THE FEATURE OF DNSSEC IS NOT GOOD ENOUGH ON ITS OWN. YOU ALSO HAVE TO HAVE THE APPLICATION INFRASTRUCTURE THAT LETS YOU KNOW WHEN THERE'S A PROBLEM.
SO I THINK THE NEXT STEPS FROM MY POINT OF VIEW ARE RAISING THE AWARENESS OF THE BENEFITS OF DNSSEC TO THOSE ORGANIZATIONS THAT TODAY VALUE SECURITY. AND THESE -- AND THOSE ORGANIZATIONS THAT NEED TO BE SEEN TO BE TAKING PRECAUTIONS OF SOME SORT. EVEN IF THEY DON'T KNOW WHAT THOSE PRECAUTIONS ARE OR HOW THEY WORK, THEY DEFINITELY NEED TO BE SEEN TO BE TAKING PRECAUTIONS.
WE NEED TO MANAGE THE EXPECTATIONS REGARDING WHEN THE SERVICES WILL BECOME MORE WIDESPREAD SO WE AVOID THE MISTAKES OF SOME PAST TECHNICAL DEPLOYMENTS IN THE DNS.
AND I BELIEVE THAT THE INFRASTRUCTURE PROVIDERS THAT CURRENTLY TARGET LARGER ORGANIZATIONS THAT CARE ABOUT SECURITY AND TECHNICAL EARLY ADOPTERS SHOULD BEGIN TO EXPERIMENT AND BUILD EXPERTISE SO THAT WHEN IT IS BEGINNING TO GET READY FOR DEPLOYMENT, YOU CAN TAKE ADVANTAGE OF THAT OPPORTUNITY AND REINFORCE, I GUESS, THE PREMIUM SERVICE THAT IS A FEATURE OF THAT MARKET.
SO THAT'S ALL FOR ME.

>>RAM MOHAN: THANK YOU, AND WELCOME. MY NAME IS RAM MOHAN. I AM THE CTO FOR AFILIAS, WE'RE THE REGISTRY OPERATOR FOR .INFO AND PROVIDE REGISTRY SERVICES FOR A NUMBER OF OTHER TLDS, INCLUDING .ORG AND SOON TO BE .MOBI.
MY FOCUS TODAY IS A LITTLE BIT MORE ABOUT DNSSEC AS A RISK MANAGEMENT TOOL.
WE'VE HAD MULTIPLE PRESENTATIONS, NOT JUST TODAY BUT ALSO IN ICANN WORKSHOPS PRIOR, WHERE WE HAVE HAD, YOU KNOW, FOLKS TALK ABOUT DNSSEC, ITS VALUE, ITS BENEFITS AND THINGS LIKE THAT. BUT ONE OF THE THINGS THAT WE'VE HEARD FROM NETWORK OPERATORS, AS WELL AS FROM REGISTRARS, IS HEY, THERE IS NO DEMAND IN THE MARKETPLACE. OUR CUSTOMERS AREN'T TELLING US THAT THEY NEED DNSSEC. AND WITHOUT HAVING THAT KIND OF DEMAND, IT'S VERY HARD FOR US TO MAKE A CASE TO OUR CFO OR CEO OR EVEN TO OUR CIOS TO JUSTIFY WHY AN INVESTMENT IN DNSSEC IS USEFUL AND VALUABLE.
SO MY FOCUS TODAY IS TO TRY AND BRING A DIFFERENT OR ANOTHER PERSPECTIVE IN HOW TO EVALUATE AN INVESTMENT IN DNSSEC.
I MEAN, THE TECHNOLOGY PROMISES TO BRING INTEGRITY --

>>BRUCE TONKIN: IF YOU WANT, YOU CAN TRANSFER TO MY SEAT.

>>RAM MOHAN: I'M GOOD. IF YOU COULD JUST DRIVE IT FOR ME, BRUCE, I WILL TELL YOU WHEN THE NEXT SLIDES COME UP.
THE TECHNOLOGY IS, TO MY WAY OF THINKING, IS BETTER PLUMBING FOR THE INTERNET. IT'S THE KIND OF TECHNOLOGY THAT'S NOT SEXY, IT'S NOT THE KIND OF THING THAT COMES UP ON THE COVER OF ANY MAGAZINE. BUT IT'S VERY GOOD FOR HOW THE CORE OF THE INTERNET WORKS; RIGHT? SO IF YOU ARE TRYING TO PROMOTE BETTER PLUMBING, WELL, YOU BETTER HAVE A REASONABLY GOOD ARGUMENT FOR IT. AND JUST HAVING THE BASIC ARGUMENT THAT IT WILL MAKE THINGS BE MORE SECURE OR HAVE MORE INTEGRITY IS ONE PIECE.
THE STANDARD WAY OF EVALUATING INVESTMENTS IN MOST TECHNOLOGIES, DNSSEC IS NO STRANGER TO THAT, IS COST OF INVESTMENT OR RETURN ON CAPITAL, OR A RETURN ON INVESTMENT, AN ROI.
HOWEVER, I THINK -- BRUCE, IF YOU COULD GO TO THE NEXT SLIDE -- I THINK THERE SHOULD BE AN ADDITIONAL AND DIFFERENT METHOD APPROACH TO ANALYZE DNSSEC INVESTMENT IN AN ORGANIZATION AND AT A NETWORK PROVIDER AS WELL AS AT A NETWORK PROVIDER'S CLIENT, WHICH IS RETURN ON RISK.
IN THE NEXT SLIDE, WHAT I'M TALKING ABOUT IS HOW MUCH RISK IS YOUR ORGANIZATION WILLING TO BE EXPOSED TO? BECAUSE NOT DEPLOYING A SIGNED NAME OR A SIGNED ZONE OPENS UP EXPOSURE TO PHARMING. AND IF YOU ARE AN ORGANIZATION THAT HAS INVESTED A GREAT DEAL OF EFFORT, TIME AND MONEY IN ANTI-PHISHING, FOR EXAMPLE, BECAUSE THAT'S IMPORTANT FOR THE -- TO INCREASE YOUR SECURITY PROFILE AND TO BE SEEN AS A COMPANY THAT IS RESPONSIBLE AND THAT IS RESPONSIVE TO ONGOING SECURITY THREATS, WELL, YOU KNOW WHAT? IT'S IRRELEVANT. WHATEVER THE BEST ANTI-PHISHING TECHNOLOGIES YOU HAVE GOT, IT'S IRRELEVANT IF YOUR DNS TRAFFIC IS SUBJECT TO CAPTURE AND REDIRECTION; RIGHT? AND THAT'S WHAT A NON-DNSSEC ZONE ALLOWS TO HAPPEN.
AND THE OTHER THING THAT IT OPENS UP, EXPOSURE TO YOU AS A NETWORK OPERATOR, OR TO YOU AS AN ORGANIZATION, IS TO EXPLAIN TO THE WORLD WHY YOU ALLOWED YOUR DNS INFRASTRUCTURE TO BE POISONED, CAPTURED, AND HIJACKED WHEN, ESPECIALLY, YOU KNEW THAT THERE WAS A DETERRENT TO IT.
ON THE NEXT SLIDE, I THINK THAT ORGANIZATIONS OUGHT TO START VIEWING DNSSEC NOT JUST AS AN INVESTMENT AND EVALUATED FROM A RETURN ON INVESTMENT PERSPECTIVE, BUT AS AN INSURANCE POLICY AGAINST THE INCREASING RISK OF DNS REDIRECTION.
I MEAN, WHAT THIS TECHNOLOGY DOES IS IT PROVIDES SOME LEVEL OF AN INSURANCE POLICY AGAINST COMPROMISE OF YOUR DNS SERVERS AS WELL AS A SULLYING OF YOUR REPUTATION. IF YOU ARE WITH A GOVERNMENT, IF YOU ARE WITH A FINANCIAL INSTITUTION, E-COMMERCE, THERE ARE ANY NUMBER OF ORGANIZATIONS. YOU HAVE A RESPONSIBILITY TO HAVE A GOOD SECURITY PROFILE, AND AS BRUCE WAS SAYING BEFORE, TO NOT JUST IMPLEMENT GOOD SECURITY, BUT ALSO BEING SEEN AS HAVING A GOOD SECURITY PROFILE.
AND IF YOU START VIEWING DNSSEC AS AN INSURANCE POLICY, AS ONE IN A SET OF MEASURES THAT ARE TAKEN TO IMPROVE AND INCREASE THE SECURITY PROFILE, I THINK THAT IS AN EXTRA ADDITIONAL WAY OF EVALUATING INVESTING IN DNSSEC, NOT JUST LOOK AT IT FROM AMOUNT OF MONEY SPENT AND HOW MUCH NEW BUSINESS IS IT GOING TO BRING. OKAY? SO ON THE LAST SLIDE HERE, IT'S NOT ENOUGH TO EVALUATE DNSSEC DEPLOYMENT JUST BASED ON AN ROI CRITERIA.
I THINK ORGANIZATIONS, NETWORK PROVIDERS, REGISTRARS, AS WELL AS GOVERNMENTS, ANYBODY WHO HAS A DOMAIN NAME AND HAS AN IMPLIED OR DIRECT RESPONSIBILITY TO BE SECURE, APPEAR SECURE, AND ENSURE THAT WHEN PEOPLE ARE ACTUALLY TYPING IN THAT DOMAIN NAME IN A BROWSER THAT THEY GET TRANSPORTED TO YOUR DOMAIN, YOU HAVE TO START THINKING ABOUT WHY DNSSEC, FROM THE POINT OF VIEW OF THE EXPOSURE TO RISK THAT YOU ARE INCREASING IF YOU DO NOT DEPLOY DNSSEC, THAT IF YOU DO HAVE DNSSEC DEPLOYED, YOU COULD VIEW IT AS AN INSURANCE POLICY. AND THAT IN YOUR PUBLIC PROFILE, IN YOUR PUBLIC RELATIONS, EVEN, YOU HAVE THE ABILITY TO SAY THAT YOU ARE IMPLEMENTING A TECHNOLOGY THAT ENHANCES THE SECURITY PROFILE OF YOUR FIRM.
SO DON'T JUST THINK OF DNSSEC AS MONEY SPENT. ALSO THINK OF IT AS THE IMPROVEMENT IN THE REDUCTION OF RISK THAT YOU ARE SHOWING TO THE OUTSIDE WORLD.

>>ANDY OZMENT: THANKS, RAM.
I'M GOING TO SPEAK AGAIN ON ONE OF THE OPPORTUNITIES THAT DNSSEC CREATES THAT WE HAVEN'T DISCUSSED A GREAT DEAL IN PREVIOUS FORUMS ON DNSSEC. AND THAT'S INCREASING THE VALUE OF THE DNS AS A WHOLE.
SO THERE IS -- AT THE MOMENT, THERE ARE A NUMBER OF DIFFERENT ORGANIZATIONS AND GROUPS LOOKING AT THE DNS AS A TOOL FOR DELIVERING SERVICES OTHER THAN JUST NAME RESOLUTION.
SO THERE'S A GREAT DEAL OF DEMAND FOR USING THE DNS FOR NEW SERVICES LIKE ANTISPAM EFFORTS, DKIM, SPF AND THE LIKE, THERE ARE E-MAIL ENCRYPTION PROPOSALS THAT PROPOSE TO USE THE DNS. AND I AM PART OF A TEAM AT LINCOLN LABORATORY AND ELSEWHERE THAT IS PROPOSING A RECORD TO INCREASE THE SECURITY PROVIDED BY HTTPS. SO TO REMOVE THE NEED FOR USERS TO HAVE TO CHECK THE SECURITY ICONS IN THEIR BROWSER.
AND THAT'S A PROPOSAL CALLED THE SSR RECORD, SERVICE SECURITY REQUIREMENTS.
SO THERE ARE A NUMBER OF PROPOSED SERVICES THAT WILL RELY ON THE DNS, AND AS THESE NEW SERVICES ADD VALUE TO THE DNS, THEY ALSO INCREASE THE NEED FOR DNS SECURITY.
SO AS AN EXAMPLE, ONCE WE PLACE ANTI-SPAM INFORMATION INTO THE DNS, THEN THAT CREATES AN INCENTIVE FOR SPAMMERS TO ATTACK THE DNS ITSELF. AND WE KNOW THAT WHEN SPAMMERS HAVE ECONOMIC INCENTIVES TO DO THINGS, TO ATTACK ENTITIES, THAT THEY HAVE BEEN WILLING TO DO SO IN THE PAST.
SO DNSSEC BOTH PROTECTS EXISTING SERVICES THAT ARE BEING PROPOSED FOR THE DNS AND IT ALSO ENABLES SERVICES THAT REQUIRE SECURITY THEMSELVES. AND REGISTRANTS WANT THESE NEW SERVICES. AND HAVING IMPLEMENTED THEM, THE DNS WILL BE EVEN MORE IMPORTANT TO REGISTRANTS.
AND I'M SPEAKING TO YOU TODAY AS AN AUDIENCE OF SERVICE PROVIDERS TO ARTICULATE THE CASE THAT REGISTRANTS WILL WANT A TRUSTED SERVICE PROVIDER. THE MORE VALUE THEY PLACE IN THE DNS, THE MORE THEY RELY ON IT, THE MORE IMPORTANT IT IS TO THEM THAT THEIR SERVICE PROVIDER IS TRUSTWORTHY. IF THEY OUTSOURCE, THEY ARE GOING TO LOOK FOR A SERVICE PROVIDER THAT USES DNSSEC.
IF THEY DON'T OUTSOURCE, THEY MAY BE LOOKING FOR A SERVICE PROVIDER TO HELP THEM DEPLOY DNSSEC THEMSELVES.
SO NOW I'M GOING TO TURN THE PRESENTATION OVER TO ELLIOT AND STEVE AGAIN, WHO WILL PRESENT THE VIEWPOINT OF JUST SUCH A SERVICE PROVIDER.

>>STEVE CROCKER: THANK YOU.
ONE SECOND WHILE WE GET THINGS ORGANIZED HERE.
ALL RIGHT.
THAT'S THE WRONG ONE.
SO LET ME THANK RAM, WHO IS DOUBLE-BOOKED HERE BETWEEN DIFFERENT MEETINGS AND RUNNING OFF.
THANK YOU VERY MUCH.
ULTRADNS IS A LARGE MANAGED DNS SERVICE PROVIDER.
I HAD HOPED THAT RODNEY JOFFE, THE FOUNDER, CTO -- FOUNDER AND CTO AND CHAIRMAN OF THE BOARD, WOULD BE HERE.
HE'S BEEN UNAVOIDABLY DETAINED AND SENDS HIS QUITE SINCERE AND ABJECT APOLOGIES.
AND HE'S BEEN ENORMOUSLY COOPERATIVE AND VIGILANT AT GETTING MATERIAL TO US SO THAT WE COULD CONVEY THE MESSAGES THAT HE HAD IN MIND.
AND I THINK THAT THIS IS SOME FAIRLY INTERESTING AND QUITE SIGNIFICANT DEVELOPMENTS.
ELLIOT NOSS, FROM TUCOWS, AND I WILL ATTEMPT TO DO A BIT OF A TAG-TEAM HERE IN REALTIME AS WE MOVE FORWARD.
ELLIOT, JUST JUMP RIGHT IN AT ANY POINT.
AND DO YOU HAVE ANY PRELIMINARY COMMENTS YOU WANT TO SAY?

>>ELLIOT NOSS: I THINK ONLY ONE, WHICH IS, YOU KNOW, FIRST OF ALL, I'M ELLIOT NOSS FROM TUCOWS.
WE ARE A REGISTRAR PRIMARY, YOU KNOW, SUPPLIER OF BOTH DOMAIN NAMES AND A BUNCH OF OTHER SERVICES TO WEB HOSTING COMPANIES, ISPS, WEB DESIGNERS, AND THE LIKE.
I'M PROBABLY THE LEAST TECHNICAL PERSON IN THE ROOM AND ALWAYS BEING SORT OF A GEEK-WANT TO BE.
SO, STEVE, I WANT TO THANK BOTH YOU AND RODNEY, ONE OF MY ASPIRATIONS IS TO BE UP HERE WITH SSAC.
SO I APPRECIATE THAT, BECAUSE I CAN TICK A BOX NOW.

>>STEVE CROCKER: I'LL HAVE TO FIGURE OUT WHAT THE RETURN FAVOR IS.
THIS IS AN EXCITING GUY.
THERE'S PLENTY OF THINGS I'D LIKE TO DO HANGING OUT WITH HIM.
ALL RIGHT, ULTRADNS IS PRIMARILY A COMPANY THAT PROVIDES NAME SERVICE TO DOMAIN NAME HOLDERS.
AND THIS IS DISTINCT FROM PROVIDING REGISTRAR OR REGISTRY SERVICES, WHICH ARE THE PARTS THAT ARE A GREAT DEAL MORE VISIBLE IN THE INDUSTRY.
THEY PROVIDE NAME SERVICE FOR 22 COUNTRY CODE TOP-LEVEL DOMAINS, FOR FOUR GENERIC TOP-LEVEL DOMAINS, ONE THAT I'M FAMILIAR WITH IN PARTICULAR IS DOT ORG, WHICH IS SOMETHING IN EXCESS OF FOUR MILLION NAMES AND IS ONE OF THE LARGEST DOMAINS.
IN AGGREGATE, THEY HANDLE 14 MILLION DOMAINS, WHICH IS A VERY LARGE FRACTION, AROUND 20%, OF ALL OF THE DOMAINS THAT EXIST ENTIRELY.
THEY HAVE 8,000 CUSTOMERS.
AND OF THOSE, MANY OF THEM ARE IN THE FORTUNE 100 AND -- OR THE TOP GOVERNMENT AND E-COMMERCE COMPANIES.
THEY PROVIDE A COMBINATION OF PRIMARY SERVICE FOR VERY MANY OF THEM, AND SECONDARY SERVICE FOR SOME OTHERS.
THAT'S A VERY IMPORTANT ASPECT, BECAUSE AT THE POINT WHERE A MANAGED SERVICE PROVIDER IS PROVIDING PRIMARY SERVICE, THEY'RE ALSO, AS I HAD DESCRIBED EARLIER, IN, NOW, A VERY GOOD POSITION TO SIGN THOSE ZONES AND PROVIDE SIGNED SERVICE FOR THEM.
THOUGH THEIR CONFIGURATIONS ARE THAT THEY HAVE MASTER SERVICES, THEY HAVE EXTERNAL SLAVES, AND SLAVES THERE ON FOUR DIFFERENT CONTINENTS, THEY MAKE EXTENSIVE USE OF ANYCAST, AND THEY'RE ABLE TO UPDATE RECORDS WITHIN A VERY SHORT TIME, UNDER TWO MINUTES.
THEY HAVE THEIR OWN SOFTWARE AND THEIR OWN ARCHITECTURE THAT IS SOMEWHAT DIFFERENT FROM THE STANDARD OFF-THE-SHELF SOFTWARE AVAILABLE FROM OTHER SUPPLIERS.
I THINK THAT ALL OF THESE -- I'M SURE RODNEY COULD MAKE A VERY INTERESTING PITCH HERE.
BUT THE MAIN MESSAGE IS THAT THERE IS A CONSIDERABLE AMOUNT OF EXPERTISE, CONSIDERABLE AMOUNT OF OPERATIONAL EXPERIENCE AND COMPETENCE AT PROVIDING THE NAME SERVICE HERE.
THEY'VE HAD A RESTRICTED TEST BED IN PLACE THAT IMPLEMENTS THE STANDARD SPECIFICATIONS FOR DNSSEC.
I MENTIONED THE DIFFICULTIES OF THE NSEC PROCESS, AND ALSO THE LACK OF OPT-IN THAT IMPOSES A GREAT LOAD.
THEY HAVE MANAGED TO ACCOMMODATE THE DEMANDS OF RUNNING IN THAT OPERATION AND ARE READY TO GO.
AND -- LET'S SEE.
LET ME BACK UP BEFORE I GET THERE.
THE MESSAGE, WHICH WE'LL COME TO IN A MINUTE, IS THAT THEY'RE IN A POSITION WHERE THEY'RE GOING TO OFFER COMMERCIAL DNSSEC SERVICE IN Q2, 2006.
Q2 STARTS SATURDAY.
I SUSPECT THAT THEY'RE NOT GOING TO HAVE IT RUNNING SATURDAY.
BUT WITHIN THE PERIOD ENDING IN -- SOMETIME BEFORE THE END OF JUNE.
THAT IS, IN THE SCHEME OF THINGS, VERY, VERY QUICK.
THAT MEANS THAT WE ARE NOW GOING TO SEE THE CAPABILITY FOR A VERY LARGE NUMBER OF SIGNED ZONES FOR, EXCUSE ME, AN INTERESTING RANGE OF BOTH VERY LARGE AND VERY SMALL COMPANIES AND EVERYTHING IN BETWEEN ON A COME-ONE, COME-ALL, IT'S THERE IF YOU WANT TO USE IT BASIS.
SO THAT WILL, I THINK, BE ONE OF THE MORE IMPORTANT MILESTONES IN TERMS OF AVAILABILITY OF DNSSEC.
THAT RAISES THE QUESTION OF, WELL, IF WE CAN GET THE ENTERPRISES SIGNED, WHAT HAPPENS ABOVE THAT, AND, IN PARTICULAR, ALSO WHO'S GOING TO USE THAT?
SO WE HAVE SOME CHICKEN-AND-EGG PROBLEMS.
THERE'S A LOT OF EXPERIENCE WITH SECURITY INCIDENCES, PHARMING, CACHE POISONING, AND SO FORTH.
SOME OF THE COMPLAINTS OR QUIBBLES ABOUT DNSSEC IS, IT'S KIND OF INTERESTING, TECHNICALLY SOPHISTICATED.
IS IT A SOLUTION LOOKING FOR A PROBLEM?
FROM ULTRADNS'S BUSINESS PERSPECTIVE, SO THEY'RE READY TO OFFER THIS AND SIGN ALL OF THE ZONES.
WILL ANYBODY USE THEM?
WHAT ARE THE REAL ISSUES?
ARE THERE FINANCIAL INCENTIVES FOR TOP-LEVEL DOMAIN REGISTRIES?
ARE THERE INCENTIVES FOR THE REGISTRARS EITHER IN THE FORM OF A COMPETITIVE ADVANTAGE OR IN TERMS OF ACTUAL REVENUE?
AND WHAT ARE THE INCENTIVES OR IMPEDIMENTS FOR THE DOMAIN HOLDERS?
SITTING -- OVERHANGING THIS ENTIRE AREA IS THE OBSERVATION THAT THE ROOT IS NOT YET SIGNED AND THAT THAT WILL SERVE AS EITHER AN IMPORTANT STIMULUS IF IT DOES GET SIGNED SOON, OR AN IMPORTANT SORT OF RETARDING EFFECT IF IT DOESN'T GET SIGNED.
AND THEN -- AND I SUSPECT THAT IN VERY SHORT ORDER, WE'RE GOING TO HAVE TO HAVE SOME RESOLUTION OF THAT.

>>ELLIOT NOSS: JUST BEFORE YOU GO ON, STEVE, I WANTED TO ADD A COUPLE OF THINGS TO SET UP BEFORE WE MOVE TO THE NEXT PART OF THE PRESENTATION.
I THOUGHT BRUCE AND RAM BOTH DID AN EXCELLENT JOB TALKING ABOUT A LOT OF THE HISTORY AND THE CHALLENGES -- ANDY AS WELL, I DIDN'T MEAN TO LEAVE YOU OUT THERE, ANDY.
I THINK THAT THERE WERE A NUMBER OF ANALOGIES DRAWN.
FOR ME, DNSSEC HAS ALWAYS FELT A LOT LIKE ANOTHER VARIATION ON THE IDENTITY DISCUSSION AND DEBATE THAT HAS GONE ON FOR YEARS AROUND ONLINE IDENTITY, THINGS LIKE LIBERTY, YOU KNOW, SOME OF THE RECENT VERISIGN ANNOUNCEMENTS.
I'VE REALLY BEEN STRUCK -- YOU KNOW, WE STEPPED AWAY FROM THE IDENTITY DEBATE PROBABLY ABOUT 18 OR 24 MONTHS AGO, AFTER PARTICIPATING FAIRLY ACTIVELY FOR A COUPLE OF YEARS.
AND IT WAS BECAUSE OF THAT SOLUTION LOOKING FOR A PROBLEM STRUGGLE.
IT HAS -- WE'VE RECENTLY RE-ENGAGED AROUND THAT, YOU KNOW, MUCH AS WE'RE UP HERE NOW.
AND THAT'S BECAUSE, FOR A LOT OF REASONS, CUSTOMER SOPHISTICATION, YOU KNOW, BLACK HAT SOPHISTICATION, THE LEVEL OF ACTIVITY THAT MOST BUSINESSES ARE ENGAGING IN ONLINE.
YOU KNOW, WE THINK THAT IT IS THE CASE THAT A LOT OF THESE ISSUES ARE BACK ON THE TABLE AND REALLY HAVE BUSINESS IMPORTANCE NOW.

>>STEVE CROCKER: THAT'S VERY GOOD.
THANK YOU.
IN THE PROCESS OF WAITING FOR THE ROOT TO BE SIGNED, AN ALTERNATIVE STRATEGY OF BUILDING A REPOSITORY OF TRUSTED KEYS WITHIN INDIVIDUAL RESOLVERS, KNOWN AS DLV, IS BEING PROMULGATED BY SOME OF THE DEVELOPERS, PARTICULARLY INTERNET SYSTEMS CORPORATION -- CONSORTIUM.
AND THE CURRENT VERSIONS OF BIND THAT ARE AVAILABLE FROM THEM INCLUDE THIS CAPABILITY.
SO THIS IS A SO-CALLED LOOK-ASIDE DIRECTORY THAT ALLOWS THE END USERS TO ACCUMULATE THE KEYS OF TRUST ANCHORS FOR THE TOPS OF CHAINS OF TRUST WHERE -- THAT ARE THEN NOT CONNECTED DIRECTLY TO THE ROOT, BECAUSE THE ROOT ISN'T SIGNED OR BECAUSE THE TOP-LEVEL DOMAIN ISN'T SIGNED, OR WHEREVER THE CHAIN IS BROKEN.
AND, IN FACT, THERE IS A DIRECTORY THAT CAN BE PICKED UP FROM A CENTRALIZED PLACE SO THAT NOT EVERY USER HAS TO BUILD HIS OWN VERSION OF THIS.
THIS IS A REASONABLE MAKESHIFT WAY OF PROCEEDING UNTIL THERE IS SOME CONVERGENCE ON GETTING THE ROOT SIGNED.
SO WHAT ULTRADNS IS SAYING IS THAT THEY'RE BUILDING DNSSEC IN THEIR SYSTEMS, THAT INTERNET SYSTEMS CONSORTIUM HAS A BETA VERSION OF THE DLV DIRECTORY INFRASTRUCTURE IN PLACE.
AND NOW THE CRITICAL THING IS THAT THEY, AS I SAID, WILL ROLL THIS OUT DURING Q2 2006.
AND I THINK THAT PLANTS NOT JUST ONE, BUT MULTIPLE STAKES IN THE GROUND FOR MOVING DNSSEC FORWARD.
ELLIOT, I THINK I'LL LET YOU SPEAK TO THIS ASPECT.

>>ELLIOT NOSS: SURE.
AND SO WHEN RODNEY MADE US AWARE OF WHAT HE WAS PLANNING TO ANNOUNCE AND GOT ME A LITTLE SMARTER ABOUT THE WAY IT LOOKED, IT WAS SOMETHING THAT WE WANTED TO GET ACTIVE WITH RIGHT AWAY.
YOU KNOW, OUR VIEW OF DNSSEC SPECIFICALLY UNTIL THAT POINT WAS THAT, YOU KNOW, WE'RE ALWAYS HOPEFUL BUT SKEPTICAL AS THINGS ARE MOVING THROUGH THE ICANN PROCESS.
AND UNTIL, YOU KNOW, WE FELT THAT ISSUES AROUND THE ROOTS BEING SIGNED WERE GOING TO BE RESOLVED, WE WEREN'T GOING TO SPEND A LOT OF TIME AND EFFORT.
WHEN WE SAW AN ALTERNATIVE THAT WOULD ALLOW US TO ENGAGE IN A DEPLOYMENT THAT, IN A SPECIFIC SET OF BUSINESS CONTEXTS, WE COULD USE NOW, WE GOT PRETTY EXCITED.
YOU KNOW, FOR US, WHAT WE'RE DOING IN IDENTITY BROADLY HAS EVERYTHING TO DO WITH DISTRIBUTED IDENTITY AND EVERYTHING TO DO WITH CONTEXTUAL IDENTITY.
IN OTHER WORDS, WE'RE CONCERNED WITH SOLVING BUSINESS PROBLEMS THAT WE HAVE TODAY AND THAT OUR SERVICE PROVIDER CUSTOMERS HAVE TODAY.
AND THIS APPROACH IS COMPLETELY CONSISTENT WITH THAT.
YOU KNOW, OF COURSE, WE ARE VERY MUCH LOOKING FORWARD TO RESOLUTION OF THE BROADER ISSUES, THE ROOTS BEING SIGNED, ET CETERA.
BUT, YOU KNOW, THIS IS SOMETHING THAT, YOU KNOW, RODNEY'S TALKING ABOUT A LAUNCH IN THE SECOND QUARTER.
YOU KNOW, OUR APPROACH IS GOING TO BE TO START PLAYING WITH THIS STUFF, YOU KNOW, AS SOON AS, ESSENTIALLY, HE'LL LET US HAVE, YOU KNOW, SORT OF CODE AND METHODOLOGY TO START TO PLAY AROUND WITH.
WE WOULD LOVE TO BE IN A POSITION TO BE OFFERING SERVICE, YOU KNOW, SOMETIME IN Q3 OR Q4 IF IT'S NOT TOO COMPLICATED.
AND I THINK THE OTHER THING TO NOTE ABOUT THIS IS -- AND BRUCE ALLUDED TO THIS IN A COUPLE DIFFERENT WAYS -- FOR US, THIS IS VERY MUCH A PIECE OF INFRASTRUCTURE.
WHILE -- YOU KNOW, WHILE TO OUR SERVICE PROVIDER CUSTOMERS WE WILL LIKELY BE EITHER SELLING IT DIRECTLY OR INCLUDING IT IN MUCH BROADER SERVICE BUNDLES FOR THEM, WE DO NOT EXPECT, EXCEPT IN THE ODD CIRCUMSTANCE, OUR SERVICE PROVIDER CUSTOMERS, HOSTING COMPANIES, ISPS, TO BE SELLING DNSSEC SPECIFICALLY.
TO US, THAT WOULD BE LIKE, YOU KNOW, HIGHLIGHTING THE CARBURETOR IN A CAR.
WE DO SEE THIS VERY MUCH AS BEING PART OF, YOU KNOW, THE PREMIUM BUNDLE.
MAYBE IT'S SOMETHING YOU GET IN THE $50 A MONTH BUNDLE, NOT THE $20 A MONTH BUNDLE.
OR EVEN THE $20 A MONTH BUNDLE, NOT THE $10 A MONTH BUNDLE.
BUT WE THINK THAT THIS IS, AGAIN, A PIECE OF A LARGER PIE.
AND THAT HAS BEEN VERY MUCH WHERE WE'VE SEEN THE MARKET GOING MORE AND MORE.
YOU KNOW, IT'S REALLY -- THE INTERNET SERVICES MARKET IS ONE THAT'S BECOME MUCH MORE COMPLICATED FOR END USERS OVER THE LAST NUMBER OF YEARS.
AND THERE'S BEEN A GREATER AND GREATER RELIANCE ON SERVICE PROVIDERS TO SIMPLIFY IT FOR THEM, TO MAKE, ESSENTIALLY, THE INTERNET EASIER TO USE.
THAT'S TRUE WHETHER IT'S FOR INDIVIDUALS, SMALL BUSINESSES, MEDIUM-SIZED BUSINESSES, LARGE ENTERPRISES.
YOU KNOW, THEIR END USER BEHAVIOR IS VIRTUALLY IDENTICAL UP AND DOWN THE STACK.
EVEN THE LARGEST COMPANIES WITH SIGNIFICANT INTERNAL I.T. DEPARTMENTS STILL TEND TO OUTSOURCE THE MOST CRITICAL PIECES OF INTERNET SERVICES INFRASTRUCTURE.
AND SO, YOU KNOW, AGAIN, YOU CAN ROLL A FEW THINGS TOGETHER: THE ABILITY TO DO IT RIGHT AWAY, THE ABILITY TO REALLY PROVIDE VALUE AS PART OF A BIGGER PUZZLE.
AND WE'RE QUITE EXCITED ABOUT IT.
THANKS, STEVE.

>>STEVE CROCKER: I HAVE TO CONFESS THAT I WENT OFF ON A LITTLE BIT OF A RAPTURE WHEN I HEARD THE WORD "CARBURETOR," TRYING TO REMEMBER WHAT THAT WAS, ACTUALLY.
FUEL INJECTOR WAS THE THING THAT COMES TO MIND AS WHAT I REALLY WANT INCLUDED IN THE MODERN CAR.
BUT I SUPPOSE -- ALTHOUGH IT'S NOT QUITE AS SEXY -- IT'S MORE LIKE AIRBAGS THAT WE'RE TALKING ABOUT THESE DAYS.
BUT, YES, IT SHOULD BE INCLUDED AS PART OF THE INFRASTRUCTURE AS OPPOSED TO....

>>BRUCE TONKIN: IT'S MUCH EASIER TO DRAW A PICTURE OF AN AIRBAG THAN IT IS -- IN YOUR EARLIER PRESENTATION -- TO DRAW A PICTURE OF DNSSEC.
SO I THINK AS A MARKETING PROPOSITION, THE IDEA THAT THIS PILLOW COMES OUT AND YOU HAVE A NICE SLEEP WHEN THERE'S A CRASH IS, I THINK, EASIER TO EXPLAIN TO A CONSUMER.

>>STEVE CROCKER: DID YOU JUST SAY DNSSEC PUT YOU TO SLEEP?
NO.
I'M SORRY.
SO HERE'S THE PICTURE OF HOW THE PIECES ARE PUT TOGETHER FROM THE CUSTOMER -- LET'S SEE.
CAN I POINT HERE? -- FROM THE CUSTOMER SAYING THAT THEY WANT THEIR SITE OR THEIR ZONE TO BE SECURED, THAT ULTRADNS WILL SIGN THE ZONE, AND THEN MAKE IT AVAILABLE.
THIS CYCLE IS WHERE NOT ALL OF THE ZONE IS TOTALLY CONTAINED OR NOT ALL OF THE CUSTOMERS' RECORDS ARE TOTALLY CONTAINED, I THINK, WITHIN ULTRADNS'S OPERATION, BUT PROVIDE SOME COMMUNICATION BACK AND FORTH TO THE CUSTOMER SITE.
SO YOU MIGHT HAVE INTERESTING KINDS OF EXAMPLES THAT COME UP.
YOU MIGHT HAVE, LET'S SAY, A LARGE CORPORATION THAT HAS MOST OF ITS RECORDS, MOST OF ITS NAME AND ADDRESS RECORDS OUTSOURCED TO AN EXTERNAL SERVICE PROVIDER LIKE ULTRADNS, BUT THERE MAY BE A PORTION WITHIN THE LARGE CORPORATION, A TYPICAL EXAMPLE WOULD BE, SAY, A RESEARCH GROUP THAT WANTS TO RUN ITS OWN OPERATION, THERE'S A SMALL TEAM OF VERY COMPETENT AND SHARP PEOPLE WHO SAY, "WE'RE GOING TO RUN ENTIRELY OUR OWN ZONE, AND WE JUST NEED TO CONNECT IT UP."
SO HERE'S THE PATHWAY, FOR THE PART OF THE ZONE THAT'S RUN BY ULTRADNS ON BEHALF OF THE COMPANY, AND THEN THE ABILITY TO COMMUNICATE BACK AND FORTH TO THE COMPANY FOR THE KEYS THAT ARE NECESSARY.
DID YOU WANT TO ADD TO THAT?

>>ELLIOT NOSS: WELL, THE ONLY POINT I'D THROWN IN HERE -- AND, I MEAN, IT'S A POINT THAT I'LL KEEP COMING BACK TO -- IS, THIS JUST FITS BEAUTIFULLY WITH THE DISTRIBUTED NATURE, YOU KNOW, OF THE WAY THAT INTERNET SERVICES ARE BEING PROVIDED NOW.
I DON'T THINK THAT PEOPLE APPRECIATE THAT IN A SIMPLE -- OR END USERS APPRECIATE THAT IN A SIMPLE DOMAIN TRANSACTION, YOU'RE OFTEN GOING THROUGH THREE OR FOUR PARTIES BY NECESSITY.
IT REALLY LOOKS LIKE A SEAMLESS TRANSACTION.
HERE IS JUST ANOTHER BEAUTIFUL EXAMPLE.
AND WE THINK THERE'S, AGAIN, REAL ANALOGIES TO THE WAY IDENTITY AND IDENTITY OVERLAYS ARE GOING TO ROLL OUT.

>>STEVE CROCKER: YES.
SO HERE'S THE REST OF THAT PICTURE WITH THE TRANSFER OF THE KEYS THROUGH, THE LOOK-ASIDE VALIDATION DIRECTORY, WHERE THE TOP LEVEL OF THE ENTERPRISE'S STRUCTURE, THE KEY ASSOCIATED WITH THAT, IS MADE AVAILABLE TO OTHERS IN THE ABSENCE OF A SUPERSTRUCTURE AT THE TOP-LEVEL DOMAIN AND THE ROOT.
SO SORT OF CLOSING WITH THIS, THE -- THERE IS A BETA DELIVERY OF THIS DLV PROCESS IN PLACE.
DNSSEC WILL BE ROLLED OUT NEXT QUARTER.
THE PRODUCT OFFERING IS COMING.
AND THAT IT'S ALL COMING TOGETHER, AS IT WERE, INCLUDING THE GENERAL AVAILABILITY OF BIND 9.4, WHICH WILL HAVE THE SUPPORT.

>>ELLIOT NOSS: AND ONE LAST POINT I'D LIKE TO ADD.
FOR US, WE WOULD NOT BE SURPRISED IF WE HAVE CUSTOMERS WHO ARE LOOKING TO START PLAYING WITH THIS BEFORE WE'RE AVAILABLE TO DELIVER IT TO THEM.
SO....

>>STEVE CROCKER: SO THAT'S GREAT.

>>ELLIOT NOSS: YEP.

>>STEVE CROCKER: SO WITH THAT, I WANT TO BRING THE PRESENTATION PART OF THIS SESSION TO A CLOSE, OPEN IT UP FOR QUESTIONS, LEAVE YOU WITH A COUPLE OF POINTERS.
THESE SLIDES WILL ALL BE AVAILABLE ON THE NET AS SOON AS WE CAN GATHER THEM UP AND MAKE THEM AVAILABLE.
I THINK WE'RE STILL DOWN -- YES, I'M GETTING THE NEGATIVE SIGNAL.
I APOLOGIZE.
WE WERE VERY MUCH LOOKING FORWARD TO HIJACKING EACH AND EVERY ONE OF YOUR LAPTOPS FROM YOU.
SEE US FOR A PRIVATE DEMO, IF YOU WANT, AT SOME POINT.
AND IT WILL BE INTERESTING, DO WE KNOW -- IS ANY OF THE STAFF AROUND WHO CAN TELL US WHAT'S GOING ON OUTSIDE THAT'S BRINGING DOWN OUR NETWORK?
THE ANSWER IS NO.
WELL, I'M SURE -- I'M SURE WE'LL FIND OUT AFTER A WHILE.
SO LET ME OPEN UP THE FLOOR TO QUESTIONS.
ANYBODY WANT TO ASK ANY OF US OR POSE ANY GENERAL QUESTIONS?

>>IZUMI AIZU: HI, MY NAME IS IZUMI AIZU, AND I AM ON THE AT-LARGE ADVISORY COMMITTEE, BUT I HAVE ALSO BEEN DOING SOME STUDY ON THE SECURITY POLICIES OF GOVERNMENTS, NOT ICANN.
THE FIRST QUESTION I THINK I ASKED THIS TO STEVE MONTHS AGO, THAT HOW BAD IS IT?
OR WHAT ARE THE CURRENT STATE OF PLAY?
I MEAN, I HEAR A LOT OF POSSIBLE ATTACKS AND REDIRECTION AND WHATEVER.
BUT HOW MUCH ACTUALLY IS HAPPENING?
HAS THERE BEEN ANY KNOWN CASES WHERE A FAMOUS OR, YOU KNOW, IMPORTANT SITE WAS HACKED?
AND WHICH CAN BE PREVENTED FROM THE INTRODUCTION OF DNSSEC?

>>STEVE CROCKER: YEAH.

>>IZUMI AIZU: AND ANY -- SORRY -- STATISTICAL DATA OF THIS SPOOFING OR OTHER THINGS, HOW BAD THEY ARE.
ARE THEY ON THE INCREASE?
IS THERE ANY PUBLICLY AVAILABLE DATA?
BECAUSE WITHOUT THESE, I FEEL A BIT SORT OF YOUR PRESENTATION ABOUT THE IMPORTANCE AND STUFF LIKE THAT, BUT YOU DON'T REALLY PRESENT THE HARD FACTS.
THAT'S -- I'M PUZZLED.

>>STEVE CROCKER: I APPRECIATE THE QUESTION.
SO I DIDN'T COME PREPARED, AND, IN FACT, I PERSONALLY TEND NOT SO MUCH TO ACCUMULATE THE KIND OF HORROR STORIES AND THE STATISTICS.
BUT I THINK YOU ASK A VERY FAIR QUESTION.
I'LL PROBABLY HAVE TO PAY MORE ATTENTION IN THE FUTURE.
MY ATTITUDE ABOUT THESE THINGS IS THAT IT IS COMPLETELY CLEAR AND, YOU KNOW, WITH APOLOGIES THAT WE COULDN'T DO THIS DEMO.
BUT THE DEMO THAT WE HAVE IS AT THE BOTTOM END OF THE SCALE IN TERMS OF SOPHISTICATION. AND THERE ARE MUCH MORE SOPHISTICATED KINDS OF ATTACKS.
AND THE KIND OF ATTACK THAT WE CAN SHOW YOU CAN BE DONE AT A LOCAL COFFEE SHOP OR INTERNET CAFE OR, INDEED, IN ANY ENVIRONMENT, LIKE THIS.
SO THE FACT THAT IT IS RELATIVELY EASY TO DO THIS KIND OF HIJACKING IS, FROM MY POINT OF VIEW, A VERY COMPELLING STORY, AND IT BECOMES NOT A QUESTION OF HOW MUCH BLOOD THERE IS IN THE STREET, BUT SORT OF HOW EASY IT IS FOR THESE KINDS OF ATTACKS TO BE DONE.
AND WHENEVER THERE IS AN INCENTIVE, WHETHER IT IS OUT OF MALICIOUSNESS OR OUT OF FINANCIAL INCENTIVE OR OUT OF, YOU KNOW, SORT OF LARGER WARFARE KINDS OF THINGS, HOSTILE ACTIONS, THERE JUST ISN'T ANY -- THERE IS, FROM MY POINT OF VIEW, PLENTY OF NOTICE.
ONE DOESN'T HAVE TO SEE, YOU KNOW, A BIG RISE IN INCIDENTS, BECAUSE AT SOME POINT, IF THAT'S HAPPENING, IT'S A BIT TOO LATE.
IT TAKES A WHILE TO ROLL OUT THE INFRASTRUCTURE HERE.
AND I'D RATHER NOT BE REACTING TO A LARGE NUMBER OF INCIDENTS AND RISING STATISTICS.
I'D RATHER STAY, AS MUCH AS POSSIBLE, AHEAD OF THE GAME.

>>ANDY OZMENT: I'M GOING TO JUMP IN AS WELL ON THAT.
THAT'S TO SAY THAT ONE OF THE PROBLEMS WITH THIS TYPE OF ATTACK IS, UNLIKE, FOR EXAMPLE, A PHISHING ATTACK, IT'S MUCH EASIER TO GO SORT OF UNDER THE RADAR ON THIS TYPE OF ATTACK.
IF YOU USE A DNS ATTACK TO GATHER SOMEBODY'S ONLINE CREDENTIALS AND UTILIZE THEM LATER OR IN AN OFFLINE FASHION TO MAKE MONEY FROM THEM, SO IF YOU ENCODE SOMEBODY'S ACCOUNT INFORMATION ON AN ATM CARD AND USE THAT TO WITHDRAW MONEY, IT'S MUCH, MUCH MORE DIFFICULT TO TRACK THAT BACK TO A SPECIFIC ATTACK THAN IT IS WITH, FOR EXAMPLE, A PHISHING E-MAIL.

>>IZUMI AIZU: WELL, HAVE YOU SORT OF TRIED TO ESTABLISH SOME KIND OF REPORTING MECHANISM, FOR EXAMPLE? THE CERT COMMUNITY IS RECEIVING THE INCIDENT REPORTS, OR ISOC, OR OTHERS.
SO UNLESS YOU REALLY ESTABLISH THE CASE ABOUT RETURN ON INVESTMENT STUFF OR RISK MANAGEMENT, BUT HOW BAD THE SITUATIONS ARE, OTHER THAN JUST, YOU KNOW, HEARING THE SORT OF INDIRECT THREATS OR, I MEAN, THE WARNINGS, I THINK IT'S STILL PRETTY WEAK TO ARGUE, HONESTLY.

>>STEVE CROCKER: THANK YOU.
ANYBODY ELSE?
SO WITH THAT, I THINK I WANT TO THANK EVERYBODY FOR COMING. AND I PARTICULARLY WANT TO THANK THE PRESENTERS. MARK FELDMAN FOR BEING ON THE SPOT HERE, READY, WILLING AND ABLE -- WELL, BUT NOT ABLE HERE. NOT HAVING THE OPPORTUNITY TO GIVE YOU A BIT OF A THRILL.
ANDY OZMENT, ELLIOT NOSS, BRUCE TONKIN AND RAM MOHAN FOR THE WORK THAT'S GONE IN PREPARING AND FOR THE TIME HERE.
SO THANK YOU ALL. FEEL FREE TO CONTACT ANY OF US AND WE'D BE HAPPY TO HELP.
AND WE DO PARTICULARLY APPRECIATE THE FEEDBACK, EVEN THE KIND OF QUESTION THAT SAYS: YOU REALLY HAVE TO FIX THIS PROBLEM BEFORE WE CAN MOVE FORWARD. IT'S VERY MUCH APPRECIATED.
SO WE ARE GOING TO DO THE UNUSUAL THING HERE OF ACTUALLY GIVING YOU A FEW MINUTES THAT YOU GET BACK IN YOUR SCHEDULE. AND THEN WE CAN GET ON WITH THE REST OF THE EVENTS AT ICANN TODAY.
THANK YOU.
[ APPLAUSE ]
