ICANN Meetings in Vancouver, Canada
Public Workshop on DNSSEC - The Registrar's View
Wednesday, 30 November 2005
9:00 a.m.
Note: The following is the output of the real-time captioning taken during the Public Workshop on DNSSEC held on 30 November, 2005 in Vancouver, Canada. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> WE WERE WAITING A LITTLE BIT TO SEE IF THE WELCOME WOULD BE POSSIBLE.
BUT I THINK VINT HAS BEEN DETAINED, SO WE'RE GOING TO START.
WELCOME LESS ELEGANTLY THAN VINT CERF WOULD HAVE TO THE WORKSHOP ON DNSSEC.
MY NAME IS ALLISON MANKIN, AND I'M MODERATING AND TIME-KEEPING.
I WORK ON THE DNSSEC DEPLOYMENT INITIATIVE AT SHINKURO IN WASHINGTON, D.C.
AND WE HAVE A REALLY PACKED PROGRAM, SO I WILL BE TIME-KEEPING.
HOPEFULLY, YOU'VE GOT THE PAPER PROGRAM.
THERE ARE SOME CHANGES IN IT, AND I WILL BE NOTIFYING YOU AS THE TIME GOES ON ON THAT.
THE PROGRAM IS ALSO AVAILABLE ON THE WEB.
UNFORTUNATELY, THE WEB SITE IS NOT HERE.
BUT WE CAN PROBABLY ARRANGE TO FLASH IT UP IN A SLIDE.
I'LL GET A SLIDE UP THERE RIGHT AFTER THE KEYNOTE SO THAT YOU CAN SEE THAT.
OUR FIRST PRESENTER IS UMA MURALI, WHO IS THE PRESIDENT AND CEO OF GOOD LUCK DOMAIN.
AND SHE'S GOING TO INTRODUCE YOU TO THE VIEW FROM THE DEVELOPING WORLD.
SO, UMA, CAN YOU GO UP THERE?
AND YOUR SLIDE'S ALREADY THERE.
USE THE ARROW KEY TO NAVIGATE.
>>UMA MURALI: ALLISON, CAN YOU PLEASE HELP --
>>ALLISON MANKIN: JUST THE DOWN ARROW KEY.
>>UMA MURALI: GOT IT.
PAGE DOWN AND PAGE UP.
>>ALLISON MANKIN: YEAH.
>>UMA MURALI: GOOD MORNING, EVERYONE.
YOU ALL HAD YOUR CUP OF COFFEE?
HAD THE POWER COFFEE?
BECAUSE I'M GOING TO GIVE YOU A UNIQUE PICTURE FROM A REGISTRAR POINT OF VIEW FROM A DEVELOPING COUNTRY.
HOW MANY OF YOU ARE HERE FROM INDIA?
HOW MANY OF YOU ARE HERE FROM SRI LANKA?
HOW MANY OF YOU ARE HERE FROM U.S. AND CANADA AND THE U.K.?
YOU HAVE TO UNDERSTAND, IT'S A UNIQUE SITUATION WORKING AS A REGISTRAR IN INDIA AND IN SOUTHEAST ASIA.
AND I'M GOING TO GIVE YOU A PICTURE AND TAKE YOU ON A TOUR TO SOUTHEAST ASIA.
LADIES AND GENTLEMEN, WE DO NOT DENY THE IMPORTANCE OF DNSSEC.
SECURITY PLANNING IS VERY CRITICAL FOR THE FUTURE OF THE DOMAIN INDUSTRY TODAY.
DNSSEC, I WOULD SAY IT'S AN INSURANCE POLICY FOR ONLINE IDENTITY HOLDERS.
I THINK WE SHOULD -- IT'S GREAT WE ARE THINKING ABOUT IT, AND IT'S GREAT WE ARE LOOKING INTO HOW TO DEPLOY IT AND HOW TO IMPLEMENT IT.
INTERNET SECURITY IN DEVELOPING COUNTRIES IS QUITE DIFFERENT FROM THE WESTERN WORLD.
OUR CHALLENGES AS REGISTRAR IN THIS ENVIRONMENT PROVIDE USEFUL LESSONS IN THE SCOPE, ROLLOUT, AND IN THE IMPLEMENTATION OF DNSSEC IN DEVELOPING MARKETS.
IT'S UNIQUE.
THE FOCUS OF TODAY'S PRESENTATION IS NONTECHNICAL.
AND I WANT TO KEEP IT THAT WAY.
THE FOCUS OF TODAY'S PRESENTATION IS TWOFOLD.
NUMBER ONE, TALKING ABOUT THE ISSUES, SPECIFIC ISSUES AND CHALLENGES IN DEVELOPING COUNTRIES.
AND THE SECOND FOLD IS, FOCUS ON IDEAS TO MAKE DNSSEC A SUCCESS IN DEVELOPING MARKETS.
BEFORE THAT, I WANT TO TALK TO YOU A LITTLE BIT -- HIT UPON WHO WE ARE AND WHAT WE DO.
GOOD LUCK DOMAINS, AN ICANN-ACCREDITED REGISTRAR, WE ARE A VERY SMALL REGISTRAR BASED IN CHENNAI, INDIA.
THE COUNTRIES WE FOCUS ON ARE INDIA, SRI LANKA, MALAYSIA, SINGAPORE, SOUTH AFRICA.
THE CONTINENTS THAT WE CONCENTRATE ON ARE ASIA, AFRICA, AND SOUTH AMERICA.
NOW, HERE I WANT TO GIVE YOU A PICTURE OF WHO OUR CUSTOMERS ARE, WHAT THEY ARE LIKE, WHAT DO THEY NEED, WHAT IS THEIR MENTAL MODEL, WHAT ARE THEIR PRIORITIES?
THIS IS WHAT WE ARE GOING TO BE TALKING ABOUT AND LOOKING AT TODAY.
OUR CUSTOMERS ARE MOSTLY NONTECHNICAL.
MOST OF THEM ARE SMALL/MEDIUM BUSINESSES, ANYWHERE BETWEEN A THOUSAND DOLLARS AND $40,000 IN ANNUAL REVENUES.
THEY LOOK FOR HIGH-QUALITY, EXCELLENT SERVICE PACKAGES BACKED BY STRONG TECHNOLOGY AND CUSTOMER SERVICE.
THEY LOVE HAND-HOLDING.
AND THEY LIKE FACE-TO-FACE INTERACTIONS.
WHAT ARE THEIR PRIORITIES?
DEFINITELY, THEIR PRIORITY IS NOT INTERNET TECHNOLOGY.
ONLINE FORUMS AND ONLINE ADVERTISING ARE NOT THE MAINSTREAM.
MOST BUSINESSES USE GMAIL OR YAHOO! MAIL BECAUSE THEY ARE FREE SERVICES.
WHY DO WE NEED DOMAIN NAMES?
YAHOO! PROVIDES A FREE SERVICE, AND THAT'S FINE WITH ME.
MANY BUSINESSES HAVE LOW-BANDWIDTH CONNECTIVITY, AND THE MOST-USED APPLICATION IS THE WEB BROWSER.
SO THIS IS OUR CUSTOMER PRIORITY IN THE DEVELOPING COUNTRIES TODAY.
MOST OF OUR CUSTOMERS' MENTAL MODEL IS, IF YOU TALK ABOUT SECURITY, INSTALLATION OF AN ANTI-VIRUS PROGRAM IS THE ULTIMATE SECURITY.
A LOT OF SOFTWARE IS NOT LICENSED, EVEN TODAY.
NO PROBLEMS USING PIRATED OR SHARED LICENSES.
A LOT OF MY CUSTOMERS ARE STILL SUSPICIOUS GIVING CREDIT CARDS ONLINE.
YOU KNOW, THEY WOULDN'T EVEN MIND TRAVELING 100 MILES AND COMING AND KNOCKING AT THE DOOR AND SITTING WITH US AND CHITCHATTING FOR FOUR HOURS AND BOOKING A DOMAIN NAME, HAVING A CUP OF COFFEE, AND PAYING BY CASH.
BECAUSE THEY DON'T LIKE TO PAY ONLINE.
IT WAS FUN GOING IN THERE AND WORKING IN THAT COMMUNITY.
I LOVE IT.
BUT WE HAVE TO THINK ABOUT THESE ISSUES.
CHALLENGES IN DEVELOPING COUNTRIES.
I'M GOING TO BRING FORTH IN FRONT OF YOU SOME CHALLENGES THAT WE FACE.
WHEN WE TALK ABOUT DNSSEC, SOME ISSUES HERE ARE COST AND CURRENCY ISSUES, LANGUAGE ISSUES, MARKET NEEDS, ISP ADOPTION, GOVERNMENT SUPPORT, EDUCATION AND AWARENESS.
WHEN YOU TALK ABOUT SECURITY, DNS SECURITY, EDUCATION AND AWARENESS.
AND PLANNING AND BUDGET.
WE HAVE TO CONSIDER ALL THESE ISSUES WHEN WE THINK ABOUT THE SCOPE AND DEPLOYMENT OF DNS SECURITY.
COST AND CURRENCY ISSUES, WHEN WE TALK ABOUT IT, A DOLLAR GOES A LONG WAY.
I KNOW ED WILLS KNOWS, HE RECENTLY VISITED WITH ME TO INDIA.
DO YOU KNOW, IT COSTS 5 CENTS TO HAVE A GREAT CUP OF TEA IN SRI LANKA?
AND DO YOU KNOW, IT IS LESS THAN $2 TO HAVE A GREAT LUNCH OR DINNER IN A RESTAURANT IN INDIA?
DO YOU KNOW THE CURRENCY CONVERSION RATE FOR A DOLLAR TO RUPEE?
FOR THE INDIAN RUPEE, IT'S 40 RUPEES TO ONE DOLLAR.
IN SRI LANKA, IT'S ONE DOLLAR TO 90 RUPEES.
BUT I'M TALKING ABOUT THESE COST ISSUES, THE CURRENCY CONVERSION RATES.
WHY DO YOU THINK PEOPLE WOULD WANT TO GO AND PAY SUCH AMOUNT OF MONEY TO GO AND BUY A GOOD GTLD OR STLD NAMES WHEN THEY CAN GET A YAHOO! NAME FREE?
IF I'M NOT A TECHIE COMPANY, I DON'T NEED A DOMAIN NAME.
THAT'S SOME OF THE ATTITUDES WE SEE.
SO WE SPENT A LOT OF TIME EDUCATING, CONVERTING, AND TALKING ABOUT THE IMPORTANCE OF THE GTLDS, THE STLDS, THE DOMAIN NAMES.
WHEN WE DO ALL THESE THINGS, WHERE IS THE QUESTION OF DNSSEC?
WHERE IS THE QUESTION OF SSI SECURITY?
SO.... LANGUAGE ISSUE.
ALTHOUGH ENGLISH IS A COMMON LINK LANGUAGE IN MANY OF THE DEVELOPING COUNTRIES, THERE ARE ABOUT 85 LANGUAGES IN ALL THE MARKETS WE COVER.
WE ARE OFTEN ASKED TO PROVIDE SUPPORT IN AT LEAST EIGHT TO TEN LANGUAGES.
AND TODAY, WE DO NOT HAVE MATERIALS ON DNS; DNS SECURITY MATERIALS ARE NOT AVAILABLE IN HINDI OR ARABIC.
THESE TWO LANGUAGES ARE SPOKEN BY OVER ONE BILLION PEOPLE WORLDWIDE.
SO LANGUAGE IS A HUGE ISSUE IF WE DO NOT HAVE EDUCATIONAL MATERIALS IN THE LOCAL LANGUAGES.
ARE THE DEVELOPING COUNTRIES READY FOR DNSSEC?
MILLION DOLLAR QUESTION.
THE SAME QUESTION WE SHOULD ASK IF THE WESTERN WORLD IS READY FOR DNSSEC.
WE KNOW IT'S IMPORTANT, BUT ARE WE READY?
WE CALLED A LOT OF OUR ISPS IN INDIA AND SRI LANKA AND MALAYSIA AND SINGAPORE.
AND, TO OUR SURPRISE, A LOT OF THE ISPS DO NOT HAVE DNSSEC IN THEIR BUDGET FOR THE YEAR 2006 OR FOR THE YEAR 2007.
THEY'RE NOT EVEN THINKING ABOUT IT.
WHY?
BECAUSE THE MARKET DEMAND DOESN'T CALL FOR IT.
NO INCIDENT HAS SCARED THE MARKET YET.
SO WE TALKED TO OUR CUSTOMERS.
"WHAT DO YOU THINK?"
AND MY CUSTOMERS WERE SO FUNNY.
THEY SAID, "WE USE THE INTERNET FOR E-MAILS, SO THAT'S OKAY.
NO FEAR OF SECURITY LAPSES."
I'M JUST GIVING YOU A PICTURE OF DNSSEC AND THE NEED FOR IT IN TODAY'S GROWING MARKET.
IN DEVELOPING COUNTRIES, YOU NEED TO UNDERSTAND, GOVERNMENTS HAVE A LOT OF AUTHORITY IN THESE COUNTRIES.
POLICIES AND PROCEDURES MADE BY THE GOVERNMENT INFLUENCE THE BUSINESSES IN A BIG WAY.
INTERNATIONAL EXPERTS, SPEAKERS ARE OFTEN CONSIDERED TO BE MORE LEGITIMATE THAN LOCAL AUTHORITIES.
SO THE EDUCATION AND AWARENESS OF THE PEOPLE, THE COMMON PEOPLE, IS LIMITED TO THESE LECTURES AND WHAT THEY HEAR FROM THE AUTHORITIES FROM THE WESTERN WORLD.
IF A WESTERN I.T. BRAND, GARTNER, META, IDG, IF THEY SAY, "BUDGET FOR DNSSEC," THEY WILL JUMP UP AND DOWN AND THEY WILL DO IT.
JUST AN IDEA, IF YOU'RE PLANNING FOR SOMETHING LIKE THAT.
SO WE TALKED ABOUT THE ISSUES.
THESE ARE ONLY A FEW ISSUES I AM TALKING ABOUT THAT WE WILL FACE.
NOW WE NEED TO TALK ABOUT WHAT CAN WE DO.
HOW CAN WE GET THIS MARKET READY FOR DNSSEC?
FIRST OF ALL, MY HUMBLE REQUEST IS, STOP CALLING IT "DNSSEC."
IT IS TOO TECHIE AND IT'S TOO INTIMIDATING EVEN FOR ME.
CREATE A NET-SECURE MARK/LOGO PROGRAM.
PUBLICIZE THE PROBLEMS PROMINENTLY.
PUBLICIZE, PUBLICIZE, PUBLICIZE.
I DON'T KNOW HOW MANY ICANN OFFICIALS ARE HERE, BUT ICANN MUST DEFINITELY ALLOCATE SOME MONEY FOR THE EDUCATION OF DNSSEC IN DEVELOPING COUNTRIES.
ISOC AND SIMILAR ORGANIZATIONS COULD PROMOTE THE AWARENESS OF DNSSEC ALSO.
WHO ARE SOME OF THE PEOPLE WHO TAKE IT TO THE MARKET AND GO AND MARKET AND TALK ABOUT DNSSEC?
REGISTRARS.
ICANN-ACCREDITED REGISTRARS.
A REQUEST TO ICANN OFFICIALS: LOWER THE FINANCIAL REQUIREMENT TO BECOME AN ICANN-ACCREDITED REGISTRAR IN DEVELOPING COUNTRIES.
CAN YOU IMAGINE THE AMOUNT OF MONEY YOU HAVE TO HAVE IN YOUR BANK BEFORE YOU APPLY FOR ACCREDITATION, IF IT'S THE SAME EVERYWHERE?
REGISTRARS ARE THE ONES WHO CAN EFFECTIVELY EVANGELIZE THIS MARKET.
TODAY, THESE MARKETS ARE PRIMARILY SERVED MORE BY RESELLERS, AND THEY DO NOT OFTEN INVEST IN INFRASTRUCTURE PROJECTS.
SO UNLESS WE INCREASE THE NUMBER OF ICANN-ACCREDITED REGISTRARS IN THE GROWING DEVELOPING COUNTRIES, IT'S VERY DIFFICULT.
INTERNET EDUCATION AND INFORMATION ON DNSSEC IN DIFFERENT LANGUAGES.
EDUCATION AND AWARENESS IS PRIMARY.
SO WE NEED TO PUT IT IN MULTIPLE LANGUAGES, AND BILINGUAL SO PEOPLE FROM ALL OVER THE COUNTRY CAN READ.
WE CAN ALSO CREATE AN INTERNATIONAL TASK FORCE TO WORK ON THE ROLLOUT OF DNSSEC THAT WILL ISSUE WHITE PAPERS, SPEAK AT THE CONFERENCES, AND MARKET THIS TOPIC IN ALL THE LANGUAGES, AT LEAST THE MAIN LANGUAGES, LIKE HINDI AND ARABIC, SO PEOPLE UNDERSTAND.
THERE ARE A LOT OF PEOPLE WITH MONEY, BUT THEY DON'T KNOW; THEY ARE SCARED AS HECK OF ALL OF THIS INTERNET, BECAUSE MOST OF IT IS ALL IN ENGLISH.
SO, FINALLY, LADIES AND GENTLEMEN, I THANK YOU SO MUCH FOR GIVING ME AN OPPORTUNITY TO COME AND PRESENT IN FRONT OF YOU THE ISSUES AND WHAT IT WILL TAKE TO MAKE DNSSEC A GRAND SUCCESS IN DEVELOPING COUNTRIES.
AND, AGAIN, I WANT TO EMPHASIZE, IT'S A GREAT IDEA, AND I WOULD SAY IT IS THE INSURANCE POLICY FOR ALL THE ONLINE IDENTITY HOLDERS.
BUT WE NEED TO ROLL OUT AND DEPLOY AND IMPLEMENT DNSSEC WITH A LOT OF PLANNING AND A LOT OF MARKETING, AND ALWAYS, ALWAYS TAKE THE GOVERNMENT OFFICIALS ON YOUR SIDE TO EMPHASIZE WHAT WE WANT TO DO IN THESE COUNTRIES.
I THANK YOU SO MUCH.
(APPLAUSE.)
>>ALLISON MANKIN: THANK YOU VERY MUCH.
OKAY.
SO OUR NEXT SPEAKER IS MARGIE MILAM, WHO'S FROM MARKMONITOR.
SHE'S THE GENERAL COUNSEL AND VICE PRESIDENT.
AND HER PRESENTATION IS JUST BEHIND THERE.
WHY DON'T I BRING IT UP FOR YOU.
OKAY.
JUST USE THE ARROW KEY.
>>MARGIE MILAM: OKAY, GREAT.
GOOD MORNING, EVERYONE.
I THOUGHT IT WOULD BE HELPFUL TO PROVIDE YOU AN OVERVIEW OF DNSSEC FROM THE PERSPECTIVE OF A CORPORATION, A COMPANY LIKE MARKMONITOR, THAT REPRESENTS MANY CORPORATIONS.
MARKMONITOR PLAYS AN ACTIVE ROLE IN INTERNET SECURITY.
WE ARE AN ICANN-ACCREDITED REGISTRAR.
WE SERVE OVER 40 OF THE FORTUNE 100 CORPORATIONS.
THESE ARE COMPANIES LIKE GOOGLE, YAHOO!, DELL, BIG CORPORATIONS CONDUCTING LOTS OF BUSINESS OVER THE INTERNET.
WE ALSO REPRESENT A NUMBER OF INTERNATIONAL AND DOMESTIC BANKS THAT ARE CONCERNED ABOUT ONLINE FRAUD AND FRAUD-RELATED ISSUES.
OUR PRODUCTS FOCUS PRIMARILY ON CORPORATE IDENTITY PROTECTION.
SO THIS INCLUDES EVERYTHING FROM DOMAIN NAME MANAGEMENT TO MONITORING ONLINE BRAND ABUSE, DETECTION OF PHISHING EVENTS.
WE HAVE AN ALLIANCE THROUGH MANY ISPS, SUCH AS AOL AND EARTHLINK AND YAHOO!, WHERE WE WILL SCAN THROUGH E-MAILS AND IDENTIFY FRAUDS ON BEHALF OF OUR CLIENTS.
WE ALSO PROVIDE ADMINISTRATIVE AND TECHNICAL SHUTDOWN SERVICES WHEN A FRAUD IS RECOGNIZED SO THAT IT CAN BE TAKEN DOWN QUICKLY.
AND WE'VE ALSO DEVELOPED AN ALLIANCE WITH MICROSOFT FOR THEIR NEW INTERNET EXPLORER, VERSION 7, WHERE WE WILL BE PROVIDING INFORMATION TO THE BROWSER THAT WILL ENABLE CONSUMERS TO IDENTIFY WHETHER A SITE IS FRAUDULENT OR SAFE.
SO WE PROVIDE BLACK-LISTING SERVICES AND, BASICALLY, BROWSER-FLAGGING SERVICES FOR MICROSOFT FOR OUR CORPORATE CLIENTS.
THE KINDS OF ISSUES THAT OUR CLIENTS FACE ARE MANY.
SOME OF THEM WOULD NOT LIKELY BE SERVED BY DNSSEC.
DNSSEC MAY ADDRESS SOME OF THESE ISSUES.
BUT I'VE HIGHLIGHTED HERE THE KINDS OF THINGS THAT OUR CLIENTS ARE CONCERNED ABOUT.
CLEARLY, THE CONCERN ABOUT IDENTITY THEFT, PHISHING, PHARMING, CRIMEWARE THAT IS VERY SIGNIFICANTLY AFFECTING AMERICAN BUSINESSES AND INTERNATIONAL BUSINESSES.
THEY'RE ALSO CONCERNED ABOUT COUNTERFEIT AND GRAY MARKET GOODS AND TRAFFIC DIVERSION THAT CAN RESULT FROM DNSSEC -- DNS-TYPE POISONING.
THESE TYPES OF ATTACKS OCCUR THROUGH MANY VENUES, AND SOME OF THEM WOULD NOT BE ADDRESSED THROUGH THE DNSSEC PROTOCOL.
THE E-MAIL SOLICITATIONS FOR PHISHES, FOR EXAMPLE, WEB SITE DOWNLOADS, SOFTWARE INSTALLATION.
THESE ARE ALL THE DIFFERENT WAYS THAT OUR COMPANIES ARE TARGETED BY FRAUDSTERS.
THE PHISHING PROBLEM IS THE MOST SIGNIFICANT PROBLEM THAT OUR CLIENTS FACE RIGHT NOW.
CLEARLY, PHISHING THAT TARGETS THE CONSUMERS' PRIVATE INFORMATION IS A PROBLEM, AND PHISHERS ARE OPPORTUNISTIC RIGHT NOW AND ARE GRAVITATING TOWARDS COMPANIES THAT HAVE LESS-SECURE SECURITY ENVIRONMENTS.
SO EARLY ON IN THE PHISHING PROBLEM, WE SAW ATTACKS TARGETING THE MAJOR FINANCIAL INSTITUTIONS.
AND AS THE FINANCIAL INSTITUTIONS GOT SMARTER ABOUT HOW THE ATTACKS OCCURRED, WE HAVE BEEN SEEING ATTACKS AT SMALLER INSTITUTIONS, FOR EXAMPLE.
SO IT'S SOMETHING THAT OUR CLIENTS ARE CONCERNED ABOUT, IS HAVING SECURITY THAT MAKES THEM LESS OF A TARGET TO PHISHERS.
I'VE PROVIDED JUST A COUPLE OF EXAMPLES OF THE KINDS OF PHISHING E-MAILS THAT ARE OUT THERE.
THEY'RE VERY SOPHISTICATED.
THIS IS ONE THAT TARGETED THE KATRINA HURRICANE EFFORTS.
AND AS YOU CAN SEE, THERE'S NUMEROUS LINKS IN THIS EMAIL.
SOME OF THEM GO TO THE LEGITIMATE RED CROSS SITE.
AND SOME OF THEM GO TO THE PHISHER WEB SITE, WHERE YOU WOULD PROVIDE YOUR PERSONAL INFORMATION.
IT'S VERY DIFFICULT FOR CONSUMERS TO DETECT WHETHER THIS IS A LEGITIMATE E-MAIL OR NOT.
THOSE ARE THE KINDS OF ISSUES THAT OUR CLIENTS FACE, IS HOW TO EDUCATE THEIR CUSTOMERS TO AVOID REPLYING TO AN E-MAIL LIKE THIS.
THIS IS ANOTHER TYPE OF EXAMPLE, A LITTLE MORE SOPHISTICATED, WHERE IF YOU CLICKED ON AN E-MAIL, YOU'D BE POINTED TO A POPUP PAGE.
IF YOU PROVIDE YOUR INFORMATION IN THE POPUP, IT WOULD GO DIRECTLY TO THE PHISHER SITE.
BUT IN THE BACKGROUND, AS YOU CAN SEE, THE LEGITIMATE SITE OF THE BANK WILL ACTUALLY APPEAR.
SO A CONSUMER LIKE MYSELF MAY SEE THIS AND ACTUALLY FALL PREY TO THIS TYPE OF A SCAM, BECAUSE YOU CAN SEE THE LEGITIMATE WEB SITE AND IT DOES, INDEED, HAVE ALL THE INFORMATION THAT THE BANK SITE WOULD HAVE.
THERE'S ALSO BROWSER-RELATED FRAUDS.
HERE'S AN EXAMPLE OF ONE WHERE THE ADDRESS BAR IS REPLACED, SO IF A CONSUMER IS LOOKING AT THE TOP TO SEE WHETHER THEY'RE AT THE BANK SITE, IT APPEARS THAT THEY ARE.
ONE OF THE TYPES OF FRAUDS THAT WE SEE IS PHARMING.
AND I THINK THIS IS THE TYPE OF CONCERN THAT MAY BE ADDRESSED BY DNSSEC.
PHARMING IS WHEN I.P. ADDRESSES ARE CHANGED TO REDIRECT A DOMAIN NAME TO A FRAUDULENT WEB SITE.
AND ONE OF THE REASONS FOR DOING THIS WOULD BE TO OBTAIN CONFIDENTIAL INFORMATION FROM THE USER.
DNS-TYPE ATTACKS HAVE OCCURRED. FOR EXAMPLE, IN 2004, GOOGLE AND AMAZON USERS WERE SENT TO AN ONLINE PHARMACY.
AND THIS WAS THROUGH DNS TACTICS.
THE AL-JAZEERA WEB SITE IN 2003 WAS REDIRECTED TO A SITE THAT SAID "GOD BLESS OUR TROOPS."
AND SO I THINK THIS IS THE KIND OF THING WHERE OUR CUSTOMERS MAY BENEFIT FROM A DNSSEC-TYPE DEPLOYMENT.
THE PROBLEM WITH PHARMING IS IT'S MORE DANGEROUS THAN PHISHING.
BECAUSE MOST PHISHING INVOLVES AN E-MAIL SOLICITATION.
BUT PHARMING DOES NOT INVOLVE AN E-MAIL SOLICITATION AT ALL.
WHAT HAPPENS IS THAT OUR CUSTOMER WOULD ACTUALLY TYPE IN THE DOMAIN NAME, AND WOULD THINK THAT THEY'RE GOING TO THE LEGITIMATE SITE WHEN, IN FACT, THEY'RE GOING TO A SITE SET UP BY A FRAUDSTER.
FROM OUR PERSPECTIVE, AT THE MOMENT, PHISHING IS THE LARGEST PROBLEM, AND WE'RE NOT QUITE SURE THAT ALL PHISHING WOULD BE ADDRESSED BY DNSSEC.
THE E-MAIL SOLICITATIONS WOULD STILL BE OUT THERE.
AND OUR CLIENTS WILL STILL HAVE TO DEAL WITH PHISHING PROBLEMS THAT ARE UNRELATED TO DNS.
ALTHOUGH WE ARE SEEING INSTANCES OF PHARMING AND DNS ABUSE, AND THOSE INSTANCES ARE GROWING.
ACCORDING TO GARTNER, THE PROBLEM IS SIGNIFICANT. IN THE LAST YEAR ALONE, THE LOSS TO CONSUMERS AND INSTITUTIONS WAS APPROXIMATELY $2.5 BILLION AND IN THEIR SURVEY NEARLY ONE-THIRD OF CONSUMERS WERE CONCERNED ABOUT IDENTITY THEFT. THE INTERESTING STATISTIC HERE IS 30% OF ONLINE BANKING CUSTOMERS HAVE CHANGED THEIR USAGE TO DECREASE THE AMOUNT OF ACTIVITY THEY USE -- THAT THEY CONDUCT ONLINE. THAT'S A PROBLEM FOR OUR CUSTOMERS, BECAUSE THEY HAVE CHANGED THEIR BUSINESS MODELS TO DO A LOT OF ACTIVITY ONLINE, SUCH AS BANKING AND CUSTOMER SERVICE. AND ONCE CUSTOMERS START BECOMING UNCOMFORTABLE WITH THE INTERNET ENVIRONMENT, THEY WILL HAVE TO MOVE TO MORE EXPENSIVE WAYS TO SERVICE THEIR CLIENTS.
SO THE RISKS ARE HIGH PRIMARILY TO FINANCIAL INSTITUTIONS, THE RETAIL SECTOR, AND REALLY ANY COMPANY THAT DEALS WITH CONFIDENTIAL CUSTOMER INFORMATION. AND THE RISK IS REALLY CUSTOMERS LOSING TRUST IN THE SELF-SERVICE ENVIRONMENT ONLINE AND ASKING FOR SERVICE IN THE BRICK AND MORTAR WORLD WHICH WOULD COST OUR CLIENTS SIGNIFICANT DOLLARS TO ADJUST THEIR BUSINESS PRACTICES.
I WANTED ALSO TO TALK A LITTLE BIT ABOUT GOVERNMENT'S ROLE BECAUSE IT DOES AFFECT HOW OUR CLIENTS VIEW THE SECURITY ISSUES.
OBVIOUSLY THE GOVERNMENT GETS INVOLVED IN EDUCATION AND LAW ENFORCEMENT. BUT, INTERESTINGLY, REGULATIONS AND GUIDANCE CAN ALSO DICTATE HOW COMPANIES VIEW SECURITY. AND JUST RECENTLY, IN OCTOBER 2005, THE FEDERAL AGENCIES THAT GOVERN FINANCIAL INSTITUTIONS IN THE UNITED STATES ISSUED GUIDANCE THAT ASKS BANKS TO ADOPT A MULTI-LAYERED APPROACH TO AUTHENTICATION.
AND WHAT THIS MEANS IS BANKS ARE NOW BEING TOLD THAT SINGLE-LAYER AUTHENTICATION IS NO LONGER APPROPRIATE, AND THAT IS WHAT WE ALL THINK OF AS LOG-INS AND PASSWORDS.
BANKS ARE NOW REQUIRED TO EVALUATE OTHER POSSIBILITIES IN PROVIDING THEIR CUSTOMERS A MORE SECURE AUTHENTICATED ENVIRONMENT. AND PROTOCOLS SUCH AS DNS, DNSSEC, OR OTHER THINGS ARE BEING EVALUATED TO COMPLY WITH THIS NEW NEED, AND THIS NEW GUIDANCE ISSUED BY THE FEDERAL GOVERNMENT.
AND SO AS GOVERNMENTS BECOME MORE INVOLVED IN TELLING BUSINESSES, SUCH AS BANKS AND FINANCIAL INSTITUTIONS, THAT THEY HAVE TO ENHANCE SECURITY, THAT IS HOW PROTOCOLS SUCH AS DNSSEC MAY BE MORE LIKELY TO BE ADOPTED.
SO THE ISSUES FOR OUR CLIENTS ARE FAIRLY SIMPLE. SCAMS ARE EASY TO SET UP, AND ARE CONSTANTLY EVOLVING. SO OUR CLIENTS ARE LOOKING FOR SOLUTIONS THAT CAN MEET THIS DEMAND AND SOLVE THIS PROBLEM.
BUT IT'S A MULTI-LAYERED APPROACH THAT THEY HAVE.
WE WILL LOOK FOR SOLUTIONS TO SERVE MANY ASPECTS OF FRAUD AND ARE EVALUATING TECHNOLOGIES SUCH AS BROWSER BLACK LISTS, ANTI-PHISHING TOOLBARS, DNSSEC AND OTHERS, AND OUR SOLUTION NEEDS TO BE A GLOBAL ONE BECAUSE OUR BUSINESSES ARE DOING BUSINESS ALL OVER THE WORLD WITH CONSUMERS ALL OVER THE WORLD.
SO FROM A MARKMONITOR STANDPOINT, WE TRY TO PROVIDE OUR CLIENTS WITH NUMEROUS APPROACHES TO THE ONLINE FRAUD PROBLEM. AS YOU CAN SEE, THERE'S MANY ASPECTS THAT HAVE TO BE ADDRESSED. ONLY ONE OF WHICH MAY BENEFIT FROM SOMETHING LIKE DNSSEC.
DNSSEC IN THIS SITUATION WOULD PROBABLY AVOID DNS POISONING AND THE PANEL LATER ON CAN TALK ABOUT HOW IT COULD AFFECT AND PREVENT DNS POISONING.
THIS SLIDE TALKS A LITTLE BIT ABOUT HOW E-MAIL IS AUTHENTICATED RIGHT NOW. TODAY IT'S PRETTY BASIC, BUT BECAUSE OF THE CHANGES IN THE MARKETPLACE AND THE REGULATORY ENVIRONMENT, OUR CLIENTS ARE LOOKING TO NEW TECHNOLOGIES TO AUTHENTICATE WHERE AN E-MAIL COMES FROM, AND THEY ARE LOOKING TO TECHNOLOGIES SUCH AS SPF, DOMAINKEYS, AND OTHER SOLUTIONS THAT ARE BEING DEVELOPED NOW TO MAKE E-MAILS MORE AUTHENTICATED; AND DNS WOULD BE COMPLEMENTARY TO THE TYPES OF TECHNOLOGIES THAT ARE BEING EVALUATED TODAY.
SO IN SUMMARY, CYBERCRIMINALS ARE USING MORE ADVANCED WAYS. OUR CLIENTS ARE CONCERNED ABOUT PHISHING AND FRAUD AND ONLINE CRIMES. AND DNS CONTINUES TO BE A PROBLEM IN INSTANCES SUCH AS PHARMING, AS I IDENTIFIED BEFORE.
AND SO OUR CLIENTS ARE REALLY LOOKING AT A MULTI-LEVEL APPROACH TO MONITOR, DETECT, AND TO PROTECT AGAINST FRAUD, BECAUSE FOR THEM, THE ISSUE IS VERY SIGNIFICANT. THEY DO NOT WANT THEIR CUSTOMERS TO LOSE CONFIDENCE IN THE ONLINE CHANNEL AND NEED TO ADAPT TECHNOLOGIES AND SOLUTIONS THAT WILL HELP ENHANCE CONSUMER CONFIDENCE.
AND AS GOVERNMENTS GET INVOLVED IN TELLING BUSINESSES HOW TO BECOME MORE SECURE, THAT WILL ALSO PLAY A PART IN WHAT TECHNOLOGIES BECOME ADOPTED.
AND IF YOU HAVE ANY QUESTIONS ABOUT MARKMONITOR, YOU CAN VISIT OUR WEB SITE.
THANK YOU.
(APPLAUSE.)
>>ALLISON MANKIN: THANKS VERY MUCH. WHAT WE'RE GOING TO DO IS HAVE MARGIE AND UMA SITTING UP WITH THE BUSINESS CASE PANEL EVEN THOUGH THEY WON'T PRESENT, AND THEN WE'LL HAVE A DISCUSSION, I WARN YOU GUYS OF THAT, SO THOUGH THEY WON'T SPEAK AGAIN, WHEN THE DISCUSSION COMES AFTERWARDS, IF YOU HAVE QUESTIONS FOR THEM, THEY COULD SPEAK TO THOSE QUESTIONS.
NEXT WE ARE GOING TO HAVE RUSS MUNDY FROM THE SECURITIES, FROM SPARTA AND FROM THE DNSSEC DEPLOYMENT INITIATIVE DEMO A DNS ATTACK.
SO OVER TO RUSS. HE WILL BE USING TWO SCREENS FOR THAT.
>>RUSS MUNDY: HI. THANKS, ALLISON. SOUNDS LIKE IT'S ON, WORKING. STEVE IS RUNNING A CABLE OVER HERE.
>>ALLISON MANKIN: THAT'S RUSS MUNDY RATHER THAN THE STUART SCHECHTER FOR THE TRANSCRIPTION FOLKS, BUT I THINK YOU WON'T BE TRANSCRIBING BECAUSE HE'LL SWITCH THE TWO SCREENS.
>>RUSS MUNDY: I THINK THE TRANSCRIBING WILL CONTINUE BUT WON'T BE ON THE SCREEN. IT'S BEING RECORDED.
>>ALLISON MANKIN: SPLIT-SCREEN EXCITING ACTION COMING UP.
>>RUSS MUNDY: AND NOW -- WHICH SIDE IS IT ON HERE? HERE WE COME. WE HAVE A LITTLE DIFFERENT SIZE DISPLAYS.
SO HOPEFULLY THEY ALL COME UP TOGETHER. OUR TECHNICAL SUPPORT GUYS, IS THAT OUR MAXIMUM RESOLUTION ON THE PROJECTOR? IF IT IS, THAT'S FINE. IT MIGHT MAKE IT A LITTLE -- OKAY.
SEE IF WE CAN GET ANY HIGHER RESOLUTION HERE.
THAT'S THE PROBLEM WITH GETTING OLD, YOUR EYES DON'T WORK SO WELL.
SO WE'LL GIVE THAT A TRY.
OKAY. SO WE'LL GO WITH THAT.
I WANTED TO GIVE FOLKS A CHANCE TO SEE THE WEB SITE AND FIND IT HERE BACK ON THE SCREEN AGAIN.
LOST THE MOUSE. HERE WE ARE.
SO ALLISON MENTIONED EARLIER THE WEB SITE THAT HAS THE AGENDA ON IT, JUST TO GIVE PEOPLE A VISUAL OF WHAT IT LOOKS LIKE, AND THAT'S ALL I'LL DO. I WILL PUT THE URL UP.
OKAY. DO WE HAVE IT ON -- THERE WE GO. LET ME INCREASE THE FONT A LITTLE BIT. CAN PEOPLE READ THE WEB SITE? DO I NEED TO MAKE THE FONT BIGGER?
>>ALLISON MANKIN: ALSO, IF YOU GO TO WWW.DNSSEC-DEPLOYMENT.ORG, YOU DON'T NECESSARILY HAVE TO GO TO THE WHOLE THING. IN THE LEFT-HAND CORNER THERE IS A LINK TO THE AGENDA. SO -- AND THE AGENDA WILL BE POPULATED WITH ALL THESE SLIDES. SOME OF THEM ARE THERE, AND LATER TODAY YOU WILL HAVE ALL THE SLIDES THERE. SO....
>>RUSS MUNDY: OKAY. SO, WELL I GUESS WE'RE SET NOW.
THANK YOU, ALLISON, FOR THE INTRO, AND STEVE FOR THE TECHNICAL CREW FOR GOING THROUGH THE PAIN OF GETTING THIS SOMEWHAT UNUSUAL ARRANGEMENT SET UP.
FOR NOW, THE SCREEN THAT WAS THE TRANSCRIPTION HERE ON YOUR LEFT WILL BE THE PLACE THAT THE ACTUAL DEMO IS SHOWN.
BUT I'LL USE A FRONT -- I WANT TO GIVE A LITTLE DESCRIPTION ABOUT DNSSEC ON A VERY -- ON A LEVEL THAT'S INTENDED TO NOT BE PARTICULARLY TECHNICAL BUT TO GIVE ENOUGH INFORMATION TO FOLKS SO THEY CAN -- IF YOU DON'T HAVE MUCH FAMILIARITY WITH DNS AND DNSSEC, THAT WILL HOPEFULLY HELP YOU UNDERSTAND SOME OF THE TERMS THAT I'M USING HERE AS PART OF THE PRESENTATION.
AND BASICALLY DNS IS SOMETHING THAT LITERALLY EVERYONE THAT USES THE INTERNET MAKES USE OF. THEY MAY NOT THINK ABOUT IT. MOST PEOPLE DO AT LEAST HAVE AN IDEA OF WHAT A NAME IS. THEY MAY THINK IT'S A WEB SITE AND SO FORTH. BUT, OF COURSE, THAT'S OBVIOUSLY THE DNS.
AND PEOPLE JUST SIMPLY EXPECT IT TO WORK, EXPECT IT TO WORK RIGHT EVERY SINGLE TIME.
AND, IN FACT, MOST OF THE TIME THAT IS, IN FACT, THE CASE. IT DOES FUNCTION CORRECTLY.
UNFORTUNATELY, IT'S NOT ALWAYS THE CASE. YOU KNOW, THERE CERTAINLY HAVE BEEN SOME MALFUNCTIONS OVER TIME, BUT, RELATIVELY SPEAKING, FEW OF THOSE, CONSIDERING HOW MASSIVE AND WIDESPREAD DNS IS, AND THAT IT REALLY IS NEEDED TO MAKE LITERALLY ALMOST EVERY APPLICATION THAT USES THE DNS WORK.
AND SO WHEN PEOPLE DECIDE TO TAKE ADVANTAGE OF THE STRUCTURE THAT'S PUT IN PLACE AND ATTACK IT, IT CAUSES A GREAT DISRUPTION.
NOW, ONE OF THE THINGS THAT HAS OCCURRED OVER TIME IS THAT THERE HAVE BEEN SOME ATTACKS. SOME OF THEM HAVEN'T BEEN WELL PUBLICIZED OR KNOWN. SOME OF THEM HAVE GOT SOME PRETTY GOOD PUBLICATION ABOUT WHAT HAPPENED, AT LEAST AMONGST THE SECURITY COMMUNITY.
AND I'LL INCLUDE A DESCRIPTION OF A FAIRLY WIDELY PUBLICIZED ATTACK OF WHAT HAPPENED EARLIER THIS YEAR THAT ACTUALLY MAKES USE OF BOTH PHARMING AND PHISHING AS PART OF WHAT WAS DONE DURING THE ATTACK.
THE DEMONSTRATION I'M GOING TO GIVE LATER IN THE PRESENTATION IS A SUBSET OF THAT AND IT IS LITERALLY RUNNING ON THESE MACHINES SITTING OVER HERE TO MY RIGHT AND ON YOUR LEFT. AND IT IS FULLY SELF-CONTAINED.
SO WHAT IS -- WHAT IS IT FROM SORT OF A FUNCTIONAL PERSPECTIVE? TO MAKE IT WORK, IT LITERALLY IS DISTRIBUTED THROUGHOUT THE INTERNET, NAMES AND RESOLVERS AND NAME SERVERS ARE EVERY PLACE THE INTERNET IS FOR ALL INTENTS AND PURPOSES.
AND THE PARTS THAT ACTUALLY SORT OF CONSTITUTE THE DNS, I PUT INTO SORT OF TWO PILES. ONE PILE IS THE MOVING PARTS. ANOTHER PILE IS THE NAME SPACE. AND THE DIFFERENCE BEING THAT THE NAME SPACE ITSELF IS THE CONTENT, WHEN YOU THINK OF WWW.GOOGLE.COM, THAT'S NAME SPACE. THAT'S CONTENT.
IF YOU THINK OF A NAME SERVER, IF YOU THINK OF THE ROOT NAME SERVERS IN PARTICULAR, THAT'S PART OF WHAT I'M CALLING HERE THE MOVING PARTS. THEY ARE THE MECHANISM THAT ACTUALLY PROVIDES ANSWERS, STORES THE DATA, AND RESPONDS TO QUERIES. AND IN FACT, BOTH OF THESE PARTS CAN BE AND HAVE BEEN SUBJECTED TO VARIOUS TYPES OF ATTACK OVER TIME.
NOW, WHEN YOU GO TO DO A DNS NAME RESOLUTION, LOOK UP AN ANSWER, HOW MY MACHINE SENDS OFF A QUERY TO FIND OUT HOW TO GET ITS PACKETS TO WWW.DNSSEC-DEPLOYMENT.ORG. BECAUSE THIS MACHINE HAD NO IDEA HOW TO DO THAT AND SO TO GET TO THAT WEB SITE BEFORE I COULD GET IT ON THE SCREEN TOOK SEVERAL DNS QUERIES. AND TO DO THAT YOU ACTUALLY GO THROUGH QUITE A FEW OF WHAT I CALL THE MOVING PARTS.
AND WHILE YOU'RE SOMEPLACE NEAR HOME, NEAR YOUR ENTERPRISE, YOU WILL HAVE YOUR LOCAL NAME SERVER, WHICH IN MOST ENTERPRISES A LOT OF PEOPLE ARE VERY CONFIDENT THAT IT'S RUN WELL. MOST OF THESE ARE RUN AT LEAST REASONABLY WELL, AND THE LIKELIHOOD OF HAVING A HUMAN BEING SIT IN THERE AND ATTACK IT IS NOT REAL HIGH.
THE PROBLEM IS THERE ARE A LOT OF OTHER PLACES THAT IT CAN BE ATTACKED, PLUS YOU'LL SEE BOTH FROM THE DESCRIPTION OF THE PUBLIC ATTACK AND THE DEMO HERE THAT THIS MACHINE ITSELF CAN BE ATTACKED WITHOUT THE HUMAN BEING EVER TOUCHING IT.
SO THE ATTACK THAT I HAVE MENTIONED HERE A COUPLE OF TIMES, AT THE BOTTOM OF THIS SLIDE YOU CAN SEE A URL FOR A FAIRLY DETAILED REPORT AND DESCRIPTION OF WHAT WENT ON HERE.
AND I WOULD STRONGLY URGE ANYBODY THAT WANTS TO HAVE SOMETHING THAT THEY CAN EITHER POINT TO OR PRINT OUT AND READ OR SEND TO SOME OTHER FOLKS TO SAY THIS STUFF IS REAL, TAKE A LOOK AT THAT URL AND GO THROUGH THE INFORMATION THAT'S THERE, AND IT WILL PROVIDE A LOT MORE DETAIL THAN WHAT I'M GOING TO GIVE HERE.
BUT THE FUNDAMENTAL ATTACK USES A VULNERABILITY IN DNS FOR SOME OF THE MOVING PARTS THAT HAS EXISTED OFF AND ON FOR YEARS. AND IT'S LARGELY, ALTHOUGH NOT TOTALLY, DEPENDENT ON THE PARTICULAR IMPLEMENTATION. IN OTHER WORDS, A SPECIFIC RELEASE OF A SPECIFIC NAME SERVER MIGHT HAVE A CACHE POISONING VULNERABILITY. WELL, THE PERPETRATORS OF THIS IDENTIFIED SOME OF THESE NAME SERVERS THAT WERE IN USE AND USED THAT AS THE BASIS OF THEIR ATTACK. IN PARTICULAR, THE REPORT DOCUMENTS THAT THERE WERE SOME SYMANTEC PRODUCTS AND THERE WERE MICROSOFT PRODUCTS AND VINE PRODUCTS THAT WERE IDENTIFIED AS HAVING THIS WEAKNESS.
SO WHAT HAPPENED WAS THE ACTUAL ATTACK STARTED OUT USING PHISHING. EVEN THOUGH PHISHING ITSELF WOULD NOT HAVE BEEN STOPPED OR PREVENTED WITH DNS SECURITY, IT WAS PART OF WHAT WE HAVE SEEN IN TERMS OF THE IMAGINATIVE NATURE OF THE ATTACKERS OUT THERE. THEY WILL USE LOTS OF THINGS, WHATEVER THEY BELIEVE THEY NEED TO MAKE IT WORK.
AND SO BY USING THAT, THEY WERE ABLE TO CAUSE THIS LOCAL NAME SERVER, THAT WOULD BE YOUR LOCAL CACHING NAME SERVER THAT YOU HAVE CONFIDENCE WILL WORK RIGHT -- IN THIS CASE IT WAS A BUNCH OF ISPS WHOSE NAME SERVERS YOU WOULD BE USING, LIKE IF YOU ARE SITTING HERE IN THE HOTEL USING THAT NAME SERVER -- THEY USED CACHE POISONING THAT EFFECTIVELY RESULTED IN ANY QUERY TO DOT COM GOING THROUGH MACHINERY THAT THE ATTACKERS CONTROLLED.
AND ONE OF THE -- YOU CAN SEE OVER THERE ON THE RIGHT-HAND SIDE OF THE SLIDE, THE REAL OBJECTIVE WAS NOT A DNS ATTACK. THE DNS ATTACK WAS A TOOL. IT WAS A PRECURSOR TO THE REAL OBJECTIVE. THE REAL OBJECTIVE BEING TO INSTALL SPYWARE, INSTALL BOTWARE, TO INSTALL FALSE CLICK-FOR-PAY SOFTWARE ON END-USER SYSTEMS. AND IN FACT, IN THE END RESULT, THEY WERE ABLE TO EFFECTIVELY CAPTURE THE FUNCTIONALITY OF A BUNCH OF THINGS IN THE END USER SYSTEM AND WE DON'T EVEN KNOW TODAY IF THAT'S ALL BEEN CLEANED OUT. WE ALSO DON'T KNOW IF, IN FACT, THE PROBLEMS HAVE TOTALLY BEEN SOLVED. IT'S GOTTEN A LOT OF PUBLICATION, BUT WE DON'T KNOW, IN FACT, THAT THEY HAVE BEEN SOLVED.
THERE'S ALSO NO EVIDENCE TO INDICATE THAT THE ATTACKERS HAVE GONE AWAY. ALL RIGHT? THEY ARE, AS FAR AS WE KNOW, STILL OUT THERE. THEY MAY BE LOOKING AT HOW TO MAKE USE OF, AGAIN, MULTIPLE TOOLS, PERHAPS STARTING WITH DNS, PERHAPS STARTING WITH OTHER THINGS, TO WAGE A SIMILAR ATTACK.
AND IN THIS INSTANCE, WHAT DNS SECURITY, HAD IT BEEN IN PLACE, WOULD HAVE DONE IS IT WOULD HAVE FLAGGED THE USERS OF THE NAME SERVER OPERATIONS THAT SOMETHING WAS GOING ON, BECAUSE THIS ATTACK WAS INTENDED TO BE A TOTALLY STEALTHY ATTACK, TO NOT BE IDENTIFIED AT ALL. AND IN FACT THE WAY THAT IT WAS IDENTIFIED WAS SOMEBODY MADE A MISTAKE FROM THE ATTACKER SIDE, AND THAT ALLOWED AN ALERT PERSON TO CATCH IT BY ANOTHER MEANS.
BUT DNSSEC, HAD IT BEEN IN PLACE, WOULD HAVE FLAGGED THIS AS A PROBLEM ALMOST IMMEDIATELY.
NOW, ON TO THE DEMO.
I WANTED TO PUT THESE LARGE RED LETTERS UP ON THE SCREEN, MOSTLY BECAUSE IN SOME JURISDICTIONS, AND I DON'T KNOW ABOUT THIS JURISDICTION, DOING THE KIND OF NAME CHANGE -- NAME SERVICE ATTACK, CHANGING DATA ONLINE, IS ILLEGAL. I DON'T WANT TO MEET THE RCMP AND GET HAULED OFF TO JAIL.
SO EVERYTHING IS CONTAINED AMONGST THESE THREE MACHINES HERE, AND IT'S ALL RUNNING THROUGH A WIRED HUB, SO NOTHING LEAVES IT. I'M NOT GOING TO ATTACK YOUR MACHINES OR ANYTHING LIKE THAT, THOUGH FRANKLY IN THE PAST WE HAVE DONE SOME OF THESE THAT OFFERED PEOPLE THE CHANCE TO PLAY AND HAVE THEIR MACHINES ATTACKED. IT IS SOMETHING THAT IS READILY DOABLE BECAUSE THIS WAS BUILT USING TOOLS THAT ARE AVAILABLE ON THE OPEN INTERNET.
NOW, WHAT WE'RE GOING TO DO HERE, I'M GOING TO SIT DOWN FOR JUST A MOMENT, IS WE'RE GOING TO FIRE UP ON THE SCREEN YOU WILL SEE OVER HERE IS A WEB BROWSER, COMMON WEB BROWSER, MOZILLA. AND JUST THE SHORT SUMMARY OF WHAT THIS IS IS THE USER'S WEB TRAFFIC IS ACTUALLY GOING TO BE MODIFIED ON THE FLY. OKAY? THE USER, WITHOUT DNSSEC, WOULD HAVE NO WAY OF KNOWING THIS.
AND WE PUT A LITTLE FLAG IN IT SO IT'S OBVIOUS THAT SOMETHING WAS MODIFIED, BUT WITHOUT THAT FLAG, THE USER WOULD HAVE NO WAY OF REALIZING THAT THEIR TRAFFIC HAD BEEN AFFECTED.
SO VERY SIMPLE LITTLE MACHINE HERE. FOR THOSE THAT LIKE KIND OF THE HARDWARE BASIS, THIS MACHINE OVER HERE IS ACTUALLY THE OFFICIAL NAME SERVER, AND THE ONE IN THE MIDDLE IS THE ATTACK MACHINE, AND THE ONE ON THE LEFT THAT'S NOT RESPONDING, WONDERFUL, IS THE POOR CLIENT THAT'S BEING ATTACKED.
SO LET ME JUST RESTART THE NAME SERVER HERE. AND LET'S SEE IF WE....
YES. THE JOYS OF DOING LIVE DEMOS. SAT HERE AND DID IT FIVE TIMES BEFORE THIS, AND IT ALL WORKED. AND NOW I'M NOT SURE WHY IT'S NOT, BECAUSE IT SHOULD BE RESPONDING MORE QUICKLY.
OKAY. SO LET ME SHOW ON THE SLIDES OVER HERE WHAT'S SUPPOSED TO BE HAPPENING.
AND SO WHAT WE'RE ACTUALLY SEEING HERE, IF YOU LOOK ON THE SCREEN ON THE LEFT, IS THAT THE MACHINE OVER HERE, JIMMY, IS MAKING A QUERY. OKAY. SO DID SOMEBODY UNPLUG ME? OKAY. IT LOOKS LIKE SOMETHING MAY HAVE GONE TO SLEEP. OKAY.
I ACTUALLY HAVE NOT STARTED THE ATTACK MACHINE YET. AND THE QUERY COMES BACK WITHOUT MODIFICATION, AND EVERYTHING WORKS AS IT IS SUPPOSED TO.
NOW, YOU'LL NOTICE THAT THE IP ADDRESS THAT YOU SEE OVER THERE IS A PRIVATE IP ADDRESS, ENDS WITH 45. AND THEN WHEN THE ACTUAL ATTACK STARTS, WHAT HAPPENS IS THE MACHINE IN THE MIDDLE THAT'S KNOWN AS TWOSTEP, SITTING THERE LISTENING ON THE LINE, AND IT PROVIDES AN ANSWER BEFORE THE REAL NAME SERVER. THE ANSWER BEING NOW POINTING IT TO IP ADDRESS 15.
AND THAT ACTUALLY GIVES THE MODIFIED WEB PAGE UP. AND FROM A FUNCTIONAL PERSPECTIVE, AS FAR AS THE USERS GETTING IT, ALTHOUGH THE BITS RETURN TO THE MACHINE, IT EFFECTIVELY BLOCKS THE CORRECT ANSWER FROM EVER REACHING THE MACHINE.
NOW, WITH DNSSEC IN PLACE, YOU HAVE POLICY CHOICES. THE FIRST POLICY THAT WE ARE SHOWING IS A STRICT POLICY. THE QUERY IS SENT OUT, GETS TO THE PROPER NAME SERVER. AGAIN, THE BAD GUY IS SITTING IN THE MIDDLE AND RESPONDS WITH THE INVALID INFORMATION.
WHAT DNSSEC DOES IS ALLOWS THE CHECK TO SAY THIS IS INVALID INFORMATION, AND THE STRICT POLICY SAYS, AND I'M NOT GOING TO GIVE ANYTHING BACK TO THE APPLICATION.
AND SO THE APPLICATION JUST GETS "NAME NOT FOUND."
NOW, WITH THE EXTENDED POLICY, WHAT THIS ALLOWS YOU TO DO IS TO SAY I'M GOING TO WAIT IF I AM CERTAIN THAT THIS IS A SECURE DOMAIN AND THAT I WILL BE ABLE TO VALIDATE THE ANSWER. BECAUSE PART OF THE ATTACK VULNERABILITY THAT ALMOST EVERY DNS RESOLVER HAS IS THAT THE DNS RESOLVER TAKES THE FIRST ANSWER THAT IT GETS.
THIS ACTUALLY CHANGES THAT AND SAYS, I SEE THAT FIRST ANSWER AND I SEE THAT IT'S INVALID AND I KNOW I SHOULD BE GETTING A SECURABLE ANSWER. AND SO I'M GOING TO WAIT FOR THAT. AND IN THIS CASE IT WAITS AND THEN GETS THE VALID ANSWER.
SO THAT'S, INDEED, WHAT I'M SUPPOSED TO HAVE RUNNING HERE.
SO IF I COULD BEG EVERYBODY'S INDULGENCE FOR JUST A MINUTE, I WILL TAKE THE LAST COUPLE OF MOMENTS HERE TO MAKE THIS ACTUALLY WORK.
AH, SUCCESS!
OKAY. THIS IS THE ANSWER. THIS IS WHAT YOU MIGHT CALL AN ENGINEER'S SOPHISTICATED WEB PAGE. NOT A MARKETER'S WEB PAGE.
SO THIS IS FROM OUR RESEARCH BED, TEST BED, BACK AT THE RANCH.
AND WHAT WE'VE GOT THERE IS YOU CAN SEE JUST IT'S TEXT, AND WE DO HAVE OUR KEY ON THERE.
SO WHEN THIS IS -- THIS IS RUNNING WITHOUT DNSSEC, AND SO I WILL STOP THE BROWSER, EMPTY OUT THE DNS CACHE. AND THEN START THE ATTACK.
SO THIS TIME, AGAIN, STILL RUNNING WITHOUT DNSSEC, YOU'LL SEE THAT THE PAGE LOOKS THE SAME EXCEPT FOR "YOU ARE BEING WATCHED." AND IN FACT, THIS WAS CONTENT THAT WAS INSERTED ON THE FLY FROM -- AS THE ANSWER ACTUALLY CAME BACK FROM THE REAL WEB SERVER RUNNING ON WAREHOUSE BY WAY OF THE ATTACK MACHINE. AND WE JUST MADE THAT MODIFICATION SO YOU COULD SEE WHAT HAPPENED. BUT YOU CAN USE YOUR IMAGINATION AND FIGURE OUT THE MANY OTHER THINGS THAT YOU MIGHT BE ABLE TO DO WITH THIS.
NOW, WHAT I'LL DO IS FIRST SHOW THE POLICY OF -- WITH THE STRICT POLICY. IT'S HARD TO TYPE WHEN YOU ARE AT A FUNNY ANGLE.
AND WITH THE ATTACK RUNNING, NOW YOU'LL SEE A LITTLE BIT OF DATA OVER HERE. THESE ARE -- THESE ARE LOGS FROM WHAT'S GOING ON IN THE BACKGROUND WITH WHAT DNS IS DOING. AND DNS SECURITY. AND, IN FACT, AS WITH ANY INFRASTRUCTURE, YOU WANT -- ELEMENT, YOU WANT TO MAKE IT AS INVISIBLE TO THE USER AS POSSIBLE.
SO FOR THOSE THAT CAN READ, YOU SEE SOME RED UP THERE. THAT'S BASICALLY SAYING THAT THE VALIDATION HAS FAILED, AND WITH THIS STRICT POLICY IN PLACE, THE BROWSER, YOU CAN SEE THE LITTLE -- WELL, MAYBE YOU CAN SEE THE LITTLE HOUR GLASS THERE, IS WAITING, WAITING, WAITING FOR AN ANSWER. AND IN A LITTLE BIT -- OKAY, HERE WE COME, NAME DOES NOT EXIST.
SO THIS ILLUSTRATES THE STRICT POLICY THAT YOU CAN SET UP ASSOCIATED WITH DNSSEC. AND THEN YOU WOULD -- IF YOU WANTED THE MORE ENHANCED POLICY, YOU SIMPLY WOULD USE THAT AND WAIT FOR THE ACTUAL SECURED CHECKABLE ANSWER.
SO SORRY FOR THE LITTLE HICCUP IN THE MIDDLE OF GETTING THAT RUNNING THERE, BUT THAT WAS THE DEMONSTRATION. WE'RE A LITTLE BIT SHORT ON TIME AND WE WANT TO HOLD QUESTIONS UNTIL THE END. BUT THAT WAS, IN FACT, THE DEMO OF THE REAL LIVE ATTACK. THANK YOU.
(APPLAUSE.)
>>ALLISON MANKIN: OKAY.
NOW WE'RE GOING TO HAVE A PANEL ABOUT BUSINESS CASES.
AND THE FOLKS ARE GOING TO GO UP.
AND THEY KNOW THE ORDER THEY'RE GOING IN.
AND THEY'RE GOING TO INTRODUCE THEMSELVES.
AND THE FIRST ONE WILL BE STUART.
SO -- DO YOU HAVE YOUR PLUG, STUART?
STEVE IS GIVING HIM THAT.
LET ME SAY THIS: IF YOU WANT TO SEE THAT IN A WAY THAT YOU CAN SEE IT BETTER, THE DEMO, RUSS WILL STAY THROUGH FOR A WHILE IN THE LUNCH BREAK.
SO HE'LL LEAVE IT SET UP.
AND FEEL FREE TO GO AND ASK HIM QUESTIONS OR ASK HIM TO SHOW YOU THE DEMO AGAIN.
BECAUSE IT ACTUALLY IS PRETTY COMPELLING.
IT WAS A LITTLE HARD TO SEE.
YOU HAVE THE PLUG, STUART?
>>STUART SCHECHTER: (INAUDIBLE).
>>ALLISON MANKIN: OKAY.
SO PEOPLE WILL INTRODUCE THEMSELVES, AND IS EVERYBODY UP THERE?
YES.
YOU'RE NOT -- GET BACK UP THERE.
YOU'RE AN ESCAPEE.
WE ARE GOING TO HAVE A DISCUSSION.
SO WAKE UP, EVERYBODY.
THEY'RE GOING TO TALK A BIT AND PAY ATTENTION.
BE CAREFUL.
DON'T BACK UP OR GET DEFENSIVE AND FALL OFF.
ACTUALLY, SEBASTIAN, YOU'RE IN THE WRONG PANEL.
YOU CAN STAY THERE, BUT THIS IS ACTUALLY THE BUSINESS CASE PANEL.
YOU CAN STAY THERE.
BUT -- AND YOU CAN ANSWER QUESTIONS.
BUT YOU'LL BE THERE FOR THE NEXT ONE.
SO PLAN ON A DISCUSSION SESSION AFTER THEY'VE PANELIZED, COME TO THE MIKE, AND HAVE DISCUSSION.
SO, STUART, START UP.
INTRODUCE YOURSELF AND THEN MOVE ON.
>>STUART SCHECHTER: HI.
I'M STUART SCHECHTER FROM MIT LINCOLN LABORATORY.
CAN EVERYONE HEAR OKAY WITH THIS DISTANCE TO THE MIKE?
>> YES.
>>STUART SCHECHTER: GREAT.
SO I'M GOING TO BE TALKING ABOUT BUSINESS CASES FOR REGISTRARS FOR DEPLOYING DNS SECURITY.
AND I'M ONLY GOING TO HAVE TWO SLIDES.
AND THE DIFFERENCE BETWEEN THE TWO SLIDES ARE THAT I'M GOING TO BE TALKING ABOUT TWO DIFFERENT CLASSES OF CUSTOMERS FOR REGISTRARS.
SO ONE CLASS OF CUSTOMER, IF YOU'RE A REGISTRAR, ARE THOSE CUSTOMERS WHO -- FOR WHOM YOU MANAGE THEIR DNS SERVICES.
SO YOU'RE NOT ONLY -- THEY'RE NOT ONLY YOUR REGISTRANT, BUT YOU'RE ALSO RUNNING THEIR -- THE DNS SERVERS THAT RESPOND TO THE QUERIES FOR THEIR IP ADDRESS.
AND YOU MIGHT ALSO BE, SAY, PROVIDING WEB SERVICES, MAIL SERVICES, OR OTHER APPLICATION SERVICES.
FOR THESE CUSTOMERS, THE COST TO YOU OF DEPLOYING DNSSEC ARE ACTUALLY GOING TO BE COVERED BY A NUMBER OF THE OTHER SPEAKERS.
THERE'S A ONE-TIME COST TO UPGRADE YOUR EPP PROTOCOL FOR SPEAKING TO REGISTRIES, TO INCLUDE THE DNSSEC EXTENSIONS.
THERE'S A ONE-TIME COST TO UPDATE YOUR WORK FLOW SO THAT DNSSEC KEYS, THE KEYS THAT PROTECT -- THAT DO THE SIGNING THAT PROTECT THE DATA IN YOUR DOMAIN GET UPDATED FROM THE REGISTRANT TO YOU, THE REGISTRAR.
AND THEN THIS IS THE PROTOCOL THAT SENDS THEM FROM YOU TO THE REGISTRY.
AND THEN THERE WILL ALSO BE ANOTHER SPEAKER WHO WILL BE TALKING ABOUT THE INCREASED MEMORY AND BANDWIDTH REQUIREMENTS.
BUT THESE ARE PRETTY SMALL.
MOSTLY, THIS IS A SMALL CHANGE IN ORGANIZATIONAL WORK FLOW AND KEY MANAGEMENT.
AND THE GREAT NEWS IS THAT YOU CAN AMORTIZE THIS COST OVER ALL THE CUSTOMERS, BUILD ONE AUTOMATED SYSTEM THAT DOES THE SIGNING AND DOES THE KEY MANAGEMENT, AND ALL OF YOUR HOSTED CUSTOMERS FOR WHOM YOU'RE MANAGING THEIR DNS BENEFIT.
AND THOSE BENEFITS -- AND SO THE CUSTOMER DOESN'T ACTUALLY HAVE TO DO ANYTHING IN THIS SITUATION, BECAUSE YOU'RE MANAGING THE KEYS FOR THEM BECAUSE YOU'RE MANAGING THEIR DOMAIN NAME SERVICE.
THE BENEFITS TO YOU ARE THAT THIS IS GOING TO -- DNSSEC WILL ADDRESS A POTENTIAL AND IMPORTANT LEGAL LIABILITY, WHICH IS: WHAT HAPPENS IF YOU'RE -- THE DNS SERVERS YOU'RE RUNNING FOR THE CUSTOMERS SHOULD BECOME COMPROMISED?
IF YOUR DOMAIN -- IF YOUR CUSTOMERS ARE ABLE TO HAVE THEIR DOMAIN SIGNED AND YOU SIGN THE DOMAIN FOR THEM, THEN THIS PROTECTS AGAINST ATTACKS WHERE YOUR DOMAIN NAME SERVICES ARE COMPROMISED, BECAUSE THE ATTACKER WILL NOT BE ABLE TO UPDATE THE SIGNATURES WITHOUT THE APPROPRIATE KEYS.
SO ANY CLIENTS WHO ARE RUNNING DNSSEC-AWARE RESOLVERS WILL NOT BE AFFECTED BY THE ATTACK.
AND SO IF SUCH AN ATTACK SHOULD HAPPEN, THE DAMAGE TO YOUR CUSTOMERS WOULD BE SIGNIFICANTLY LESS IF YOU HAVE DEPLOYED DNSSEC.
ANOTHER BENEFIT IS, IT ALLOWS YOU TO PROVIDE ADDITIONAL MORE SECURE SERVICES AND STRENGTHENS THE SECURITY OF SERVICES, SUCH AS THE ANTISPAM PROPOSALS THAT PUT INFORMATION INTO THE DOMAIN NAME SYSTEM, SUCH AS DKIM, DOMAIN KEYS, SPF.
THESE PROPOSALS CURRENTLY REST ON THIS INFORMATION THAT GETS PLACED IN THE DOMAIN NAME SYSTEM, AND BY BETTER SECURING THAT INFORMATION SO THAT IT'S HARDER FOR ATTACKERS TO MODIFY, YOU CAN STRENGTHEN THESE OTHER SECURITY MEASURES.
IT WILL ALSO PROVIDE AN IMPORTANT CHECK BOX.
I KNOW A LOT OF REGISTRARS WHEN I TALK TO THEM, THEY SAY, "WELL, HOW DO I EXPLAIN THE EXACT ATTACK SCENARIOS AND WHY THIS MATTERS EXACTLY TO MY CUSTOMERS?
IT'S VERY HARD TO SEPARATE THE SITUATIONS WHERE DNSSEC WILL PROTECT YOU FROM THOSE WHERE IT WILL NOT."
AND THIS IS TRUE.
HOWEVER, ONCE SOME OF YOUR COMPETITORS, IF YOU'RE A REGISTRAR, HAVE DEPLOYED THIS, YOU NOW HAVE THE REVERSE PROBLEM, WHICH IS, IF YOU DON'T THINK DNSSEC IS IMPORTANT, HOW DO YOU EXPLAIN TO THEM THAT THESE SCENARIOS DON'T MATTER OR THAT YOU THINK THE SCENARIOS DON'T MATTER?
SO IN A COMPETITIVE MARKETPLACE, YOUR PROBLEM SUDDENLY BECOMES HOW DO YOU EXPLAIN THAT EVEN THOUGH YOUR COMPETITOR HAS DNSSEC, THAT YOU DON'T THINK IT'S IMPORTANT?
WELL, THAT'S GOING TO BE A VERY EXPENSIVE PROPOSITION AS FAR AS CUSTOMER SUPPORT TIME AS TO WHY THEY WANT TO BUY A DOMAIN NAME WHEN YOU'RE NOT DNSSEC-COMPLIANT.
IT MIGHT BE CHEAPER TO DEPLOY FOR THAT REASON IF NO OTHER.
THE CUSTOMERS TO WORRY ABOUT ARE THOSE WHO ARE JUST REGISTRANTS, WHERE YOU'RE NOT HOSTING THEIR DOMAIN NAME SERVERS OR APPLICATION SERVERS.
THE COSTS TO YOU ARE PRETTY SIMILAR EXCEPT YOU NOW NEED A MECHANISM TO GET THE KEYS FROM THE REGISTRANT TO YOU.
AND THAT CAN JUST BE WEB FORMS.
I THINK, IN FACT, RICK IS GOING TO TALK ABOUT THE PROCESS AND WORK FLOW THEY USE.
AND IT'S NOT THAT COSTLY AS WELL.
BUT THE BENEFITS TO THESE CUSTOMERS CAN BE GREAT, BECAUSE THESE CUSTOMERS TEND TO BE THE LOW-PROFIT CUSTOMERS.
ALL THEY WANT IS THE DOMAIN NAME AND THAT'S A COMMODITY BUSINESS.
BUT YOU'RE GOING TO BE ADDING VALUE TO THOSE CUSTOMERS BY PROVIDING THE ABILITY FOR THEM TO PUT SECURITY INTO THEIR DOMAIN SERVERS AND THE RECORDS THAT THEY'RE SERVING FROM THOSE DOMAIN SERVERS.
IT ALSO PROVIDES YOU AN OPPORTUNITY TO PROVIDE AT LEAST TWO POTENTIAL SERVICES TO THESE CUSTOMERS. ONE, THEY'RE GOING TO NEED TO SIGN THEIR ZONES.
MISTAKES CAN BE MADE, THEY CAN ALLOW KEYS TO EXPIRE.
THEY MIGHT NOT SIGN A ZONE PROPERLY.
THEY'RE GOING TO WANT TO KNOW WHEN THEY'VE DONE SOMETHING WRONG AND THAT COULD PREVENT THEIR CUSTOMERS FROM GETTING TO THEIR SITES.
SO A SERVICE THAT ALLOWS -- THAT IS CONSTANTLY CHECKING AND PERIODICALLY LOOKING TO MAKE SURE THAT THEIR ZONE IS CORRECTLY SIGNED WOULD BE EXTREMELY VALUABLE TO THESE CUSTOMERS AND IS A POTENTIAL EXTRA SERVICE THAT YOU COULD SELL TO THEM.
ANOTHER SERVICE IS THAT THEY'RE GOING TO REQUIRE KEY MANAGEMENT.
AND MANAGING KEYS IS SOMETHING THAT'S NOT TOO EXPENSIVE WHEN YOU'RE ABLE TO AMORTIZE THE COST OVER ALL YOUR CUSTOMERS, OVER ALL YOUR REGISTRANTS.
THE THOUSANDS OF DOLLARS THAT IT COULD POTENTIALLY COST WHEN DIVIDED BY A LARGE NUMBER OF CUSTOMERS ISN'T BAD.
BUT WHEN A REGISTRANT HAS TO MANAGE KEYS FOR THEMSELVES AND HAS TO UPDATE THEIR OWN WORK FLOW, THAT CAN BE AN EXPENSIVE COST TO THE REGISTRANT.
BUT BY PROVIDING SOFTWARE, YOU CAN SIGNIFICANTLY REDUCE THAT COST.
AND YOU COULD POTENTIALLY EVEN HAVE SOFTWARE THAT SENDS THE KEYS UP TO YOU, WHICH WOULD INCREASE SWITCHING COSTS FOR THE REGISTRANTS.
SO THAT'S ALL I HAVE.
I WILL TAKE QUESTIONS IN THE -- ALONG WITH EVERYONE ELSE AS WE MOVE INTO THE PANEL.
AND NOW FOR THE NEXT --
>> IT'S ME.
IT'S ME.
>>STUART SCHECHTER: WHO IS GOING TO BE THE NEXT?
>>KEITH SCHWALME: I AM NEXT.
I DON'T HAVE A PRESENTATION TO SHOW.
SPARE YOU A BREAK FROM POWERPOINT FOR A WHILE.
MY NAME'S KEITH SCHWALME.
I'M FROM GOOD HARBOR CONSULTING.
AND PRIOR TO THAT, I WORKED EIGHT YEARS IN THE UNITED STATES SECRET SERVICE, WHERE I ENGAGED CLOSELY WITH TWO PARTICULAR SECTORS IN THE UNITED STATES: TELECOMMUNICATIONS AND BANKING AND FINANCE.
AND THAT'S PART OF THE REASON WHY I'M HERE TODAY, TO TALK ABOUT THE BUSINESS CASE FOR THE SECTORS.
AND IN THE UNITED STATES, WHEN WE TALK ABOUT THE SECTORS, THE DEPARTMENT OF HOMELAND SECURITY AND THEIR STRATEGY TO SECURE THE HOMELAND IDENTIFIED 17 SPECIFIC SECTORS.
AND I'M NOT GOING TO GO THROUGH THE WHOLE LIST.
BUT GROUPS LIKE AGRICULTURE, DEFENSE, GOVERNMENT, EMERGENCY SERVICES, TELECOMMUNICATIONS, BANKING AND FINANCE ARE JUST SOME OF THE SECTORS THAT ARE IDENTIFIED AS KEY TO THE CRITICAL INFRASTRUCTURE OF THE COUNTRY, OF THE NATION AS A WHOLE.
AND SO THE QUESTION IS, WHAT WILL THE SECTORS BE THINKING THROUGH AS THEY TRY TO UNDERSTAND THE BUSINESS CASE FOR DEPLOYING AND ADOPTING DNSSEC?
AND THE PARTICULAR SECTOR THAT HAS TRADITIONALLY LED THIS SPACE WHEN IT COMES TO I.T. SECURITY IS THE BANKING AND FINANCE SECTOR.
PART OF THAT IS BECAUSE THEY'RE THE MOST HEAVILY REGULATED.
AND THERE ARE A LOT OF COMPLIANCE ISSUES THAT THEY FACE WITH SECURITY BOTH IN THEIR BUSINESS-TO-BUSINESS RELATIONSHIPS, AS WELL AS THOSE WITH THEIR CUSTOMERS, THEIR BANKING CUSTOMERS THAT ACTUALLY STORE MONEY IN THEIR INSTITUTIONS.
THE BANKING AND FINANCE SECTOR UNDERSTANDS THAT THERE ARE VULNERABILITIES TO DNS.
TALKING WITH ONE LAST WEEK, A SECURITY PRACTITIONER IN ONE OF THE INSTITUTIONS, I ASKED HIM, WHAT DOES HE SEE AS THE BUSINESS CASE.
AND HIS SIMPLE RESPONSE IS, "CACHE POISONING IS BAD."
NOTHING MORE THAN THAT.
BUT THEY UNDERSTAND THAT THERE'S A PROBLEM.
BUT IT'S ONE OF MANY.
IF YOU GO BACK THREE PRESENTATIONS, WE SAW ON SEVERAL SLIDES THAT THE CRIMINAL ELEMENT ON THE INTERNET IS FOND OF TAKING ADVANTAGE OF A LOT OF VULNERABILITIES.
AND THE BANKS GENERALLY FACE MOST OF THOSE WHEN IT COMES TO IDENTITY THEFT AND THE MALICIOUS ATTACKS OF PHISHING AND PHARMING AND OTHERS.
SO WHAT'S IMPORTANT TO THEM IS THAT THEY MAKE THIS TRANSITION LOGICALLY, AND THEY'RE GOING TO BE VERY SLOW AND METHODICAL ABOUT IT.
THEY HAVE EXPRESSED AN INTEREST IN DNSSEC.
THEY HAVE EXPRESSED AN UNDERSTANDING THAT IT IS IMPORTANT TO THEIR BUSINESS.
BUT IT'S NOT AT THE TOP OF THEIR LIST.
IT'S NOT ONE OF THOSE SECURITY FEATURES THAT THEY'RE GOING TO BE RAPID TO DEPLOY.
ONE OF THE THINGS THAT THEY HAVE ASKED FOR -- AND I'M SURE WE'LL SEE THIS ACROSS THE OTHER SECTORS AS WELL -- IS TO RUN SOME PILOT TESTS WHERE YOU HAVE A COUPLE OF INSTITUTIONS PARTNER WITH GOVERNMENT AND RUN SOME PILOTS, SEE THE RESULTS, UNDERSTAND THE COST, BOTH IN MANPOWER AND IN RETOOLING THE BACKEND SYSTEMS, AND THEN WHAT BENEFIT DOES IT ACTUALLY BRING TO THE CUSTOMERS, WHICH BRINGS UP ANOTHER POINT THAT THEY FACE, IS THAT THE CUSTOMERS AREN'T REALLY ASKING FOR THIS.
WE SAW A COUPLE SLIDES -- PRESENTATIONS BACK ABOUT THE NEW REGULATION BETWEEN THE FFIEC IN THE UNITED STATES AND THE BANKING COMMUNITY TO PROVIDE A SECOND FORM OF AUTHENTICATION.
THAT WILL BE THE DRIVING FORCE BEHIND THEIR SECURITY PRACTICES UNTIL THAT COMPLIANCE IS MET.
AND WE SEE THAT ACROSS MOST OF THE SECTORS NOW, THAT THE SECURITY IS NOT ABOUT WHAT'S GOOD TO DO, BUT WHAT MEETS THE COMPLIANCE REQUIREMENTS.
AND I THINK WE'LL FIND THAT TRUE WITH DNSSEC.
WE'LL SEE THAT IT SITS FOR A WHILE BEFORE THE BUSINESS CASE IS STRONG AND THE SECTORS ACROSS THE WHOLE ARE ANXIOUS TO DEVELOP IT AND DEPLOY IT.
AND THIS COMES BACK TO GOVERNMENT.
I THINK GOVERNMENT WILL HAVE THE ROLE, THEN, BOTH IN THE DOT MIL AND THE DOT GOV SPACE IN THE UNITED STATES, TO DEMONSTRATE THE DEPLOYMENT WORKS, THE BENEFITS OF THE DEPLOYMENT, AND THEN PROVIDE THAT FEEDBACK IN A MANNER THAT THE SECTORS CAN ADOPT IT AND DEPLOY.
AND THAT'S WHAT I HAVE FOR YOU.
I'D BE HAPPY TO TAKE QUESTIONS WHEN THE TIME COMES.
>>ALLISON MANKIN: RICK, YOU'RE NEXT.
DO YOU HAVE THE CABLE?
AND THE AUDIENCE CAN BE THINKING WHAT THEY WANT TO COMMENT.
BECAUSE WE REALLY DO WANT A DISCUSSION.
MAYBE WHILE RICK IS GETTING READY, WHAT SOME -- RAM OR -- RAM, DO YOU WANT TO MAKE YOUR REMARKS WHILE RICK IS GETTING READY?
THAT WOULD PROBABLY -- OH, ARE YOU READY, RICK?
RAM, WHY DON'T YOU BE MAKING YOUR REMARKS WHILE THIS IS GOING UP, OKAY?
>>RAM MOHAN: SURE.
THANK YOU.
>>ALLISON MANKIN: OH, OOPS.
>>RAM MOHAN: YOU GOT IT?
READY?
GO.
>>ALLISON MANKIN: GO, AND KEEP MOVING.
>>RICK WESSON: AND NOW I HAVE THE WRONG ONE.
>>ALLISON MANKIN: OKAY.
RAM.
>>RICK WESSON: SORRY ABOUT THAT, ALLISON.
SO MY NAME IS RICK WESSON, I WORK FOR ALICE'S REGISTRAR, WHICH IS A SMALL DNS REGISTRAR.
AND MY GOAL HERE IS TO TALK ABOUT NOT JUST THE NEW SECURITY SERVICES THAT DNSSEC WILL ENABLE, BUT THE OTHER KINDS OF THINGS THAT YOU'LL BE ABLE TO DO ONCE DNSSEC IS DEPLOYED.
AND ONE OF THE THINGS THAT IT WILL DO IS, ESSENTIALLY, PARTITION CONTENT UNDERNEATH THE DOMAINS.
YOU'LL HAVE DOMAINS THAT HAVE DNSSEC ENABLED AND DOMAINS THAT DO NOT, WHICH, ESSENTIALLY, CREATES TRUST RELATIONSHIPS.
WE'LL ALSO BE ABLE TO EXPLORE ADDITIONAL DATA THAT'S PUBLISHED WITHIN THE DNSSEC RECORDS THAT ARE AVAILABLE IN THE DOMAIN SYSTEM ONCE YOU HAVE SIGNED YOUR DOMAIN, WHICH WILL ALLOW YOU TO LOOK AT AGING OF DOMAINS AND SIGNATURES.
THIS IS AN IMPORTANT PIECE OF META DATA THAT WILL BE AVAILABLE THAT MANY REGISTRARS ARE DISCUSSING WITHIN THE WHOIS TASK FORCE IS TRYING TO MAKE SOME OF THE DOMAIN EXPIRY INFORMATION GO AWAY.
IT'S GOING TO POP BACK UP HERE.
SO WHEN YOU HAVE METADATA, WHICH IS ESSENTIALLY WHAT COMPANIES USE TO DETERMINE TRUST RELATIONSHIPS, TO DETERMINE THE AVAILABILITY OF CONTENT ON A DOMAIN'S WEB SITE, AND, ESSENTIALLY, WHAT GOOGLE DOES IS MINE METADATA ABOUT THE INTERNET AND MAKE THAT AVAILABLE FOR SEARCHING, SO METADATA IS VERY IMPORTANT.
SECURED DOMAINS WILL HAVE A STRONG TRUST PIECE OF INFORMATION WHICH CAN BE LEVERAGED BY OTHER SERVICES.
SINCE EVERY DOMAIN WON'T BE SECURED, IT ALLOWS YOU TO CREATE CLASSIFICATIONS WHICH MAKES DOMAINS INTO TWO CLASSES, ONE WHICH IS SECURED AND ONE WHICH IS NOT.
SO THIS LEADS ME TO A BAD IDEA.
AND THE BAD IDEA IS SOMETHING THAT I'VE TOSSED AROUND TO VARIOUS FOLKS THAT HAVE BEEN IN THE TECHNICAL COMMUNITY, AND THEY SAY, "RICK, THIS IS NOT A GOOD IDEA."
SO I THOUGHT IT WAS ENTIRELY APPROPRIATE HERE.
DNSSEC, OF COURSE IT ENABLES THE SECURITY PROTOCOLS.
IT BINDS RELATIONSHIPS BETWEEN THE REGISTRAR, THE REGISTRANT, THE REGISTRY.
AND IT MAKES THAT A CRYPTOGRAPHICALLY STRONG STATEMENT.
THIS IS THE WHOIS OF A DOMAIN THAT I WILL PRESENT LATER IN ANOTHER PRESENTATION ON HOW WE IMPLEMENTED DNSSEC AT A REGISTRAR.
AND I JUST WANTED TO POINT OUT, THE WHOIS INFORMATION IS ENTIRELY INCORRECT.
AND THIS IS A REAL REGISTRATION.
ALICE'S REGISTRY BELIEVES THAT STRONG REQUIREMENTS SHOULD BE -- SHOULD BE A POLICY THAT IS ACCEPTED WITHIN ICANN ACCREDITED REGISTRARS.
AND THAT POLICY IS THAT WE REVIEW THE REGISTRANT INFORMATION, THUS MAKING INFORMATION LIKE THIS UNAVAILABLE TO DOMAINS THAT ARE DNSSEC-ENABLED.
WE INTEND TO CHARGE A SIGNIFICANT FEE, WHICH WILL THUS REDUCE THE NUMBER OF PEOPLE THAT ARE INTERESTED IN DNSSEC FOR -- FROM US, AND PROVIDE CONSULTING TO GET PEOPLE STARTED.
AND, OF COURSE, RESERVE THE RIGHT TO REFUSE SERVICE TO PEOPLE THAT HAVE BEEN SHOWN TO HAVE BAD BEHAVIOR ON THE INTERNET.
SO DNSSEC IS A PIECE OF INFORMATION THAT IS NOT JUST ABOUT SECURING THE DOMAIN.
EVERYONE ELSE HAS BEEN TALKING ABOUT WHAT YOU CAN DO AND HOW DNSSEC PREVENTS DIFFERENT KINDS OF ATTACKS.
THERE'S ALL KINDS OF OTHER THINGS THAT IT'S GOING TO ENABLE.
AND ONE OF THOSE IS BEING ABLE TO SEARCH ONLY CONTENT THAT HAS BEEN SECURED, OR TRAVERSE ONLY SECURED DOMAINS.
WE CAN ENVISION BROWSERS THAT ARE ENABLED WITH CAPABILITIES TO ONLY DISPLAY DOMAIN LINKS THAT ARE SECURED, VERSUS UNSECURED.
THUS, HOPEFULLY, BEING ABLE TO LEVERAGE OR MITIGATE AGAINST PHISHING ATTACKS AND OTHER KINDS OF FRAUD THAT ARE FREQUENTLY FOUND ON THE INTERNET.
SO IT ENABLES CLASSES OF CONTENT AND CLASSES OF SERVICES THAT ARE DELINEATED BY SECURED ZONES.
SO THANKS, AND THE HINTS ARE IMPORTANT.
THAT'S WHAT DNSSEC WILL ENABLE, IS PIECES OF METADATA, ADDITIONAL INFORMATION ABOUT DOMAINS.
AND SOLVING THIS CHICKEN AND EGG PROBLEM, WHICH IS WHAT DNSSEC DOES, TAKES A LONG TIME.
THANKS.
RAM.
>>RAM MOHAN: THANK YOU.
I'M RAM MOHAN.
I'M THE CHIEF TECHNOLOGY OFFICER FOR AFILIAS.
WE MANAGE THE DOT INFO DOMAIN NAME.
AND WE ALSO PROVIDE BACKEND SERVICES FOR THE DOT ORG REGISTRY.
THE DOT ORG REGISTRY HAS, FOR ALL OF 2005, BEEN VERY INTENTLY FOCUSED ON DNSSEC AND ON THE DEPLOYMENT AND UNDERSTANDING DNSSEC DEPLOYMENT.
I'VE BEEN PART OF THE GROUP INSIDE OF THE PUBLIC INTEREST REGISTRY, PIR, THAT IS -- THAT WENT THROUGH SOME OF THE DECISION-MAKING PROCESS FOR WHY IT SHOULD GO AND DEPLOY DNSSEC.
WHAT IS IN THE PUBLIC MIND OR IN MANY GENERAL AREAS CONSIDERED TO BE A NOT-READY-FOR-PRIME-TIME TECHNOLOGY OR SYSTEM, PARTICULARLY WITH FEEDBACK COMING FROM MULTIPLE PLACES THAT THERE IS NOT ENOUGH DEMAND IN THE MARKETPLACE.
IF I HAD TO ARTICULATE THE BUSINESS CASE FOR A REGISTRY WHY YOU AS A REGISTRY OPERATOR, OR EVEN YOU AS A REGISTRAR, SHOULD THINK ABOUT DNSSEC SERIOUSLY AND SHOULD THINK ABOUT IMPLEMENTING DNSSEC, THE ANSWER IS NOT RETURN ON INVESTMENT, BUT RETURN ON RISK.
HOW MUCH RISK ARE YOU WILLING TO TAKE?
HOW MUCH RISK DO YOU WANT TO MITIGATE?
AND THAT REALLY IS THE METRIC THAT OUGHT TO BE APPLIED WHEN YOU CONSIDER DNSSEC.
YES, CLEARLY, THERE ARE COSTS INVOLVED IN THE IMPLEMENTATION AND THE DEPLOYMENT OF DNSSEC.
YES, YOU HAVE TO EDUCATE AND YOU HAVE TO MAKE SURE THAT YOUR CUSTOMER BASE UNDERSTANDS WHY IT'S IMPORTANT.
BUT THINK ABOUT THIS: ARE YOU WILLING TO TAKE A CERTAIN AMOUNT OF RISK?
AND WHAT IS THE THRESHOLD FOR YOU TO SAY IT'S ACCEPTABLE?
BUSINESS FOLKS IN COMPANIES ALL OVER THE WORLD EVERY DAY HAVE TO MAKE THIS CALL ON WHAT AMOUNT OF RISK IS ACCEPTABLE FOR YOUR BUSINESS.
AND THAT, I SUGGEST TO YOU, LADIES AND GENTLEMEN, SHOULD BE THE METRIC THAT YOU APPLY WHEN YOU THINK ABOUT DNSSEC DEPLOYMENT, NOT RETURN ON INVESTMENT, NOT RETURN ON CAPITAL, BUT RETURN ON RISK.
HOW MUCH RISK ARE YOU WILLING TO TAKE AND AT WHAT POINT DO YOU REACH THE TIPPING POINT WHERE THE AMOUNT OF RISK AND THE AMOUNT OF EXPOSURE YOU AND YOUR -- YOU ARE TAKING AND YOUR CUSTOMERS ARE BEING EXPOSED TO IS GOING TO OUTWEIGH THE COST AND THE EFFORT TO ACTUALLY GO AND EDUCATE AND DEPLOY DNSSEC.
THANK YOU.
>>PAUL DIAZ: OKAY.
MY NAME IS PAUL DIAZ, I'M FROM NETWORK SOLUTIONS.
AND ON THIS PANEL, I'M REPRESENTING THE LARGE REGISTRAR COMBINED SERVICES HOSTING SERVICES PROVIDER.
I REALLY DON'T HAVE A PRESENTATION, BUT, RATHER, WILL OPEN UP THE QUESTION SESSIONS.
FOLLOWING VERY NICELY ON WHAT RAM HAS JUST PRESENTED, I THINK A LOT OF THE PEOPLE IN THE ROOM HAVE A -- THE VIEW THAT WE SHARE RIGHT NOW IN THAT WE'RE SOMEWHAT SKEPTICAL ABOUT DNSSEC, BUT WE WANT TO BE OPEN-MINDED, WANT TO LEARN MORE.
WHAT I'D ASK, GIVEN THE FOCUS OF THIS PARTICULAR PANEL, IS THAT OUR EXPERTS AND, AGAIN, OPENING UP TO THE FLOOR AS WELL, HELP US THINK THROUGH OR DELVE MORE DEEPLY INTO SOME OF THE COMPETITIVE ADVANTAGES THAT STUART TOUCHED ON IN HIS SLIDES, SOME OF THE OPPORTUNITIES THAT RICK DID IN HIS, AND MAYBE BEGIN WITH YOU, RAM, IN FOCUSING OR MOVING THE MINDSET AWAY FROM COST AND BENEFIT FOCUS TO ACCEPTABLE RISK, BECAUSE ONE OF THE THINGS I'VE HEARD FROM A LOT OF IN PARTICULAR ENGINEERING TYPES IS THAT THEIR RISK, THEIR PRIORITY RISKS RIGHT NOW ARE THE MORE HERE AND NOW PROBLEMS, THINGS LIKE DENIAL OF SERVICE ATTACKS, PHISHING.
AND THERE'S STILL A LOT OF UNCERTAINTY OR CONFUSION ABOUT HOW THE DNSSEC PROTOCOL WILL HELP ADDRESS THESE ISSUES.
MAYBE WE COULD START THERE.
>>RAM MOHAN: SURE.
IN MY INTERACTIONS WITH TECHNOLOGISTS, ALL OF THIS YEAR, EVEN LAST YEAR, BUT FOR THE LAST YEAR AND A HALF, TWO YEARS IN THE PAST GOING FORWARD, THE SINGLE BIGGEST PRIORITY FROM A TECHNOLOGIST'S PERSPECTIVE IS SECURITY.
AND IT'S SECURITY IN VARIOUS FORMS.
MARGIE HAD SOME EXCELLENT SLIDES ON THE VARIOUS KINDS OF SECURITY THINGS THAT PEOPLE ARE WORRYING ABOUT.
BUT IF YOU'RE A TECHNOLOGIST, YOU HAVE PEOPLE COMING TO YOU AND SAYING, "JUST MAKE IT SECURE.
I DON'T CARE HOW IT WORKS." AND IN MANY CASES, "I DON'T EVEN CARE WHAT IT COSTS.
TELL ME WHAT I HAVE TO DO."
AND I THINK IN MANY CASES, THE TECHNOLOGISTS COME BACK WITH THREE PROGRAMS AND FOUR SCRIPTS AND SEVEN CRON JOBS AND GET INTO A LONG EXPLANATION OF HOW THEY HAVE TO BE SEQUENCED, AND ABOUT, YOU KNOW, TWO MINUTES INTO IT, YOU'VE LOST THE BUSINESSPERSON, BECAUSE WHAT DO YOU CARE; RIGHT?
IT'S JUST ALL MAGIC.
IT'S JUST SUPPOSED TO WORK.
AND THE ONLY ANSWER THAT THEY NEED TO HEAR IS, "WE'RE TAKING STEPS TO MITIGATE RISK."
THAT ANSWER ISN'T COMING THROUGH.
WHAT'S COMING THROUGH IS, HERE ARE ALL THE TACTICAL STEPS THAT WE'RE TAKING.
AND IT NEEDS SOMEONE TO COME TOGETHER TO HELP THESE FOLKS PUT TOGETHER A STRUCTURE THAT SAYS, HERE IS A MODEL, AND IT FITS INTO THIS MODEL.
AND IT'S NOT JUST ABOUT THESE SCRIPTS AND THESE THINGS.
GIVE IT NAMES, YOU KNOW.
YOU CALL IT PHARMING.
YOU KNOW, CALL IT THE ANTI-PHARMING SYSTEM, OKAY?
NOW YOU'VE GOT ATTENTION OF BUSINESS FOLKS.
BUT I THINK FOR TECHNOLOGISTS, THEY HAVE TO LEARN TO LEAVE THE TECHNOLOGY ASIDE, BECAUSE THEIR BUSINESS PEOPLE HAVE HIRED THEM BECAUSE THEY'RE EXCELLENT TECHNOLOGISTS, AND THEY'RE REALLY LOOKING FOR THEM TO SOLVE THE PROBLEM.
THEY DON'T CARE ABOUT HOW IT'S DONE.
>>STUART SCHECHTER: I GUESS I'LL TAKE THE OPPOSITE SIDE AND SAY THAT I DON'T THINK THAT YOU REALLY -- THAT THE MARKET IS EVER GOING TO FULLY UNDERSTAND THE PRECISE BENEFITS HERE.
AND I DON'T THINK THAT THE MARKET NEEDS TO.
I THINK THERE'S A LOT OF SIGNALING THAT HAPPENS, AND WE CAN SEE PLENTY OF EXAMPLES WHERE THE PERCEPTION OF ADDITIONAL SECURITY IS ENOUGH.
FOR EXAMPLE, PEOPLE CAN PAY $30 FOR A CERTIFICATE FROM GEO TRUST OR $1,000 FOR A CERTIFICATE FROM VERISIGN.
OR EVEN TAKING WITHIN THE VERISIGN CORPORATE, JUST WITHIN THE VERISIGN PRODUCTS, THEY CAN CHOOSE $100 CERTIFICATE OR A $1,000 VERISIGN CERTIFICATE, AND THEY'RE BOTH GOING TO GET THE CUSTOMER THE EXACT SAME RESULT, THAT THE REGISTRANT WHO NOW HAS THE CERTIFICATE, THEIR CUSTOMERS WILL BE ABLE TO SEE THAT THEY HAVE A SECURE SITE, EXACT SAME RESULT.
THERE IS A LARGE PART OF THE MARKET THAT WILL PAY THE ADDITIONAL $900 BECAUSE OF THE VARIOUS BRANDING ON ONE OF THEM AND NOT THE OTHER ONE.
AND IF THEY ACTUALLY FULLY UNDERSTOOD THE ACTUAL SECURITY ISSUES AT HAND, THEY WOULDN'T NEED TO, BUT THEY DO ANYWAY.
AND SINCE DNSSEC IS SOMETHING THAT HAS AMAZINGLY GOOD LONG-TERM BENEFITS, BUT THE SHORT-TERM BENEFITS ARE DIFFICULT, I THINK THAT AS A COMMUNITY, WE SHOULD ACCEPT THE FACT THAT USERS DON'T HAVE TO FULLY UNDERSTAND IT, EMBRACE IT, AND GET THEM TO -- GET THEM TO TAKE IT BASED ON THE FACT THAT THEY'RE HEARING THERE'S THIS ADDITIONAL SECURITY FEATURE, NOT TRY TO EXPLAIN IT TOO MUCH.
>>RAM MOHAN: I DON'T KNOW WHY WE'RE ON -- YOU'RE SAYING WE'RE ON DIFFERENT SIDES.
I THINK I'M SAYING SOMETHING CONGRUENT TO WHAT YOU'RE SAYING.
BUT WHAT I'M ACTUALLY -- WHAT I'M TRYING TO GIVE IS ADVICE, IF YOU WILL, FOR TECHNOLOGISTS, WHO ARE THE PEOPLE CALLED UPON BY THE BUSINESS FOLKS, AT REGISTRARS AND OTHER PLACES, OR AT REGISTRIES.
AND THEY'RE ASKED, "SO I HEAR ABOUT THIS THING.
SHOULD I BOTHER?
WHAT SHOULD I DO?"
AND WHAT I'M SAYING IS, MOST TECHNOLOGISTS I KNOW, MANY OF THEM, ANYWAY, THE ANSWERS THEY GIVE ARE SO DETAILED AND SO FOCUSED ON ALL THE GREAT TECHIE THINGS THAT DNSSEC WILL DO THAT THEY'VE LOST THE BUSINESS PEOPLE.
AND, YOU KNOW, YOU ANYWAY ONLY HAVE TWO OR THREE MINUTES TO GET TO THAT PERSON TO MAKE UP THEIR MIND.
SO THAT'S WHAT I'M REALLY SAYING.
>>KEITH SCHWALME: I THINK, TOO, THAT THERE'S ANOTHER PIECE OF THIS FROM THE BUSINESS SIDE, WHICH IS THAT IN THE LAST FOUR YEARS, THE IDEA BEHIND RISK MANAGEMENT ISSUES HAS REALLY DRASTICALLY CHANGED, AND THE FOCUS HAS BEEN PREDOMINANTLY ON WHAT IS THE THREAT OF TODAY.
AND ALTHOUGH THE VULNERABILITY IN DNS IS REAL TODAY, THE ATTACK THAT RUSS DEMONSTRATED AND THOSE THAT WE SEE IN THE MEDIA HAVEN'T BEEN LARGE OR WIDE SCALE ENOUGH FOR THERE TO BE A BUSINESS REASON TO THINK THAT THAT'S A THREAT OF TODAY.
SO THAT'S THE ISSUE OF TOMORROW AND THAT'S LOWER ON MY RISK MANAGEMENT SCALE.
AND SO I'LL PUT IT OFF.
AND SO YOU GIVE ME, AS A TECHNOLOGIST, A GOOD SOLUTION.
BUT AT THE END OF THE DAY, WHAT YOU'RE TELLING ME IS THIS IS FOR AN ISSUE THAT I DON'T HAVE TO FACE QUITE YET.
AND THAT'S A MINDSET THAT REALLY NEEDS TO CHANGE IN UPPER MANAGEMENT AS WELL AS DOWN THROUGH, I THINK, THE CHAIN INTO THE PRACTITIONERS.
>>ALLISON MANKIN: ARE THERE AUDIENCE MEMBERS WHO -- OKAY, BRUCE.
DO YOU WANT THIS MICROPHONE?
>>BRUCE TONKIN: MY NAME IS BRUCE TONKIN FROM MELBOURNE I.T. I WAS JUST TRYING TO THINK OF THE -- THE FIRST COUPLE OF PRESENTATIONS, BECAUSE ONE OF THE PRESENTATIONS WAS SORT OF SAYING WE NEED TO INCREASE AWARENESS AND EXPLAIN WHAT THE ISSUES ARE TO PEOPLE, CREATE WHITE PAPERS, GET THE GARTNERS AND OTHERS TO TELL EVERYONE HOW IMPORTANT THIS IS AND YOU MUST FIX IT, WHICH IS VERY MUCH SORT OF TRYING TO GET THE MARKET TO, IF YOU LIKE, GROW DEMAND AND THEN PEOPLE COME TO A REGISTRAR AND SAY, HEY, I WANT ONE OF THOSE THINGS. CAN I HAVE ONE? AND ANOTHER APPROACH IS MORE SORT OF SAYING, OKAY, WE SHOULD EITHER GET A GOVERNMENT TO CREATE A LAW, AND WE TALKED ABOUT IT IN THE BANKING SECTOR, THE GOVERNMENTS IN SOME COUNTRIES ARE SAYING YOUR SINGLE LEVEL AUTHENTICATION IS NOT ENOUGH, YOU HAVE TO INCREASE IT TO DOUBLE LEVEL. WE HEARD OTHERS SAY DOT GOV AND DOT MIL SHOULD IMPLEMENT THIS, AND IT IS SORT OF A TOP DOWN, YOU WILL DO THIS AND THIS IS HOW IT WILL HAPPEN.
AND I WAS TRYING TO THINK THAT THAT IS ONE OF THE ISSUES I AM SORT OF GRAPPLING WITH IS, IS THIS SOMETHING WE SHOULD BE DOING FROM A MARKET POINT OF VIEW? AND I THINK STUART MENTIONED WE HAVE SOME SORT OF CHECK BOX OR SOME MAGIC THING APPEARS, AND IT LOOKS REALLY LIKE SOMETHING I NEED TO HAVE. AND THEREFORE, YOU BUY IT. YOU DON'T ACTUALLY UNDERSTAND WHAT IT IS, BUT EVERYONE ELSE HAS ONE, SO, THEREFORE, YOU NEED TO HAVE IT.
AND THAT'S ONE THING.
THE PROBLEM IS THERE'S LOTS OF THINGS LIKE THAT.
SO WE HAVE -- WHY CHOOSE DNSSEC? I CAN CREATE LOTS OF THINGS THAT LOOK SIMILAR.
AND I WAS LOOKING AT IT IN THE CONTEXT OF, I GUESS, REGULATION IN THE CAR INDUSTRY. AND IF YOU THINK THAT IN MANY -- I BELIEVE IN MANY COUNTRIES, CARS MUST CONTAIN SEAT BELTS, IT'S A LAW, AND IN MANY COUNTRIES IT'S THE LAW THAT YOU MUST USE THAT SEAT BELT. AND A SEAT BELT IS NOT SOMETHING THAT SEXY AND IT'S A BIT OF A HASSLE AND I HAVE TO STRAP IT AROUND MYSELF, AND A LOT OF PEOPLE DON'T LIKE BEING STRAPPED INTO SOMETHING, AND THAT'S SOMETHING VERY MUCH AT A GOVERNMENT REGULATION SORT OF FOCUS. YOU MUST PUT ON THIS SEAT BELT TO PROTECT YOU.
AND THEN WE LOOK AT AIR BAGS, AND AIR BAGS DON'T SEEM TO HAVE GONE THROUGH THAT.
IT SEEMS TO HAVE COME MORE FROM A MARKETING POINT OF VIEW. SO SOME CAR COMPANIES HAVE SORT OF SAID, LOOK, WE HAVE AIR BAGS. YOU SHOULD BUY MY CAR. AND THAT SEEMS TO HAVE ATTRACTION WITH PEOPLE BECAUSE THE CONCEPT THAT YOU CAN BE SITTING IN YOUR CAR, I DON'T HAVE TO PUT ANYTHING ON, I DON'T ACTUALLY HAVE TO DO ANYTHING BUT IF I HAVE AN ACCIDENT THIS NICE COMFORTABLE PILLOW COMES UP IN FRONT OF ME AND I HAVE A LITTLE SLEEP AS I SMASH INTO A TREE AND THE CAR AND MY BODY DISINTEGRATES. BUT IT IS NICE SO I CAN HAVE A NICE SLEEP ON THIS PILLOW IN FRONT OF ME.
AND IF YOU THINK ABOUT THAT ONE THAT'S A CASE WHERE THE GOVERNMENTS HAVEN'T PARTICULARLY MADE IT A LAW TO HAVE AIR BAGS, AND IT'S PROBABLY BECAUSE AIR BAGS, AT THE END OF THE DAY, MAY NOT, CERTAINLY, HAVE A HUGE IMPACT ON SAVING LIFE. MAYBE THEY REDUCED INJURIES A BIT. BUT WHAT PROBABLY HAVE A BIGGER IMPACT ON SAVING LIVES IS BETTER ROADS AND CUTTING DOWN TREES ON THE SIDE OF THE ROAD AND THINGS LIKE THAT WHICH IS A MAJOR INFRASTRUCTURE PROJECT. AND CAR COMPANIES AREN'T GOING TO PAY FOR ROADS TO BE FIXED NOR AM I BUT HOPEFULLY THE GOVERNMENT WILL DO THAT.
WHAT CAUSES GOVERNMENTS TO GO FIX ROADS AND CUT DOWN TREES OFF TO THE SIDE OF THE ROADS? THEY DO THAT WHEN A LOT OF PEOPLE GET KILLED. IF A LOT OF PEOPLE GET KILLED IN A PARTICULAR AREA, AND IT'S AN AREA WHERE A GUY IS TRYING TO GET ELECTED TO GOVERNMENT, HE SAYS I AM GOING TO FIX THIS PIECE OF ROAD, PUT A LOT OF MONEY INTO THIS ROAD, VOTE FOR ME.
AND THAT'S THE CASE WHERE THE INVESTMENT INTO FIXING THAT ROAD IS IN MANY CASES HAS BEEN DRIVEN BY SOMETHING HAPPENING AND A LEVEL OF DEATHS. BECAUSE WE COULD OBVIOUSLY FIX ROADS EVERYWHERE IN THE COUNTRY BUT WE HAVE CHOSEN A FEW IN PARTICULAR.
SO THE ISSUE I HAVE, AND REALLY KIND OF A QUESTION FOR THE PANEL, IS WHAT DO YOU THINK WE'RE DOING HERE WITH DNSSEC? ARE WE IN THE BUSINESS OF BUILDING ROADS, WHICH IS REALLY INFRASTRUCTURE THING, AND WE ALMOST WANT TO HAVE A FEW DEATHS AND HAVE A REAL GROUND SWELL OF ELECTORS GOING UP THERE AND SAYING WE DEMAND DNSSEC, THE INTERNET IS NOT STRONG ENOUGH, LET'S FIX IT, OR ARE WE TREATING IT LIKE A MARKET LIBERAL THING LIKE AN AIRBAG THAT'S VERY VISIBLE, AND IF IT'S VISIBLE IT HAS TO BE IN THE E-MAIL APPLICATION, IN THE BROWSER, IN THE SEARCH ENGINES. I THINK AS RICK SAID, IF GOOGLE OR MSN OR YAHOO! SAID WE'RE GOING TO GIVE NUMBER ONE RANKING TO EVERYONE THAT'S GOT DNSSEC, THE REGISTRARS WOULD BE IN THERE LIKE A SHOT. THEY WOULD HAVE IT DONE BY NEXT WEEK.
BUT BECAUSE THEY KNOW THEIR CUSTOMERS WILL WANT THAT, AND THAT'S REAL SORT OF MARKET DRIVEN STUFF BUT THAT REQUIRES THE COOPERATION OF THOSE DIFFERENT ENTITIES AND MAKE IT IN YOUR FACE, LIKE THE AIRBAG, VERSUS ARE WE TALKING ABOUT THE ROADS AND WE ACTUALLY REALLY TRYING TO DEMONSTRATE HOW THINGS GO WRONG.
AND I DON'T THINK WE HAVE HAD ENOUGH DISASTERS YET.
>>RICK WESSON: BRUCE, IF YOU LET ME ANSWER THAT QUESTION, I THINK WE CAN LOOK AT PROTOCOL DEVELOPMENT TO UNDERSTAND WHETHER WE ARE DOING MARKET DRIVEN OR IF WE ARE DOING INFRASTRUCTURE DRIVEN. AND WE WILL SEE WITH DS WHICH IS THE IMPLEMENTATION THAT WE ARE ALL LOOKING TO DEPLOY, AND I'M SORRY IF THIS GOES OVER A FEW PEOPLE'S HEADS, BUT DS IS ESSENTIALLY SAYING THIS IS GOING TO BE A MARKET DRIVEN FORCE. IT'S NOT INFRASTRUCTURE.
IF WE WERE DOING A DIFFERENT PROTOCOL IMPLEMENTATION, THEN WE WOULD HAVE DIFFERENT REQUIREMENTS AND THAT WOULD SPREAD DOWN. BUT DS PRETTY MUCH SAYS THAT IT'S GOING TO BE A MARKET DRIVEN FORCE. SO WE'RE NOT CUTTING DOWN TREES, WE ARE NOT BUILDING ROADS.
>>BRUCE TONKIN: AND THEN THAT NEEDS TO BE YOUR FOCUS, IF IT IS MARKET DRIVEN, THEN THING IT'S GOT TO GET THE APPLICATION PROVIDERS IN THERE THAT ARE ACTUALLY GOING TO MAKE IT VISIBLE THAT THIS IS ACTUALLY HAPPENING. YOU HAVE TO UNDERSTAND THE TECHNOLOGY OF AT LEAST THERE'S SOME VISIBLE THING THAT HAPPENS WHETHER YOU HAVE A BETTER RANKING IN THE SEARCH ENGINE OR WHATEVER.
>>RICK WESSON: I BELIEVE SSL CERTS ARE MARKET DRIVEN AND MANY OF THE REGISTRARS SELL THEM AND I BELIEVE THE MARKET SHARE FOR THAT - OR THE ENTIRE MARKET IS SOMEWHERE IN THE ORDER OF A QUARTER OF A MILLION CERTIFICATES WORLDWIDE. THAT'S IT.
>>BRUCE TONKIN: AND IT'S SOMETHING THAT APPEARS IN YOUR BROWSER. NOT EVERYONE UNDERSTANDS THAT BUT IT IS SOMETHING VISUAL TO PEOPLE.
>>ALLISON MANKIN: CAN I INTERVENE AND MAKE SURE WE DON'T HAVE A TECHNOLOGISTS' DISCUSSION HERE, WHICH IS NOT THE PURPOSE. I'M SURE YOU WON'T DO THAT, BILL, BUT WE ARE DEFINITELY HERE NOT TO HAVE A DISCUSSION WHICH IS ABOUT BUSINESS CASES AND NOT GO DOWN INTO THE BITS AND BYTES. AND ALSO, BRING MORE -- NOT THE PEOPLE WHO ALWAYS TALK TO EACH OTHER TO TALK TO EACH OTHER HERE IN THIS ROOM.
SO WHILE WE ARE SWITCHING PANELS I AM GOING TO TRY TO GET TO KNOW YOU A LITTLE BIT.
BILL, BE BRIEF.
>>STUART SCHECHTER: CAN I FOLLOW-UP TO THAT ANSWER FIRST? AS FAR AS HAVING THE ROOT SIGN AND POSSIBLY THE REGISTRY SIGNING AS WELL THAT CAN'T BE MARKET DRIVEN AND SO THERE IS DEFINITELY AN ASPECT HERE THAT IS NOT.
THE OTHER PROBLEM, I THINK, IN THE MARKET DRIVEN APPROACH IS, TAKING THAT METAPHOR OF ROADS, IS THAT WHAT WE REALLY HAVE ARE SOME REALLY NASTY POTHOLES IN A ROAD IN BAGHDAD. AND TRYING TO GET PEOPLE TO FIX THOSE POTHOLES WHEN THERE ARE PEOPLE -- WHEN EVERYONE IS WORRIED RIGHT NOW ABOUT HOW EASY IT IS TO BE SHOT.
WE ARE, IN FACT, WORRYING ABOUT TOMORROW'S THREAT. IT'S NOT TEN YEARS FROM NOW. IT IS REALLY TOMORROW. WE ARE ABOUT TO GET TO THE POINT WHERE THIS MATTERS.
BUT THERE'S SO MUCH OTHER STUFF GOING ON, THAT IT'S HARD TO SEPARATE OUT OF THE NOISE WHY THIS IS GOING TO BE IMPORTANT TOMORROW, WHICH DOES MAKE IT HARD TO SELL TO THE MARKET BUT IT IS SOMETHING THE MARKET SHOULD CARE ABOUT. THANK YOU.
>>RAM MOHAN: BILL, JUST A MOMENT.
I ALSO HAD -- SORRY ABOUT THAT. I ALSO HAD ONE MORE FOLLOW UP. THE THING ABOUT AIR BAGS, THIS ANALOGY, IS NOT JUST THAT AIR BAGS WERE DEPLOYED, BUT THAT THE MANUFACTURERS ACTUALLY GOT TO GO AND MARKET THAT THAT WAS AN ADVANTAGE.
SO I'M CURIOUS TO HEAR FROM THE REGISTRARS HERE IN OUR PANEL. WOULD YOU DO THAT? WOULD YOU ADD DNSSEC AND THEN PROMOTE THAT AS A DIFFERENTIATOR? DO YOU THINK THERE IS A REAL MARKET VALUE AND DEMAND FOR THAT? BECAUSE THAT'S WHAT MADE THIS WHOLE AIR BAGS THING WORK.
>>UMA MURALI: DEFINITELY, RAM. IF THERE IS A MARKET. THE MARKET HAS TO BE READY FOR US TO PROMOTE. AND THAT IS WHY I REALLY EMPHASIZE EDUCATION AND DEFINITELY EMPHASIZE THE PROBLEMS THAT WE'LL BE FACING. WE NEED TO EDUCATE THE MARKET BEFORE WE GO, AND PUT EVERYTHING IN FRONT OF THEM. THE RISK INVOLVED IF THEY DO NOT CHOOSE THIS. THEN LET THEM MAKE THE CHOICE. AND THAT'S WHAT WE HAVE TO DO.
>>MARGIE MILAM: ACTUALLY, MY ANSWER IS PRETTY SIMILAR BECAUSE ALTHOUGH WE HAVE A LOT OF ISSUES, AS I DESCRIBED EARLIER, IT IS EDUCATION TO TELL OUR CLIENTS WHY DNSSEC SOLVES ONE OF THOSE PROBLEMS, AND HOW MUCH EXTRA SECURITY THEY GET AS A RESULT OF ADOPTING IT.
SO THAT'S THE ANALYSIS WE WOULD HAVE TO DO AND TO BE ABLE TO EXPLAIN TO OUR CUSTOMERS WHO AREN'T ALL TECHIE WHY THIS IS A PARTICULARLY GOOD THING THAT COULD ADDRESS SOME OF THEIR FRAUD CONCERNS.
>>RICK WESSON: WE HAVE ALREADY IMPLEMENTED IT AND PROVIDE IT IN PRODUCTION, DNSSEC FOR ALL .ORG REGISTRANTS IN THE .ORG TEST BED.
>>BILL MANNING: ANYBODY ELSE? MY NAME IS BILL MANNING. THERE ARE A COUPLE OF THINGS I WANT TO TOUCH ON. DNSSEC AS A TECHNOLOGY IS RELATIVELY NEW. IT'S -- IN SOME SENSE IT'S LIKE A NEWBORN BABE; RIGHT? IT'S BEEN BORN ABOUT SIX TIMES, BUT IT'S STILL RELATIVELY FRESH, WHICH MEANS THAT IN A LOT OF -- IT'S NOT WIDELY DEPLOYED, IT'S NOT WIDELY DISTRIBUTED. YOU TOUCHED EARLIER ON THE FACT THAT A LARGE PERCENTAGE OF THE GLOBE DOESN'T KNOW OR UNDERSTAND DNSSEC. THIS IS PART OF THE EVOLUTIONARY PROCESS, AND WE'RE STILL IN EARLY STAGES.
AND THERE ARE CONTINUED ACTIVITIES. WE ACTUALLY INTEND ON BEING IN -- BY JANUARY, TO DO A DNS TRAINING IN CONNECTION WITH VNSNL AND OTHER FOLKS. I CAN TELL YOU ABOUT THAT LATER.
THE OTHER THING IS IF I AM CONSIDERING DNSSEC, A LOT OF PEOPLE THAT I HEARD TODAY HAVE TALKED ABOUT IT'S GOING TO COST ME MONEY. BUT DNSSEC CAN SAVE YOU MONEY IN THE INTERACTIONS THAT YOU HAVE WITH YOUR CUSTOMERS. ALL RIGHT? ONE OF THE ATTRIBUTES YOU TALKED ABOUT IS YOUR CUSTOMERS ARE WILLING TO TRAVEL 100 MILES TO COME DOWN TO SEE YOU FACE TO FACE BECAUSE THEY WANT TO DEVELOP THAT TRUST AND RAPPORT. AND IF YOU HAVE THAT TRUST AND RAPPORT, I KNOW YOU ARE MY CUSTOMER, I HAVE SEEN YOUR FACE, YOU HAVE COME IN, YOU HAVE HAD COFFEE WITH ME, THAT'S HOW YOU ESTABLISH TRUST.
AND DNSSEC GIVES YOU THE ABILITY TO HAVE THAT SAME LEVEL OF TRUST WITH YOUR CUSTOMER EVEN IF THEY CAN'T TRAVEL THE 6,000 MILES TO COME VISIT YOU.
IT ALSO ALLOWS YOU TO AUTOMATE YOUR PROCESSES AND PROCEDURES. IF YOU HAVE DNSSEC ENABLED SO YOUR CUSTOMERS CAN DO TRANSACTIONS WITH YOU USING DNSSEC TYPE OF ENABLED TRANSACTIONS, THAT REMOVES A LOT OF THE NEED, POTENTIALLY, FOR CUSTOMER SUPPORT. BECAUSE YOU HAVE AUTHENTICATED THEM.
SO AS YOU THINK ABOUT REGISTRATION AND REGISTRATION PROCESSES, THINK ABOUT DNSSEC AS AN OPPORTUNITY TO REDUCE YOUR COSTS, YOUR OPERATIONAL COSTS, AND POSSIBLY PASS THOSE COST SAVINGS ON TO YOUR CUSTOMERS. AS OPPOSED TO IT'S COSTLY AND THE BENEFITS ARE TEN YEARS OUT.
THIS IS STUFF YOU CAN DO PRETTY MUCH TODAY. YOU DON'T HAVE TO HAVE THE APPLICATIONS, NECESSARILY. ALL OF THEM IN YOUR BROWSERS TO MAKE THIS WORK. BUT YOU CAN, IN FACT, DO THIS.
AND WE'VE GOT A PILOT COMING UP OF SOME OF THIS KIND OF SOFTWARE, AND I THINK, RICK, YOU'VE GOT SOMETHING SIMILAR IN MIND.
SO THERE ARE THESE THINGS THAT ARE STARTING TO COME OUT.
HAVE YOU CONSIDERED COST SAVINGS FOR DNSSEC? DNSSEC AS A COST SAVINGS MEASURE?
>>UMA MURALI: THANK YOU, BILL. SHOULD I ANSWER THIS? I THINK WE NEED TO LOOK AT IT AS A COST SAVINGS. ONE, YOU DEFINITELY KNOW IT SAVES THE COST BECAUSE I AM LOOKING INTO A LOT OF EDUCATION FOR MY CUSTOMERS AND A LOT OF TIME WITH THEM EXPLAINING WHY THIS IS REALLY GOOD FOR THEM. OF COURSE IN THE LONG RUN, THAT'S WHY I SAID WE REALLY NEED TO PUBLICIZE THE EFFECTS OF DNSSEC AND WHY CUSTOMERS NEED THIS.
AND YES, MAYBE AFTER A LONG PERIOD OF TIME, YES, IT WILL COME TO THE POINT WHERE IT HELPS US.
BUT INITIALLY, IT IS GOING TO TAKE A LOT OF CUSTOMER SERVICE AND A LOT OF TIME IN MARKETING IT.
>>ALLISON MANKIN: SO WE'LL TAKE THE TWO PEOPLE AT THE MIKE AND THEN WE WILL DO THE SHIFT, SO IT'S GOOD TO HAVE THE DISCUSSION.
>>ANDY OZMENT: MY NAME IS ANDY OZMENT FROM MIT LINCOLN LABORATORY. MY QUESTION IS REALLY A FOLLOW-UP TO WHAT RAM ASKED BEFORE. IT SEEMS TO ME IF A MAJORITY OF REGISTRARS, OR A SIGNIFICANT PORTION OF THEM, IF THEY GO TO REGISTER A DOMAIN AND THEY HAVE TWO BUTTONS, AND ONE IS TO REGISTER THIS DOMAIN AND THE OTHER IS REGISTER A SECURE DOMAIN AND IT HAS A 25% INCREASE IN PRICE, IT SEEMS TO ME A LOT OF YOUR CUSTOMERS ARE GOING TO CHOOSE TO PAY THE 25% PREMIUM, CERTAINLY IN THE DEVELOPED WORLD, TO OBTAIN WHAT THEY JUST -- THE ONE WORD THEY READ THERE, SECURE DOMAIN.
THERE WERE A LOT OF COMMENTS EARLIER THAT THERE NEEDED TO BE CUSTOMER EDUCATION. AND THAT'S JUST NOT AS CLEAR TO ME.
IT SEEMS VERY LIKELY TO ME THAT JUST THE ONE WORD, "SECURE DOMAIN," WOULD ADD THAT PRICE PREMIUM. I WOULD LIKE TO KNOW HOW THE REGISTRARS FEEL ABOUT THAT STATEMENT.
>>RICK WESSON: THAT'S WHAT WE HAVE, ESSENTIALLY ONE BUTTON THAT SAYS LOCKED DOMAIN, UNLOCKED DOMAIN, SECURE DOMAIN. WITH CURRENTLY NO ADDITIONAL FEES.
>>ANDY OZMENT: NO OTHER REGISTRAR COMMENTS THERE?
>>PAUL DIAZ: YEAH, I GUESS SINCE WE HAVE NOT DEPLOYED THE DNSSEC YET, FOR US WE'RE STILL SKEPTICAL ABOUT WILL THIS BE SEEN, AS WAS MENTIONED EARLIER, AS JUST SOMETHING ELSE, ANOTHER MARKETING PLOY OR AN ADD-ON.
I THINK VERY CLEARLY, IN MOST OF THE CONVERSATIONS, PEOPLE ARE TALKING ABOUT THE NEED FOR MORE EDUCATION AND BETTER UNDERSTANDING, AND MAYBE JUST MOVING, SHIFTING THE CONVERSATION AWAY FROM THE TECHNOLOGY INTO THE PRACTICAL BENEFITS, IN WHICH CASE CHANGING EVEN THE NAME FROM DNSSEC TO WHAT WAS SUGGESTED THIS MORNING, NET SECURE OR SOMETHING LIKE THAT, SECURITY IN THE FOCUS OF THE OFFERING, PEOPLE WILL BE MORE READY TO ADOPT.
AT THIS POINT, THOUGH, I THINK THERE'S A LOT OF UNCERTAINTY OR DOUBT ABOUT IS THIS PARTICULAR PROTOCOL THE WAY TO GET US THERE, OR IS THIS STILL IN THE REALM OF TECHNOLOGY, SPECIALISTS TALKING TO ONE ANOTHER, AND IT'S NOT CLEARLY UNDERSTOOD BY THE MARKETPLACE.
JORDYN.
>>ALLISON MANKIN: WHY DON'T YOU RESPOND FROM YOUR PANEL, BECAUSE ONE OF THE THINGS THAT THE PANEL -- THAT PANEL COULD DO IS SAY SOMETHING LIKE DNSSEC ITSELF, IS IT A CONSTELLATION, ARE THERE ALTERNATIVES OR WHATEVER. YOU CAN DO THAT IN YOUR PANEL BECAUSE THE NEXT PANEL IS COMING UP.
CLOSING THE MIKE AFTER THESE TWO, AND THEN WE WILL SWITCH TO THE OTHER PANEL. SAY YOUR NAME.
>>JORDYN BUCHANAN: HI, I AM JORDYN BUCHANAN, WITH REGISTER.COM. I WILL TAKE A QUICK STAB AT THE LAST QUESTION, BECAUSE I THINK IT SEGUES INTO MY COMMENT WHICH IS I THINK WE SOMETIMES OVERESTIMATE THE POWER OF MARKETING. I MEAN, IT'S NICE TO BE ABLE TO SAY THROW UP SOME WORDS THERE AND PEOPLE WILL JUST BUY STUFF. BUT AT THE END OF THE DAY, YOU HAVE TO DELIVER VALUE.
PEOPLE ARE ULTIMATELY THE -- PEOPLE ARE RELATIVELY INTELLIGENT OR AT LEAST THE AVERAGE PERSON IS OF AVERAGE INTELLIGENCE. AND THEY ARE EVENTUALLY GOING TO FIGURE OUT THEY ARE PAYING MONEY FOR SOMETHING THEY ARE NOT SEEING A LOT OF VALUE FOR. SO UNLESS YOU CAN ULTIMATELY PERSUADE THEM THEY ARE GETTING VALUE FOR THE EXTRA 25% OR WHATEVER THEY ARE PAYING, NOT A LOT OF PEOPLE ARE GOING TO CHECK ON THE BOX BECAUSE YOU HAVE INCLUDED A LOT OF SEXY WORDS THERE.
AND I THINK THIS GETS TO, FOLLOWING UP ON BRUCE'S COMMENTS AND SOME OF THE THOUGHTS ABOUT HOW WE GENERATE DEMAND FOR THIS, I THINK WE MAY ACTUALLY BE CONCENTRATING STILL ONE LEVEL TOO HIGH. WE STARTED WITH THE TECHNOLOGISTS AND NOW WE ARE TALKING REGISTRARS AND REGISTRARS ARE TALKING ABOUT WE NEED OUR CUSTOMERS TO BE SORT OF PERSUADED THAT THIS IS WORTHWHILE AND GENERATING DEMAND THAT WAY. BUT REALLY THE DEMAND NEEDS TO COME FROM ONE LEVEL DOWN, EVEN, WHICH IS THE PEOPLE THAT ARE ACTUALLY SURFING TO THESE WEB SITES THAT REGISTRANTS ARE PAYING FOR DOMAINS FOR.
ULTIMATELY IF YOU LOOK AT THE LITTLE LOCK THAT WE GET WITH SSL CERTIFICATES, I THINK IT'S BEEN TREMENDOUSLY EFFECTIVE AT GETTING PEOPLE TO BUY CERTIFICATES. AND THE REASON THEY HAVE CERTIFICATES IS BECAUSE THEY KNOW THEY NEED TO GET THAT LITTLE LOCK IN THE CORNER OF THEIR BROWSER WINDOW. BUT THEY DON'T WANT THE LOCK BECAUSE THE LOCK MAGICALLY APPEARS. THEY DON'T WANT IT FOR THE ICON SAKE. THEY WANT IT BECAUSE WE HAVE BEEN TREMENDOUSLY EFFECTIVE AT PERSUADING CONSUMERS THAT IF THEY DON'T SEE A LITTLE LOCK, DON'T TYPE IN YOUR CREDIT CARD NUMBER.
SO THEN AS A MERCHANT, YOU SAY, WELL, IF I DON'T HAVE A LOCK DOWN THERE, NOBODY IS GOING TO BUY STUFF FROM ME.
SO I THINK WHAT WE REALLY NEED TO DO IS SOMEHOW MAKE SURE THAT PEOPLE WHO ARE SURFING AROUND THE INTERNET UNDERSTAND THE VALUE OF DNSSEC, NOT NECESSARILY -- SO IT'S A HARDER JOB, I THINK, BUT IT MAY BE AS SIMPLE AS GOING TO MICROSOFT AND SAYING, YOU KNOW WHAT? WHY DON'T YOU MAKE IT SO THE LOCK DOESN'T SHOW UP IF THEY HAVE A CERT UNLESS THEY ALSO HAVE DNSSEC ON THEIR SITE. THAT'S A WELL UNDERSTOOD MECHANISM, AND IT PROBABLY -- THERE'S A LITTLE BIT OF A BOOTSTRAPPING PROBLEM WITH TURNING OFF THE LOCK FOR MOST OF THE WEB SITES THAT EXIST TODAY, BUT I THINK THAT'S THE SORT OF APPROACH. IF YOU CAN TIE IT TO SOMETHING THAT'S WELL UNDERSTOOD BY THE MARKET TODAY AND PERSUADE PEOPLE, THE CONSUMERS, THAT THIS IS REQUIRED, I THINK THAT WILL HAVE A VERY QUICK PUSH-UP EFFECT, MAKING REGISTRANTS AND THEN REGISTRARS RAPIDLY ADOPTING THIS TECHNOLOGY.
>>UMA MURALI: I WANT TO MAKE A COMMENT HERE. YES, IT'S IMPORTANT, BUT AT THE SAME TIME AS RAM SAID, WE ALSO NEED TO EDUCATE THE PUBLIC, NOT ONLY WHAT THEY ARE GOING TO GET IF THEY CHOOSE DNSSEC, BUT ALSO WHAT THEY MIGHT LOSE IF THEY DO NOT CHOOSE IT.
I THINK THEY HAVE TO MAKE THE CHOICE, BUT THE RISKS SHOULD BE PUT IN FRONT OF THEM.
>>STUART SCHECHTER: I JUST WANT TO SAY THAT YOU DO SEE, ONCE AGAIN, THE VERISIGN CERTIFICATES WHERE YOU SEE A 1,000 PERCENT MARKUP FOR SOMETHING THAT GETS YOU NO SECURITY SHOWS THAT FOLKS DON'T -- WE MAY THINK THEY UNDERSTAND THE SECURITY OF SSL, BUT THEY REALLY DON'T.
THEY WILL ENTER THEIR USER NAME AND PASSWORD ON A SITE THAT IS NOT PROVIDED BY HTTPS. IN FACT, MOST OF THE REGISTRARS HAVE USER NAME AND PASSWORD FIELDS ON THEIR WEB SITES THAT ARE NOT ON THE FRONT PAGES WHERE THEY ARE NOT PROTECTED BY HTTPS. SO PEOPLE DO NOT UNDERSTAND THE REAL SECURITY BENEFITS OF HTTPS, AND THEY --
>>ALLISON MANKIN: NO MORE COMMENTS BY THE PANEL. I'M SORRY. ONE LAST COMMENT FROM THE FLOOR. WE ARE WAY PAST THE PANEL'S TIME. SORRY. THAT COULD GO ON FOR A WHILE, I KNOW.
>>ELMAR KNIPP: MY NAME IS ELMAR KNIPP, AND I AM SPEAKING AS A REGISTRAR. WE TRIED TO EDUCATE OUR END CUSTOMERS ABOUT DNSSEC, AND OUR CONCLUSION IS THAT IT'S SIMPLY IMPOSSIBLE. THEY WILL NOT UNDERSTAND THE TECHNIQUES BEHIND THIS. AND OUR CONCLUSION IS JUST SAY THERE'S A NEW THING WHICH IS SECURE, AND YOU HAVE TO PAY A LITTLE BIT MORE, AND THAT'S ALL.
THAT'S MY COMMENT.
>>ALLISON MANKIN: OKAY. I'D LIKE THIS PANEL TO STAND DOWN.
OKAY. THANK YOU VERY MUCH, BUSINESS CASE PANEL. AND NOW THE OTHER PANEL CAN COME UP. AND -- THANK YOU.
(APPLAUSE.)
NOW WE HAVE THE TECHNOLOGY PANEL, BUT THE TECHNOLOGY PANEL IS GOING TO BE VERY UNTECHNOLOGICAL AND BRIEF.
AND WHILE THE TECHNOLOGY PANEL IS STANDING UP, COMING UP, IT'S GOING -- I WANTED TO ASK THE AUDIENCE TO BE A LITTLE DEMOGRAPHIC AND IDENTIFY HOW MANY OF YOU ARE IN THE REGISTRAR BUSINESS? COULD YOU RAISE YOUR HANDS? OKAY. AND HOW MANY ARE IN ANOTHER -- THE REGISTRY BUSINESS? OKAY.
AND HOW MANY ARE IN OTHER DNS-RELATED BUSINESSES? I DON'T KNOW WHAT THEY WOULD BE.
ICANN. HOW MANY ARE YOU IN ICANN, OR OTHER? OKAY.
AND HOW MANY WOULD LIKE TO GO TO THE MIKE BUT HAVEN'T DONE THAT YET? SO WE KNOW WHAT TO ALLOW FOR? OH, OKAY.
WELL, WE EXPECT -- EVERYONE WILL HAVE TO GO TO THE MIKE. BILL, YOU HAVE BEEN THERE ALREADY.
>>BILL MANNING: I KNOW. YOU LEFT OUT THE HOW MANY HAVE BEEN AND WANT TO GO BACK.
>>ALLISON MANKIN: YES. ALL RIGHT.
SO THIS OTHER PANEL, STEVE CROCKER IS GOING TO FLASH SOME OF THE QUESTIONS THERE, SORT OF AN FAQ, AND WE HAVE SOME FOLKS UP THERE WHO ARE GOING TO SAY -- BE THE KIND OF PROXIES FOR THE PEOPLE WHO ASK FAQS. AND I AM GOING TO ASK THE PEOPLE THE PEOPLE WHO ANSWER FAQS TO BE REALLY BRIEF BECAUSE WE ALSO HAVE A COUPLE MORE EXPERIENCE PRESENTATIONS. THIS IS ALSO A COME TO THE MIKE AND DISCUSS. AND IF WE NEED TO IN ORDER TO LET PEOPLE GO TO LUNCH AND HAVE A BREAK BEFORE THE BUSY AFTERNOON, WE WILL CUT OUT SOME OF THE PRESENTATIONS AT THE END. SO HAVE AT IT, PANEL.
WHAT HAPPENS IS STEVE FLASHES THE FAQ, SEBASTIAN HAS A FEW SLIDES ABOUT WHAT GOES, AND THEN THE PANEL GOES. THEY KNOW WHAT THEY ARE DOING. THEY WILL INTRODUCE THEMSELVES.
>>STEVE CROCKER: HI THERE. THERE WE GO. MY NAME IS STEVE CROCKER AND SINCE THIS IS A TECHNOLOGY PANEL I GET TO START RIGHT OFF WITH A TECHNOLOGY SNAFU. I WAS ASKED IF I WOULD ASK EVERYBODY TO LOG OUT OF THE JABBER ROOM AND LOG BACK INTO, AND THEN THERE IS SOME CONFUSION AS TO WHICH ONE WE WANT TO LOG BACK INTO.
AND I DIDN'T GET THE LATEST WORD.
DO WE WANT THE OLD ROOM OR NEW ROOM? SPEAK.
>>THE NEW ONE.
>>STEVE CROCKER: THE NEW ONE. SO THE NEW ONE IS THE ONE ON TOP. AND IT IS UNAMBIGUOUS AND WE ARE UNDER WAY.
SO FOR THOSE OF YOU WHO WANT TO BE IN THE JABBER ROOM, IT IS DNSSEC-DEPLOYMENT@CONFERENCE.ECOTROPH.NET.
SO I AM GOING TO POSE A SMALL NUMBER OF QUESTIONS AND THAT WILL KICK OFF THIS SESSION.
THESE ARE THE KIND OF QUESTIONS THAT COME UP SOMEWHAT REPEATEDLY AND DESERVE SOME STRAIGHTFORWARD RESPONSES TO TRY TO LAY THINGS TO REST.
SO TIME FRAMES.
I HAVE HEARD THAT IT'S NECESSARY FOR THE TOP LEVEL OF THE DNS THAT IS THE ROOT TO HAVE DNSSEC BEFORE THERE IS SECURITY. IS THAT TRUE? I HAVE ALSO HEARD THAT SOME ZONES HAVE DNSSEC ALREADY. ARE THEY OPERATING SECURELY? IF THE ROOT IS SECURE, IS THAT ALL THAT NEEDS TO BE DONE? AND WHEN WILL THIS HAPPEN? AND ALSO, ARE DNSSEC QUERIES CURRENTLY BEING SENT TO SERVERS? ARE APPLICATIONS ABLE TO WORK WITH DNSSEC ALREADY?
NOW, I ACTUALLY KNOW THE ANSWERS TO ALL THESE QUESTIONS, BUT I'M GOING TO LEAVE IT TO OTHERS TO SHARE THEM WITH YOU.
CAN I FIND OUT INFORMATION ABOUT SECURITY ISSUES AND THEN ABOUT DNSSEC, AND DNSSEC PLANNING, AND DNSSEC DEPLOYMENT AND OPERATION IN THE FORMS THAT I NEED? NOTE THAT THERE ARE MATERIALS FROM ALL OVER AGGREGATED AT TWO WEB SITES. WWW.DNSSEC-DEPLOYMENT.ORG AND WWW.DNSSEC.ORG.
PERFORMANCE ISSUES. DOES DNSSEC SLOW DOWN DNS WITH THE CRYPTO IT REQUIRES? IS THERE A SLOW DECODING FOR EVERY LOOKUP? HOW MUCH ADDED BANDWIDTH DOES DNSSEC REQUIRE IN MY NETWORK? DO I NEED MUCH BIGGER SERVERS TO ADD DNSSEC TO THE ALREADY RUNNING DNS SYSTEM? PRIVACY ISSUES. I HAVE HEARD THAT SOME REGISTRIES ARE WAITING TO DEPLOY DNSSEC BECAUSE IT ALLOWS WHAT IS CALLED ZONE WALKING, REVEALING THE ENTIRE ZONE. DOES THIS MEAN DNSSEC IS DELAYED FOR EVERYONE? WHEN IS THE FIX COMING FOR THOSE REGISTRIES AND WHAT DOES THEIR DELAY MEAN FOR REGISTRARS WHO WORK WITH THEM? SO THOSE ARE THE QUESTIONS, AND WE NOW ARE GOING TO ROLL THROUGH A SERIES OF RESPONSES FROM THE PANEL MEMBERS.
AND IF I UNDERSTAND, MAXINE IS GOING TO START OFF. MAXINE APPLEBY.
>>MAXINE APPLEBY: HI, I'M MAXINE APPLEBY.
I THINK I OVERLAP THE BUSINESS A LITTLE BIT.
I'M WITH HOSTING.COM.
AND I'M NOT SURE IF I'M GOING TO ANSWER THESE QUESTIONS, BUT I'M, RATHER, GOING TO ASK ANOTHER ONE.
HOSTING.COM'S PRIMARY BUSINESS IS HOSTING.
IN FACT, WE HOST MANY OF THE CUSTOMERS THAT MARKMONITOR HAS IN ITS REGISTRAR OPERATIONS.
HOSTING.COM -- I HAVE KIND OF A UNIQUE POSITION WITH THE COMPANY IN THAT WE JUST RECEIVED OUR ACCREDITATION.
SO I'M IN A POSITION WHERE I'M ACTUALLY JUST A STARTUP REGISTRAR.
SO I'VE GOT TO KIND OF LOOK AT THE MARKET AND KIND OF EVALUATE THE MARKET TRENDS.
SO I NEED TO -- AND BECAUSE WE'RE JUST IN THE PLANNING STAGES NOW, I THOUGHT THAT DNSSEC WAS A GOOD FIT FOR OUR COMPANY, GIVEN THAT MANY OF OUR CUSTOMERS' CONCERNS ARE SECURITY.
AND I THINK MARGIE OUTLINED THEM PRETTY WELL.
WHEN I WENT TO MY ENGINEERS, THEY BASICALLY SAID, YOU KNOW, JUST LIKE WE HEARD ON THE PANEL BEFORE, IS THAT WE'RE JUST NOT REALLY SEEING A DEMAND FOR DNSSEC RIGHT NOW.
AND THEY HAD OTHER CONCERNS, JUST FROM AN ENGINEERING STANDPOINT, THAT WERE ADDRESSED IN SOME OF THE QUESTIONS.
BUT I GUESS MY BIG DILEMMA HERE IS THAT OVER THE NEXT YEAR, I NEED TO BE REALLY CONCERNED ABOUT THE DEPLOYMENT TIMING.
AND I CERTAINLY NEED TO MONITOR SOME OF THE INDUSTRY TRENDS AND STAY ON TOP OF IT, SUCH AS WHAT'S HAPPENING IN THE BANKING SECTOR AS FAR AS REGULATIONS AND HOW DNSSEC WORKS WITH THAT PARTICULAR SECTOR.
AND I CERTAINLY WANT TO BE RESPONSIBLE FOR MY COMPANY, BECAUSE I CAN'T MOVE QUICKLY IF DNSSEC TAKES OFF.
I CERTAINLY DON'T WANT TO BE IN A POSITION AS A STARTUP REGISTRAR NOT REALLY PLANNED AND READY TO ROLL OUT DNSSEC, AND ALL OF A SUDDEN YAHOO! IS ADVERTISING THAT THEIR STORES ARE SAFER BECAUSE THEY'VE IMPLEMENTED THIS DNSSEC SECURITY.
AND THEREFORE ALL OF A SUDDEN MY CUSTOMERS WHO HAVE, YOU KNOW, GOOD COMPETING E-COMMERCE HOSTING WITH US ARE NOW GOING TO BE ASKING US, "WHY DON'T YOU HAVE DNSSEC?"
SO MY QUESTION IS REALLY MORE ABOUT DEPLOYMENT AND, YOU KNOW, WHEN DO YOU THINK THIS IS ACTUALLY GOING TO ROLL OUT?
AND WHAT ARE SOME OF THE MARKET TRENDS THAT I NEED TO BE LOOKING AT?
AND, YOU KNOW, GIVE ME SOME EXAMPLES ON WHERE I'M GOING TO BE ABLE TO SEE DNSSEC AS A NATURAL IMPLEMENTATION OVER THE NEXT X TIME.
PANEL?
STEVE?
>>STEVE CROCKER: WE HAD -- TIM GOING NEXT, I THINK?
>>TIM RUIZ: OKAY.
OKAY.
I ALSO DON'T HAVE ANY ANSWERS, BUT HAVE QUESTIONS.
WE'VE DISCUSSED THIS WITH OUR ENGINEERING STAFF.
AND SOME OF THE COMMENTS THAT WE'VE GOTTEN BACK WERE VERY SIMILAR TO SOME OF THE QUESTIONS YOU'VE HEARD.
FOR EXAMPLE, ONE COMMENT WAS THE DNSSEC INFRASTRUCTURE IS ALREADY TOO SUSCEPTIBLE TO DDOS.
THE ADDITIONAL CPU BURDENS OF DNSSEC WOULD PUT US AT EVEN MORE RISK AS WELL AS THE REST OF THE DNS INFRASTRUCTURES OUT THERE.
THE ONLY THING IT REALLY SOLVES IS MAN IN THE MIDDLE OR DNS POISONING ATTACKS, AND THIS HAS YET TO HAPPEN ON A LARGE SCALE. AND ALSO, IF ADMINS PROTECT THEIR SERVERS PROPERLY, IT PROBABLY WON'T HAPPEN.
SO MY QUESTION TO PERHAPS RUSS AND TO RAM, WHAT ABOUT THAT?
IF ADMINS PROTECT THEIR SERVERS PROPERLY, ARE MAN IN THE MIDDLE AND DNS POISONING ATTACKS POSSIBLE?
CAN IT BE FIXED ANOTHER WAY?
AND IF WE DO IMPLEMENT DNSSEC, HOW WILL THAT PROTECT OUR CUSTOMERS IF IT ISN'T SUPPORTED ELSEWHERE, IN APPLICATIONS, FOR EXAMPLE?
ANOTHER CONCEPT OR -- WHETHER IT'S MYTH OR FACT -- IS THAT NO MATTER WHAT, OUR AUTHORITATIVE NAME SERVERS WILL HAVE TO PERFORM SOME CRYPTOGRAPHIC FUNCTIONS ON EVERY SINGLE DNS REQUEST THAT COMES OUR WAY.
AGAIN, ADDITIONAL LOAD ON THE CPU AND ADDITIONAL MEMORY.
SO THEY'RE CONCERNED THAT WE WOULD NEED TO DOUBLE OUR HARDWARE ENCRYPTION -- OR DOUBLE OUR SERVERS, DNS SERVERS, PURCHASE HARD ENCRYPTION MODULES TO GO ALONG WITH THOSE SERVERS SO THAT WE COULD HANDLE THE GROWTH AND OUR CURRENT LOAD.
THEY'RE ALSO CONCERNED THAT THE SYMMETRIC KEY DISTRIBUTION WOULD BE A NIGHTMARE TO MANAGE, AS WOULD THE ASYMMETRIC KEY SERVERS THAT WOULD NEED TO EXIST.
SO I GUESS FOR STUART, PERHAPS THE QUESTION MIGHT BE: YOU TALKED ABOUT THE SMALL EXPENSE IN IMPLEMENTING EPP, THE SMALL EXPENSE IN THE WORK FLOW FOR SIGNING.
BUT WHAT ABOUT THIS OTHER -- THESE OTHER CON- -- OR THESE OTHER PERCEPTIONS THAT DUE TO THE INCREASED NUMBER OF SERVERS THAT ARE GOING TO BE REQUIRED, YOU KNOW, THAT'S GOING TO BE A MUCH LARGER EXPENSE, AS WELL AS THE RESOURCES TO MAINTAIN THOSE SERVERS?
AND WHAT ABOUT THE SYMMETRIC KEY DISTRIBUTION?
IS THAT REALLY GOING TO BE A NIGHTMARE?
WHAT'S TRULY INVOLVED IN MANAGING THAT?
AND, I DON'T KNOW, PERHAPS RICK COULD RESPOND TO THAT SINCE HE'S ALREADY IMPLEMENTED IT AND HAS DEALT WITH THOSE ISSUES.
SO THOSE ARE SOME OF THE QUESTIONS THAT OUR ENGINEERS HAVE HAD AND THE PERCEPTIONS THAT THEY HAVE RIGHT NOW ABOUT DNSSEC AND WHAT'S INVOLVED IN IMPLEMENTING IT.
>>RUSS MUNDY: STEVE, HOW DID YOU WANT TO HANDLE RESPONDING TO THESE?
OR DO WE WANT TO ASK IF THE AUDIENCE HAS MORE?
I THINK THAT WOULD ALSO BE A GOOD THING.
>>STEVE CROCKER: YEP.
SO I KNOW THAT WE'RE UNDER CONSIDERABLE TIME PRESSURE HERE, AND I THINK WE NEED TO ROLL THROUGH THE REMARKS OF EACH OF THE PANEL MEMBERS.
I WANT TO MOVE FROM THIS END DOWNWARD AND CONTINUE IN THAT FASHION.
SO LET ME -- GO AHEAD, SEBASTIAN.
DO YOU NEED --
>>ALLISON MANKIN: STEVE, LET ME MENTION THAT IMMEDIATELY FOLLOWING YOUR PANEL, JAAP WILL TALK ABOUT THE PERFORMANCE RESULTS FROM RIPE.
SO PEOPLE WILL GET SOME REAL QUANTITATIVE INFORMATION ABOUT PERFORMANCE THAT WILL BE HELPFUL.
SO --
>>STEVE CROCKER: I THINK THAT WILL BE EXTREMELY HELPFUL.
I KNOW THOSE PERFORMANCE RESULTS, AND I THINK THEY'RE QUITE USEFUL.
YOU CAN SEE IT HERE.
>>SEBASTIAN CASTRO: OKAY.
LOOKS OKAY.
WELL, THANKS, EVERYONE.
THANKS, ALLISON FOR INVITING ME TO BE HERE.
WE COME FROM FAR -- VERY FAR PLACE IN THE WORLD.
WE COME FROM SOUTH AMERICA.
I HAVE BEEN INVOLVED IN DNSSEC DEPLOYMENT AND DNSSEC TRAINING CONDUCTED BY BILL MANNING.
SO BILL KNOWS ME.
I KNOW BILL, I THINK.
AND I HAD THE CHANCE TO SHARE WITH YOU WHAT I HAVE BEEN DOING IN DNSSEC DEPLOYMENT, WHAT PROBLEMS WE HAVE FOUND, AND SHARE WITH YOU THE VIEW WE HAVE OF REGISTRY AND REGISTRAR AT THE SAME TIME.
WE DON'T WORK IN THE WAY THE OTHERS DO.
WE DON'T HAVE BUSINESS HERE.
WE DO IT BECAUSE WE WERE ELECTED TO DO THAT.
AND WE DO OUR JOB QUITE WELL, ACCORDING TO THE CHILEAN COMMUNITY.
SO I'M GOING TO SHARE WITH YOU A DIFFERENT VIEW FROM THE OTHER GUYS AND I HOPE THAT AT THE END OF THE SLIDES PUT YOU A COUPLE OF QUESTIONS IN YOUR MINDS TO THINK ABOUT IT.
OKAY?
OKAY.
BRIEF INTRODUCTION ABOUT OURSELVES.
NIC CHILE IS A DOT CL REGISTRY/REGISTRAR.
WE DON'T HAVE A REGISTRY/REGISTRAR MODEL, SO WE ARE THE ONLY ONE IN THIS BUSINESS IN CHILE.
WE DON'T OFFER SERVICES AS A REGISTRAR, ONLY FREE SECONDARY NAME SERVER FOR ABOUT 40,000 ZONES.
WE DON'T HAVE EPP, BUT WE'D LIKE TO.
WE ARE LOOKING FOR IT IN THE NEXT MONTH, BECAUSE THERE ARE SOME OTHER REGISTRARS INTERESTED IN DOING BUSINESS WITH US.
WE DON'T HAVE CUSTOMER ID, SO WE DON'T VALIDATE USER.
WE USE A ONE-TIME AUTHORIZATION CODE FOR EVERY OPERATION.
SO DEPLOYING DNSSEC IN CHILE WILL HAVE TO CHANGE THAT WAY OF OPERATION.
WE ARE CURRENTLY DOING THE PROCESS OF MOVING FROM THE OLD SYSTEM TO THE NEW ONE SUPPORTING EPP REGISTRY/REGISTRAR MODEL, AND SO ON.
WHAT ARE OUR GENERAL CONCERNS?
NUMBER ONE, THERE IS NO SENSIBILITY IN CHILEAN CUSTOMERS ABOUT DNSSEC.
WE CONDUCTED A SURVEY WITHIN THE TECHNOLOGICAL COMMUNITY, AND THEY SAY, OH, WHAT IS DNSSEC?
AND THE ONES WHO REALLY KNOW OR THEY THOUGHT THEY KNEW ABOUT DNSSEC SAID, "NO, THIS IS ALL ABOUT CONFIDENTIALITY."
SO THEY WERE WRONG.
AND THE OTHER PROBLEM IS HIGH LACK OF TECHNICAL PREPARATION BETWEEN OPERATORS.
WE -- PERSONALLY, I HAVE TO DEAL WITH OPERATORS IN CHILEAN INTERNET, AND THEY COMMIT EVERYTHING YOU CAN IMAGINE.
SO WE HAVE TO EDUCATE THEM BEFORE DNSSEC.
OUR PARTICULAR CONCERN ABOUT DNSSEC DEPLOYMENT.
WE WANTED TO SUPPORT A SIGNED VERSION OF OUR -- IF WE WANTED TO SUPPORT A SIGNED VERSION OF OUR ZONE, WE COULDN'T DO IT.
IF WE DECIDED TO DO IT TOMORROW, WE COULDN'T.
FIVE OUT OF NINE NAME SERVERS FOR DOT CL ZONES ARE NOT UNDER OUR ADMINISTRATION.
WE RECEIVE SERVICES FROM ISC, FROM BILL MANNING, FROM APNIC, FROM RIPE, ET CETERA.
SO WE HAVE TO ASK THEM BEFORE DEPLOYING DNSSEC.
AND THE OTHER FOUR ARE WELL PROVISIONED FOR THIS, INCLUDING CPU, MEMORY, BANDWIDTH, EVERYTHING.
WE HAVE CHECKED THE DOCUMENTS THAT SAID, OH, YOU ARE GOING TO NEED ABOUT THAT EXTRA CPU.
OUR OTHER PARTICULAR CONCERNS ARE THE NEW REGULATION SYSTEM IS ALREADY DELAYED, SO INTRODUCING A BIG REQUIREMENT LIKE DNSSEC COULD DELAY IT MORE.
AND WE DON'T WANT THAT.
WE HAVE COSTS INVOLVED, NEW HARDWARE PROBABLY WE WOULDN'T HAVE TO BUY NEW HARDWARE.
DEVELOPERS, AND DEVELOPERS IN CHILE ARE QUITE EXPENSIVE, ESPECIALLY THE QUALIFIED ONES.
WE ARE GOING TO NEED MORE OPERATORS OR TECHNICAL STAFF FOR CUSTOMER SUPPORT.
SO IF THE CHILEAN COMMUNITY HAS A PROBLEM AT THIS MOMENT IF WE DEPLOY DNSSEC, WE ARE GOING TO INCREASE THE PROBLEMS IN -- A FEW TIMES.
SO WHAT HAVE WE DONE IN DNSSEC DEPLOYMENT?
WE ARE CREATING A CRITICAL MASS FOR DNSSEC.
NIC CHILE IS ASSOCIATED WITH THE UNIVERSITY OF CHILE, THE MAIN -- THE MOST IMPORTANT UNIVERSITY IN CHILE.
SO WE EDUCATE OUR COMMUNITY CONSTANTLY.
SO THROUGH SEVERAL PRESENTATIONS, AND MORE ON THE WAY, WE HAVE BEEN EDUCATING CHILEAN COMMUNITY ABOUT WHAT IS GOING ON, WHAT IS DNSSEC ABOUT, AND HOW TO DEPLOY IT.
WE ALSO HAVE -- I ALSO PERSONALLY CREATED A GROUP OF ENTHUSIASTS TO TEST THE TECHNOLOGY, TO CREATE A NATIONAL TEST BED IN DNSSEC, TO START SIGNING ZONES, SIGNING DELEGATION, CREATING PROCEDURES FOR KEY UPLOADING, TESTING ROLLOVER PROCESS, ET CETERA.
SO MAKE MISTAKES, LEARN FROM THE EXPERIENCE, AND SHARE IT WITH THE REST OF THE COMMUNITY.
SO MY FINAL THOUGHT, AND WHAT I THOUGHT IS NEEDED, IS PROBABLY THOSE TECHNICIANS WILL WANT TO DEPLOY DNSSEC OR WANT TO TRY DNSSEC WILL NEED A DNSSEC DEPLOYMENT GUIDE.
BUT ALLISON KINDLY NOTICED ME YESTERDAY, THERE ARE SOME DOCUMENTS AVAILABLE WITH THAT INFORMATION.
SO THE QUESTION WILL BE, DO WE NEED TO PUT ALL THOSE DOCUMENTS IN ONE PLACE OR MAKE A SUMMARY OF THOSE DOCUMENTS TO GIVE A GENERAL VIEW IN THE TECHNICAL POINTS TO ALL THE PEOPLE INTERESTED IN THIS TOPIC?
FOR EXAMPLE, BEFORE ARRIVING IN VANCOUVER, WHAT DNSSEC DO AND DOESN'T, THIS WAS MY QUESTION.
I HAVE A CLEAR -- PRETTY CLEAR VIEW ABOUT IT.
BUT THE COMMUNITY, OUR COMMUNITY, DOESN'T.
WHAT ABOUT ZONE ENUMERATION OR ZONE WALKING?
THAT IS CONSIDERED A VERY SERIOUS PROBLEM.
AND MANY REGISTRARS WANT TO AVOID DNSSEC UNTIL THAT PROBLEM IS SOLVED.
WELL, I HAVE TO SAY, SOME WORKING PROBLEM IS BEING ADDRESSED AND IS BEING WORKED HARD.
SO I HOPE WE CAN FIND A SOLUTION SOON.
WHAT ABOUT SIZES FOR KEYS?
THIS IS TOO TECHNICAL PROBABLY.
BUT THAT'S CREATING POLICY.
RIPE HAS ONE POLICY, DOT SE HAS ANOTHER POLICY.
BUT WE SHOULD CREATE RECOMMENDATION FOR OTHER EARLIER ADOPTERS ABOUT POLICY, A STRICT POLICY, A LOOSE POLICY, I DON'T KNOW.
EXPECTED RESOURCE.
THE QUESTION CAME FROM TIM.
HOW MANY OR HOW MUCH CPU, MEMORY, BANDWIDTH ARE WE GOING TO NEED?
IT WAS MELISSA, YESTERDAY WE HAD A PREPARATION MEETING ON THIS, AND THE TECHNICAL GUY SAID, NO, YOU ARE GOING TO NEED THAT INCREASED NUMBER IN CPU AND BANDWIDTH.
AND SHE SAID, WHAT?
YOU ARE SCARING ME TO DEATH.
SO WE NEED TO BE CLEAR ABOUT IT.
OKAY?
FOR EXAMPLE, WE WERE STUDYING THE DOCUMENT ABOUT DNSSEC, AND THEY USE A TRUE RANDOM GENERATOR.
WHAT HAPPENS IF A REGISTRY DOESN'T HAVE THE MONEY TO BUY A TRUE RANDOM GENERATOR?
IT'S GOING TO BE A WEAK DNSSEC, A LESS QUALITY DNSSEC DEPLOYMENT.
AND RECOMMENDED PROCEDURES ABOUT COLLECTING KEYS.
WE HAVE TO CHANGE THE WAY WE WORK.
WE HAVE TO IDENTIFY CUSTOMERS TO RECEIVE AND TO COLLECT KEYS.
WHAT ABOUT ROLLING OVER KEYS?
AND THAT IS A PROBLEM THAT'S GOING TO BE SOLVED.
SO WE DON'T HAVE INFORMATION ABOUT THAT.
THERE ARE SOME POINTS SOLVED AND SOME POINTS PENDING.
AND PROBABLY THE COMMUNITY NEEDS TO KNOW CLEARLY WHICH ONES ARE THOSE.
OKAY.
THANK YOU, EVERYONE, FOR YOUR TIME AND YOUR PATIENCE.
>>STEVE CROCKER: THANK YOU VERY MUCH.
LET ME MOVE THE --
THANK YOU.
PETER KOCH.
>>PETER KOCH: OKAY.
THANK YOU.
MY NAME IS PETER KOCH.
I AM A RESEARCHER WORKING FOR DENIC, THE .DE TOP-LEVEL DOMAIN REGISTRY, AND I ALSO HAPPEN TO BE ONE OF THE TWO COCHAIRS OF THE IETF DNS OPERATIONS WORKING GROUP, WHICH IS VERY CONCERNED WITH THE OPERATIONAL ASPECTS OF THE DNSSEC DEPLOYMENT.
MAYBE I CAN SHARE SOME OF THE ANSWERS ALREADY.
SO JUST AS A DATA POINT, WHAT DENIC IS DOING, WE HAVE COMMITTED OURSELVES TO SUPPORTING DNSSEC, OF COURSE.
FIRST AND FOREMOST, TO BE PREPARED.
WE HAVE HEARD SO FAR THAT, WELL, DNSSEC IS PROBABLY GOING TO SOLVE A PROBLEM THAT IS NOT YET WIDESPREAD.
LUCKY WE!
IF IT WERE, WE WOULD HAVE A PROBLEM NOW.
SO IT'S QUITE NATURAL THAT THE REGISTRIES TRY TO BE A BIT AHEAD OF THE SCHEDULE AND THE REGISTRARS NOW COMING IN.
THIS IS A GOOD THING.
IF OUR AND YOUR CUSTOMERS WOULD KNOCK ON ALL OUR DOORS AND DEMAND DNSSEC DEPLOYMENT TOMORROW, WE'D HAVE A COMMON PROBLEM.
FORTUNATELY, WE DON'T.
SO WHAT WE ARE CURRENTLY DOING IS WORKING ON INTERNAL PROCEDURES.
WE HAVE, OF COURSE, THE NAME SERVER SOFTWARE AND HARDWARE READY.
THAT'S THE EASY PART.
WE ARE WORKING ON REGISTRAR INTERACTION.
AND LAST, NOT LEAST, THAT MEANS THE PROVISIONING SYSTEM.
YOU MAY OR MAY NOT KNOW WE DON'T USE EPP BUT HAVE OUR OWN PROTOCOL, WHICH BETTER BENEFITS OUR AND OUR REGISTRARS' NEEDS.
SO THAT WILL HAVE TO BE ENHANCED.
WE ARE CONCERNED ABOUT THE ZONE-WALKING PROBLEM.
AND I WILL HAVE A SLIDE ABOUT THAT LATER.
WE ARE DISCUSSING AND EVALUATING THE KEY MANAGEMENT, WHICH IS MORE OR LESS THE INTERNAL HANDLING OF THE KEYS, BECAUSE THE FARTHER YOU ARE UP IN THE TREE, THAT IS, CLOSER TO THE ROOT, THE MORE IMPORTANT THE CAREFUL HANDLING OF THE KEY IS; SHOULD THE TOP-LEVEL DOMAIN KEY OR EVEN THE ROOT KEY BE COMPROMISED, THE SYSTEM WOULD HAVE A REAL PROBLEM.
AND WE ARE WORKING ON EDUCATIONAL MATERIAL TARGETED TO OUR CONSTITUENCY THAT IS PROBABLY MOSTLY IN GERMAN LANGUAGE, OF COURSE.
SO WHAT DO WE SEE AS REGISTRAR ISSUES?
FIRST, WE HEARD THAT ELMAR KNIPP SAID I'M A BIT SCARED EDUCATING MY CUSTOMERS ABOUT HOW DNSSEC WORKS.
WELL, THE GOOD NEWS IS, YOU DON'T HAVE TO.
FOR THOSE CUSTOMERS THAT BUY FULL SERVICE, THAT IS, THE REGISTRATION, DNS SERVICE, AND MAYBE EVEN THE WEB HOSTING, YOU CAN JUST SECURE THEIR DELEGATIONS WITHOUT THEM EVEN KNOWING.
WELL, FOR MARKETING PURPOSES, THEY SHOULD KNOW.
AND FOR BILLING PURPOSES, OF COURSE, THEY SHOULD KNOW.
BUT YOU DON'T HAVE TO BOTHER THE END CUSTOMER WITH THE KEY MANAGEMENT STUFF IF YOU HAVE THE RIGHT CASE.
SO YOU CAN SECURE THAT.
YOU STICK A LABEL ON THAT PACKAGE, AND YOU SELL IT.
AND AT WHATEVER PRICE YOU MAY CHOOSE OR WHAT THE MARKET PAYS.
AND WHEN IT COMES TO NECESSITY OF DNSSEC, MORE AND MORE DNS SERVICES ARE COMING UP -- ARE EMERGING WHICH INTRODUCE MORE LEVELS OF INDIRECTION.
WE HAVE HEARD ABOUT SPF, ALL THAT ANTI-SPAM STUFF THAT IS PUT INTO THE DNS.
SPAMMERS ARE CRIMINALS, WELL, AT LEAST PART OF THEM.
SO THERE'S AN INCENTIVE FOR THOSE GUYS TO CACHE-POISON.
THEY DON'T DO THAT AT THE MOMENT BECAUSE THEY HAVE OTHER OPPORTUNITIES.
BUT THEY WILL DO ONCE MORE AND MORE PROTECTIVE MEASURES ARE IN PLACE.
SO WE ARE SHIFTING THEIR TARGET FROM ANYWHERE TO THE DNS.
AND THAT IS A REASON THAT THE DNS NEEDS TO BE PROTECTED.
REGISTRARS WHO ALSO PROVIDE DNS SERVICE NEED TO BE AWARE OF THE FACT THAT IN CONTRAST TO WHAT IS CURRENT PRACTICE, WHERE YOU SET UP A DOMAIN OR A ZONE AND THEN YOU MORE OR LESS FORGET ABOUT THAT, DNSSEC SECURED ZONES NEED REGULAR RESIGNING.
THAT MAY MEAN THAT YOU HAVE TO CONSIDER EVALUATING AND CHANGING YOUR INTERNAL WORK FLOW.
BUT THAT'S NOT A BIG DEAL, I GUESS.
YOU ALSO NEED DNSSEC-CAPABLE NAME SERVERS, HARDWARE, SOFTWARE, AND THEIR RESOURCES.
WE'LL HEAR ABOUT THE RESOURCES LATER BY JAAP.
SO I'LL SKIP THAT.
ALL REGISTRARS, OF COURSE, CAN DO THE MATH BASED ON WHAT THE RIPENCC CALCULATED AND WHAT YOU WILL SEE IN JAAP'S PRESENTATION.
AND YOU WILL FIND OUT THAT MOST OF YOU ALREADY HAVE ENOUGH HEAD ROOM FOR THOSE RESOURCES.
SO YOU SHOULD NOT REALLY BE SCARED, BUT OF COURSE YOU SHOULD BE CAUTIOUS.
AND THEN MAYBE YOU MIGHT WANT TO HAVE REGISTRANT EDUCATIONAL MATERIAL, AGAIN TARGETED TO YOUR PREFERRED CUSTOMER BASE; THAT IS A LANGUAGE ISSUE AND MORE OR LESS A CULTURAL ISSUE.
THAT IS LIKE WHAT BUSINESS YOUR CUSTOMERS ARE IN.
OKAY.
SO FOR THE ZONE-WALKING ISSUE, THE DNS HAS A SIDE EFFECT THAT THE SO-CALLED PROOF OF NONEXISTENCE ENABLES ANYONE TO WALK THROUGH THE ZONE, THAT MEANS ENUMERATE ALL THE NAMES EXISTING IN A ZONE.
AT THE REGISTRY LEVEL, THAT IS EXPLICITLY FOR THE .DE TOP-LEVEL DOMAIN AND THE U.K. TOP-LEVEL DOMAIN AND OTHERS, THIS IS A SEVERE PRIVACY ISSUE.
WE DON'T WANT TO AND WE ARE NOT ALLOWED TO DISCLOSE THAT INFORMATION IN BULK.
SO WE HAVE TO WORK AGAINST THAT.
AS SUCH, THIS ZONE-WALKING ISSUE MAY CONCERN THE REGISTRARS AS WELL, BECAUSE THAT WOULD MEAN THAT ANYONE IS ABLE TO ENUMERATE A ZONE AND FIND OUT THE LIST OF ALL YOUR CUSTOMERS MORE OR LESS IMMEDIATELY.
YOU MIGHT NOT WANT THAT.
BUT THIS IS NOTHING YOU CAN FIGHT AGAINST.
THIS IS WHAT THE REGISTRIES WILL TAKE CARE OF.
SO THE IETF AND THE REGISTRIES ARE WORKING ON AT LEAST TWO DIFFERENT COUNTERMEASURES.
ONE IS PROTOCOL-BASED, ONE IS OPERATIONAL.
AND SO THE PROBLEM IS TAKEN CARE OF AND THE ZONE-WALKING ISSUE IS NO EXCUSE TO NOT WORK ON DNSSEC ANYMORE.
FOR THE VAST MAJORITY OF THE CUSTOMERS' ZONES, THE ZONE-WALKING ISSUE IS MORE OR LESS A NONISSUE, BECAUSE THE CUSTOMER ZONES ARE PRETTY EMPTY.
USUALLY YOU FIND IN THERE A WWW AND MAYBE AN MX RECORD FOR THE DOMAIN NAME ITSELF.
SO THERE'S NOT MUCH TO ENUMERATE ANYWAY.
FOR THOSE ZONES, YOU CAN DEPLOY DNSSEC AS IT STANDS WITHOUT BIG ISSUES.
STILL, THE CURES MIGHT HELP.
AND, FINALLY, THERE IS MORE THAN -- IN THE DNS THAN THE USUAL TOP-LEVEL DOMAINS.
ZONE-WALKING IS NOT AN ISSUE FOR THE ROOT ZONE, OF COURSE, BECAUSE THE CONTENT OF THE ROOT ZONE IS PRETTY PUBLIC ANYWAY, IN FULL.
IT IS ALSO NOT AN ISSUE IN THE REVERSE TREE.
AND WITH ENUM.
AND THOSE REGISTRARS WHO ALSO ARE CONCERNED WITH ENUM MIGHT BE PARTICULARLY INTERESTED IN THIS TECHNOLOGY, BECAUSE ENUM IS A REALLY INTERESTING CASE FOR DNSSEC, SINCE IT HAS ONE OF THOSE ADDITIONAL LEVELS OF INDIRECTION I MENTIONED BEFORE.
AND DUE TO THE STRUCTURE OF THAT NAME SPACE, THERE IS NO POINT IN ENUMERATING IT BY DNSSEC, BECAUSE YOU CAN ENUMERATE IT ANYWAY.
SO THE BOTTOM LINE IS, ZONE-WALKING IS AN ISSUE, BUT IT'S NOT A SHOW-STOPPER ANYMORE.
IT IS BEING WORKED ON.
WORK IS MAKING GOOD PROGRESS.
AND WE CAN EXPECT A SOLUTION REAL SOON.
I WILL REFRAIN FROM STATING ANY DATE BECAUSE THAT HAS FAILED IN THE PAST.
BUT THIS IS REALLY GOING TO FLY.
OKAY.
>>STEVE CROCKER: THANK YOU VERY MUCH, PETER.
RUSS?
>>RUSS MUNDY: THANKS.
DON'T NEED THE CABLE.
>>ALLISON MANKIN: COULD I INTERRUPT?
IT TURNS OUT WE HAVE TO VACATE THE ROOM.
WE HAVE NO MORE THAN 15 MINUTES.
SO COULD I BE KIND OF ABRUPT TO YOU GUYS AND -- I'M SORRY -- THIS ALWAYS HAPPENS.
I'D KIND OF LIKE TO GET JAAP TO GIVE HIS TALK, BECAUSE IT'S REALLY GOOD.
NOT THAT YOU AREN'T GOOD, TOO.
SO, JAAP, COULD YOU GO UP TO THE PODIUM AND THEN THE PANELISTS COULD FILE OFF. AND WHAT WE HAVE IS JAAP AND THEN A WRAP-UP FROM PAUL.
IS THAT OKAY?
>>STEVE CROCKER: YEAH.
I THINK THAT'S FINE.
JAAP, COME ON UP HERE.
HERE'S THE CABLE.
>>ALLISON MANKIN: THAT WOULD BE ALL RIGHT.
AND THAT MAKES SENSE.
AND, ACTUALLY, IF YOU GUYS WANT TO STAY THERE, AND THEN PAUL CAN WRAP UP WITH YOU GUYS UP THERE, THAT WOULDN'T BE BAD, EITHER.
HOW'S THAT SOUND?
>>STEVE CROCKER: THANK YOU.
THAT'S A GOOD PLAN.
>>JAAP AKKERHUIS: SHORT WIRES HERE.
HI.
I'M JAAP AKKERHUIS, AND I'M ACTUALLY PROXYING THE RIPENCC.
THE WORK I AM TALKING ABOUT IS NOT DONE BY MYSELF, BUT BY THE RIPENCC, ALTHOUGH WE HAVE BEEN INVOLVED IN IT.
THIS IS ACTUALLY A SCALED-DOWN VERSION FROM A MUCH LONGER REPORT GIVEN BY OLAF KOLKMAN AT THE LAST RIPE MEETING.
THE REAL WORK HAS BEEN DONE BY THE PEOPLE LISTED BELOW.
THIS IS ABOUT SOME REAL WORK BEING DONE ON THIS MOMENT.
AND JUST TO MAKE SURE -- I AM JUST PRESENTING THIS.
I AM NOT PRETENDING TO DO THE WORK.
AND I WILL GIVE AN OVERVIEW OF DNSSEC IN THREE SLIDES.
AND SO TO USE THAT AS A METHOD FROM WHERE THINGS NEED TO CHANGE.
AND THEN GO TO THE TASKS WE NEED TO DO.
WELL, IN DNS, THE DATA FLOW IS VERY EASY AND YOU HAVE A ZONE FILE GOING TO THE MASTER SERVER.
AND -- WHICH MIGHT BE DONE BY HAND OR MIGHT BE DONE BY DYNAMIC UPDATES.
AND THE MASTER ACTUALLY SERVES OUT TO THE VARIOUS SLAVES.
BUT THE REALLY INTERESTING PART IS THE CACHING FORWARDER USED BY THE ISPS AND THE USERS, AND USERS FINALLY HAVE A RESOLVER.
THE PART DNSSEC DEALS WITH IS THE RIGHT-HAND PART.
THAT'S THE REAL DATA PROTECTION.
WHAT'S ON THE LEFT, THERE ARE A LOT OF WAYS HOW TO GET DATA IN.
THE MASTER AND SLAVE, THAT'S A PART OF THE OPERATION OF THE REGISTRY OR THE REGISTRAR.
BUT ON THE RIGHT SIDE, THAT'S REALLY THE PART THAT DNSSEC DEALS WITH.
AND AS IT SAID BEFORE, IT PROVIDES DATA AUTHENTICATION BASED ON PUBLIC KEY CRYPTOGRAPHY.
AND, ACTUALLY, THIS IS WHERE YOU BUILD CHAINS OF TRUST USING THE DS RESOURCE RECORDS.
AND THERE ARE A LOT OF TECHNICALITIES, BUT WE SKIP THAT.
AND SO THIS IS THE BASIC ARCHITECTURE.
YOU'VE GOT ZONES -- ZONE GENERATION.
AND THE THING THAT GETS ADDED ASIDE THE ZONE SIGN AND SIGNER ZONE.
AND THE PUBLICATION, THE SERVERS, DNSSEC-AWARE SERVERS.
AND THE THIRD PART OF DOING DNSSEC IS DNSSEC-AWARE PROVISIONING.
AND THE BASIC DEPLOYMENT TASKS ARE THE KEY MAINTENANCE POLICIES, THE ZONE SIGNING, THE DNS INFRASTRUCTURE, AND INTERFACING WITH THE CUSTOMERS.
THAT'S -- IN SHORT.
AND SO DEPLOYMENT TASKS.
HOW DID RIPENCC DO THAT?
THEY FIRST BUILT SOME KEY MAINTENANCE MECHANISM, AND SO THAT'S HERE.
THE PURPLE STUFF.
AND THERE ARE ACTUALLY -- THE KEYS NEED TO BE MAINTAINED, YOU HAVE TO DO A KEY ROLLOVER, THERE ARE DIFFERENT TYPES OF KEYS, YOU HAVE TO DEAL WITH KEY SIGNING KEYS AND ZONE SIGNING KEYS.
AND YOU REALLY NEED THE -- THE PRIVATE KEYS NEED SOME SHIELDING AND SOME PRIVACY.
AND THIS IS DONE BY HAVING THE KEY MAINTAINER, WHICH IS CONNECTED TO -- IT'S CONNECTED TO THE -- ACTUALLY SEPARATE STUFF.
AND THIS IS BASICALLY HOW IT FITS IN THE CURRENT WAY OF DOING DNS.
AND THE DNS SERVER INFRASTRUCTURE IS ACTUALLY WHY A LOT OF THESE QUESTIONS CAME UP ON THE PANEL. AND THE REAL QUESTION HERE IS WHAT WILL BE THE EFFECT ON MEMORY, ON THE CPU, AND ON THE BANDWIDTH. AND TRYING TO ANSWER THIS QUESTION, RIPE WENT TO SIMULATION OF VIEW. THIS EXTENSIVE REPORT IS PUBLISHED AS RIPE REPORT 352. IT'S OPEN, ANYBODY CAN USE IT, AND IT GIVES YOU A LOT OF INFORMATION ABOUT WHAT'S REALLY HAPPENING. AND I WILL JUST PUT IN SOME SMALL HIGHLIGHTS, GIVEN THE TIME.
AND FIRST, PEOPLE LOOKED AT WHAT'S ALLOWED ON THE SERVER NOW. RIPE HAS TWO DIFFERENT SERVERS, A K.ROOT SERVER AND THE REFER SERVER. THE ONLY INTERESTING THING IN THE PICTURE HERE IS THE LEFT, THE TWO LEFT THINGS. THAT'S THE CASE OF THE K.ROOT SERVER, AND IF YOU LOOK AT THE ORANGE, THAT'S CURRENTLY THE LOAD OF REQUESTS THAT COMES IN WHICH ASKS FOR DNSSEC. SO IF THE SWITCH IS ON, YOU HAVE TO -- THAT'S THE EXTRA ANSWERS YOU HAVE TO DO.
ON THE REFER, IT'S ABOUT THE CERT OF THE LOAD. THERE ARE A LOT OF DETAILS, BUT WE WILL SKIP IT.
SO THAT IS WHAT YOU CAN ABOUT WHAT YOU NEED TO ANSWER.
AND THIS IS THE BANDWIDTH TAKEN OF INTERVAL OF TEN MINUTES, ABOUT THE LOAD ON, IN THIS CASE, THE K-ROOT SERVER USING NSD. AND YOU SEE YOU HAVE AGGREGATES OF AROUND 1800 KILOBYTES A SECOND WHICH IS USED NOW.
AND IF YOU SIMULATE THIS WITH DIFFERENT KEY SIZES AND THINGS LIKE THAT, AND IF YOU -- THE UPPER BOUND IS IF YOU HAVE THE SAME TRAFFIC BUT NOW ALL THE TRAFFIC IS DONE WITH DNSSEC ANSWERS, THE LOAD DOUBLES OR TRIPLES WITH THE BANDWIDTH. THIS IS JUST THE BANDWIDTH. WHICH IS ACTUALLY, IF YOU ARE A REGISTRAR AND DOING DIFFERENT SERVICES LIKE HOSTING, THE DNS TRAFFIC IN GENERAL IS AROUND 10% OF ALL YOUR TRAFFIC. SO COMPARE IT TO ALL THE OTHER BANDWIDTHS NEEDS. ACTUALLY, IT'S NOT REALLY A BIG DEAL.
AND THE OTHER THING, THE AMOUNT OF CPU MEASUREMENTS. THERE ARE A COUPLE OF DETAILS IN THE REPORT ABOUT EXACTLY HOW IT GOT MEASURED, WHAT GOT MEASURED. BUT THE CONCLUSION OF THE MEASUREMENT IS THAT, DEPENDING ON THE SOFTWARE YOU USE, THE INCREASE IN CPU LOAD IS ACTUALLY MINIMAL, A COUPLE OF PERCENT, COMPARED TO WHAT IT ALREADY IS.
SO FURTHERMORE, THERE ARE CALCULATIONS YOU CAN MAKE HOW BIG THE MEMORY SIZE NEEDS TO BE AND DEPENDING ON THE SIZE OF THE KEYS, IT WILL BE ROUGHLY BETWEEN THREE TO NINE TIMES BIGGER.
BUT AGAIN, THE DETAILS ARE REALLY IN THE REPORT.
NOTE, THIS IS DONE ON A SPECIFIC CASE LOAD, THAT OF THE ROOT SERVER, AND ACTUALLY IN JANUARY WE WILL TAKE UP DOING THIS FOR TWO DIFFERENT TLDS. WE DID IT FOR .NL, AND BRAZIL HAS ASKED US TO DO THE SAME MEASUREMENTS, TRYING TO SEE WHAT IS DONE.
SO IN CASE YOU WANT TO KNOW HOW THIS IS DONE, COME SEE ME AND I CAN TELL ABOUT IT.
AND ONE OPERATIONAL ASPECT THAT CAME OUT OF ALL THESE MEASUREMENTS, THAT'S THE LAST BULLET, HAS TO DO WITH THE FACT THAT YOU DON'T WANT TO DO DNSKEY RR SETS IF YOU DON'T REALLY NEED IT. AND THAT ACTUALLY IS BEING TAKEN TO THE BIND SOFTWARE FAMILY.
THE OTHER THING THAT HAPPENED IS PART OF IT IS THE PROVISIONING PART AND PROVIDING SECURE DELEGATIONS.
AND ACTUALLY, RIPENCC CHOOSE THE SAME ROUTE THAT THEY WERE DOING ALREADY.
BASICALLY WHAT YOU NEED TO EXCHANGE IS THE DS KEY RECORD, AND IT'S MORE OR LESS SIMILAR TO THE NAME SERVER RECORD. IT'S THE SAME AUTHENTICATION/AUTHORIZATION MODEL, ACTUALLY. AND THE ONLY THING IS IT'S MORE SENSITIVE TO MISTAKES. SO THEY HAD TO TIGHTEN UP THE WAY THESE THINGS WERE HANDLED.
SO BETTER CHECKING FOR ERRORS. AND ALSO WHAT DS DID IS PROVIDE A LOT OF TOOLS THAT ARE AVAILABLE FROM THEIR WEB SITE. SO PEOPLE LOOK FOR TOOLS.
EITHER THE RIPE WEB SITE OR THE WEB SITES STEVE WAS MENTIONING EARLIER, YOU FIND LINKS TO ALL THESE TOOLS.
>>ALLISON MANKIN: SO --
>>JAAP AKKERHUIS: THE SIDE EFFECT OF DOING ALL THIS WORK IS IT MADE NCC LOOK BETTER TO WHATEVER THEY WERE DOING AT THE MOMENT. SO ACTUALLY, TAKE IT TO A COUPLE MODIFICATIONS WHERE THEY WERE ACTUALLY DOING THINGS WHICH WERE NOT SECURE YET. AND THESE THINGS WERE NOT DNSSEC SPECIFIC, BUT THEY -- BUT THEY ACTUALLY HELPED TO TIGHTEN UP THE COMPLETE OPERATION.
>>ALLISON MANKIN: JAAP, I AM GOING TO CUT IT.
>>JAAP AKKERHUIS: AND I AM DONE.
>>ALLISON MANKIN: GREAT, BECAUSE WE WANT -- PEOPLE WANT TO GET TO LUNCH.
(APPLAUSE.)
>>ALLISON MANKIN: AND ACTUALLY, RAM IS GOING TO GIVE HIS FOUR SLIDES, BECAUSE THEY REALLY ARE GREAT, AND I WANT TO GIVE JAAP'S HEADLINE, TOO, WHICH YOU MIGHT HAVE MISSED, WHICH IS THAT THEY DID THIS PERFORMANCE WORK AND THEY KNEW IT WAS GOING TO BE GOOD AND THEY ARE OPERATIONAL, THE DNSSEC FOR THE REVERSE TREE IS OPERATIONAL AT RIPE. SO YOU CAN DO A DELEGATION, AND IT'S RUNNING. THEY ARE VERY CONFIDENT OF IT AND THEY HAVE IT UP AND RUNNING.
SO THOSE NUMBERS ARE ABOUT SOMETHING THAT HAS GONE UP AND IS LIVE.
AND NOW WE ARE GOING TO HEAR JUST A VERY SHORT PRESENTATION ABOUT THE TEST BED AND THEN PAUL DIAZ IS GOING TO TAKE YOU OUT. RAM, YOU ARE UP.
>>RAM MOHAN: THANK YOU. I CAN'T ACTUALLY SEE THIS ON MY SCREEN SO I AM GOING TO READ IT OFF THE SCREEN THERE.
THE .ORG TEST BED LAUNCHED ON THE 31ST OF OCTOBER, 2005. AND IT FEATURES DNSSEC-AWARE NAME SERVERS, AND THE REGISTRY APPLICATION SERVERS, THEY USE THE EPP 1.0 PROTOCOL, WHICH IS AN IETF RFC SPECIFICATION.
THE REGISTRY APPLICATION SERVERS LOAD AND THEY FEED THE ZONE DATA TO THE DNSSEC TEST BED NAME SERVERS. BY THE WAY, THIS IS A -- I HAVE MADE THIS A RELATIVELY TECHNICAL PRESENTATION MOSTLY BECAUSE I'M TRYING TO SHARE THE DETAILS OF WHAT WE'VE DONE.
THE WAY WE ENDED UP DOING THIS IS TO ALLOW ONLY .ORG ACCREDITED REGISTRARS INTO THE TEST BED. TWO REASONS. NUMBER ONE, THEY ALREADY HAD THE SOFTWARE, THE PRIMARY SOFTWARE TO INTERACT WITH THE REGISTRY. BUT THE SECOND THING WAS WE HAD TRUSTED RELATIONSHIPS WITH THEM, WE HAD SECURITY KEYS, CERTIFICATES, A WHOLE BUNCH OF THINGS THAT JUST MADE GETTING THEM GOING VERY EASY.
AND AS A RESULT OF THAT, WHAT WE HAVE DONE IS, WHEN A NEW REGISTRAR COMES INTO .ORG AND WHEN THEY ARE ACCREDITED INTO .ORG AND THEY HAVE PASSED THE OPERATIONAL TESTS, THEY ARE AUTOMATICALLY QUALIFIED INTO THE DNS TEST BEDS. SO LITERALLY RIGHT NOW THERE ARE OVER 200 .ORG ACCREDITED REGISTRARS WHO HAVE THE CAPABILITY TO GET INTO THE DNSSEC TEST BED AND TO PERFORM TESTS AND TO ACTUALLY DEPLOY CODE FOR DNSSEC.
THE TEST BED SERVERS, YOU SEE THE ADDRESSES THERE, THEY ARE SEPARATE FROM THE .ORG PRODUCTION SERVERS.
AND ON THE DNS SIDE WHAT WE ARE DOING IS RUNNING ON DEDICATED BIND SERVERS, AND OUR PLAN IS TO ADD TO OUR PRODUCTION ANYCAST NETWORK IN 2006.
WE HAVE CREATED THESE SYSTEMS AS ISOLATED DNS SYSTEMS, SO IF YOU WERE TO DO A QUERY AND WANTED TO FIND OUT INFORMATION, THIS IS WHAT YOU DO.
ONE CHOICE THAT WE MADE WAS TO BEGIN WITH AN EMPTY ZONE RATHER THAN BEGIN WITH A FULLY POPULATED .ORG ZONE. AND THIS WAS AN INTERESTING CHOICE. I'M HAPPY TO SHARE SOME OF THE THOUGHT PROCESS BEHIND IT LATER.
BUT WHAT IT'S ACTUALLY DONE IS IT'S HELPED SOME OF THE REGISTRARS THAT HAVE COME IN TO LEARN HOW TO POPULATE THE ZONE AND TO ADD THE NECESSARY KEYS.
WE HAVE ISSUED AN EXPERIMENTAL TOOL KIT, AND IT IS AVAILABLE ON THE PIR WEB SITE AS WELL AS SOURCEFORGE, AND IT USES THE EPP EXTENSION FOR DNSSEC, THE HOLLENBECK DRAFT THAT'S AVAILABLE AND HAS BEEN PUBLISHED, AND THE INTENT IS TO MAKE THIS THE STANDARD WAY OF INTERACTING. REGISTRARS, IF YOU ALREADY HAVE SOFTWARE WORKING, IT'S JUST A LITTLE BIT OF AN EXTENSION TO MAKE IT WORK FOR THE DNSSEC TEST BED.
SOME POLICY DECISIONS, IT'S RUNNING ACCORDING TO THE BIS --
>>ALLISON MANKIN: RAM, PROBABLY NOT TIME -- WE'RE PROBABLY OUT OF TIME.
>>RAM MOHAN: LET ME JUST GO TO A COUPLE OF HIGHLIGHTS.
ROLLOVER OF KEYS IS OFTEN TALKED ABOUT AS AN IMPORTANT ISSUE. WE ALREADY ROLLED IT OVER LAST WEEK. THE KEY GOT ROLLED OVER, AND NEXT YEAR, SOMETIME, WE WILL BE DOING IT UNANNOUNCED; BOTH ZONE AND KEY SIGNING KEYS WILL GET ROLLED OVER. AND IT'S GOING TO BE INTERESTING TO SEE HOW FOLKS WORK WITH IT.
THIS IS HOW THE PARTICIPATION HAS BEEN, OVER 200 REGISTRARS. THREE HAVE TRIED TO LOG IN IN THE LAST 45 DAYS. AND, YOU KNOW, THERE ARE ABOUT 12 DS RECORDS IN THE SYSTEM.
THANK YOU.
(APPLAUSE.)
>>PAUL DIAZ: OKAY. I WILL DO A QUICK WRAP-UP AND I PROMISE TO BE BRIEF. I AM AS HUNGRY AS EVERYBODY ELSE.
WE WERE PRESENTED AN AWFUL LOT OF MATERIAL TODAY. I WOULD ASK EVERYBODY TO REMEMBER WE PROVIDED THE TRANSCRIBERS WITH THE WEB ADDRESS, THE DNSSEC ADDRESS. ALL THE MATERIALS THAT WERE PRESENTED HERE, A WEALTH OF BACKGROUND MATERIAL AS WELL, ALL AVAILABLE AT THAT SITE, MANY THINGS TOO DENSE TO TRY TO ABSORB IN THIS ONE SESSION. I STRONGLY ENCOURAGE EVERYBODY TO GO BACK TO IT.
THANK YOU TO ALL THE PRESENTERS. THIS IS, AGAIN, A TREMENDOUS RANGE OF MATERIALS AND WHATNOT.
IN SUMMARY AND WRAPPING UP, I COME AWAY WITH A COUPLE OF KEY ISSUES THAT NEED FURTHER DEVELOPMENT. MOST EVERYBODY WAS WORKING AROUND SOME GENERAL AGREEMENT THAT GREATER EDUCATION ABOUT THE PROTOCOL AND ABOUT HOW IT'S IMPLEMENTED, PROS AND CONS, COSTS AND BENEFITS, THE RISKS OF INACTION, ET CETERA, ALL THIS NEEDS TO TAKE PLACE AMONGST THE REGISTRIES, REGISTRARS, AND END USERS, WHETHER DEFINED AS AN ENTERPRISE, SMALL BUSINESS, OR INDIVIDUAL CONSUMERS.
THE ANALOGIES THAT WERE USED, THE CAR SAFETY ANALOGY IN PARTICULAR, WERE HELPFUL IN HOPEFULLY HELPING US BETTER FRAME WHETHER DNSSEC WILL BE ONE OF THESE NECESSARY INFRASTRUCTURES OR IS MORE MARKETING DRIVEN. THIS GETS BACK TO THE IDEA OF EDUCATION, DEFINITIONS. IT SEEMS TO ME THERE WAS SOME DISAGREEMENT AMONG THE VARIOUS EXPERTS ABOUT THE BEST WAY TO GO ABOUT THAT, THE PROPER WAY TO GO ABOUT THAT, THE RELATIVE BENEFITS OF ONE APPROACH OVER THE OTHER. NEVERTHELESS, UNLESS WE COME TO SOME GENERAL CONSENSUS AND BEGIN TO MOVE FORWARD ON THAT, I THINK THE F.U.D. THAT CURRENTLY EXISTS AROUND DNSSEC WILL CONTINUE. AND ONE OF THE SIMPLEST WAYS TO DEAL WITH THIS, I THINK, IN SUMMARY, IS PERHAPS WE NEED TO BEGIN TO MOVE AWAY FROM SUCH A TECHNICAL DESCRIPTION, MOVE THIS OUT INTO MORE THE MAINSTREAM. THE SUGGESTION WAS DON'T CALL IT DNSSEC BUT MAYBE SECURE NET, NET SECURE, SOMETHING LIKE THAT.
NOT TO DUMB DOWN THE PROCESS, BECAUSE IT IS SUCH AN IMPORTANT ISSUE, BUT WITH SO MANY COMPETING SECURITY CONCERNS, I THINK THAT THIS PROTOCOL IN PARTICULAR AND ITS WIDESPREAD ADOPTION ACROSS THE INTERNET IN ALL THE VARIOUS TLDS IS GOING TO REQUIRE A SIMPLIFICATION TECHNOLOGY. LITTLE THINGS LIKE THE LOCK FOR A CERT, MAYBE WE HAVE A SPECIAL LOGO THAT CAN BE ADOPTED, OR SOMETHING ALONG THOSE LINES. BUT SIMPLIFICATION, IT SEEMS TO ME, IS ALSO A NECESSARY STEP AS WE MOVE FORWARD AND CONTINUE TO DEVELOP.
AGAIN, I THANK EVERYBODY THAT PRESENTED TODAY. I THANK YOU ALL FOR YOUR TIME, AND WE LOOK FORWARD TO WORKING WITH YOU IN THE FUTURE.
(APPLAUSE.)