Registration Operations is More Than Just Registering Domain Names

Perceptions can be difficult to change. People see the world through the lens of their own experiences and desires, and new ideas can be difficult to assimilate. Such is the case with the registration ecosystem. Today’s operational models exist because of decisions made over time, but the assumptions that were used to support those decisions can (and should) be continuously challenged to ensure that they are addressing today’s realities. Are we ready to challenge assumptions? Can the operators of registration services do things differently?



“What’s in a Name?” Using DANE for Authentication of Internet Services

Do we already have strong security protections for our Internet services? For many years now we have had numerous cryptographically enhanced protocols. Standards and suites like S/MIME, Transport Layer Security (TLS), IP Security (IPsec), OpenPGP and many others have been mature for years, offer a range of protections and have been implemented by a wealth of code. Indeed, based on these protections, we already count on having “secure” e-commerce transactions, secure point-to-point phone calls that our neighbors can’t listen in on, secure Virtual Private Networks (VPNs) that let us remotely connect to our internal enterprise networks, and so on. However, our Internet security protocols have all left a very important step out of their security analyses: none of them describes a crucial step called secure key learning. That is, before we can encrypt data or verify signatures, how does someone bootstrap and learn which cryptographic keys are needed? In the absence of a standardized way to do this, we have traditionally prefaced the protections of these protocols with techniques like Out-of-Band (OOB) key learning (learning keys in an unspecified way) or Trust on First Use (TOFU) key learning (accepting whatever keys are found first), and each protocol must do this separately, potentially in its own, different way, because none of them formally specifies how to securely bootstrap its keys.
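To make the “key learning” gap concrete, here is an added example (not code from the original post or from Verisign) of the DNS side of DANE: how a zone operator derives a TLSA record from the certificate it will serve, how a client checks the certificate presented in the TLS handshake against that record, and, for contrast, the trust-on-first-use pin store that the text describes. EXAMPLE_CERT and EXAMPLE_SPKI are constructed placeholder byte strings standing in for DER-encoded data, not a real certificate or key, and the code performs no DNS lookup or DNSSEC validation.

```python
"""DANE TLSA association checking (RFC 6698), plus a TOFU pin store for contrast.

Added example, not code from the original post. EXAMPLE_CERT and EXAMPLE_SPKI are
constructed placeholder byte strings standing in for DER-encoded data; they are
not a real certificate or key, and no DNS lookup or DNSSEC validation is done.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Certificate usage field (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector: 0 = full certificate, 1 = SubjectPublicKeyInfo only
FULL_CERT, SPKI = 0, 1
# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
EXACT, SHA256, SHA512 = 0, 1, 2

# Constructed stand-ins for DER blobs. A real client would extract the SPKI from
# the certificate with an ASN.1 parser; the matching logic below is the same.
EXAMPLE_CERT = b"constructed-cert-der:www.example.com"
EXAMPLE_SPKI = b"constructed-spki-der:www.example.com"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSA":
        """Parse zone-file RDATA such as '3 1 1 2bb183...' (hex may contain spaces)."""
        fields = rdata.split()
        if len(fields) < 4:
            raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
        usage, selector, mtype = (int(f) for f in fields[:3])
        if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
            raise ValueError("unassigned TLSA usage, selector or matching type")
        return cls(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def _association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Apply the selector and matching type to the presented certificate."""
    blob = cert_der if selector == FULL_CERT else spki_der
    if mtype == EXACT:
        return blob
    if mtype == SHA256:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


def publish_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    """What the zone operator publishes for the certificate it is about to serve."""
    return TLSA(usage, selector, mtype, _association_data(cert_der, spki_der, selector, mtype))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the certificate presented in the TLS handshake satisfy the record?

    Only end-entity usages (1 and 3) are handled: the record describes the
    presented certificate itself. Usages 0 and 2 name a trust anchor and need the
    chain, which this example does not build. Usage 1 additionally requires normal
    PKIX validation, which is left to the TLS library.
    """
    if record.usage not in (PKIX_EE, DANE_EE):
        raise NotImplementedError("trust-anchor usages need chain building")
    actual = _association_data(cert_der, spki_der, record.selector, record.matching_type)
    return hmac.compare_digest(record.data, actual)


def tofu_accept(store: Dict[str, bytes], name: str, spki_der: bytes) -> bool:
    """Trust-on-first-use: whatever key is seen first for `name` becomes the pin.

    Nothing distinguishes a legitimate first connection from one that is already
    being intercepted; that is the gap DANE closes by publishing the association
    in DNSSEC-signed DNS instead of learning it from the peer.
    """
    pinned = store.setdefault(name, spki_der)
    return hmac.compare_digest(pinned, spki_der)


def example_record() -> TLSA:
    """The record an operator would place at _443._tcp.www.example.com for EXAMPLE_SPKI."""
    return publish_tlsa(DANE_EE, SPKI, SHA256, EXAMPLE_CERT, EXAMPLE_SPKI)
```

The usual production choice is usage 3, selector 1, matching type 1 (“3 1 1”): pinning the public key rather than the whole certificate survives routine certificate renewals with the same key. The record is only as trustworthy as the DNSSEC validation of the response that carried it; a client that accepts unvalidated TLSA data has simply moved the TOFU problem into the DNS.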


Minimum Disclosure: What Information Does a Name Server Need to Do Its Job?

Two principles in computer security that help bound the impact of a security compromise are the principle of least privilege and the principle of minimum disclosure or need-to-know.

As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, “Every program and every privileged user should operate using the least amount of privilege necessary to complete the job.”

Need-to-know is the counterpart for sharing information: a system component should be given just enough information to perform its role, and no more. The US Department of Health and Human Services adopts this principle in the HIPAA Privacy Rule’s “minimum necessary” standard, for example, which states: “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”

There may be tradeoffs, of course, between minimizing the amount of privilege or information given to a component in a system, and other objectives such as performance or simplicity. For instance, a component may be able to do its job more efficiently if given more than the minimum amount.  And it may be easier just to share more than is needed, than to extract out just the minimum required. The minimum amounts of privilege may also be hard to determine exactly, and they might change over time as the system evolves or if it is used in new ways.

Least privilege is well established in DNS through the delegation from one name server to another of just the authority it needs to handle requests within a specific subdomain. The principle of minimum disclosure has come to the forefront recently in the form of a technique called qname-minimization, which aims to improve privacy in the Domain Name System (DNS).
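The following is an added example, not code from the original post or from Verisign. It models a recursive resolver with an empty cache walking a constructed delegation chain (root, com., example.com.) and records the query each authoritative server receives, once in the traditional way and once with qname minimization, so the difference in what each server learns is visible. There is no live DNS here; the zone cuts are a constructed table.

```python
"""Which names each authoritative server sees, with and without qname minimization.

Added example, not code from the original post. It models a recursive resolver
with an empty cache walking a constructed delegation chain; there is no live DNS.
"""
from typing import Dict, List, Set, Tuple

Query = Tuple[str, str, str]  # (zone the server is authoritative for, qname sent, qtype)

# Constructed zone cuts: the root delegates com., and com. delegates example.com.
EXAMPLE_CUTS = {".", "com.", "example.com."}


def fqdn(name: str) -> str:
    """Normalize to a lower-case, dot-terminated name ('.' for the root)."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def _labels(name: str) -> List[str]:
    name = fqdn(name)
    return [] if name == "." else name[:-1].split(".")


def zone_chain(name: str, cuts: Set[str]) -> List[str]:
    """Zones traversed from the root down to the one that holds `name`."""
    parts = _labels(name)
    known = {fqdn(c) for c in cuts}
    chain = ["."]
    for i in range(len(parts) - 1, -1, -1):
        candidate = ".".join(parts[i:]) + "."
        if candidate in known:
            chain.append(candidate)
    return chain


def classic_queries(name: str, qtype: str, cuts: Set[str]) -> List[Query]:
    """Traditional iteration: every server on the path receives the full name."""
    name = fqdn(name)
    return [(zone, name, qtype) for zone in zone_chain(name, cuts)]


def minimized_queries(name: str, qtype: str, cuts: Set[str]) -> List[Query]:
    """Qname minimization: each server receives only one label beyond its own zone.

    Parents are asked for the next delegation (NS). Inside the final zone the
    resolver keeps adding one label until it reaches the full name, so each empty
    non-terminal costs an extra round trip; the known failure mode is a server
    that answers those intermediate NS queries incorrectly.
    """
    name = fqdn(name)
    parts = _labels(name)
    chain = zone_chain(name, cuts)

    def partial(n: int) -> str:
        return ".".join(parts[-n:]) + "."

    out: List[Query] = []
    for zone in chain:
        zone_labels = len(_labels(zone))
        if zone != chain[-1]:
            out.append((zone, partial(zone_labels + 1), "NS"))
        else:
            for n in range(zone_labels + 1, len(parts)):
                out.append((zone, partial(n), "NS"))
            out.append((zone, name, qtype))
    return out


def labels_disclosed(queries: List[Query]) -> Dict[str, int]:
    """Most labels of the requested name that each server learned."""
    seen: Dict[str, int] = {}
    for zone, qname, _ in queries:
        seen[zone] = max(seen.get(zone, 0), len(_labels(qname)))
    return seen
```

With the classic walk the root and com. servers both learn the full name www.example.com.; with minimization the root learns only “com.”, com. learns only “example.com.”, and only the server that can actually answer sees the whole name and the real query type. The final authoritative server necessarily still receives the full name, so minimization bounds disclosure to parents, not to the zone that holds the data.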


The Why and How of DNS Data Analysis

A network traffic analyzer can tell you what’s happening in your network, while a Domain Name System (DNS) analyzer can provide context on the “why” and “how.”

This was the theme of the recent Verisign Labs Distinguished Speaker Series discussion led by Paul Vixie and Robert Edmonds, titled Passive DNS Collection and Analysis – The “dnstap” Approach.


Call for Participation: Registration Operations Workshop at IETF-92

The next Registration Operations Workshop will take place at the start of IETF-92 on Sunday, March 22, 2015, at The Fairmont Dallas Hotel. The workshop will start at 12:30 p.m. CDT and will finish at 4:30 p.m. CDT. We are seeking proposals for Extensible Provisioning Protocol (EPP) extensions to be featured as part of the workshop, including existing extensions that people wish to register with the Internet Assigned Numbers Authority (IANA) and new extensions that people wish to consider for further development.

Have you developed custom EPP extensions in your registry? Please submit a proposal to describe your extension. Facilities for remote participation will be provided.


Where Do Old Protocols Go To Die?

In Ridley Scott’s classic 1982 science fiction film Blade Runner, replicant Roy Batty (portrayed by Rutger Hauer) delivers this soliloquy:

“I’ve…seen things you people wouldn’t believe…Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those…moments…will be lost in time, like (cough) tears…in…rain. Time…to die.”

The WHOIS protocol was first published as RFC 812 in March 1982 – almost 33 years ago. It was designed for use in a simpler time when the community of Internet users was much smaller. WHOIS eventually became the default registration data directory for the Domain Name System (DNS). As interest in domain names and the DNS has grown over time, attempts have been made to add new features to WHOIS. None of these attempts have been successful, and to this day we struggle with trying to make WHOIS do things it was never designed to do.


New from Verisign Labs: What’s in your attack surface?

Recently, Verisign Labs researcher Eric Osterweil and Verisign CSO Danny McPherson, along with Lixia Zhang, a professor of computer science at UCLA, received the Best Paper Award at this year’s IEEE Workshop on Secure Network Protocols (NPSec ‘14) for their paper, “The Shape and Size of Threats: Defining a Networked System’s Attack Surface.” Below is a guest post from one of the authors, Eric Osterweil, principal researcher for Verisign Labs, describing the genesis of the research and future plans.


Summary of the Registration Operations Association Workshop

The first Registration Operations Association Workshop took place on Thursday, October 16, 2014, at the Los Angeles Hyatt Regency Century Plaza Hotel. I’d like to thank the 64 people that took the time to attend and participate in the discussion, both in-person and remote.

I started the workshop with an introduction to some of the technical challenges being faced by the domain registration industry. Additional challenges were described by Thomas Stocking, Tobias Sattler of United Domains, Peter Larsen of Larsen Data ApS, and James Gould of Verisign. After discussing the challenges, we had an opportunity to consider proposals for organization presented by John Levine of Standcore LLC, Thomas Rickert of eco, and Adam Newman of IEEE-ISTO. The remainder of the morning was spent discussing those proposals and other options for creating a forum in which all interested members of our community could meet for face-to-face discussions. I’m very happy to report that we reached consensus on an approach.


New from Verisign Labs: Measuring IPv6 Adoption

IPv4 is the common thread that has held the internet together since its very early years, and, thus, it is both the most important and most widely deployed networking protocol in existence. As the world rapidly runs out of available IPv4 address space, there has been a major movement to transition the internet to the IPv6 protocol with its vastly larger address space.

The global internet community has shown a huge level of collaborative effort in driving this transition. Events like World IPv6 Day and World IPv6 Launch brought together organizations working across all levels of network connectivity to raise awareness of the ever-increasing need for this change. Held on June 8, 2011, World IPv6 Day marked the beginning of the changeover process. Since then, IPv6 adoption has been a closely watched and increasingly important metric.


Registration Operations Association Workshop Update

In a series of recent blog posts I’ve described the technical challenges in registration operations, a proposal for an industry association, and announced an interactive workshop to explore association formation. This is an update on where things stand with the workshop.

The first Registration Operations Association Workshop is scheduled for Thursday, October 16, 2014 in the Pacific Palisades room at the Los Angeles Hyatt Regency Century Plaza hotel, the same venue being used for ICANN 51. The event is not affiliated with ICANN, but with ICANN’s support we’ve been able to secure a room that’s large enough to seat more than 100 people. Still, space is limited and seats are going fast. Please register quickly if you haven’t already done so. Registered attendees will receive updates via email as we get closer to the event date.