DNSSEC for Everybody: A Beginner's Guide
00:00:00 DNSSEC for Everybody, a beginner's guide. We've got a troupe of folks to help entertain you. Hopefully, or something like that.
00:00:08 I would say we're going to have some questions and answers coming up in a little bit. And if you want to come on up a little bit closer. We're in this massive room here today.
00:00:17 So please feel free to come on up. We'll have a microphone we're able to go around and talk to you and do this, so
00:00:24 My name is Dan York, I'm with the Internet Society, involved with some of the technical advocacy work we do there. And what we want to talk about today
00:00:31 Is what is DNSSEC, what purpose does it serve, and we're going to do that through a couple of ways. We're going to tell you a little story.
00:00:41 We're going to act out a skit. A couple of skits. We're going to talk a bit about this and we're going to try to have a little bit of fun on this Sunday evening. First of all, mass question. How many of you here have deployed DNSSEC in some way?
00:00:55 Okay, a few people. All right. Well, we're... How many people have no idea what DNSSEC is at all?
00:01:02 Okay, a couple. I noticed the overlap with the folks who have deployed it. So there we go. We're good. So we're going to take you back a little bit and tell the story of the origins of DNSSEC in 5000 BC.
00:01:18 So as our story goes. This is Ugwina. She lives in a cave on one side of the Grand Canyon, and this is Og. He lives in a cave on the other side.
00:01:30 It's a long way for them to go back and forth, and so they don't get to talk too much or visit or anything else like this.
00:01:37 So on one of their visits, they noticed that there's smoke coming out of Og's fire, and so they realized that they could chat using smoke signals.
00:01:48 If they could go and send signals to each other across it, they can obviously tell each other more stories, talk about this, have much more of a conversation.
00:01:56 But one day a certain other nearby caveman, we'll call him Kaminsky, moves in next door to Og and starts to send his own smoke signals.
00:02:08 Suddenly Ugwina on the other side, she can't know which one is the right one. She doesn't know, who should I be... what's the right signals that I should be seeing here?
00:02:19 So she sets off to try to figure out what, what can we do here. How can we make it work so I can know which one is there. So they go and consult the wise village elders. Caveman Diffie thinks that he might have an idea.
00:02:38 He gets up and he runs into a cave, and he goes to the very back where he sees this pile of blue sand, the strangely colored sand that only exists in a cave. So he takes some of that, he runs out and he throws it into the fire.
00:03:01 The fire turns into a magnificent blue and suddenly now Ugwina and Og can chat, because now she knows which one is from Og. Nobody else can interfere because they know for a fact that the blue smoke is coming from Og, not from somebody else.
00:03:22 In a funny way, this is what DNSSEC is all about. It's about ensuring that you're getting the correct information from the sender. It's doing something special to the information so that you can be able to see
00:03:39 What's, what is the unique information coming from that person. So we're going to talk a bit more, get more technical around this at a high level.
00:03:48 Right, this is how DNS is often portrayed. We wind up with the root of DNS, we have all of these top level domains, these TLDs that are here of all the different kinds of forms, and then we have our second level domains below that, and we have all of this going on.
00:04:07 A resolver, a DNS resolver, knows how to get to the root and knows how to go through the hierarchy to go and figure it out, and each level along the way
00:04:19 Passing tells the resolver to go talk to somebody else. DNS is a distributed database, it goes and figures out how you get the information from each different resolver, caching it all along the way.
00:04:34 But there's no security in the protocol, just as in our little story. Somebody else can come along and spoof, can give other answers in a different way. You can poison the caches of those resolvers because once they store the information, it can be held on for some period of time.
00:04:54 So we're going to act out now.
00:04:58 Is our troupe ready?
00:05:01 Come on up. We're going to show you a bit about how this
00:05:06 Acts out.
00:05:09 So what you're seeing is, you're going to have
00:05:12 Our characters here who are going to play the role of a user who is going to want to go and search for information, want to connect to bigbank.com.
00:05:25 So as our troupe gets off... All right. Wait. Okay, here we go.
00:05:32 Okay, so Wes Hardaker will be our user who will talk to our internet service provider, which has a resolver, and that resolver will then interact with our arranged DNS hierarchy here.
00:05:53 Audio, AUDIO. Can you bring up that mic?
00:05:59 There we go. All right.
00:06:02 I think I want to buy a yacht. I've always wanted to buy a yacht, they're great big boats and I like great big boats. I think I'm going to go check my bank, and I bank at www.bigbank.com, to find out how much money I have. Can, can you
00:06:17 Please give me the address for www.bigbank.com, so I can go talk to it? Sure. You're just the sort of customer I'd like to keep happy. Let me go figure that out for you.
00:06:29 Hello, Root, one of my users would like to go to www.bigbank.com, can you please tell me where it is?
00:06:36 Oh, I wish I could, but I've got a problem. I don't actually know.
I do know where to find .com, you could ask .com.
00:06:47 Okay, thanks. So I'll give that a try. How about it, .com? One of my users wants to get to www.bigbank.com. Can you please tell me where it is?
00:06:56 Well, I'm not sure about www dot, but I know bigbank.com is just right over there. Fine, I'll go ask him. Hello, bigbank, can you please tell me what www.bigbank.com is?
00:07:10 Mr. ISP, I can tell you where www.bigbank.com is. Yes, it is at 2.2.2.3.
00:07:23 I finally have an answer.
00:07:25 Hello, Mr. User, www.bigbank.com is at 2.2.2.3. And can I come on your yacht sometime? I'm afraid my... yeah, it doesn't allow recursive resolvers, but that's okay. Alright, so I can go check. Wow. I have a boatload of cash.
00:07:43 Oh, let's give them a round of applause on that one.
00:07:51 So that's how DNS operates. That's what happens all the time for all of the zillions of little DNS queries that are going on, but we want to talk a bit more about how this could work.
00:08:03 So we're going to bring up another exchange. We're gonna do this again. But this time, you're going to see what happens when an attacker gets involved.
00:08:17 Hello. There we go. Today is the day. I'm going to buy my boat, my great thing. Yeah, I need to go to bigbank.com again so I can transfer my money. Can you tell me where it is again, 'cause I forgot?
00:08:28 Yeah. Sadly, I forgot as well. I'll go figure it out for you though.
00:08:32 Hello, Root, one of my users wants to go to www.bigbank.com. Can you please tell me where it is? If only I knew the answer. I do know where .com is, though, would that help?
00:08:44 And yeah, it's kind of useless to go ask .com. Hello, .com. One of my users wants to go to www.bigbank.com, can you please tell me where it is?
00:08:55 Well, I still don't know about www dot, but I know that bigbank.com is at 2.2.2.2. Oh good, I'll ask that. No! Because bigbank.com is at 6.6.6.6.
00:09:11 Hahaha
00:09:16 Okay, sure.
No worries.
00:09:19 Hello, Mr. User.
00:09:21 Oh, 6.6.6.6? I never... okay. I can go give all of my money to 6.6.6.6. Thank you. Where's my boat? Thank you.
00:09:33 My boat.
00:09:36 All right. Let's give them another round.
00:09:42 So this is indeed how DNS, that we are all here to talk about, DNS can be poisoned. This way the attacker can do it. Basically, whoever is able to get the answer back to the resolver first wins.
00:09:57 You know, speed wins in this regard as far as who can go and do that. So in this case, Dr. Evil was able to get in before
00:10:03 Poor Russ here was able to go and give an answer back, get that answer there. Now, part of the danger too is that now Warren with the hat,
00:10:12 Our ISP, he's going to hold on to that answer for some period of time. So for anybody else who asks where www.bigbank.com is, they're going to continue to get the bad
00:10:27 Exactly. They're going to get that bad answer repeatedly until it times out. This is DNS, DNS attacks. This is cache poisoning. This is all of this, it's there.
00:10:41 So,
00:10:43 Now, what we now have is, again, this is DNS. With DNSSEC we add in this concept of digital signatures, and you can see our troupe still standing here because they're going to act this out again in a moment.
00:10:57 What happens is you have keys and signatures that are stored inside DNS so that you can be able to check, did that information actually come from the original source? Is that really who should be giving out the information for bigbank.com?
00:11:19 So a resolver, to make this all work, a resolver knows where the root key is or knows how to get that. How many people
00:11:28 Heard about the root key rollover last year? Yeah, okay. People look at that; this was all about ensuring that there's a chain of trust from the root of DNS all the way down the chain.
00:11:42 For the different people, different authoritative servers that are providing information, it all links up so we can protect the integrity of the information that's there.
00:11:51 So we want to make it so that our bigbank name server, right here, he can be the one giving out the information to the ISP, not somebody else. So
00:12:03 Let's bring up our troupe again as they are here and let's have this acted out another time, this time with DNSSEC. You'll be glad to know this is the last time.
00:12:14 Oh, oh, yes, we have to go through this first. Go ahead, guys. So what are we doing here?
00:12:20 The root is signing. Now, wouldn't
00:12:24 You like it if it was that easy. Right.
00:12:29 So you'll notice the root signed, there's .com is signed, bigbank is signed, everybody's all signed, we're good. And now,
00:12:39 Okay, let's pretend that didn't happen. I have another year's worth of money. I'm going to go buy another boat, for reals this time. Can you tell me where bigbank.com is this time? And can you get it right?
00:12:52 Yeah, I'll try. Let me go along and ask the... Hello, Root, one of my users wants to figure out where www.bigbank.com is. Can you please tell me? No,
00:13:03 No, I can't. But I can tell you where to find .com, and .com may be able to tell you, though. And I'm signed.
00:13:13 Let me quickly check that signature. Yeah. Okay, that looks valid to me. I'll go along and check with .com. One of my users still wants to buy a
00:13:22 He needs to know where www.bigbank.com is. Can you please tell me that? Still don't know about www dot, but I can tell you that bigbank.com is at 2.2.2.2, and I can sign that response.
00:13:35 Let me check that signature. Yeah, that looks okay. I'll go along and ask that. Hello, www.bigbank... "6.6.6.6!" Where's the signature?
I don't...
00:13:53 Even you... bigbank.com, can you please tell me where www.bigbank.com is?
00:13:59 Well, I certainly can. www.bigbank.com is at 2.2.2.3, and it is
00:14:12 Let me check this, and I'm gonna check it carefully.
00:14:16 Yep, that looks okay. Here you go, user: www.bigbank.com is 2.2.2.3, and I validated it. You can trust that. Oh, thank you. Mr. Bank, can you transfer all of my money to Dan York? I'm buying a used boat from him.
00:14:36 Why, thank you.
00:14:39 Please give these guys a round of applause.
00:14:48 So that's how we do it, and that's what DNSSEC is all about, is it's having these signatures that ensure that
00:14:58 Somebody else can't get into that process. That's what it does. And that's all it does. An important part, it just ensures the integrity of the information. What was put into DNS is what the user gets out.
00:15:11 It's not about confidentiality. It's not about securing that information. It's purely about verifying that the information is exactly what the user put in. Now to talk a little bit more and go into an example, we're going to bring up Russ
00:15:27 Mundy, who is going to come up here, and I'm going to give Wes his money back.
00:15:35 Thank you, Dan.
00:15:37 And thanks everybody who came to join us this afternoon. And boy, those lights are bright. So what I want to talk about here a little bit, ah, the clicker's good, is examples and descriptions of the things people need to think about as they go through the process of deploying DNSSEC.
00:16:03 Part of the why do it is, why are we worried about DNSSEC to begin with? And we already talked about it from the DNS perspective and how DNS information
00:16:16 Can be messed with, particularly if you don't have DNSSEC in place. But why do people go after DNS? DNS itself is not all that interesting.
00:16:31 When people go after doing things to DNS,
It's in almost all cases so that they can do things to applications that are actually doing the
00:16:43 The DNS queries. So as you saw earlier, when Wes was wanting to move money around, in that case it was an effort to steal money. So it really is important
00:16:55 For the applications that make use of DNS to do what they're doing. So if it doesn't get to the right place, who knows what's going to happen.
00:17:07 So we've had multiple examples in the real world of things of this nature, and just
00:17:16 Some of the things are identified up there on the board, and it's any application that's running on the Internet today. There's an extremely high likelihood
00:17:28 That it's making use of DNS underneath of it. And most of the time users of applications don't know, and frankly don't care,
00:17:39 That there's DNS present, but it's essential for their applications to function properly. One of the things that I found a few years ago, and I went back and looked again, and unfortunately I didn't keep the specifics
00:17:53 Of what I found, there was a university professor that I found in a course on programming
00:18:01 That required his students to write a DNS hijack program.
00:18:06 And I looked through the entirety of the course requirements and layouts, and there wasn't a single thing that I could see that talked about ethics or why this was something that you shouldn't do.
00:18:21 It was just, hey students, go write a DNS hijack, and it was really kind of spooky as somebody that's been trying to keep hijacks from happening for a long time. Fortunately, I've not been able to find that for about the last five years. So maybe it's gone away.
00:18:39 So, as Dan said, that's the important thing, is being able to get to the right place. And when you get to the right place, be able to verify that the information you get back
00:18:55 Is in fact correct.
So the public key cryptography that's embedded to actually make DNSSEC work is the technical mechanism that is underlying this.
00:19:10 Now, when we went through some of our earlier efforts, we did at ICANN meetings actually run real hijacks. This is just a series of slides that kind of gives the same idea pictorially with what you saw with the on-stage performance here.
00:19:34 One of the reasons we stopped doing it
00:19:38 For real is, at one of the meetings we managed to, instead of just hijacking the DNS in the particular room, well, the
00:19:49 The configuration of the network wasn't quite as expected, and we hijacked the DNS for the entire ICANN meeting. That was quite a laugh when it was over, but it wasn't while it was going on.
00:20:03 So we now just show slides here, and you can see Joe User is down in the lower left hand corner, and he wants to go to his web server up there.
00:20:14 And you can see from the picture he sends off a query.
00:20:20 That query goes to his recursive server, the recursive server sends it to the authoritative name server associated with the web, his web server he wants to go to, gets the answer back to the recursive server,
00:20:35 And the recursive server then goes back and tells the user. This was what you saw was going back and forth, running around on stage doing.
00:20:43 Now we'll put in, after that, then he actually can conduct his transaction.
00:20:51 So,
00:20:53 When we put in actual websites, this is a particular configuration
00:21:01 To a website so that the visual image on the website itself shows if you're doing DNSSEC underneath. There's no standardized image to show that there's DNSSEC, but it was a whole lot easier to just set it up on a website so you could see it.
00:21:18 And when you go to that same website when you're not using a DNSSEC validation mechanism, you get a different symbol.
So you can see the top one is a checkmark and the bottom one is, you know, a triangular warning to tell you, oh, your DNSSEC is off. So
00:21:39 When we do the same type of thing as well, we were showing on the stage here again, Joe User sends a query. But this time, Dr. Evil is on the network.
00:21:51 So the query goes wandering off, and in the real world what actually happens is Dr. Evil sees the query and provides an answer.
00:22:04 Even though the query continues to wander through the network, Joe User is sent off to the impersonating website, and you can see the other queries went through the network and came back, gave an answer.
00:22:21 But Joe User didn't get that answer, because the resolver that he was using took the first answer.
00:22:29 And went to the wrong website, so he could not get back to there unless he was using DNSSEC. When he was using DNSSEC, it prevented the incorrect answer from getting to his resolver.
00:22:45 And then afterwards, after he got the correct answer, he went back to the correct website and conducted his business as appropriately.
00:22:59 So we instrumented a website to show what you can do with it, and specifically the website was built so that there was a section of the website that showed
00:23:16 That was a place where a hijack could occur. And so the actual hijack that we conducted against a web browser that was not doing DNSSEC, we actually inserted information.
00:23:32 And the information we inserted was a bogus story that says Steve Crocker admits DNSSEC won't solve world hunger.
00:23:41 So it was a fairly obvious, intended to be totally humorous illustration. But if you look at the frontmost "DNSSEC is off" image,
00:23:54 And down at the bottom you can see ".org shares Comcast DNSSEC advice for ISPs,"
00:24:02 And on the one at the top of the page that is the top story. So essentially, with the hijack we inserted part of the information on a page.
00:24:13 So even though it was on the same page on the browsers, it was different information, and of course false information was inserted. So on a single web page, how many, you know, from going from an empty,
00:24:30 Empty name server with no cached information, you know, this is CNN.com from probably six or seven years ago, and there's somewhere around
00:24:44 Around 75 to 100 queries and responses just to fill one page. So any one of those could be hijacked, or a large portion of them could be. Now, has it gotten any better?
00:24:58 In some ways, yes; in some ways, no. There are more queries that it takes to fill a commercial website page than it used to.
00:25:08 But this particular instrumentation shows that there are now some of those that are DNSSEC signed, but the number that it takes to actually fill a website has just about doubled in about four or five years.
00:25:24 So the basic thing that people often get concerned about, think about when you talk about DNSSEC is,
00:25:33 Oh my goodness, there's these cryptographic keys, what do we have to do, it's so important for taking care of the crypto keys. Well, that's true.
00:25:41 But what's most important is your DNS zone data. So you need to take at least as much care with the accuracy and correctness of your DNS zone data as you do with any crypto keys.
00:25:57 Because the point of having DNSSEC associated with any zone is that the user who gets that information knows that the DNS information is correct.
00:26:13 And so if you take more care of your crypto keys than you do of your zone data, and somebody wants to attack your zone,
00:26:21 They'll attack the part of your system that does the entering of information into the system.
00:26:28 And if you sign that information, the recipients will say, oh, well, it must be good, it's signed. But if someone successfully attacks what's often called the provisioning side of your information, of your DNS part,
00:26:42 And gets the inaccurate information in there, in some ways you're worse off than you were when you weren't using DNSSEC, because you as an operator are verifying through crypto
00:26:53 That that information is correct, and if it's not, then it's on you for not handling your information correctly and properly. So here's another example of doing the DNS without DNSSEC.
00:27:10 Zone file, its own data, where you are putting information into your authoritative name server, so that information goes in.
00:27:20 The authoritative name server is there, the internet running, and it contains it. It receives a request from a recursive name server, who has also received a request from a client, and he answers that request.
00:27:35 So if you're including DNS in your operation of your system, as opposed to outsourcing it or having some registry provide it for you,
00:27:52 If DNS is important enough for the function of what you're operating that you are doing all of the operation within your organization itself, you probably have DNS-knowledgeable people on staff.
00:28:07 And you're probably going to want to do the DNSSEC activities as just part of extending what you're already doing to run DNS. So
00:28:19 Large activities operating their own DNS, especially where DNS is particularly critical, are likely going to want to do their own DNSSEC implementation and operation.
00:28:32 So if you're sort of a big deal, the operation that you're registering for, or you're a big enterprise, hp.com has always been a great example here,
00:28:48 verisign.com, their business is tied to the DNS. They are important organizations from a DNS perspective.
And so they're going to be doing their own, probably.
00:29:01 If your DNS zones are things that might not be quite so important, either to the internet or to the economic viability of your organization,
00:29:12 So my example here is that as an mp.org, which is a domain that I think I own. It's one that doesn't really do anything. Oh, you own it now? Okay, I transferred it to us. Okay.
00:29:30 But the fact of the matter is, it's not really a critical DNS operation. It's good to be right, but it's not critical to the internet, to your business function.
00:29:44 And then all of us here, we use DNS, we need to make use of DNSSEC when we can. Again, the important thing is to protect the DNS zone data.
00:29:58 So now we saw the example before of loading up the authoritative zone and doing the, the
00:30:07 The request for information and the answer. So this is a nice simple illustration of places that need to do a few more steps. You've got to sign the data for your zone before it actually gets loaded into the authoritative servers for that. So
00:30:28 The recursive server, or end application, we hope at some point in time, but the recursive server itself needs to have
00:30:37 The root key and do the validation, so that when the requests are made and the answers come back, you can actually do the validation itself. And for most validating name servers, certainly the open source products,
00:30:51 It can be turned on by simply setting one configuration switch the proper way. That's it. That's all it takes to do it.
00:31:02 Now, in summary, the general concept of activities that run their own DNS, the DNS is very important to them.
00:31:12 They are going to want to do their own DNSSEC, their own DNSSEC activities, to make sure that it is run as well and as accurately as their DNS.
00:31:23 If an activity has outsourced their DNS operation, they're probably going to want to also outsource the DNSSEC activities.
And in some cases, this is getting easier.
00:31:40 Many providers of external DNS service have not in the past offered DNSSEC. So I urge activities, if they find that their service provider, if you've outsourced it, doesn't do DNSSEC,
00:31:58 Ask them to. And if they don't, I'm not, many people will do this, but some of us have, myself included, if they won't, find a service provider who will and change who you're giving your money to to provide DNS service so that they'll do DNSSEC.
00:32:16 So here's sort of our summary slide. These are the sponsoring organizations for this activity. I'm going to hand back to Dan, and the rest of the time we have is really open for discussion, questions, answers. And folks, please come on up and we'll
00:32:43 Get some questions. I hope so. Yeah. If you guys want to come up and grab a microphone here, we've got these, these are supposed to be...
00:32:51 Okay, yeah, these should be. Come on. So who's got questions? You've seen this all. Anybody? Come on, somebody must.
00:33:00 Kathy's here. No? Andrew is going to walk around. Dr. Evil. Somebody must have a question for Dr. Evil.
00:33:10 Now, okay, over here, good, somebody.
00:33:14 Who's gonna... afraid you're gonna have to start making jokes and be
00:33:18 Could be painful.
00:33:20 Let's take a look at Warren there. Okay, go ahead. Okay, thank you very much for the representation and the presentation too. I am Lassila Friendly. I'm an ICANN 66 fellow. And I just want to clarify, if I understood correctly, that the signing
00:33:42 Follows the hierarchy of the DNS. So if the
00:33:48 TLD does not sign, my domain, I as a registrant, cannot... is there any way to have DNSSEC, right?
00:34:01 Yes, one of you.
00:34:04 Okay, so the answer is, I mean, you could sign your domain. You could do the things there, but it won't roll up in the chain of trust.
00:34:12 So that the TLD, so somebody who's going to validate it would not be able to confirm all the way back up to the root that it was there. So yes, generally for DNSSEC to work, you need to have your TLD signed,
00:34:25 And you really need to have, ideally, everything signed, so it can protect you from the root down as far as something is signed.
00:34:34 Most of the TLDs today are signed, and I think there'll be graphs at the DNSSEC workshop that will show that.
00:34:39 There are over 10 million signed domains, you know, like end domains like bigbank.com, which probably actually exists. Probably not signed.
00:34:48 But you have to be able to validate the entire tree. That being said, even if you can't, even validating down to .com is better than nothing, if bigbank itself, you know, if there's not a connection below that.
00:34:59 But to Wes's point, on Wednesday, if you come to the DNSSEC workshop, we'll have a couple of charts that show some of the different areas that are out there, and we produce some maps, and in many parts, but I don't know, which country are you from?
00:35:13 Argentina, okay, .ar.
00:35:18 Hard... okay, it's checking. Go ahead. Back there.
00:35:23 Hi, my name is Yes, he has a cow. I'm from Benin, ICANN 66 fellow. Thanks for the presentation, and I will say the movie, so it helps us to really understand. I have questions, actually. The first one is why
00:35:42 Deploying DNSSEC is
00:35:47 I don't know the right word to use, but
00:35:51 The deployment is quite slow. Okay, why? Are there technical reasons, political reasons? Just why?
00:36:02 The second question, I've been told about the DNSSEC Roadshow program.
00:36:12 Is it dead?
00:36:14 Is it...
00:36:16 What is the next step of the DNSSEC Roadshow program? And my last question is to have more explanation on the
00:36:29 Infrastructure to generate the keys for DNSSEC.
I've been told also that there is a separate infrastructure that needs to be maintained in secret, though. So can you explain a little? Thank you.
00:36:43 Sure. So deployment challenges, the DNSSEC Roadshow, and the information about how to do the signing, etc. Is that, do I have that correct?
00:36:54 Okay, they may
00:36:56 Take one of them, how, I'll answer some of them. So I quickly checked, .ar is signed, so the Argentine... Okay, cool.
00:37:04 And for the deployment stuff, yes, DNSSEC hasn't been deployed quite as quickly as it could have been, but some interesting statistics: in Canada at the moment 13.3% of
00:37:17 Requests are validated within Canada, 25 percent in the US, 90% in Greenland,
00:37:27 14% in Russia.
00:37:30 So, you know, it's not as widely deployed, it's not universally deployed, but the deployment is actually
00:37:36 Picking up, and the majority, the majority... but a significant amount of requests are currently being validated, and the huge majority of TLDs are signed.
00:37:47 Part of the new gTLD contract requires that the new gTLDs are all signed, and the majority of ccTLDs are signed as well at this point.
00:37:56 Go ahead, Wes.
00:37:58 If you want to track, you know, things sort of daily, my colleague
00:38:06 Victor, thank you, I was blanking on his name. He and I have a website that actually we update on a daily basis, called stats.
00:38:12 dnssec-tools.org, and so that will show you, if you go look at the graph, you'll see it's continually been going up since 2011.
00:38:20 Sometimes there's, you know, gigantic jumps. There was one actually just the other day because one.com, which is a
00:38:28 Provider, suddenly signed a bunch of stuff under the .dk domain. So there's these huge jumps.
00:38:35 And really, in order to get deployment, we need more of those. We need giant, giant companies just to do it by default, because most of the domains that are in use out in the world
00:38:45 Aren't run by each individual person, they're run by these, you know, companies that are doing DNS hosting, and traditionally
00:38:51 There's been lots of big jumps, Sweden being one of the first ones, and there's
00:38:55 And in the Czech Republic as well, there's been giant incentives to push people to sign it. The financial incentives, actually making registration cheaper, have actually greatly pushed signing within particular country codes, for example, to go up.
00:39:12 Russ, do you wanna
00:39:14 Yeah, I'd like to just maybe follow up to what Wes was just saying. There's a lot of different incentives that have been used by various organizations to encourage people to do DNSSEC.
00:39:29 One of the areas that has helped a great deal is that most of the large publicly available DNS resolvers that you see with four numbers the same is a pretty common thing,
00:39:46 Most all of them are now doing DNSSEC validation. One of the things that some of us that have been working in this space have
00:39:56 Done for quite a while is we wanted to see validation actually moved to the end application.
00:40:06 And the example that I included in this briefing is where we've had the hijack where Steve Crocker was saying DNSSEC won't solve world hunger.
00:40:15 That validation itself was done in the browser itself, and so
00:40:21 As you go and have your interactions and discussions with people, keep in mind that the closer that the validation of your DNS information is done to the end user,
00:40:34 The more security you have put into the system itself. So encourage people to think about going beyond even the large caching
00:40:46 Public resolvers and think about doing it in applications. Now, there was one other question. Yeah, let me just
00:40:54 On that particular thing, too, part of the deployment challenge is, as this picture shows, there's actually two parts, right? Everybody who signs, and who has a domain, needs to sign it.
00:41:05 And that's one part.
So that's the signing side, okay. And now some of that, as Russ mentioned, 00:41:12 some of that can be automated. We have any number of tools that are out there, and if you go and talk to any of the DNS hosting providers out here, some of them can make it super easy. Some of them have a checkbox, you know, boom, now your domain is signed. 00:41:26 Some of that is easy. But then the other part is that you've got to be checking; you've got to be validating that. 00:41:33 And as Russ mentioned, sometimes that's just checking or removing, like, a comment line in a configuration file, and now all of a sudden you're able to start validating. But part of what happened for a long time was that 00:41:46 we had this kind of chicken-and-egg problem, as we would say in the US, in terms of 00:41:53 some of the network operators, the ISPs, like Warren was playing, who run DNSSEC validation. 00:42:00 They were saying, we're not going to turn on validation because there aren't enough signed domains. 00:42:07 So the operators were saying, hey, we're not going to do this because there aren't enough signed domains, and some of the big hosting providers were saying, well, we're not going to sign our domains because there aren't enough people validating. 00:42:18 So it was a little bit of people just kind of pausing. Now, today, a lot of that has been overcome because, as Wes said, there's real deployments out here. There's very large, 00:42:31 you know, people who are doing recursive resolving, and if you look at some of the big public DNS servers, folks like Google Public DNS, Cloudflare, Quad9, some of those, they're all doing DNSSEC validation. 00:42:44 So the large resolvers are doing that; large ISPs, 00:42:48 you know, are doing it. Comcast here in North America, with its 20 million customers, does all of it through DNSSEC validation. 00:42:55 So that argument that slowed down deployment for a while has now been overcome, but it's still going on there.
I know there are two other parts. Fred, did you want to... 00:43:07 Yeah, it's on. So I wanted to ask a question. Um, do you know of specific browsers that support DNSSEC validation? What browser? I only have four browsers on my laptop. 00:43:22 What should I be using? 00:43:24 Well, unfortunately, there is not an available browser that has built-in DNSSEC validation. Warren, do you know? 00:43:33 We did have one that supported it for a while, but it's no longer supported. Warren, actually, hang on a second. I think what you're talking about is that's doing data validation. 00:43:44 No, no. So I mean all the browsers, the browsers rely on the system resolver. If your computer is doing DNSSEC validation, 00:43:53 the browser is just relying on what the system resolver does. So if you've enabled DNSSEC validation on whatever resolver your computer points at, you get the DNSSEC validation for free. And I think Wes is going to try and shout. No. 00:44:10 Not at all. I would never shout at you. Okay. You just told me, as a user, I need, on my Mac, on your Windows machine, on your Linux machine, I need to go do something. So 00:44:22 we will rathole into something very technical or very hard to describe. But there's elements where validation can happen right now today. 00:44:33 Applications, which includes web browsers and email readers and anything else that accesses the network, typically don't do the validation themselves. 00:44:42 Like the skit a minute ago: I, Joe User, did not actually check those certificates myself. I trusted my ISP to do that for me. 00:44:51 And it actually is... you terrible person. I am a terrible person. So I actually have put validation code into, in fact, the Net-SNMP package that Russ was talking about a bit ago. We actually have validation code in that open source package 00:45:06 to actually check it in the application. Very few applications actually do that.
There's one... if you go to the stats page I was talking about earlier, one of the biggest motivations for people signing and deploying right now is that it's one of the only ways to, 00:45:21 really, the best way to secure email between servers. So that actually is ramping up very, very quickly. 00:45:29 It's not all of DNSSEC, but if you look at the ramp-up of DANE, which is the technology that signs email conversations between servers, 00:45:37 that's actually ramping up quite quickly. And that's done at least near the application, if not in it. Okay, Warren. 00:45:43 And Fred, you said, as a user, you heard you had to do something. As a user, you should make sure that your ISP resolver is validating; you can ask them. 00:45:53 Or, if they don't, you can choose one of the large public resolvers, you know, 1.1.1.1, 9.9.9.9, 8.8.8.8, one of those, because all of those do validation. So if you want DNSSEC protection, 00:46:06 use your ISP's ones if they validate; if they do not, use one of the other ones. There's a website, internet.nl; if you browse to that, it's got a thing which will actually check if the recursive resolvers you're using do validation, and so that way you can tell if your ISP is doing it. 00:46:24 I want to come back to your question, but also, I would say, Fred, as far as web browsers go, the other thing is, if we 00:46:31 could rathole further, but let's just leave it for Wednesday, the things that start doing DNS over HTTPS, as browsers are looking at and doing those things, 00:46:40 many of those endpoints that are doing that, the DoH servers, are also doing DNSSEC validation. 00:46:46 So your browser might actually be doing that if it starts to go down that path. But let's not go to DoH right now. Let's come back to your question, because he's been standing there very patiently, and I'm sorry if I mispronounced your name. Okay, thank you.
00:47:01 Thanks for having clarified the resolver validation and the zone signature, which are two separate things. As 00:47:15 I understand, two years back in my country we were surprised when we noticed that 80% of the requests were DNSSEC validated by the resolver. That's because 00:47:33 some ISPs were using public resolvers. Yes. And this is completely different to the zone signing. That's why I was asking, where is the program of the DNSSEC 00:47:50 roadshow? Yes. So, you're absolutely right, and that's in some of the statistics. 00:47:56 I don't know Wes's, but I know Geoff Huston's APNIC stats will show there are some countries that have extremely high levels of DNSSEC validation going on. 00:48:05 And when you explore it, it's because some of those ISPs in their country have gone and they're just using public DNS servers. They're not running their own resolvers; they're using, 00:48:16 you know, 8.8.8.8, 1.1.1.1, 9.9.9.9, whatever, one of the different public resolvers that are out there. 00:48:21 As far as the ICANN roadshow goes, I don't know. We're going to have to get back to you around that because 00:48:28 we're not involved with that direct program. So we'll need to get back to you around that. So, yes, just give one of us your name 00:48:35 and we can get back to you about that, regarding the documentation question around that. You can also find me; I can get you a number. 00:48:44 The Internet Society published some information on our Deploy360 part of our website. ICANN has published some information. There's a number of different resources that are out there that talk about the details, and many of the authoritative server companies, ISC, 00:49:02 NLnet Labs, some of the others, have gone through and created their own documentation about how to do this. So there are some good links out there. 00:49:10 Other questions? Yes, gentleman there. 00:49:15 Thank you.
I'm at the risk of being maybe a little off topic. I was wondering how DNSSEC is related to the SIG(0) 00:49:22 pseudo section in a response. 00:49:28 Not at all, actually. Those are different. The real... 00:49:34 DNSSEC is designed to protect a set of data and make it verifiable so that no matter how it gets to you, you'll understand it. SIG(0) and TSIG are another 00:49:46 technology within the DNS for securing things, but they only really secure a connection, not the data itself, no matter what path it takes. They're different technologies. 00:49:57 Okay. 00:49:58 Yeah, go ahead. Sort of slightly following on from that, Wes said, you know, DNSSEC allows you to validate information regardless of how it gets to you. 00:50:07 One of the nice things that, you know, leads on from that is a number of people are now actually just downloading the entire root zone into their resolver, because it's all signed, and so you can just validate it within your resolver and you don't need to send queries to the root. 00:50:23 That's sort of one of the nice things that having a signed zone does: in certain situations you can just, you know, 00:50:29 not deal with answering the queries; you can just suck in the entire zone file, or let someone else do it. 00:50:35 Or something with the transfer requests, or how do you get the whole zone? So many of the server vendors, including 00:50:43 BIND, and I can't remember which others, let you just do a transfer request, an AXFR. 00:50:48 If you're interested in doing more with this, it's called local root, is one of the names. RFC 7706 has information on it, 00:50:57 and there's going to be a new version of that soon. 00:50:59 But yeah, local root, or hyperlocal root, or... local root, ISI has a project which allows you to do it through a web page, right?
Ours is actually called localroot, and it's localroot.isi.edu, and it gives you the configuration you need to actually turn a resolver into a 00:51:15 root-validating, or a root-caching, resolver, so everything's pre-cached. There's a lot of information on it, and hopefully it makes it fairly easy for you if you are a 00:51:24 generally knowledgeable administrator; probably not for the end user. And can I just ask one more on-topic DNSSEC question? If you look at, like, .com, they have maybe a dozen 00:51:34 name servers. Do each of them get a unique DNSSEC key for each individual instance machine, or is it one for the entire TLD? It's the entire. So you actually sign the zone, 00:51:46 and so once the zone is signed it can be put on any name server. 00:51:51 So this is especially nice if you operate your own name server and then you have some other organization who's sort of the slave or the secondary server: you sign your zone, you give them the zone, there's no other keys required. 00:52:02 So you don't need to worry about them becoming malicious or anything. Yeah, that's the beauty of the way it works, without regard, because then, as Warren said, once you have it all signed like that, you can just stick it wherever. 00:52:14 It's public key/private key cryptography. Other questions? 00:52:19 They can be generic. They can be stupid. They can be, why did DNSSEC just have SEC, or something, I don't know. 00:52:32 Yes, back there. Yes. 00:52:36 Another question. I will hear that... 00:52:40 There are some investigations or some analyses to change the protocol to generate the public and private keys of the root zone. Where are those discussions and what is next? Well, I think some of my colleagues... 00:53:02 Hello. Okay. I think some of my colleagues on the table could talk about this. Just briefly, you're absolutely right.
So in this signing, 00:53:10 when you have the signing up there on the signing server, you do sign it using a particular cryptographic algorithm, 00:53:18 you know, and whether it's RSA or whether it's elliptic curve cryptography, a number of different things. And each of these cryptographic algorithms has different properties as far as being more secure, 00:53:30 more or less crackable. You know, some of the original protocols have since been cracked in different ways, that people could go and do it, and so people upgraded to more secure ones. Now we're looking at 00:53:43 bigger RSA keys in different ways; we're looking at elliptic curve, which are also smaller. So yes, there are different algorithms that are out there. 00:53:52 As far as the status at the root, Warren, you look like you want to push your button. 00:53:56 No. Okay. I guess I'll just make some general comments. So you were pushing the button right here, your hand on it. So I think... what, the button? There we go. 00:54:06 So there's a lot of religion around what the best cryptographic protocol is, and if you put in all three cryptographers in a room, 00:54:15 only one of them will walk out alive, because they'll have stabbed the others. You get some huge argument about, you know, is RSA better, or elliptic curve, or Ed25519, or various other things. 00:54:29 At the moment there has been some migration from RSA to some newer protocols. 00:54:36 But one of the things that some people are starting to talk about is quantum-secure protocols. There's some concern among some cryptographers that quantum computers are going to make the existing crypto stuff not work. 00:54:50 There are a bunch of other people who think that this concern is wildly overblown. 00:54:55 But it is something that people are starting to look at, and at some point, you know, people might start deploying 00:55:02 quantum-secure protocols.
I think the answer is, at the root side, there's not an immediate plan to make a protocol change. 00:55:12 Well, we're not going to change it, but I wanted to do a promotion for our Wednesday workshop again. One of the items on the agenda 00:55:21 is a presentation by Kim Davies on the plans for the next root KSK rollover. So if you're interested in more information about details of when and how, and, you know, how they took all the various inputs they got from the community, 00:55:41 the DNSSEC workshop on Wednesday afternoon has, I think, a 20 or 25 minute session where Kim, who's the president of PTI, that runs the IANA, will be doing a presentation on their recently released draft plan, which I think was released either Friday or Saturday. 00:56:04 Hot off the presses. By the way, that workshop will be at 1:30pm next door in 517C, and it is several hours' worth of discussions of various different types 00:56:16 around DNSSEC, all flavors. Some of it is high level, some of it's way down in the weeds, and some of it's in between, and all sorts of things. And you'll see a number of us back there doing that. Other questions? 00:56:32 Andrew's standing there with his hand in the air. Somebody's got to help him. 00:56:37 Anybody? Anyone? 00:56:39 You have a moment of free advice or whatever. 00:56:43 Otherwise, we're going to ask Warren to start making jokes again. 00:56:47 Oh, good. Look at that. Perfect. 00:56:51 Just the threat. 00:56:53 All right, this might be a bit of a dumb question, but I just wanted to make something clear in my mind regarding, um... it's actually kind of a follow-up to the question Fred asked earlier. 00:57:07 Um, so basically, if I don't have a browser that supports DNSSEC, or like Outlook or whatever, 00:57:18 does that mean that the 00:57:22 section in between my DNS resolver and my client is technically unprotected? 00:57:32 Yes.
So, but now be clear, as one thing: all of the applications on your device historically have always left the DNS resolution 00:57:44 to a little piece of code, the stub resolver, in the operating system, 00:57:49 which then went out and made queries to the ISP resolver and did all that kind of thing. And so if your operating system did not support DNSSEC validation, checking the signatures, 00:58:00 then yes, you're at risk of, you know, a Dr. Evil swooping in and providing you with bogus information that could redirect you to another site. 00:58:11 Historically, that's been the way it has been, outside of a few examples where people built, you know, DNSSEC validation into specific browsers, more for test kind of purposes. 00:58:23 This is changing a bit. There's a whole group within the Internet Engineering Task Force, the IETF, looking into the fact that more and more applications are doing DNSSEC. 00:58:34 Some of the higher-profile stuff we've been hearing about with DoH and web browsers is part of that, but other applications are also doing more with 00:58:42 DNS validation and stuff, in ways that are changing a bit of the architecture of how DNS works and how the internet works in some way. Warren's looking at me like he wants to say something. 00:58:53 Yeah. Warren thinks we might actually, we might all have oversold the protection some here. So what actually happens, as you saw in the skit: the ISP went off and did all the validation, and the ISP eventually went back to the user and said, I validated this, don't worry, it's good. 00:59:11 The way DNSSEC actually works is the validating resolver at the ISP, or public DNS, or whoever, does the validation, and then it tells the client that it did it and it should trust it, basically, by saying yes, this is good, it's all happy. 00:59:28 So that does mean that if the packet gets fiddled with on the way back from the resolver to your client,
00:59:36 you know, somebody could be doing bad things. Eventually it would be nice if your computer did the validation itself, if it didn't trust the ISP, if it went through and did all the cryptographic work itself. 00:59:47 And some operating systems you can sort of force into doing that. You know, Linux, for example: many of the Debian ones now come with a thing where you can turn on a knob and it will do the validation itself. 01:00:00 Certain people provide software which you can just stick on your machine. There's a piece of software called Stubby which will do validation on the computer. 01:00:09 But in general, you're largely trusting your ISP or the resolver to have done the right thing for you and to not be lying, and also for your ISP to not be sort of tampering with the data on the way back. 01:00:23 Yeah, I was... Oh, yeah. If I can just add to my question. Yeah, I was thinking more like you've got someone on the local network and maybe he's just ARP poisoned the whole thing, and he's, like, filtering, and he just answers the DNS query faster. 01:00:38 Right, and that's exactly the attack vector that can happen. And this is also why you're seeing a lot of the work happening around DNS privacy, 01:00:47 around DNS over TLS, DNS over HTTPS, DoH, these things, to look at how do you encrypt the connection from your local, you know, your device to your recursive resolver, 01:00:59 so that you can have a secure connection there, so that you can't have that person on your local network who's sending packets. It's another element of this layered defense in depth and layers of DNS protection. 01:01:13 Yes, sort of following on from that, there's two different attacks. There's somebody on your network who is ARP poisoning and then giving you wrong answers so that he can force you to go to the wrong place.
01:01:24 But there's the equally scary thing of having somebody on the network who is just watching your packets. 01:01:30 And, you know, it doesn't really help if you go to HTTPS alcoholicsanonymous.org, you know, and all of the content is encrypted, if people can see that you looked up the name alcoholicsanonymous.org, 01:01:41 or, you know, gayrights.org or Human Rights Watch. The very fact that you're resolving certain names, the fact that that is unencrypted, is potentially just as damaging as people being able to see the content that you're looking at. 01:01:55 And this type of thing that Warren was just describing sometimes has been called the coffee shop attack, 01:02:02 where you walk into your favorite local coffee shop. Their Wi-Fi may be encrypted, but it's freely accessible, and anybody in that coffee shop can join that Wi-Fi, and they can in fact 01:02:18 make copies of, or give deceptive answers to, your DNS queries. And so if you have a means to protect from your machine to where you trust 01:02:36 the information is going to be accurate, then you're going to be less vulnerable to attack. And I know for a fact that this is a doable thing and that there is software available for download on the internet that will let you do it. 01:02:57 And just to be clear again, just to declare: 01:03:00 DNSSEC is purely about ensuring that you get the correct answers. It's purely about the integrity. What we've been talking about here are extra layers of privacy enhancements, and we'll talk about some of those on Wednesday 01:03:13 at our session at 1:30. There's something in there around some of these elements that are part of that. 01:03:19 Are you good, Mark? Yes, yes, I'm good, thank you very much. All right, thank you. Kathy tells me we've got something from somebody remote. 01:03:27 This question is from Cosi.
Can you explain the deal between Firefox and Cloudflare about DNSSEC resolvers? I heard it from a previous presentation. 01:03:38 Well, the DoH... 01:03:42 I think... I'm not sure how much we want to get into here. So I can summarize it from a neutral point of view. Go ahead. 01:03:52 Claiming that I'm not... 01:03:55 The problem is, I was willing to give the answer in the previous conversation, but 01:04:01 Warren, you correct me when I go wrong. How's that? So there are two... 01:04:06 Let me backtrack and actually answer the previous question again really quickly. First, there are multiple ways to protect the conversation between you and the resolver. Okay, Dr. Evil. 01:04:18 There are multiple ways to protect you to the resolver, and 01:04:21 the world is still kind of working that out, and at the Internet Engineering Task Force in two weeks there's going to be yet more discussion about it. 01:04:28 You can do DNSSEC on your client, you can use something like DoH, you can use something like DoT. There's a number of ways that we're trying to figure out how to protect that, 01:04:37 and they all work in different ways. 01:04:39 For the web browsers, the web browsers have decided, because they are already well versed in HTTPS, they understand that protocol, they understand how to use it well, they have really fast libraries that know how to use it, 01:04:52 they've decided that they really want to do DNS over HTTPS, and they're motivated to do that. 01:04:56 They're deploying it in different ways. And so the two that I know about, I don't know about the plans of the other ones, are Chrome and Firefox. I'll start with Firefox because they sort of went out and announced it first. Firefox decided that they are going to partner 01:05:11 with Cloudflare, which is a web proxy company that does... they have all sorts of features, and they're also one of the people to stand up a worldwide DNSSEC-validating resolver.
01:05:22 They are partnering with Cloudflare to send all of your web DNS requests to Cloudflare if you use Firefox. 01:05:29 And right now, if you're in the United States... their future deployment plans are currently uncertain, but they have backed down to just testing in the United States this month, 01:05:40 and only with Cloudflare at the moment, but they will have a drop-down box that will allow you to pick other providers. Google, on the other hand, 01:05:48 and this is where Warren will correct me when I go wrong, Google, on the other hand, is actually going to test your ISP: does your ISP provide 01:05:57 HTTP or HTTPS service for DNS? And if they do, and if they're on a trusted list, they will use DoH to talk to your ISP. 01:06:07 If those two things, you know, don't turn out to be true, then they're going to fall back to regular DNS. They're not going to send your traffic to another third party, though, unless that's changed recently. 01:06:18 As much as it pains me to say, that's basically all correct. I mean, one thing I'd like to add is sort of the Chrome approach. 01:06:28 Google believes that, you know, you should continue talking to your current resolver, because it potentially does things for you like malware protection. 01:06:37 By talking to your current set of resolvers, by not changing your resolver, it allows you to get all of your current protections. It allows you to potentially look up internal domain names, things like that. 01:06:48 And so that's the sort of Google approach. And I think for the remote listener who asked that question, I think it's important to also understand there's a protocol, DoH, 01:07:02 DNS over HTTPS, that was defined by the IETF, RFC 8484. It's a protocol that's basically how to do DNS over an HTTPS connection. There's a protocol called DoH, 01:07:13 and a DoH client, which could be a web browser,
and that's the primary audience right now, can talk to any DoH server. 01:07:19 And it's a way to have an encrypted, secure, private connection between an application and a DNS resolver. So it's encrypting that connection. So DoH as a protocol is that. 01:07:32 Now DoH, as it's being initially deployed in these early stages, that's where some of this contention has come in, because of these different mechanisms 01:07:41 and the different ways that people have asked. So I just think it's important to understand there's a protocol that works at this privacy layer 01:07:48 to ensure that somebody in the coffee shop can't be capturing all of your metadata about all the places that you want to go. 01:07:56 And that's what DoH is, and then another protocol called DNS over TLS, which is DoT. 01:08:03 Those two protocols are designed to help protect the privacy, so they increase the level of privacy that we have in that. 01:08:11 And some of where the contention gets in is how these are actually being deployed in different ways in these early days. Right away, Wes just pointed out that I'd forgotten: full disclosure, I work for Google, who makes Chrome. I meant to disclose that but forgot. 01:08:33 So for folks that want to see a little bit more about this discussion, at ICANN64, I believe it was, there was a high interest topics session, an hour and a half, two hours, roughly, on 01:08:51 DoH and DoT. It was mentioned some, but it was a rather lengthy session, and it is recorded, and I'm quite certain it's available on the ICANN64 archive website, so you can watch a couple hours of the ICANN-relevant discussion there. 01:09:12 Other questions? Andrew. I think that was actually ICANN65, wasn't it, the last one, where the DoH session was, in Marrakech. Yes. Yeah. Yeah. Right. 01:09:24 Okay.
I should at least mention, I actually work for the University of Southern California, to disclose where I'm from. 01:09:30 And I believe that there will probably be more stuff, although I haven't checked, on DoH and similar at the DNSSEC workshop. Yes. So we do have a session on DoH on Wednesday. 01:09:44 Other questions? Yes, up here in the front. 01:09:49 Oh, right there. 01:09:52 And then I saw you; I'll come to you too. 01:09:58 Guy from the US. So, is there a way to do private DNS queries that can't be... the coffee shops that don't... and 01:10:10 that there's no snooping allowed because the DNS query itself is encrypted in some way? 01:10:16 Yeah. And this is where, again, both DoH or DoT, those are technologies that let you go and do that, and you can 01:10:25 connect from your... well, if you want to use those directly, you could do them from your web browser. If you set up either Chrome or Firefox to 01:10:34 use... you can set them up now to use DoH, and you can tell them which server to connect to. So you can go and do that now. You can also go to dnsprivacy.org, right, it's DNS privacy, 01:10:47 dnsprivacy.org, where there's a whole series of other different software you can install. You can install something called Stubby on your local system which will go and encrypt all of your queries to certain DoT 01:11:01 servers that are out there. So you can do that. You can also run your own DoH or DoT server if you want to; you can run that on your own, in your own place, and set that up that way. 01:11:13 It's possible. Do it. Good. And you can also fire up a VPN, if you know what... a quick, easy solution now for everything. Yes. Yes, you. Other questions? Yes, back there. 01:11:25 And my question is in terms of digital literacy. Sure. When we...
When we talk about educating the user or the registrants, should we explain to them the importance of DNSSEC for their domains when they register? Because when we talk about the ISPs, the registries, registrars, 01:11:51 not registries, registrars, right. But when we talk about that, would that help the deployment of DNSSEC? What's your opinion on that? Well, I think all four of us up here, and others here, would say absolutely. 01:12:07 We certainly encourage people to include that as part of it, you know, and just say that as you're getting your domain out there and as you're deploying it, it should be signed. 01:12:16 And again, some of the registrars, and I don't know in Argentina, but some of the registrars that are there 01:12:24 have gotten to the point, registrars and DNS hosting providers have gotten to the point where they've made DNSSEC as easy as, you know, checking a box or moving a switch or doing something else. 01:12:33 And that's really, in the ideal world, where we want it to go on the signing side, where it just becomes something very simple and easy that the end user doesn't even have to 01:12:43 really get involved with in some way. But we do encourage people to get out there and get them signed, because it ensures, from a brand, from a reputation point of view, it ensures that people are going to be getting to the sites that you put into the DNS. 01:12:59 So, 01:13:01 I disagree slightly. Warren can disagree, of course; Warren can disagree with anything, because he loves arguing. 01:13:08 So, I mean, it depends at which point in the digital literacy lifecycle. I think that we would all say that DNSSEC is a good thing. 01:13:17 But is it the most important thing for a new user on the internet? Probably not. Is it the most important thing when somebody registers a domain? 01:13:28 It could be, but I mean, there's a lot of other security things that are also really important that you need to get right.
And so this fits in a spectrum. 01:13:40 All right, Warren, that was a good disagreement. Spectrum. Go ahead. And that's why, like, I was thinking about that too, because when you think about it in terms of incentives, and 01:13:53 like for us that are kind of involved in ICANN and internet governance: if you don't have a technical background, you have to spend time and effort on understanding why DNSSEC is important. So the registrant or the user, they're thinking about their 01:14:13 company or whatever. Like, how do we build a narrative, like, okay, this is important, maybe your domain is going to be a little more expensive, 01:14:25 but it has internet security, right? Yeah. This is part of the challenge, and quite honestly this is why in many places we've been working with the DNS 01:14:39 providers, the DNS hosting providers, or the registrars, who may oftentimes be the same, and encouraging them to 01:14:45 either just make this happen, just sign everything, as some DNS hosting providers do, they just sign it by default, or to make it easy for people to understand and to do that, and ideally make it without a cost, although, you know, the business models vary in different places. 01:15:04 Because, to your point, and Warren... I will agree with Warren that in the grand scheme of things, for somebody getting online in a new place, this is yet another one of those things they have on their list, 01:15:17 but it may not rise, depending on their level of savviness and their ability to work with it, it may not rise to the top. And for that reason, ideally it's just something that's in the infrastructure, you know, it's being dealt with on those levels. 01:15:31 You're not going to disagree with anything more now? Okay, good. Other questions? We have time for about one or two more. 01:15:42 No? Oh. Oh, Mr. Levine, up here.
01:15:52 I say that because I know John well. 01:15:54 Now, this is actually just a commercial. Commercial, yeah. A little earlier, a few of you mentioned 01:16:02 quantum cryptography, what effect it might have on DNSSEC, and by amazing coincidence there is a talk on exactly that topic. So, last talk, Tech Day, tomorrow. 01:16:15 Perfect. Yes. The bad news is the guy giving it is a pompous blowhard, but there's not much you can do about that. 01:16:22 Okay, well, like, John, we're assuming that you, John, you're okay. Oh. All right. Okay. So John will be giving a talk 01:16:33 tomorrow at the end of Tech Day, which, by the way, if you're new, and I see a number of fellows 01:16:38 who said they're new, tomorrow is Tech Day, where there's a number of different sessions that are going on in 01:16:45 one of these rooms. I'm not sure which one. But if you look in the schedule for Tech Day, there are a lot of different topics, ranging from, I guess, quantum cryptography on this 01:16:55 to DDoS attacks to other different kinds of things, various different topics. I haven't looked at the schedule for this week, so I don't even know. 01:17:04 But anyway, there's a lot of good sessions that are inside of there as well. That would be 516C. Oh, listen to that. Perfect. We have found the room. 01:17:16 10:30 is when it starts tomorrow. 01:17:19 Anything else? 01:17:23 Okay. So if not, I would say thank you for your attention, and also, if you're interested in more, you're welcome to come and talk to any of us. We'll be around for a few more minutes. 01:17:32 And again, on Wednesday at 1:30 in 517C, the room next door, we will have the DNSSEC workshop, which will cover a range of topics. You can see the agenda if you go up and look at the site on the scheduler and all of that. So thank you very much and enjoy your week here at ICANN.