On July 16-21, 2017, the IETF 99 conference will take place in Prague. What IETF is and how it works has been already explained by my colleague Ondřej Surý in Czech Cesta do hlubin IETF, Odkud pochází internetové standardy (aneb bylo jednou jedno RFC) or Vrána k vráně sedá aneb koťátka, dogy a nápoje v IETF. Ladislav Lhotka, in turn, described its unusual geeky atmosphere IETF: internet podle mručící většiny. So it is enough to mention that IETF is an organization that publishes Internet standards. Its goal is to create quality technical documentation that influences the development of the Internet and its applications.
In just a few days, all entrepreneurs in Slovakia will have active electronic mailboxes, which is the counterpart of our data boxes. Although the inspiration from the Czech system is obvious, there is at least one significant difference.
I hope former US President Ronald Reagan would forgive me for borrowing and altering the slogan of his presidential campaign. After all, quite a few people seem to be doing it these days.
It all started when we received a response to one of the automatic e-mails generated by our honeypots when they detect an attack attempt or suspicious behavior. These notifications are sent to abuse contacts of the network from which the attack originated. Portscan of the WAN interface:
Locked Shields is the largest international cyber security drill. It is regularly organised since 2010 by NATO CCDOE (Cooperative Cyber Defence Centre of Excellence), and the focus of the drill is a clash between two teams. The red team attacks the blue team, which plays the role of the defender. This year, the drill was attended by a total of 19 blue teams. The teams were charged with the defense of a diverse computer infrastructure of a fictional country’s military base consisting of different servers, numerous workstations, SCADA systems, etc. The defenders were to face attackers, whose objective was to damage, compromise, or completely take down the network or its elements, or at least to make things complicated for the defenders. In addition to the technical part, the drill is focused also on strategic decision-making, cooperation with the press and the handling legal matters. We were invited by colleagues from GovCert and assigned to the “Linux team”.
For many years, our association has been running a service going by the acronym “ODVR” – Open DNSSEC Validating Resolvers. At times when DNSSEC was just beginning, we thought it was necessary to come up with an alternative to DNS resolvers provided by ISPs who introduced the validation support too slowly. Since then, we have offered a publicly available service that allows validation of domains using DNSSEC security even in those networks whose default DNS resolvers do not support this.
It has been almost half a year since we presented the intention to change the DNSSEC algorithm for .cz zone DNSSEC key at our IT 16.2 conference. In his presentation, our colleague Zdeněk Brůna described in detail the advantages of algorithms based on elliptic curves, especially the ECDSA algorithm. However, due to the situation where this step cannot be done because of the lack of support for this algorithm in the root zone, our activities have shifted to mainly educate and monitor the impact of this education on the state of support for this new technology. At a seminar with registrars that we held at the end of February, we noticed a positive response to some ECDSA properties, such as smaller zone file size or smaller DNS response size. Some registrars have already declared interest in switching to ECDSA. At the same time, the registrars have suggested that we publish statistics on our site showing how different DNSSEC algorithms are used in the .cz zone. We liked this idea and we are now publishing these statistics.
In mid-February we informed about Reducing TTL in the .cz zone by one hour. Then, at a similar hour every Wednesday, we reduced it by another hour, until on March 15, 2017 we reached the required value of 1 hour (i.e. TTL=3600).
The golden rule of security, stability, and resiliency of virtually anything is “don’t put all your eggs into one basket”. This generally applies to the DNS, and there are some recommendations to avoid having all your nameservers in one domain. I would like to show that in this case, this is not a silver bullet, it depends on many conditions, and using different domains in your nameserver set might even make things not better, but worse.
A couple of weeks ago, I got an email informing me that it had been almost three years since my entry into the Turris project, and I could now purchase the router for a symbolic price of one crown. I did that right away to test for my colleagues whether the system works well; however, it also brought back nostalgic memories. Because three years ago I had the same goal – to test whether everything was working properly – when I filled what was probably the first router lease contract. Those three years have gone by in a flash, so it is perhaps a good time to stop and look back.