
Highlights of our trip to Toledo:
I've never been very good at explaining my job to family and friends. I'm going to try to make up for that a little by talking about some things I've been involved in at work that I find particularly exciting.
In less than two days the root zone of the Internet's Domain Name System (DNS) will be officially signed, for the first time. Signing the zone means adding an extra layer of security, so that we can be sure received DNS messages are authentic.
DNS is an Internet protocol that, among other things, is used to map domain names to IP addresses. It was invented 27 years ago without any real security features. Some 10 years ago, people began work to develop security extensions to the protocol, which we call DNSSEC.
The DNS is a hierarchical system, which is to say, tree-like. We usually visualize it as an inverted tree, with the "root" of the tree at the top. The root of the DNS is important because it is the starting point for any lookup. In DNSSEC the root is especially important because it is the starting point for validation. Think of the root zone as the only point that everyone automatically trusts.
My employer, VeriSign, plays two important roles with the DNS root zone. First, VeriSign operates two of the 13 root servers (named by the letters A and J). Second, VeriSign is the Root Zone Maintainer. In the context of DNSSEC, this means that it's our job to actually sign and publish the zone.
In DNSSEC, signing is accomplished using keys. These keys have two parts: a public part and a private part. A signature is created using the private (secret) part and can be later verified using the public part.
There are two types of keys: KSKs and ZSKs. Both are needed to sign a zone and normally a single organization would be responsible for both. However, the root zone's importance necessitates a separation-of-powers. VeriSign is responsible for only the ZSKs while the Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the KSKs.
The public part of the KSK from ICANN forms what we call the Trust Anchor for the DNS. It is the root of the security hierarchy. If you have the trust anchor (the public part) you can validate or verify any signature in the DNS hierarchy.
As you may imagine, the keys to the root zone are Serious Business. Keys equate to trust. If an attacker of some kind manages to get a copy of a private key, the attacker immediately becomes trusted. In other words, the attacker can create new signatures that everyone will automatically trust. Therefore, keys are stored in fancy (and expensive) devices designed to protect them called a Hardware Security Module (HSM). If the device thinks it is being attacked, it erases the keys inside.
On Monday I was privileged enough to participate in a key signing ceremony for the root zone. ICANN has built a pair of ceremony rooms -- one on each coast -- where private keys are stored and where signatures are generated. Specifically, the purpose of the ceremony and these rooms is to generate signatures of VeriSign's ZSKs using ICANN's KSK. In other words, VeriSign's keys are signed using ICANN's key. Approximately every three months a number of ICANN staff and Trusted Community Representatives will meet in one of the rooms and hold a key signing ceremony.
Trusted community representatives are people from around the world involved in the DNS. ICANN has designed a system whereby some number of representatives must be present in the room in order to read the keys from the security devices and generate the signatures.
The ceremony I witnessed on Monday was the second such ceremony to take place. At the first ceremony they initialized the devices in the east coast room, generated the first KSK, and signed the first set of ZSKs. At the second ceremony they initialized the west coast room and signed the second set of ZSKs. I found the whole thing really fascinating.
The ceremony took 6+ hours with a short break about halfway through. About 20 people in all were involved. There is a ceremony script with approximately two hundred distinct steps. And the entire thing was recorded on video. The reason for the elaborate ceremony is to demonstrate that keys and signatures are generated in complete transparency. There is extensive logging, auditing, witnessing, and recording of the entire thing. The level of attention to detail and paranoia is quite amazing.
Seven of the trusted community representatives are designated as Crypto Officers. They are assigned "smartcards" that are used to operate the HSM. Some number of crypto officers (three I think) must insert their cards in order to activate the HSM for signing. The crypto officers are not allowed to take their smartcards home with them, however. Instead, they leave the cards in a locked safe, which has bank-style safe deposit boxes inside. They take the deposit box key (an actual, physical key!) home with them.
Everything that goes into a safe is placed inside a plastic tamper-evident bag. The bags have serial numbers on them. Throughout the ceremony everyone was writing down the bag serial numbers on their copy of the script. At the next ceremony, these bags are removed and checked for evidence of tampering and for matching serial numbers.
Signing of keys is done on a laptop running Linux. The laptop has no hard drive. Instead it boots from a read-only CDROM which contains all the necessary programs. As further evidence of the level of paranoia, a SHA256 hash of the CDROM was taken during the ceremony. This hash is a string of 64 hexadecimal characters (which we all wrote down) that represents a fingerprint of the contents of the CDROM. It will be verified in future ceremonies to prove that ICANN hasn't done something sneaky, like replace it with a different CDROM.
My role at this ceremony was to authenticate the ZSKs right before they were signed by ICANN. The ZSKs, generated at VeriSign, are sent to ICANN days before the ceremony. They put the ZSKs onto a flash memory disk, which gets inserted into the laptop. I brought with me a sheet of paper that has a hash (fingerprint) of the ZSK data. Just before signing they asked me to turn my back to the screen and read (from my sheet) the sequence of words that represents the hash value. Since my spoken words matched the words on the screen, it was proof that the ZSKs were authentic and came from VeriSign. Then the keys are signed!
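To make the key hierarchy and the fingerprint check concrete, here is an added example (my own illustration, not code from VeriSign, ICANN, or the ceremony software). It models the two-level chain described above: the KSK public part is the trust anchor, the ceremony signs the ZSK with the KSK, the zone maintainer signs ordinary records with the ZSK, and a validator that knows only the trust anchor accepts the chain or rejects a record signed under a ZSK the KSK never vouched for. It also shows the SHA-256 fingerprint comparison used for the CDROM and the ZSK data. Assumptions: Ed25519 stands in for the real root zone algorithm simply because it is in Go's standard library, the record text is a constructed sample, and all type and function names are mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyPair models a DNSSEC key: a public part that is published and a
// private part that stays inside the HSM. Ed25519 is an assumption of
// this example, not the algorithm the root zone uses.
type KeyPair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeyPair generates a fresh key pair (a stand-in for HSM key generation).
func NewKeyPair() (KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return KeyPair{}, err
	}
	return KeyPair{Public: pub, Private: priv}, nil
}

// SignedZSK is what the key signing ceremony produces: the ZSK public part
// together with a signature over it made with the KSK private part.
type SignedZSK struct {
	ZSKPublic    ed25519.PublicKey
	KSKSignature []byte
}

// CeremonySignZSK is the ceremony step: the KSK signs the ZSK.
func CeremonySignZSK(ksk KeyPair, zskPublic ed25519.PublicKey) SignedZSK {
	return SignedZSK{
		ZSKPublic:    zskPublic,
		KSKSignature: ed25519.Sign(ksk.Private, zskPublic),
	}
}

// SignedRecord is ordinary zone data signed by the ZSK, the maintainer's
// routine job between ceremonies.
type SignedRecord struct {
	Data      []byte
	Signature []byte
}

// MaintainerSignRecord signs zone data with the ZSK private part.
func MaintainerSignRecord(zsk KeyPair, data []byte) SignedRecord {
	return SignedRecord{Data: data, Signature: ed25519.Sign(zsk.Private, data)}
}

// Validate is what a resolver does with nothing but the trust anchor (the
// KSK public part): first check that the ZSK was signed by the KSK, then
// check that the record was signed by that ZSK. A ZSK signed by any other
// key, or a record altered after signing, is rejected.
func Validate(trustAnchor ed25519.PublicKey, zsk SignedZSK, rec SignedRecord) error {
	if !ed25519.Verify(trustAnchor, zsk.ZSKPublic, zsk.KSKSignature) {
		return errors.New("ZSK is not signed by the trusted KSK")
	}
	if !ed25519.Verify(zsk.ZSKPublic, rec.Data, rec.Signature) {
		return errors.New("record signature does not verify under the ZSK")
	}
	return nil
}

// Fingerprint returns the SHA-256 digest as 64 hex characters, the form the
// post describes for the CDROM image and for the ZSK data.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// FingerprintMatches is the out-of-band check: the digest brought on paper
// must equal the digest of the data actually loaded on the signing laptop.
func FingerprintMatches(onPaper string, loaded []byte) bool {
	return onPaper == Fingerprint(loaded)
}

func main() {
	ksk, _ := NewKeyPair() // ksk.Public plays the role of the trust anchor
	zsk, _ := NewKeyPair() // the zone maintainer's key
	paper := Fingerprint(zsk.Public) // constructed: what would be written on the sheet
	fmt.Println("ZSK fingerprint matches paper:", FingerprintMatches(paper, zsk.Public))
	signedZSK := CeremonySignZSK(ksk, zsk.Public)
	rec := MaintainerSignRecord(zsk, []byte("example. IN A 192.0.2.1")) // constructed record
	fmt.Println("valid chain:", Validate(ksk.Public, signedZSK, rec))
	rec.Data = bytes.Replace(rec.Data, []byte("192.0.2.1"), []byte("192.0.2.2"), 1)
	fmt.Println("tampered record:", Validate(ksk.Public, signedZSK, rec))
}
```

Note that the validator never sees a private key: everything it trusts is derived from the one public value it was configured with, which is exactly why the private KSK is the thing the whole ceremony is built to protect.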
Here's Mehmet, the ceremony administrator, handing me a copy of the signed keys:
This was about halfway through the ceremony (step 108 of 199). The remainder was mostly putting things into bags, writing down their numbers, and locking them in the safes.
The real excitement happens on Thursday when we "unblind" the keys in the root zone and allow the actual KSK to be published so that DNSSEC validation can finally take place!
Below are my favorite pictures from our vacation to Priest Lake. Mostly kids, since I haven't yet learned how to photograph adults.
Our favorite memories include:
That's me on the left, after bonking into a coffee table!
I don't think I've ever moved (as in all my belongings) without my Dad. From the day I got dropped off at college, to our family's biggest move back to Idaho, my Dad has been my moving buddy. We've loaded and unloaded countless U-hauls in Oregon, Washington, Idaho, and Colorado.
I believe it was the move to Portland where we had to unload everything in an unexpected heavy snowstorm. The weather during the move from Portland was much nicer, but I'll never forget how hard we (and by "we" I mean mostly Dad) worked to clean the apartment, only to learn that the cleaning deposit was non-refundable!
It should come as no surprise that each move required larger and larger vehicles to carry all the stuff. In my younger days I managed to fit my stuff in my Jeep. But when we moved from Colorado to Idaho a few years ago, I had to rent the largest U-haul truck available. We hired some professional truck-packers, but my Dad was right there helping box everything up, carry it all down the stairs, and help to clean up the aftermath. On top of that, he also drove the truck all the way from Boulder to Boise through some nasty weather while I tried to keep up in our mobile dog kennel. After a brief rest in Boise, we continued on to the valley and unloaded everything in the largest self-storage space to be found. I think that move took a year off his life and I should have offered to pay for his knee and hip replacement surgeries.
Speaking of cross-country adventures... Somewhere in the 1992 timeframe I was living in central Washington and computer BBSes were all the rage. At work we had real Internet and Usenet newsgroups. I wanted a Unix computer at home and became a little too excited about a used HP 9000/300 computer that was for sale -- in Oklahoma! I knew very little about it, other than the fact that it ran "Real Unix." This was an unbelievably big computer. It came with two disk drives that could be mistaken for a washer and dryer. My Uncle Don had to stop by and add some 220-Volt outlets to my rented apartment. Anyway, Dad was happy to make the road trip with me. We were probably driving for 3 days there and back, hauling this overpriced hunk of junk. But he was happy to do it.
Another great thing about Grandpa Roy is that he's always up for a project when he visits. He's helped lay new flooring, install toilets and sinks, finish retaining walls, and probably a few other projects that I've managed to forget about. We both have a strong do-it-yourself work ethic. I've always admired him for building a duplex and a vacation house.
Some other reasons that I love my Dad include:
And finally, my Dad is a consummate salesman. Except for a brief stint teaching and coaching, he's always been a salesman. He has the essential qualities of being outgoing and friendly. Unfortunately for me, I did not inherit these traits. However, one thing that I will forever cherish is that my-dad-the-salesman taught me the power of positive thinking. I still remember a little poem that used to hang in our house that went something like this:
If you think you dare not -- you don't.
If you think you are beaten -- you are.
something, something, something...
Life's battles don't always go to the faster or stronger man.
Sooner or later the man who wins is the man who thinks he can!
(ok, I had to look up the whole thing. It's a poem named "Thinking" by Walter D. Wintle.)
Happy Father's Day Dad.
We originally planned to go mini-golfing today, but when our neighbor invited us to go fishing with him at Spring Valley, we jumped at the chance.
We were apparently sitting on the "lucky dock" because the first fish was on in about 30 seconds and more soon followed.
(Fish appears larger than it was)
We bought this slide back in February I think. Finally had a day that was warm enough to use it!
(If you don't see the slide show, please click on the post title above)
Well, we thought it was the last game of the season, so I made him pose for this trading card style money shot.

My Uncle Larry writes a weekly family newsletter. Back in February he gave us all a homework assignment: send me what "Love" is to you. I didn't complete this simple task and I felt pretty bad about it after reading everyone else's submissions. So on this Mother's Day I'll attempt to make up for it by telling you about my Mom.
Back in 2006 we sold our Colorado condominium a few months before our under-construction house in Moscow was ready. We looked around Moscow for somewhere to rent, but it was really hard to find (a) a nice place and (b) something that could be rented for only a few months (since almost all the rentals are tied to the school calendar). Also we didn't want to unpack/pack our stuff twice. Perhaps without realizing what she was getting into, my wonderful Mom offered to let us stay in her cozy house.
So the three of us--and our stinky dog!--moved in and took over Mom's basement (and upstairs too!) while most of our junk stayed in a storage unit. She sacrificed her sewing room for Colin's bedroom. She let us fill her fridge with our crunchy food and allowed Colin to trample her backyard foliage.
I'm sure it must have been stressful having us there. I don't remember exactly how many times the builder's schedule slipped, but we finally moved out of Mom's house and into our own about three months later. I suspect she celebrated our departure by cleaning for a week.
I experienced another example of Mom's Love in 2008. I've written about it before. The short version is that, unknown to me, my Mom saved my box of childhood LEGO(s). She probably had to pack them up and move them about 10 times or more over the years. Opening the box some 30 years later I was overwhelmed with emotion and memories.
Another thing I love about my Mom is her social networking prowess. I'm not talking about Facebook (although she does partake). I'm talking about the old-fashioned kind. She knows more people than I could ever hope to meet. I love that when we go somewhere we'll run into at least one person she knows. Perhaps a family member or friend of a resident, or someone from the church, or someone that we're related to in some obscure way.
Something you might not know about my Mom is that she's a great writer and public speaker. It may be a Christmas letter, a short email to the family, or part of an elaborate graduation/shower/wedding gift. Mom is often called upon to give a prayer or reading at weddings (including our own!) and other special events. She has a real knack for choosing the right words. I attribute this to the time she spends in prayer and introspection.
Lastly, I really appreciate the way Mom gets everyone together for great family vacations. She's taken us and the O'Shaugnessy's to Wallowa Lake, McCall, and the Oregon Coast. This year we're spending a few days at Priest Lake!
Happy Mother's Day Grandma Theresa! We Love You!