IoT613 - September 2015

About CIRA

1. Operate the .CA top-level domain registry Registrant Registrar Registry .CA DNS

2. Operate the .CA top-level domain DNS Root “.” “.CA” 2nd Level .CA domains Internet Users ISP “.CA”

3. Invest in the Canadian Internet Promote development & adoption of IPv6 and DNSSEC D-Zone (Canadian DNS Secondary Anycast)

4. CIRA is a member-driven organization of over 70 employees and an elected 12-person board

IoT613 - September 2015

Internet of Things

• Things that are on the Internet• Things that are not on the Internet• Things referencing other Things on the Internet Things connecting to other Things on the Internet

• IoT is not here yet…• But marketing hype sure is!

IoT613 - September 2015

IoT Design Consideration

• Think about the Internet plumbing • For the things that are on the Internet:

Internet Protocol support: IPv6Trusted Domain Names & URL: .CASecurity: DNSSEC, IPSec

thebay.ca/olympics

Internet Infrastructure - Why .CA

• .CA is 2.4 million domain names– 100% Canadian– Top global rank for security, trusted– 800 million authoritative DNS queries a day

1069 TLDs & end-user confusion

IoT613 - September 2015

Internet Infrastructure - Why IPv6

• Design on IPv6 –> “The Future”– Scalable – 128 bits vs. 32 bits address scheme– Peer to peer (no NAT)– End to end security– Tiny stack, extensions, mobility, address mgmt.

Did you know?We ran out of IPv4 addresses (i.e. 1.1.1.1)

IoT613 - September 2015

Internet Infrastructure - Why IPv6

https://www.arin.net/knowledge/ipv6_info_center.html

IoT613 - September 2015

Internet Infrastructure - Why DNSSEC

• Think about integrity in domain name resolution– Domain name DNSSEC validation – prevents

domain/application hijacking

IoT613 - September 2015

Internet Infrastructure - Why DNSSEC

• Think about integrity in domain name resolution– Domain name DNSSEC validation – prevents

domain/application hijacking

IoT613 - September 2015

Internet Infrastructure - Why DNSSEC

• Platform for innovation– Cryptography, PKI based, application security

Signing an authoritative DNS zone with DNSSEC

www.cira.ca A 1.1.1.1 www.cira.ca RRSIG TaHZFGsjp…

DNS record(Private Key)

IoT613 - September 2015

Internet Infrastructure - Why DNSSEC

Resolver DNS Response - Calculate hashwww.cira.ca A 1.1.1.1

Resolver DNS Response - Decrypt signaturewww.cira.ca RRSIG TaHZFGsj….

(Public Key)

Links to Innovation & Research

• Think .CA, IPv6 and DNSSEC• IPv6 | Deploy360 Programme - ISOC• DNSSEC DANE| Deploy360 Programme - ISOC• The Physical web – Scott Jenson• IoT DNS Security - CircleID • IETF working on home network naming architecture

Thank you

Jacques LatourChief Technology Officer

Canadian Internet Registration Authority (CIRA) jacques.latour@cira.ca