
CEO Remarks on Black Hat / Def Con

Several ICANN staff members attended the Black Hat and Defcon conferences last week to launch DNSSEC to the global Internet security community.

Black Hat is one of the world’s premier security conferences; it attracts about 5,000 onsite participants and many more online. Defcon is a hacker event, also attended by government and security types, and nearly 10,000 people registered for this year’s conference. These are important communities for ICANN.

Black Hat Chair Jeff Moss addressed thousands of participants at the opening session and asked a challenging question. Security has been discussed and debated throughout Black Hat’s 13-year history, yet what progress have we made? What real successes can we celebrate? The growth in malicious traffic on the web is higher than the growth in legitimate traffic. The Internet security community, he said, has had no solid accomplishment to show for our efforts – until today. Today DNSSEC is being launched, and just days ago the root of the Internet was cryptographically signed. This is the first major Internet security enhancement since the beginning of Black Hat, and we thank ICANN for this accomplishment.

This set the tone for other successes, including:

Whit Diffie’s Keynote at Black Hat Executive Session

Eighty top leaders from governments and corporations participated in an exclusive one-day program the day before Black Hat officially began. Whit Diffie, ICANN’s new Vice President for Information Security and Cryptography, was the keynote luncheon speaker and greatly impressed the audience, many of whom knew of his global reputation as a groundbreaking cryptographer.

Black Hat DNS Vulnerability Panel

The event was well attended and focused entirely on how to deploy DNSSEC successfully at all levels. The lively discussion included Whit Diffie; Sandy Wilbourn, CTO of Nominum; Ken Silva, CTO of VeriSign; Mark Weatherford, former Chief Information Security Officer of the State of California, which implemented DNSSEC; Dan Kaminsky, Chief Scientist at Recursion Ventures and a DNS activist; and me.

Press conference launching DNSSEC, with a live hook-up to the IETF meeting in Maastricht

The press conference was well attended by the world’s media, both technical and mainstream. Russ Housley, Chair of the Internet Engineering Task Force, joined by video link along with Mark McLaughlin, CEO of VeriSign, and Dan Kaminsky. Russ provided excellent detailed explanations to numerous questions, and the press conference was greatly enhanced by his participation. Dozens of articles on DNSSEC have appeared, including an Agence France Presse article that has been picked up by media outlets around the world and stories in the National Journal, MSNBC, CBS News and ABC News. To get a sense of the coverage, please see:

Black Hat Kaminsky session on how to implement DNSSEC for browsing, email and websites

Over 1,000 people packed in to hear Dan present a set of tools that can rapidly and easily cryptographically sign any website. Though initially a skeptic about DNSSEC, Dan stated that he had been wrong and is now a huge believer. He urged everyone in the industry to implement this important technology. He showed a private version of the Google Chrome browser that is fully DNSSEC-enabled, as well as tools he has created to add DNSSEC to Internet Explorer and Mozilla Firefox browsers. He capped it off by demonstrating DNSSEC-enabled email and announced he will be posting code so that DNSSEC-protected email can be sent and received through Microsoft Outlook. The crowd was wowed.

Defcon DNS Vulnerability Panel

This panel included ICANN’s Rick Lamb and Mehmet Akcin, Nominum’s Sandy Wilbourn, VeriSign’s Ken Silva and Dan Kaminsky, and was attended by about 800 people. Mehmet reports that it was an interactive and constructive session with considerable input from the audience.

Successes and lessons learned

Participants’ high level of engagement on DNSSEC and interest in ICANN demonstrate that these two events have helped to kickstart the long-term push for universal adoption of DNSSEC.

The panels and presentations had a significant impact in promoting DNSSEC. The most important lesson of ICANN’s experience at Black Hat and Defcon remains one of our defining philosophies: collaboration works. We made clear that everyone has a role in enhancing the security of the global Internet and we invited everyone to be a part of the solution. Many participants said they would push their ccTLDs, their own companies and software companies to enhance their product offerings to leverage DNSSEC. Participants clearly understood that this first true centralized trust anchor is a foundation for further global security enhancements.

ICANN’s first formal participation at Black Hat and Defcon, with many senior officials from the national security communities of the United States and other governments attending, also helped position ICANN as an important player in global Internet security. I believe our greatest achievement was the goodwill we created with the global security community and the governments they work with.

And special thanks again to all in the Internet Engineering Task Force for championing DNSSEC from the early days. It wouldn’t have happened without their unwavering commitment.

