OARC 2015 Spring Workshop (Amsterdam)

Heian I/II (Okura Hotel)

Ferdinand Bolstraat 333 1072 LH Amsterdam
Keith Mitchell (DNS-OARC), Sebastian Castro (.nz Registry Services)
Description

DNS-OARC's Spring 2015 Workshop took place on the 9th and 10th of May, co-located with the RIPE70 meeting at the Hotel Okura in Amsterdam, sponsored by:

Gold and Social Sponsor: SIDN
Gold Sponsor: Verisign
Silver Sponsor: Comcast
Bronze Sponsor: Nominum
Contributory Sponsor: NZRS

DNS-OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with RIPE attendees particularly welcome this time around. Attendance is free for OARC Members, Speakers and Sponsors. There are charges for other attendees and late registrations.

The workshop was webcast via Google Hangouts on https://plus.google.com/+DnsoarcNetPlus/, and video of the presentation sessions is available on YouTube as follows:

If your organization is interested in sponsoring OARC workshops, please see our Sponsor Benefits or e-mail sponsor@dns-oarc.net for more information.

Please see the RIPE70 Meeting Site for further venue, and travel details.

Draft 2014 Accounts
Hotel Booking Forms
Participants
  • Adam Obszynski
  • Anand Buddhdev
  • Anlei Hu
  • Anne van Bemmelen
  • Antoin Verschuren
  • Anton Baskov
  • Arjen Zonneveld
  • Assis Guerreiro
  • Aziz Mohaisen
  • Ben Shelston
  • Benjamin Zwittnig
  • Benno Overeinder
  • Bert Hubert
  • Billy Glynn
  • Bjorn Hellqvist
  • Brett Carr
  • Bruce Van Nice
  • Carl Clements
  • Carsten Schiefner
  • Casey Deccio
  • Cathy Almond
  • Chris Grundemann
  • Christian Petrasch
  • Dalini Khemlani
  • Daniel Stirnimann
  • Dave Knight
  • David Cates
  • Denesh Bhabuta
  • Dmitrii Kovalenko
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eddy Winstead
  • Eduardo Mercader
  • Edward Lewis
  • Filippo Valsorda
  • Florian Maury
  • Florian Obser
  • Francisco Cifuentes
  • Francisco Irala
  • Frey Khademi
  • Gavin Brown
  • Geoff Huston
  • George Michaelson
  • Gilles Massen
  • Greg Choules
  • Henrik Levkowetz
  • Iñigo Ortiz de Urbina Cazenave
  • Jaap Akkerhuis
  • Jacob Zack
  • Jacques Latour
  • Jan Včelák
  • Jared Mauch
  • Jarle Fredrik Greipsland
  • Jaromir Talir
  • Jason Hughes
  • Jean-Yves Bisiaux
  • Jelte Jansen
  • Jim Martin
  • Jim Reid
  • Joao Luis Silva Damas
  • John Bond
  • John Crain
  • John Dickinson
  • Joseph Roselli
  • Karl Dyson
  • Kazunori Fujiwara
  • Keith Mitchell
  • Lanlan Pan
  • Lars-Johan Liman
  • Laura Hendriksen
  • Leo Vandewoestijne
  • Liam Hynes
  • Maarten Wullink
  • Maciej Korczynski
  • Magnus Sandberg
  • Marco Davids
  • Marco Díaz
  • Marek Majkowski
  • Martin Levy
  • Matt Larson
  • Matt Weinberg
  • Matthew Pounsett
  • Matthijs Mekking
  • Mehmet Akcin
  • Mick Begley
  • Naeem Ahmed
  • Nat Morris
  • Niall O'Reilly
  • Nicolas Cartron
  • Normen Kowalewski
  • Oleg Levchenko
  • Ondrej Filip
  • Ondrej Sury
  • Patrik Wallström
  • Paul Ebersman
  • Peter Hagopian
  • Peter Janssen
  • Peter Koch
  • Peter van Dijk
  • Piet Barber
  • Pieter Lexis
  • Raghavendra Hegde
  • Ralf Weber
  • Ray Bellis
  • Rayappa Mayakunthala
  • Robert Edmonds
  • Robert Schischka
  • Roisin King
  • Romeo Zwart
  • Roy Arends
  • Roy Hooper
  • Samuel Weiler
  • Sandoche Balakrichenan
  • Sara Dickinson
  • Sean Stuart
  • Sean Turner
  • Sebastian Castro
  • Sergey Myasoedov
  • Shane Kerr
  • Shumon Huque
  • Siôn Lloyd
  • Stephan Lagerholm
  • Stephen Morris
  • Stéphane Bortzmeyer
  • Susan Graves
  • Svitlana Tkachenko
  • Taras Geychenko
  • Thomas Dupas
  • Thomas Steen Rasmussen
  • Tim Armstrong
  • Victoria Risk
  • Vincent Levigneron
  • Warren Kumari
  • Willem Troop
  • Wouter Wijngaards
  • Yves Bovard
  • Zhihui Liu
  • Ólafur Guðmundsson
    • 8:30 AM 10:30 AM
      Setup 2h Heian I/II

      Room not available

    • 10:00 AM 10:30 AM
      Welcome Coffee 30m Foyer Okura

    • 10:30 AM 12:15 PM
      Members Session Heian I/II

      • 10:30 AM
        Welcoming Remarks 10m
        Speakers: Mr Jelte Jansen (SIDN), Mr Keith Mitchell (DNS-OARC), Mr Ondrej Filip (CZ.NIC)
        Slides
      • 10:40 AM
        10 years of OARC 20m
        This is a retrospective talk to cover how DNS-OARC has evolved in the past decade.
        Speaker: Mr Keith Mitchell (DNS-OARC)
        Slides
      • 11:00 AM
        OARC President Update 30m
        Report from Keith Mitchell, OARC's President, about the state of OARC.
        Speaker: Mr Keith Mitchell (DNS-OARC)
        Slides
      • 11:30 AM
        OARC Systems/Projects Update 25m
        An overview of OARC systems, services & projects and their status.
        Speakers: Ms Dalini Khemlani (DNS-OARC), Mr William Sotomayor (DNS-OARC)
        Slides
      • 11:55 AM
        "Yes means HET" - traffic increase by protocol mismatch 20m
        It is common wisdom that DNS server implementations must not respond to responses to prevent a denial of service by spoofed traffic injection. We will share an observation of a system that accidentally turned responses into new requests, generating a "loop" that might go unnoticed.
        Speaker: Mr Peter Koch (DENIC eG)
        Slides
    • 12:15 PM 1:50 PM
      Lunch 1h 35m Foyer Okura

    • 1:50 PM 2:20 PM
      A countermeasure of random subdomain attacks (Aggressive negative caching with NSEC) 30m Heian I/II

      Random sub-domain attacks (also called "Water Torture" attacks) send many non-existent queries to full resolvers. Negative caching does not work well because query names vary. However, NSEC resource records contain non-existent name ranges. Aggressive negative caching using NSEC resource records may be a countermeasure against random sub-domain attacks for signed domains. The presentation will explain a proposal for a protocol change, an attack tool, a patch to Unbound, and an experiment result. It also decreases non-existent TLD queries to root DNS servers. (about 20 minutes without questions)
      Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      Slides
    • 2:20 PM 2:50 PM
      Caching of Negative DNS records 30m Heian I/II

      Negative caching is a functionality within DNS that is described in RFC 2308. Negative caching follows the same basic idea and principles as positive caching. That is, a record, or lack thereof, should be allowed to be cached by a recursive resolver and used for consecutive queries for the same QNAME and QCLASS. Since a negative response does not carry any record that can be used to indicate the TTL, the SOA record should be returned for said response.

      The benefit of negative caching is that a zone operator can limit the number of queries for a nonexistent record. For example, if IPv6 is not enabled for a host it makes sense to negatively cache the lack of AAAA records. The drawback of negative caching is that records that are accidentally removed from DNS take longer to get back into a working state. This drawback is worsened by the fact that there is no easy way of doing an Internet-wide cache flush. As such, the zone operator must carefully dial in the negative cache settings in their zones to achieve the desired tradeoff between long and short negative caching.

      Simply speaking, RFC 2308 clarifies and defines that the Minimum TTL field in the SOA record is the TTL that should be used for negative responses. This field should then be copied to the SOA TTL field by the authoritative server. However, in reality, it turns out that there are plenty of issues with how the returned SOA record for negative responses is interpreted by various brands of DNS software. A simple test for a non-existing record (asddas7754dadas.google.com) in the Alexa top 1 ranked google.com generates 3 different results depending on what recursive software is being used:

      Windows DNS: google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300
      ISC Bind: google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300
      Unbound (cold start): google.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300

      This paper and presentation will shed some light on how various DNS systems interpret RFC 2308. We will try to answer the question of how long you can expect a negative record to be cached on the Internet. The outcome of this talk is that domain owners can make an informed decision on what values to use for negative caching. Additionally, operators of recursive servers will get some guidance on how to properly configure their negative caching settings on their end.
      Speaker: Mr Stephan Lagerholm (Microsoft)
      Slides
    • 2:50 PM 3:30 PM
      Query name minimization and authoritative server behavior 40m Heian I/II

      This talk will provide an overview of DNS query name minimization algorithms (an approach to DNS privacy), and discuss the behavior of some authoritative DNS servers in the presence of a resolver that performs qname minimization. I'll provide a survey of results of the Alexa top 1000 domains, and discuss some observed defective behavior of a few CDNs and DNS hosting providers that will need to be addressed before these new resolution algorithms can be used widely.
      Speaker: Mr Shumon Huque (Research Scientist)
      Slides
    • 3:30 PM 3:45 PM
      Afternoon Coffee Break 15m Foyer Okura

    • 3:45 PM 4:00 PM
      Hedgehog and DNS Monitoring 15m Heian I/II

      Hedgehog (http://dns-stats.org/) is a replacement front-end for DSC datasets. In this talk we will present the latest version of Hedgehog and our future plans for its development. Future enhancements may include new graphs, visualization of anycast nodes and the origin of their queries and statistical analysis ideas. There will also be a discussion of requirements for a new DNS data collector, the "on node" data storage and preprocessing, the control of the data collector and a more efficient upload system. We hope this will be an opportunity for the wider community to provide input into the requirements and design.
      Speaker: Mr John Dickinson (Sinodun)
      Slides
    • 4:00 PM 4:30 PM
      Dealing with large DNS packet floods 30m Heian I/II

      DDoS attacks against DNS providers have been on the increase over the last few years. They have been growing in size and complexity, taking many prominent DNS providers offline. Today these attacks are a major concern to anyone running DNS servers. Operators are in a continual arms race against attackers. CloudFlare, one of the largest authoritative non-TLD providers, has had to learn the hard way how to deal with these attacks. We have learned how to keep our network operational, even with packet floods in excess of 200Gbps. In this talk, we'll explain what DNS packet floods look like and we'll share the details of our mitigation pipeline. In order to deflect the attacks we have developed some unique techniques that are not fully RFC compliant, but in an arms race operational realities win over protocol purity. Keywords: kernel bypass, sflow, flowspec, bpf
      Speaker: Mr Marek Majkowski (CloudFlare)
      Slides
    • 4:30 PM 5:00 PM
      Everyday attacks against Verisign-operated DNS infrastructure 30m Heian I/II

      Verisign operates two root servers (A.root-servers.net, J.root-servers.net), the authoritative name servers for .com, .net, .edu and many other ccTLDs and gTLDs. Alongside those TLD name services, Verisign offers a managed DNS service and DDoS attack mitigation platform for many big-name companies. Over the years, Verisign's infrastructure has been targeted for various volumetric attacks, and Verisign has adapted to these threats. Verisign employs many proactive and reactive strategies to combat such attacks. This presentation will show the means and methods for detecting and responding to these threats, including several real-world examples of attack traffic against Verisign infrastructure. We will also discuss current technologies and solutions for handling attack traffic, including large-scale infrastructure, custom name server and load balancer software, and dynamic resource allocation. We will also cover future plans including infrastructure upgrades, software enhancements, further anycast deployment, and more.
      Speakers: Mr Matt Weinberg (Verisign), Mr Piet Barber (Verisign)
      Slides
    • 5:00 PM 5:30 PM
      Drilling down into DNS DDoS Data 30m Heian I/II

      Drawing upon high resolution worldwide resolver data, this presentation will cover changes in attack vectors, intensity, duration and domains targeted. In mid-March yet another twist on the attacks appeared: hybrid queries using randomized labels querying for names that amplify. This has numerous implications, and tests of mitigation techniques will also be presented, comparing and contrasting alternatives.
      Speaker: Mr Ralf Weber (Nominum Inc)
      Slides
    • 7:00 PM 9:00 PM
      Social Event 2h CC Muziekcafé

      Rustenburgerstraat 384 1072 HG Amsterdam

      http://www.cccafe.nl/
      Please bring your name badges.

    • 8:30 AM 9:00 AM
      Welcome Coffee 30m Foyer Okura

    • 9:00 AM 9:30 AM
      Observations on DNSSEC and ECDSA in the wild 30m Heian I/II

      This is a followup to a previous presentation to DNS OARC on the use of ECC as a digital signature algorithm. We report on the findings of a large scale field test of presentation of a DNS name signed using ECDSA, looking at the level of support in resolvers for DNSSEC validation and the behaviour when given a badly signed name.
      Speaker: Mr Geoff Huston (APNIC)
      Slides
    • 9:30 AM 10:00 AM
      Effects of Increasing the Root Zone ZSK Size 30m Heian I/II

      The effects of increasing the root zone KSK size are studied by replaying trace data from a.root-servers.net to different name server processes with different ZSK (and KSK) parameters. This work explores how differing key sizes might affect root server operations in terms of (a) percent of UDP responses with TC bit set; (b) the distribution of response sizes over both UDP and TCP; (c) the amount of fragmented UDP responses; and (d) traffic volume (bandwidth). We consider both normal operations and key rollover scenarios.
      Speaker: Duane Wessels (Verisign)
      Slides
    • 10:00 AM 10:30 AM
      Signing DNSSEC answers on the fly at the edge: challenges and solutions! 30m Heian I/II

      CloudFlare operates DNS servers in a non-traditional way: there are no zone files and answers can be assembled from multiple sources on the fly. This prevented us from using existing DNSSEC tools. In order to provide a reliable and scalable solution that is friendly to the Internet we started questioning every assumption ever made on DNSSEC deployment. The resulting design will hopefully be a roadmap for others to follow when implementing on-line DNS signing systems. The areas where we needed to focus include algorithm selection, negative answers, key distribution for a large number of domains and rate limiting of signatures generated. In order to make sure our signatures would be validated we reached out to a number of parties to upgrade their systems to support the ECDSA algorithm. We have done extensive testing with available online resources and volunteers. Some of our design choices "stretch" protocol compliance and we will highlight those.
      Speakers: Mr Filippo Valsorda (CloudFlare Inc.), Mr Ólafur Guðmundsson (CloudFlare Inc.)
      Slides
    • 10:30 AM 10:45 AM
      Morning Coffee Break 15m Foyer Okura

    • 10:45 AM 11:15 AM
      A Day in the Life of a DNS Resolver 30m Heian I/II

      Analysis of high resolution DNS data reveals intricate patterns. This presentation offers visualizations of 24 hours of query data for provider resolvers across time, type, TLDs, and names for both legitimate and malicious traffic. Drill downs into threat details – such as bot, DDoS, and malware – will be presented. Other query data will also be evaluated and displayed.
      Speaker: Mr Bruce Van Nice (Nominum)
      Slides
    • 11:15 AM 11:45 AM
      Dissection and observation of traffic at a residential ISP 30m Heian I/II

      We analyse the DNS traffic from residential and SOHO customers of an eyeball ISP over a 24h period. We will describe the observed query patterns, correlating to different types of usage such as CDNs and popular sites using DNS to manage their traffic engineering, and different observed uses of DNS, describing what are the actual, in-the-field, observed common practices and how that impacts resolver traffic. We hope this will provide hard data that people can use to validate or dispel urban legends about actual DNS traffic at DNS resolvers, as opposed to authoritative DNS servers.
      Speaker: Mr Joao Luis Silva Damas (Bond Internet Systems)
      Slides
    • 11:45 AM 12:00 PM
      Update on experimental BIND features to rate-limit recursive queries 15m Heian I/II

      Unusual DNS query patterns have been the focus of many recent talks that have examined the sources, targets and intent of this traffic, as well as the impact seen by authoritative servers and resolvers alike. Over the past year ISC has been trialling experimental recursive client rate limiting techniques in BIND to limit the impact of this unwanted traffic on both servers and DNS clients. This talk recaps some of the problems that can be encountered and then reviews the effectiveness of the experimental techniques, including results from live production environments.
      Speaker: Ms Cathy Almond (Internet Systems Consortium)
      Slides
    • 12:00 PM 12:30 PM
      The iDNS attack (resolver loop) 30m Heian I/II

      ANSSI identified that several popular DNS resolver implementations could be led into following a large number of delegations. By doing so, these resolvers could inflict a denial of service either on the resolver itself, by excessive resource consumption, or on its hosting network, by flooding it with packets. Vulnerable implementations can also be enticed into sending to a victim ten times the number of packets sent by the attacker to the resolver, thus performing a distributed denial of service attack with packet amplification. This presentation covers the exploitation methodology for both kinds of attacks, and presents ANSSI's disclosure plan, the mitigation strategies implemented by the various vendors and some workarounds when denial of service is caused by an overwhelmed Linux-based firewall.
      Speaker: Mr Florian Maury (ANSSI/FNISA)
      Slides
    • 12:30 PM 2:00 PM
      Lunch 1h 30m Foyer Okura

    • 1:00 PM 1:30 PM
      PGP Signing session 30m Meerman

      Speaker: Matthew Pounsett (Rightside)
      notes
    • 2:00 PM 2:30 PM
      Zonemaster - do we need another DNS testing tool? 30m Heian I/II

      Testing DNS delegations has a long history. Some TLD registries used to do pre-delegation testing before delegating a new or reconfigured domain, some do testing for statistics, but most people do it to find errors in their DNS configuration. Zonemaster is a new tool created by .SE and AFNIC, and builds on our previous experience on working with DNS delegation checking tools such as DNSCheck and Zonecheck. Zonemaster was built on the requirement that it should implement all test cases and functionality from both DNSCheck and Zonecheck combined. All the requirements were collected and then made into specifications for the new tool. The most important specifications are the test cases, what Zonemaster is testing and how. The test specifications are built on our previous experience of maintaining DNSCheck and Zonecheck, the test specifications rely on RFCs, RIPE BCP documents and the IANA registry. The test specifications will further be refined by the new TRTF working group within CENTR, and later on bring their work to the IETF. The result of this work will hopefully be a DNS delegation BCP document. This talk will focus on the collaborative work, presenting the released Zonemaster software and its tools, the specifications and further work.
      Speaker: Mr Patrik Wallström (.SE)
      Slides
    • 2:30 PM 2:45 PM
      Plan for Decommissioning the DLV 15m Heian I/II

      ISC has been operating the DNSSEC Look-aside validation registry for several years now. DLV allows a DNSSEC domain to validate before its parent is DNSSEC signed. We believe that the time has come to wean people off of this transition mechanism, and back onto using the chain of trust to the root.
      Speaker: Mr Jim Martin (ISC)
      Slides
    • 2:45 PM 3:00 PM
      ANSSI DNS guidelines 15m Heian I/II

      ANSSI published in May 2014 a document written in French, which lists a set of best current practices to improve the resiliency of the DNS. This document's target audience is the French administration, French companies and the general public. The guidelines cover the organizational, juridical and technical aspects that a domain name holder should consider when choosing a domain name and the various DNS service providers that could be part of the domain name operations. This presentation will list ANSSI's recommendations, and will try and prompt the public for inputs in order to determine if the DNS community thinks this document ought to be translated into a more vehicular language.
      Speaker: Mr Florian Maury (ANSSI/FNISA)
      Slides
    • 3:00 PM 3:10 PM
      Popularity ranking for domains based on DNS traffic 10m Heian I/II

      This will be a lightning talk to present a technique from text mining applied to DNS traffic. By using the TF-IDF method, it's possible to identify which domain names are more relevant to a set of IP addresses, and comparing a large volume of DNS traffic can provide insights of general domain name behaviour. This is a PoC, and there will be visualizations.
      Speaker: Mr Sebastian Castro (.nz Registry Services)
      Slides
    • 3:10 PM 3:20 PM
      Real time analytics applied to DNS traffic traces 10m Heian I/II

      DNS stream analysis is an appropriate environment to work with real time analytics due to the extremely large amount of queries that needs to be processed per second. There are some tools used to analyze DNS traffic, such as DSC, DSCng or Bumblebee, but they focus on statistical analysis, mainly providing visualization of data aggregations. We will show our system design for a filtering and grouping tool based on the Apache Storm streaming framework, in order to analyze a live stream of DNS packets received by a cloud of DNS servers, and some basic results from testing our prototype analyzing the traces recorded at DITL. By developing this Storm based tool we also aim to help DNS admins to monitor some general statistics of their servers as the other tools do, such as the historical percentages of query types, query volume or alternative metrics like the current state of load balancing between servers. Another goal we have is to analyze the historical data of the specific DNS traffic to determine what is the normal behavior of the statistics mentioned above.
      Speaker: Mr Francisco Cifuentes (NIC Chile Research Labs)
      Slides
    • 3:20 PM 3:50 PM
      Afternoon Coffee Break 30m Foyer Okura

    • 3:50 PM 4:05 PM
      dnsdist - DNS, latency and DoS-aware load balancing 15m Heian I/II

      Recently, DNS systems have been under sustained attack via open relays or dedicated sources of malicious traffic. Simultaneously, many operators note poor support for DNS within their existing load balancing solutions. It has been noted that load balancing DNS is not like load balancing HTTP. For example, one highly loaded server delivers better response times than 10 lightly loaded servers. dnsdist offers realtime insight into DNS traffic patterns, and couples this with innovative blocking, modifying and query distribution strategies. Such strategies can either be implemented statically (but configured from Lua) or fully dynamically (entirely hosted by Lua). dnsdist is open source and not PowerDNS specific.
      Speaker: Mr bert hubert (PowerDNS)
      Slides
    • 4:15 PM 4:30 PM
      RSSAC-002: OARC's efforts and Analysis 15m Heian I/II

      An overview of RSSAC-002 metrics and OARC's efforts to collect them from various root server operators. Also includes a preliminary analysis of the content.
      Speaker: Mr William Sotomayor (DNS-OARC)
      Slides
    • 4:30 PM 4:50 PM
      AS112 Operations and Surveys 20m Heian I/II

      This presentation is an overview of current AS112 happenings as well as the latest survey of detected AS112 nodes with a focus on research networks and AS112.
      Speaker: Mr William Sotomayor (DNS-OARC)
      Slides
    • 4:50 PM 5:05 PM
      Increase of Root and JP queries 15m Heian I/II

      It's said that the load on DNS is still increasing and queries to root and TLD DNS servers are still increasing. However, there is no material which indicates the increase of queries to root and TLD DNS servers. This presentation tries to show the increase of root and JP TLD DNS server queries and appeals for evidence gathering about the increase of queries to DNS servers. (about 10 minutes without questions)
      Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      Slides
    • 5:05 PM 5:35 PM
      Update on the DNS Root Key Rollover work 30m Heian I/II

      Ed Lewis from ICANN will be presenting about the status of the work led by ICANN to execute a Root Zone KSK rollover. There will be space for discussion and feedback.
      Speaker: Mr Edward LEWIS (ICANN)
      Slides