Mr
Keith Mitchell
(DNS-OARC)
31/03/2016, 10:10
It has been another busy 6 months for the OARC Team. In particular, we're well down the path of executing a plan which will re-locate our primary infrastructure hosting site to multiple new locations. We also have a new staff member recently joined as Software Engineer, and are gearing up for our DITL2016 data gathering exercise shortly after the workshop.
This presentation will update OARC...
Anand Buddhdev
(RIPE NCC)
31/03/2016, 10:35
Member Business
In the last several weeks, the RIPE NCC's DNS infrastructure has experienced some DDoS events. In this presentation, I would like to talk about what we experienced, and how we tried to mitigate the attacks. I will talk about the nature of the attacks, and specifically what kind of methods and tools we used to try and defend our infrastructure.
Sara Dickinson (Sinodun IT), Mr Willem Toorop (NLnet Labs)
31/03/2016, 11:00
Public Workshop
Many new and developing DNS features have emerged in recent years to improve both the security and privacy of DNS (e.g. DNSSEC/DANE and DNS-over-TCP/TLS). A major reason for the lack of uptake and deployment of these features by applications is that existing DNS APIs either do not support the features or do not provide an application friendly interface. To solve this problem the getdns API...
Dr
Javier Bustos-Jiménez
(NIC Chile Research Labs (NICLabs). Universidad de Chile)
31/03/2016, 11:30
Public Workshop
In OARC 22 (Amsterdam) we gave a lightning talk about the possibilities and prospects of using Apache Storm for real-time analytics of DNS packets.
Now, after a year of work, we are glad to present RaTA-DNS, our modular system for realtime analytics. RaTA-DNS was designed as a set of self-contained modules aiming at easy integration with existing systems such as DSC and Hedgehog, and...
Mr
Ralf Weber
(Nominum Inc)
31/03/2016, 13:30
Public Workshop
Much has been written about IPv6 adoption and its performance. One thing that has not been explored is how IPv6 DNS resolution contributes to overall user experience. What impact does transport, authoritative server configuration and other factors have on the “long tail” of domains queried over IPv6? This talk will present experimental results using a data set of approximately 35 million...
Mr
M Wullink
(SIDN)
31/03/2016, 14:00
Public Workshop
SIDN, the registry for the .nl ccTLD, managing 5,6 million .nl domain names, has recently made significant changes to its zone file publication policy:
- A new zone file is now available every hour, instead of every 2 hours.
- The delegation TTL value has been decreased to match the new publishing interval.
- The SOA minimum TTL value has been decreased from 900 to 600 seconds.
We used...
Mr
Bart Gijsen
(TNO)
31/03/2016, 14:30
Public Workshop
At the end of 2015 the Continuous Data-driven Analysis of Root Server System Stability (CDAR)[1] study was started by the consortium partners NLnet Labs, SIDN and TNO. The objective of the CDAR study is to analyze the technical impact of the introduction of New gTLDs in the root zone on the stability and security of the root server system.
With this in mind, we engaged in the collection...
Mr
Stéphane Bortzmeyer
(AFNIC)
31/03/2016, 16:00
Public Workshop
The "DNS privacy" project started at the IETF meeting in Vancouver a few months after the Snowden revelations. What is its current state? A problem statement has been published, RFC 7626. Two directions are followed: QNAME minimisation, to decrease the amount of data sent to the name servers, and encryption, to prevent a sniffer from getting the data.
This talk will present the state of...
Ralph Dolmans
(NLnet Labs)
31/03/2016, 16:30
Public Workshop
Data stored in the DNS is publicly visible. DNS transactions, on the other hand, contain privacy sensitive information. The Snowden revelations about pervasive monitoring are seen as a wake up call for the internet community to increase the focus on privacy protection. One of the privacy threat mitigation methods mentioned in RFC6973, is the principle of data minimisation[0]. The RFC states...
Mr
Ondrej Sury
(CZ.NIC)
01/04/2016, 09:00
Public Workshop
Knot DNS Resolver is a new CZ.NIC project that builds a fully DNSSEC-validating DNS resolver. But it's more: it's a powerful platform for building resolver services due to its extensibility via modules and configuration in Lua.
Mr
Francisco Cifuentes
(NIC Chile Research Labs)
01/04/2016, 09:30
Public Workshop
In the 20th DNS-OARC workshop, we showed a virtual HSM based on threshold cryptography. This system has the purpose to be used with OpenDNSSEC in order to provide a low cost solution to DNS record signing automation. But that system had a single point of failure: the key manager. Single points of failure are undesirable, even more in a fault tolerant distributed system. After a reengineering...
Dr
Casey Deccio
(Verisign Labs)
01/04/2016, 10:00
Public Workshop
The ability to measure network and server behaviors from different network vantage points is important for understanding the general health of a network ecosystem. There are various platforms, frameworks, and APIs designed and built to accommodate this need. In this talk we discuss a new DNS looking glass framework designed for low-overhead deployment and great flexibility, and available for...
Duane Wessels (Verisign), Mr Matt Weinberg (Verisign)
01/04/2016, 11:00
Public Workshop
On November 30 and December 1, 2015, some of the Internet's Domain Name System (DNS) root name servers received large amounts of anomalous traffic. The twelve root operators jointly published a report of the incident (http://www.root-servers.org/news/events-of-20151130.txt). The event also generated spirited discussion and speculation on public mailing lists, website forums, and blog...
Roy Arends
(ICANN)
01/04/2016, 11:30
Public Workshop
In an effort to create all possible 64K keytags for a DNSSEC signing key, an anomaly surfaced that caused 75% of the possible keytags to never appear.
This effort to generate certain cryptographic keys became an adventure in itself that included beautiful discrete math, flawed functions, carefully crafted primes, multiple cryptographic libraries, and some brilliant people.
The result of...
Duane Wessels
(Verisign)
01/04/2016, 12:00
Public Workshop
Verisign, in its role as Root Zone Maintainer, plans to increase the size of the root zone Zone Signing Key (ZSK) in 2016. The ZSK has been a 1024-bit RSASHA256 key since the initial deployment of DNSSEC to the root zone in 2010. In the latter half of 2016, the ZSK size will be increased to 2048-bits.
In this presentation we will outline the schedule for the change, describe various...
Mr
Ondrej Sury
(CZ.NIC)
01/04/2016, 14:00
Public Workshop
A generic testing framework was produced as a part of developing the Knot Resolver. This framework is written in Python and can use UNIX domain sockets to bypass the underlying physical network and fake time using libfaketime. Apart from a short introduction I will show the audience some real-life scenarios for testing the recursive and authoritative DNS servers and how to integrate Deckard...
Mr
Diaz Marco
(NIC Chile)
01/04/2016, 14:30
Public Workshop
NIC Chile, the .CL ccTLD registry, started to offer a secondary name service to its customers as a way to improve the overall internet robustness in Chile more than 10 years ago. We are going to show the evolution of a free of charge service from a unicast IP server to an anycast cloud, and using a sort of "meta-slave" daemon for provisioning the nodes.
Mr
Geoff Huston
(APNIC)
01/04/2016, 14:50
Lightning Presentations
This is intended to be an update to an earlier presentation on the extent to which DNS resolvers are able to perform validation on ECDSA-signed data.
Sara Dickinson
(Sinodun IT)
01/04/2016, 15:15
Mr
Matt Weinberg
(Verisign)
01/04/2016, 15:25
Mr
Stéphane Bortzmeyer
(AFNIC)
01/04/2016, 15:25
Mr
Geoff Huston
(APNIC)
01/04/2016, 16:00
Public Workshop
This is a report of one member's perspectives on the work of the Root Key Roll Design Team, looking at the various operational tradeoffs that were involved in preparing the plan to roll the root key. I would also like to make some comments on the state of standards and implementations of resolvers and the lack of clear standard specifications about how to signal a key roll. Where possible I...
Anand Buddhdev
(RIPE NCC)
01/04/2016, 16:30
Lightning Presentations
Algorithm roll-overs are part of any security system, because older algorithms lose their strength, and stronger and newer algorithms come along. At the RIPE NCC we recently rolled our algorithm from SHA1 to SHA256. We had some interesting issues, and I'd like to talk about them, especially as more people may want to consider rolling their algorithms now.
Amongst these issues were...
Dr Benno Overeinder (NLnet Labs), Dan York (Internet Society), Evan Hunt (ISC), Jan Včelák (CZ.NIC), Mr Ondrej Sury (CZ.NIC), Paul Wouters (Redhat), Mr Ralf Weber (Nominum Inc)
01/04/2016, 17:00
Public Workshop
This is a proposal to have a discussion panel with DNS vendors (ISC, NLnet Labs, PowerDNS, CZ.NIC, Nominum, Microsoft) and people from operating systems and Linux distros (Microsoft, Debian, Ubuntu, RedHat, SuSE) to come and discuss challenges of introducing new and deprecating old DNS(SEC) algorithms.
The proposed moderators are Dan York and Olaf Kolkman as neutral moderators. Also invited...