Duane Wessels
(Verisign), Mr
Keith Mitchell
(DNS-OARC)
08/03/2018, 09:30
OARC Business
Mr
Jerry Lundström
(DNS-OARC)
08/03/2018, 10:05
OARC Business
Mr
Keith Mitchell
(DNS-OARC)
08/03/2018, 10:25
Duane Wessels
(Verisign), Mr
Keith Mitchell
(DNS-OARC)
08/03/2018, 10:45
Members-Only
A chance to update OARC Members on governance developments with OARC Board representation since the AGM, and a chance for any feedback/discussion.
Mr
Manu Bretelle
(Facebook)
08/03/2018, 11:30
At Facebook, we leverage the DNS for multiple purposes. Internally, we use it to access servers via hostnames, service discovery and load balancing. Externally, our authoritative nameservers are helping us in steering the traffic of the people using our products to a point of presence that will provide them with the best experience.
With constant churn in our infrastructure, cluster coming up...
Robert Edmonds
(Fastly, Inc.)
08/03/2018, 12:00
Public Workshop
Virtually all client devices in homes connected to the Internet obtain recursive DNS server settings automatically. A home LAN can be expected to provide DHCP service, and DHCP can be expected to provide DNS servers that provide some minimal baseline of DNS service.
While many Internet users are completely unaware of the critical service that the DNS provides, a technically savvy user...
Pallavi Aras
(Salesforce),
Shumon Huque
(Salesforce)
08/03/2018, 14:00
This talk will give an overview of our planning and efforts so far to deploy DNSSEC for a large enterprise with a complex infrastructure, involving the services of several managed DNS providers. It will start by outlining our specific requirements and design choices (e.g. signing algorithms, authenticated denial mechanisms, signing of dynamically generated records, key rollover schedules,...
Mr
Petr Špaček
(CZ.NIC)
08/03/2018, 14:30
In this presentation we will analyze data from real recursors to quantify the impact of RFC 8198 on real traffic. Was it worth the effort, or is it a waste of energy to implement it?
Mr
Joseph Crowe
(Comcast)
08/03/2018, 15:30
This presentation will go over some of the issues and basic processes that happen at a large ISP in regards to implementing Negative Trust Anchors.
This will include going over:
- How to determine DNSSEC is broken.
- Determine severity of allowing failed site to stay in state
- Process on when to put in an NTA
- Basic automation efforts around implementation of NTA
Mr
Ondrej Sury
(Internet Systems Consortium)
08/03/2018, 16:30
BIND 9 is now 17 years old; the latest stable version, 9.12, was released in December, and the BIND 9 Team has adopted changes to adapt to the ever-changing Internet landscape.
Mr
Jerry Lundström
(DNS-OARC)
08/03/2018, 17:00
# Background
Over the last two years I've been working on reducing the duplicated code that exists between OARC software.
This created a bunch of helper libraries, code that can be added as a git submodule to each software, to handle PCAPs, config files and more.
These libraries also helped create drool, DNS Replay Tool, and whatever functionality that was missing got added and more...
Warren Kumari
(N/A)
09/03/2018, 10:00
The KSK Roll is coming -- but we still don't have good visibility into what the effects will be.
KSK Sentinel (draft-ietf-dnsop-kskroll-sentinel) provides a way to measure what the **user** effect will be (and also allows mass measurement, using ads).
Mr
Martin Hoffmann
(Open Netlabs BV)
09/03/2018, 10:30
As part of the assessment of the risk of rolling the root zone’s KSK, Verisign commissioned us to perform tests of the implementation of RFC 5011 support in past and present releases of the three open source DNS resolvers Unbound, Bind, and Knot Resolver with regards to the possible sequences of the roll of the root trust anchor. They kindly allowed us to share our findings.
The...
Mr
Alejandro Acosta
(LACNIC)
09/03/2018, 11:30
*Introduction*
As all of you know, having DNS servers considered Open Resolvers is very negative, both for those who leave the service open, for the Internet and for online security. To read about Open Resolvers I recommend reading this link: https://www.certsi.es/blog/dns
*Identifying DNS Open Resolvers in IPv6 (open DNS servers)*
Identifying Open Resolvers servers or open DNS...
Mr
Geoff Huston
(APNIC), Mr
Joao Luis Silva Damas
(Bond Internet Systems)
09/03/2018, 12:15
Using queries issued by our test environment targeted at the root servers, we analyse DNS traffic observed at the resolver used by the client and at the anycast nodes at which the queries arrived, and correlate this to the geographical location of the originating client to analyse the effectiveness of the routing system in delivering traffic to the closest Anycast node.
As a by-product we take a...
Mr
Geoff Huston
(APNIC), Mr
Joao Luis Silva Damas
(Bond Internet Systems)
09/03/2018, 14:00
Recently, L. Song, 宋林健, of BII proposed the use of Additional Truncated Responses (draft-song-atr-large-resp-00) as a way to improve resolution success rates for clients in the presence of large DNS responses.
We are using our large distributed measurement platform to evaluate the effect of the proposed behaviour by implementing a modified DNS server that implements ATR behaviour. This talk...
Mr
Kazunori Fujiwara
(Japan Registry Services Co., Ltd)
09/03/2018, 14:30
Three drafts proposed that authoritative servers respond with additional resource records to pre-populate resolvers' cache. The author made an authoritative server patch to add additional A/AAAA/NSEC RRs in the additional section when the server receives an A or AAAA query. This talk reports evaluation results of multiple responses and considerations. It contains a brief introduction of...
Annie Edmundson
(Princeton University),
Paul Schmitt
(Princeton University)
09/03/2018, 14:45
It is well known that DNS leaks information that an Internet user may want to keep private, such as the websites she is visiting, user identifiers, MAC addresses, and the subnet in which she is located. This information can be visible to a 3rd party eavesdropping on the communication between a client and a recursive resolver, or even between a recursive resolver and an authoritative server. ...
Laura Roberts
(Princeton University)
09/03/2018, 15:30
Previous attacks that link the sender and receiver of traffic in the Tor network ("correlation attacks") have generally relied on analyzing traffic from TCP connections. The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. Our work quantifies how DNS...
Mr
Frederico Augusto de Carvalho Neves
(Nic.br)
09/03/2018, 16:30
Peter DeVries
(Quotient Inc)
09/03/2018, 16:50
Results of testing different versions of BIND with Meltdown / Spectre patches installed on Redhat 7 servers.
Wes Hardaker
(USC/ISI)
09/03/2018, 17:00
I can present either screenshots or a live demo about how we process B-Root specific DITL data with infrastructure at USC/ISI. I'll describe the format we store data in, how it enables us to rapidly perform analysis on it, and how we can do bulk processing of DNS requests after it has been converted to our textual saved format.
Mr
Ondrej Sury
(Internet Systems Consortium), Mr
Petr Špaček
(CZ.NIC),
Ralph Dolmans
(NLnet Labs)
09/03/2018, 17:20
The major open-source DNS server vendors have a plan to deprecate workarounds for broken EDNS implementations in servers. In this lightning talk, we (CZ.NIC, ISC, PowerDNS, NLnet Labs) will announce our plan to remove the workarounds from our DNS servers.