Conveners
Public Workshop: Operations and Infrastructure
- Ralph Dolmans (NLnet Labs)
Public Workshop: DNSSEC
- Robert Edmonds (Fastly, Inc.)
Public Workshop: Software
- Anand Buddhdev (RIPE NCC)
Public Workshop: Key Rolling
- Shumon Huque (Salesforce)
Public Workshop: Measurement
- Piet Barber (Verisign)
Public Workshop: Protocol Development
- Ralph Dolmans (NLnet Labs)
Public Workshop: Privacy
- Shumon Huque (Salesforce)
Mr
Manu Bretelle
(Facebook)
08/03/2018, 11:30
Public Workshop
Standard Presentation
At Facebook, we leverage the DNS for multiple purposes. Internally, we use it to access servers via hostnames, service discovery and load balancing. Externally, our authoritative nameservers are helping us in steering the traffic of the people using our products to a point of presence that will provide them with the best experience.
With constant churn in our infrastructure, cluster coming up...
Robert Edmonds
(Fastly, Inc.)
08/03/2018, 12:00
Public Workshop
Virtually all client devices in homes connected to the Internet obtain recursive DNS server settings automatically. A home LAN can be expected to provide DHCP service, and DHCP can be expected to provide DNS servers that provide some minimal baseline of DNS service.
While many Internet users are completely unaware of the critical service that the DNS provides, a technically savvy user...
Pallavi Aras
(Salesforce),
Shumon Huque
(Salesforce)
08/03/2018, 14:00
Public Workshop
Standard Presentation
This talk will give an overview of our planning and efforts so far to deploy DNSSEC for a large enterprise with a complex infrastructure, involving the services of several managed DNS providers. It will start by outlining our specific requirements and design choices (e.g. signing algorithms, authenticated denial mechanisms, signing of dynamically generated records, key rollover schedules,...
Mr
Petr Špaček
(CZ.NIC)
08/03/2018, 14:30
Public Workshop
Standard Presentation
In this presentation we will analyze data from real recursors to quantify the impact of RFC 8198 on real traffic. Was it worth the effort, or is it a waste of energy to implement it?
Roy Arends
(ICANN)
08/03/2018, 15:00
Public Workshop
Standard Presentation
When a DNSSEC Key Signing Key (KSK) is rolled, the Delegation Signer (DS) records in the parent are updated as well. A DS record contains the "Digest Type" used to produce the digest over the KSK. Care must be taken when "rolling" the digest type during a KSK roll. It may well cause the entire zone to become bogus.
My presentation will show how a Top Level Domain went unreachable due to an...
Mr
Joseph Crowe
(Comcast)
08/03/2018, 15:30
Public Workshop
Standard Presentation
This presentation will go over some of the issues and basic processes that happen at a large ISP in regards to implementing Negative Trust Anchors.
This will include going over:
- How to determine DNSSEC is broken.
- Determine severity of allowing failed site to stay in state
- Process on when to put in an NTA
- Basic automation efforts around implementation of NTA
Mr
Ondrej Sury
(Internet Systems Consortium)
08/03/2018, 16:30
Public Workshop
Standard Presentation
BIND 9 is now 17 years old, the latest stable version 9.12 was released in December and the BIND 9 Team has adopted changes to adapt to the ever-changing Internet landscape.
Mr
Jerry Lundström
(DNS-OARC)
08/03/2018, 17:00
Public Workshop
Standard Presentation
# Background
Over the last two years I've been working on reducing the duplicated code that exists between OARC software.
This created a bunch of helper libraries, code that can be added as a git submodule to each software, to handle PCAPs, config files and more.
These libraries also helped create drool, DNS Replay Tool, and whatever functionality that was missing got added and more...
Matt Larson
(ICANN)
09/03/2018, 09:30
Public Workshop
Standard Presentation
After the root KSK roll originally intended for 11 October 2017 was postponed because of newly available trust anchor data reported by RFC 8145-capable resolvers, ICANN undertook an investigation to better understand that data and develop a plan for going forward. ICANN has collected community feedback and will publish that plan in early February. This presentation covers ICANN's findings...
Warren Kumari
(N/A)
09/03/2018, 10:00
Public Workshop
Standard Presentation
The KSK Roll is coming -- but we still don't have good visibility into what the effects will be.
KSK Sentinel (draft-ietf-dnsop-kskroll-sentinel) provides a way to measure what the **user** effect will be (and also allows mass measurement, using ads).
Mr
Martin Hoffmann
(Open Netlabs BV)
09/03/2018, 10:30
Public Workshop
Standard Presentation
As part of the assessment of the risk of rolling the root zone’s KSK, Verisign commissioned us to perform tests of the implementation of RFC 5011 support in past and present releases of the three open source DNS resolvers Unbound, BIND, and Knot Resolver with regards to the possible sequences of the roll of the root trust anchor. They kindly allowed us to share our findings.
The...
Mr
Alejandro Acosta
(LACNIC)
09/03/2018, 11:30
Public Workshop
Standard Presentation
*Introduction*
As all of you know, having DNS servers considered Open Resolvers is very negative, both for those who leave the service open, for the Internet and for online security. To read about Open Resolvers I recommend reading this link: https://www.certsi.es/blog/dns
*Identifying DNS Open Resolvers in IPv6 (open DNS servers)*
Identifying Open Resolvers servers or open DNS...
Paul Hoffman
(ICANN)
09/03/2018, 11:45
Public Workshop
Standard Presentation
The DITL data collected at DNS-OARC can be used for a variety of research. Here, I analyze QNAMEs in queries to the roots during the DITL 2017 to look at the prevalence of collisions for strings from earlier collision studies (such as "corp" and "home") as well as leakage from TLDs that are not expected to be in the root zone at all. This required looking at the entire dataset, collecting just...
Mr
Geoff Huston
(APNIC), Mr
Joao Luis Silva Damas
(Bond Internet Systems)
09/03/2018, 12:15
Public Workshop
Standard Presentation
Using queries issued by our test environment targeted at the root servers, we analyse DNS traffic observed at the resolver used by the client, the anycast nodes at which the queries arrived and correlate this to the geographical location of the originating client to analyse the effectiveness of the routing system in delivering traffic to the closest Anycast node.
As a by-product we take a...
Mr
Geoff Huston
(APNIC), Mr
Joao Luis Silva Damas
(Bond Internet Systems)
09/03/2018, 14:00
Public Workshop
Standard Presentation
Recently, L. Song, 宋林健, of BII proposed the use of Additional Truncated Responses (draft-song-atr-large-resp-00) as a way to improve resolution success rates for clients in the presence of large DNS responses.
We are using our large distributed measurement platform to evaluate the effect of the proposed behaviour by implementing a modified DNS server that implements ATR behaviour. This talk...
Mr
Kazunori Fujiwara
(Japan Registry Services Co., Ltd)
09/03/2018, 14:30
Public Workshop
Standard Presentation
Three drafts proposed that authoritative servers respond with additional resource records to pre-populate resolvers' cache. The author made an authoritative server patch to add additional A/AAAA/NSEC RRs in the additional section when the server receives an A or AAAA query. This talk reports evaluation results of multiple responses and considerations. It contains a brief introduction of...
Annie Edmundson
(Princeton University),
Paul Schmitt
(Princeton University)
09/03/2018, 14:45
Public Workshop
Standard Presentation
It is well known that DNS leaks information that an Internet user may want to keep private, such as the websites she is visiting, user identifiers, MAC addresses, and the subnet in which she is located. This information can be visible to a 3rd party eavesdropping on the communication between a client and a recursive resolver, or even between a recursive resolver and an authoritative server. ...
Laura Roberts
(Princeton University)
09/03/2018, 15:30
Public Workshop
Standard Presentation
Previous attacks that link the sender and receiver of traffic in the Tor network ("correlation attacks") have generally relied on analyzing traffic from TCP connections. The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. Our work quantifies how DNS...
Wes Hardaker
(USC/ISI)
09/03/2018, 16:00
Public Workshop
Standard Presentation
Processing of all DNS requests starts at the root of the DNS tree and either makes use of cached data from previous requests or traverses the DNS tree for the missing information. When *QNAME minimization* is not in use, queries forwarded to the parental nodes in the DNS tree may leak private DNS query data. In this paper we examine 31 days during the month of January 2017 of...