Conveners
Joint OARC & CENTR-Tech Public Workshop: Day 1, Session 1 (OARC Update)
- Keith Mitchell (DNS-OARC)
Joint OARC & CENTR-Tech Public Workshop: Day 1, Session 2
- Anand Buddhdev (RIPE NCC)
Joint OARC & CENTR-Tech Public Workshop: Day 1, Session 3
- Shumon Huque (Salesforce)
Joint OARC & CENTR-Tech Public Workshop: Day 2, Session 1
- Piet Barber (Verisign)
Joint OARC & CENTR-Tech Public Workshop: Day 2, Session 2
- Robert Edmonds (Fastly, Inc.)
Joint OARC & CENTR-Tech Public Workshop: Day 2, Session 3
- Ralph Dolmans (NLnet Labs)
Joint OARC & CENTR-Tech Public Workshop: Lightning Talks
- There are no conveners in this block
Cloudflare has launched support for DoT and DoH for its 1.1.1.1 resolver from day 1. With DNS traditionally carried over UDP, moving to connection-based and encrypted transport protocols brings new operational challenges. This talk will cover the protocol uptake, deployment challenges with both protocols, as well as the feasibility and overhead for providing the service. It will show the...
Verisign is planning to make a few changes to the operation of its TLDs in the coming months. These changes include increasing the truncation limit on large responses, increasing ZSK strength, reducing TTLs, and elimination of “cross-zone glue.” In this short presentation we explain the nature of the changes, the rationale, and when possible provide estimated timelines for their deployment.
In CZ.NIC, we completed our third DNSSEC KSK rollover in June. It was our second algorithm rollover and it resulted in the first use of the ECDSA algorithm for a DNSSEC KSK in the TLD space. The talk will summarize how we got to the situation where ECDSA is the most used DNSSEC algorithm in the .CZ zone, how the conservative algorithm rollover was done, and what we have learned during the whole...
On 20 and 21 April 2017, the RIPE DNS measurements hackathon took place. Our team created DNSThought: a measurements analysis portal providing insight into caching resolvers' availability and capabilities. In the context of the project, permanently running measurements were started for all resolvers of all probes in RIPE Atlas, measuring:
- Resolver identity (what IPs are seen at the...
Afnic has been working for a while towards the objective of extending DNS for IoT use cases. Previously, Afnic worked with the GS1 standards organisation (Barcode/RFID registry for the supply chain industry), and contributed to the evolution of the Object Naming Service (ONS) standard [EPCglobal standard]. The ONS standard uses DNS as an overlay for service discovery. The use cases are - "track...
As noted recently, "getting" DNS now requires reading 2000 pages of RFCs. This partially explains the dire quality of new (closed source) DNS implementations. Hello-DNS is an effort to make DNS more accessible by explaining it in modern language, in the right order. This project has now also spawned a 'teachable authoritative server' (TDNS) which attempts to be a display of best-practices and...
A traditional route for DNS traffic capture is to record traffic in PCAP format. Recorded files are compressed and used as input for subsequent processing. PCAP files, though, suffer from two disadvantages; they record much transport layer data that is unnecessary, and compression requires significant system resources.
The C-DNS file format...
Internet bad actors have long been known to register look-alike domains and stand up phishing sites and create spam campaigns in order to hoodwink users into revealing personal information including login credentials, credit card numbers and social security numbers. Detecting and combatting criminal activity related to look-alike domains becomes a much more difficult problem when you start...
Using DNS traffic observed at the .nz nameservers, hand-curated monitoring and resolver addresses, feature engineering and machine learning, we are able to identify resolver behaviour using traffic from an authoritative nameserver. This technique can be extended to detect other patterns, like validating resolvers or QNAME minimisation.
This talk will review the latest evolutions in encrypted DNS transports and the concept of 'Trusted Recursive Resolvers' (TRRs) from the operators perspective.
Mozilla and Firefox have partnered to operate a DoH (DNS-over-HTTPS) service for Firefox. There are currently no discovery mechanisms for DoH services (or Strict DNS-over-TLS) and as a result clients wanting to use them must use...
https://www.sidnlabs.nl/downloads/papers-reports/isi-tr-725.pdf
In 2017, we started a cycle of security exercises for our organisation so as to be prepared to face DNS major attack / outage scenarios (e.g. DDoS attack, zone file corruption...). While the first edition was focused on IT response skills, with some crisis management, the second one was more meant to cover - as much as possible – all relevant aspects one organization must handle should a major...
"Message Digest for DNS Zones" is a new Internet Draft describing a protocol and DNS Resource Record used to provide a message digest over DNS zone data. Although DNSSEC signs individual RRsets that can be validated, it is not sufficient in general because zones may also contain unsigned data (delegations and glue). This protocol can verify all data in a zone file.
In this presentation I...
In a cooperative effort, .CL and .NZ collected data about how many domains will be affected by the DNS Flag Day changes on February 1st, 2019. We compare our results with ISC's efforts over the general TLD space and the Alexa Top 1000 domains.
Major vendors of DNS software are going to remove workarounds for some types of EDNS non-compliance on February 1st, 2019. What impact can we expect?
In this talk we will look at EDNS compliance measurements on real TLD zones and evaluate the worst-case scenario.
Standard DNS does not allow CNAME records to coexist with other normal data, which is sometimes confusing for non-DNS experts who want to redirect one domain to the other, like example.com. -> example.net. Various actors invented their own solution, be it ALIAS or ANAME RR types with non-standard backend software, and some others decided to just ignore the CNAME limitation in...