OARC 32 (San Francisco, CA, USA)

America/Los_Angeles
Bayview Room (Hyatt Regency San Francisco)

Bayview Room

Hyatt Regency San Francisco

5 Embarcadero Center San Francisco CA 94111 United States
Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)
Description

DNS-OARC is coming to San Francisco, CA for its 32nd Workshop!

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research, with attendees from NANOG 78 and EDDI February Meet Up particularly welcome this time around - as OARC 32 takes place in the same venue, right before EDDI February and NANOG 78.


This will be a one-day workshop on the Saturday (February 8th) with some additional activities (Member-only round-table) and a EDDI Meet Up (hosting support by DNS-OARC) on Sunday 9th.


WORKSHOP PATRONS 2020


PROMOTER

Verisign

Annual Workshop Patrons for 2020 are available. Details at: https://www.dns-oarc.net/workshop/patronage-opportunities



OARC 32 SPONSORS


DELUXE

Comcast  

 

Sponsorship opportunities for OARC 32 are available. Details at: https://www.dns-oarc.net/workshop/sponsorship-opportunities


Video:

Jabber Chatroom: xmpp:dns-operations@conference.dns-oarc.net

Twitter hashtag: #OARC32

Sponsors: We have various sponsor opportunities for OARC workshops.

If your organization is interested in sponsoring OARC workshops, please e-mail sponsor@dns-oarc.net for more information.

OARC Members
Participants
  • Adam Phelps
  • Anand Buddhdev
  • Anbang Wen
  • Andrew Chen
  • Andrey Gusev
  • Andy Seabolt
  • Arman Baratifar
  • Baula Xu
  • Brantly Millegan
  • Brian Dickson
  • Brian Hartvigsen
  • Brian Luke
  • Brian Somers
  • Bruce Van Nice
  • Casey Deccio
  • Dan Mahoney
  • Dave Knight
  • David Blacka
  • David Lawrence
  • David Miller
  • Denesh Bhabuta
  • Dina Kozlov
  • Donavan Fritz
  • Duane Wessels
  • Eddy Winstead
  • Edward Lewis
  • Eli Lindsey
  • Elmar K. Bins
  • Enno Rey
  • Eric Rescorla
  • Erik Bishop
  • Evan Hunt
  • Fred Baker
  • Gavin Brown
  • Gavin McCullagh
  • Geoff Horne
  • Glenn Deen
  • Guobao Sun
  • Han Zhang
  • Ivan Laktyunkin
  • Jacques Latour
  • Jake Zack
  • James Li
  • Jan Včelák
  • Jeff Osborn
  • Jerry Lundström
  • Jesse Blazina
  • Jessy Vetter
  • Jinyuan Feng
  • Johan Stenstam
  • John Kristoff
  • John Todd
  • Jonathan Reed
  • Jorge Cano
  • Keith Mitchell
  • Leslie Daigle
  • Libor Peltan
  • Lu Zhao
  • Manu Bretelle
  • Mark Brady
  • Mark Dokter
  • Matt Larson
  • Matthew Dell
  • Matthew Pounsett
  • Mauricio Vergara Ereche
  • Michael Batchelder
  • Michael McNally
  • Miles McCredie
  • Nicolai Leymann
  • Ondřej Surý
  • Patrik Fältström
  • Paul Adair
  • Paul Ebersman
  • Paul Hoffman
  • Paul Mockapetris
  • Paul Vixie
  • Peter DeVries
  • Peter Hagopian
  • Phelps Williams
  • Puneet Sood
  • Ralf Weber
  • Ralph Dolmans
  • Ray Bellis
  • Robert Edmonds
  • Robert Jerrells
  • Rod Rasmussen
  • Shumon Huque
  • Steve DeJong
  • Susan Graves
  • Suzanne Woolf
  • Todd Medbury
  • Tom Arnfeld
  • Tom Flannagan
  • Tom Pusateri
  • Tyson Vinson
  • Ulrich Wisser
  • Vicky Risk
  • Vincent Levigneron
  • Wayne MacLaurin
  • Wes Hardaker
  • Yang Yu
  • YI SONG
  • Saturday, 8 February
    • 08:00 09:00
      Registration & Coffee 1h Bayview Room Foyer A

      Bayview Room Foyer A

      Hyatt Regency San Francisco

      5 Embarcadero Center, San Francisco, CA 94111, United States
    • 09:00 09:15
      Introduction to DNS-OARC 15m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      Introduction to DNS-OARC.

      Speaker: Mr Keith Mitchell (DNS-OARC)
    • 09:15 09:45
      DNSSEC Recursive Resolution From the Ground Up 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      RFC4033 introduced DNSSEC back in 2005. There are now many recursive
      resolver implementations which have evolved over the past 15 years,
      but implemeneting something from scratch can be a dangerous path.
      Are our RFCs clear? Are all of the "understood" pitfalls clear?

      This talk looks at OpenDNS/Cisco's path to DNSSEC support in their
      recursive resolver. It goes from understanding the protocol to
      coming up with a development and deploy strategy. Preparing the
      existing DNSSEC-unaware codebase was a difficult step, as was
      arranging our task board so that we could parallelize development.
      The implications of NSEC and NSEC3 were unexpected and the effect
      of wildcard records on validation behaviour was a surprise. There
      were even several points were RFCs were simply mis-read, causing
      turmoil way down the road (repeat something often enough and we all
      believe it's the truth!). Finally, executing on our deployment
      strategy didn't play out as expected.

      Maybe our path is unsurprising, but it's a story worth telling!

      Speaker: Brian Somers (OpenDNS, FreeBSD)
    • 09:45 10:15
      The Different Ways of Minimizing ANY 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      The DNS Protocol has features that have grown to become liabilities. The query type "ANY" is one. Earlier this year a published RFC document describes how a DNS server may respond to such queries while reducing the liability. But the document does not define a definitive means for a server to signal that it is differing from the original protocol. This presentation measures of the impact of having no definitive means specified and examines the "fear, uncertainty, and doubt" of lacking explicit signals.

      Speaker: Mr Edward Lewis (ICANN)
    • 10:15 10:30
      DNS response rate speedup by using XDP 15m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      For an authoritative DNS server, high response rate is not only useful to serve many clients, but also to withstand some flood attack attempts. While the basic answering routines are well optimized in most open-source DNS servers, profiling disclosed that 30% to 70% of CPU time of a highly-loaded server is spent on network I/O. It's not that Linux syscalls would be ineffectively implemented, but they do too much: firewall, routing, queuing, etc.

      Using Berkeley Packet Filter, we can capture DNS-over-UDP packets before they arrive to Linux network stack, while passing the other traffic to the stack. Further, using eXpress Data Path, we can process the captured packets in our DNS application, and send the responses also bypassing the Linux stack.

      In my talk, I will summarize the feature design, examine the obvious and hidden limitations, and share practical experiences from implementing XDP in Knot DNS authoritative server.

      Speaker: Libor Peltan (CZ.NIC)
    • 10:30 11:00
      Morning Break 30m Bayview Room Foyer A

      Bayview Room Foyer A

      Hyatt Regency San Francisco

      5 Embarcadero Center, San Francisco, CA 94111, United States
    • 11:00 11:30
      Motives and Methods for Managed Private Network DNS 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      With Resolverless DNS, and before that DNS over HTTPS, and soon HTTP/3 (QUIC), the web industry is making a very strong attempt to completely control the DNS metadata required for web browsers to reach web services. While there are some political aspects to this redrawing of the DNS resolution path, there are also security implications for operators of managed private networks which are not public, are not regulated, and have no "customers". These operators have reasons they consider important for keeping DNS resolution out of the hands of device, browser, and other app makers. In this presentation, Dr. Vixie will enumerate the DNS-related risks posed to operators of managed private networks by the increasing dominance of DNS-related web industry ambitions. Some proposals will be described as to the costs and benefits of absolute insistence upon local network control over DNS resolution.

      Speaker: Paul Vixie (Farsight Security)
    • 11:30 12:00
      DNS Encryption Operational Experience and Insights 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      ISPs play an essential role in the internet ecosystem and the new DNS encryption protocols change the landscape, introducing numerous new architectural and operational issues for their DNS resolution infrastructure. This presentation will cover deployment practices based on early implementations at numerous ISPs around the world. It will also discuss operating considerations introduced by the changes to the legacy DNS protocol. Data and insights from live servers will also be presented.

      Speakers: Ralf Weber (Akamai Technologies), Mr Mark Dokter (Akamai)
    • 12:00 12:30
      Status of DoH/TRR in Firefox 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      Mozilla has been working to deploy DNS over HTTPS (DoH) in Firefox. We
      report on the status of Mozilla's deployment, learnings from our
      rollout so far, our Trusted Recursive Resolver (TRR) program, and
      the future evolution of DoH/TRR.

      Speaker: Eric Rescorla (Mozilla)
    • 12:30 14:00
      Lunch Break 1h 30m Atrium Lobby

      Atrium Lobby

      Hyatt Regency San Francisco

      5 Embarcadero Center, San Francisco, CA 94111, United States
    • 14:00 14:30
      The Present and Future of BIND 9 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      A discussion of recent development work in BIND 9, including the "DNSSEC Made Easy" key and signing policy features, and advanced new networking code for improved performance and easier implementation of DNS-over-TLS and DNS-over-HTTPS in the next release.

      Speaker: Evan Hunt (ISC)
    • 14:30 15:00
      Updates to F-Root 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      This presentation will cover recent changes in ISC's F-root system, including how we have evolved from using legacy routers and hardware, to working with single-box solutions designed to work within a peering exchange.

      Brief mentions will be made about tooling on both the frontend and the backend, as well as routing table discoveries, and operating system choices, and some unexpected lessons learned.

      Speaker: Dan Mahoney (ISC)
    • 15:00 15:30
      Using the Ethereum blockchain to complement and expand the capabilities of DNS 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      The open source project Ethereum Name Service (ENS) is the leading blockchain-based naming infrastructure project. Managed by a small non-profit with support of the Ethereum Foundation, today we provide naming mostly for the cryptocurrency wallet naming space (we have around 50 wallets signed up) and the emerging decentralized (IPFS-based) web (native integration in Opera, a few blockchain-focused mobile browsers, and others via extension).

      But we're also doing research on using blockchain technology to serve the existing DNS tech stack, as well as various projects with EnCirca, .KRED, .ART, and others in the DNS space.

      This presentation will be a quick overview of how our system works, how it serves the DNS namespace (including how we've integrated that namespace for use on our system), and our ideas of how it can complement the existing DNS.

      Speaker: Mr Brantly Millegan (Ethereum Name Service (ENS))
    • 15:30 16:00
      Afternoon Break 30m Bayview Room Foyer A

      Bayview Room Foyer A

      Hyatt Regency San Francisco

      5 Embarcadero Center, San Francisco, CA 94111, United States
    • 16:00 16:30
      Forever Young - TTL and RRSIG lifetimes 30m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      A deep dive in the world of TTL values of the ccTLD world. Which values are used and why? Guidelines for choosing TTL values and the interdependencies of TTL values. A closer look on RRSIG lifetimes, the interdependencies on TTL values and what RRSIG lifetimes mean for disaster recovery including a view on real life examples.

      Speaker: Ulrich Wisser (IIS)
    • 16:30 16:45
      DNS Analysis and Threats with IPv6 Automatic Transition Mechanisms 15m Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      Large content providers such as Google and Akamai report that at least 20% of all client systems are using IPv6 and that most do so using native IPv6 transport. Until recently, Microsoft Windows operating systems shipped with with 6to4, ISATAP, and Teredo IPv6 transition mechanisms enabled by default. While these transition mechanisms are widely panned and increasingly obsolete, for millions of systems they are turned on and ready to be activated, and for many systems, they are used when only IPv4 transport is available. This talk summarizes DNS aspects of recent research work exploring the dangers that linger from these transition mechanisms. A very brief technical overview of 6to4, ISATAP, and Teredo IPv6 automatic transition mechanisms will be provided.

      Speaker: John Kristoff
    • 16:45 18:15
      Lightning Talks Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      Lightning Talks session

      • 16:45
        Two new tools from work in the RSSAC Caucus 5m

        A lightning talk that describes two tools that might be of general interest to DNS operators. Note: a 5-minute and a 10-minute version are attached. Either might be given.

        Speaker: Paul Hoffman (ICANN)
      • 16:50
        Improving DNSSEC Provisioning with 3rd Party DNS Providers 5m

        A group of DNS engineers have formed a design team to look at improving DNSSEC Provisioning with 3rd party DNS providers. Two issues are being looked at:

        1. DNSSEC requires the registry to have a DS record associated with the zone. When 3rd party DNS providers generate the key(s) and sign the zone, there is no well defined path for providing the DS record to the registry. (Some ccTLDs are implementing RFC 8078.)

        2. If multiple 3rd party DNS providers are serving the same zone, each is signing with its own key, they each need to include the ZSKs (or CSKs) of the other providers. “Multi-Signer DNSSEC Models” defines the general scheme, but there is no well defined protocol for coordination of the cross-signing process between the providers.

        We'll briefly discuss the planned work and tell you how to get involved.

        Speaker: Shumon Huque (Salesforce)
      • 16:55
        DNS Operator Feedback on draft-fujiwara-dnsop-avoid-fragmentation-01 5m

        Not everyone seems to consider DNS fragmentation harmful, and the authors of draft-fujiwara-dnsop-avoid-fragmentation-01 have heard some interesting feedback, which will be anonymized and presented briefly, to inspire ad-hoc bar BOFs to follow.

        Speaker: Paul Vixie (Farsight Security)
      • 17:00
        DNSSEC Algorithm Roll for .ORG 5m

        .ORG was the first gTLD signed with DNSSEC and remains one of the largest, but is still operating on parameters set originally in 2009. PIR, the registry responsible for .ORG, and Afilias, the registry services provider that handles technical operations for .ORG, are reviewing those original parameters and preparing to update them, primarily to move away from SHA1 as the signing algorithm. We want to take others' experience into our planning and make sure we're sharing ours, so this talk is a brief request for input that will inform our decisions and execution.

        Speaker: Suzanne Woolf (PIR)
      • 17:05
        DNS Houses (TLDs only-version) 5m

        Some interesting measurements "divided" by operator

        Speaker: Edward LEWIS (ICANN)
      • 17:10
        A DoT naming, publication, and discovery scheme 5m

        DNS over TLS Discovery

        The DNS over TLS (DoT) protocol is well defined and ideal for client-to-recursive privacy. However, there is currently no way for a client to upgrade its connection to an existing resolver, for a number of reasons.

        This talk concerns the impediments to doing an upgrade, and a proposal for a scheme that solves nearly all of them. The author has a PoC for the scheme, and will share the URI of that.

        Speaker: Brian Dickson (GoDaddy)
    • 18:30 20:30
      Social Event 2h Patriot House

      Patriot House

      2 Embarcadero Center 3rd floor, San Francisco, CA 94111

      http://www.patriothousepub.com/

  • Sunday, 9 February
    • 08:30 09:00
      EDDI Registration 30m Bayview Foyer A

      Bayview Foyer A

      Hyatt Regency San Francisco

      5 Embarcadero Center, San Francisco, CA 94111, United States
    • 09:00 12:30
      Encrypted DNS Deployment Initiative: EDDI February Meet-up Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States
      • 09:00
        Registration 20m
      • 11:00
        Morning Coffee Break 30m
    • 13:30 14:00
      OARC Members' Roundtable Registration 30m
    • 14:00 17:30
      OARC Members: Round Table Bayview Room

      Bayview Room

      Hyatt Regency San Francisco

      5 Embarcadero Center San Francisco CA 94111 United States

      Schedule
      - topics 14:00 - 15:30
      - break 15:30 - 16:00
      - open floor(?) 16:00 - 17:00

      Agenda/topics Ideas
      - agenda-bashing, any other topiics on the day
      - data privacy (board workgroup)
      - is it still a good use of OARC’s resources to maintain DITL and other large datasets, are they being used?
      - the purpose of OARC.. what OARC does best etc.. what other things it could do or not do
      - software licensing
      - reflection on round-table format, and how/whether/when we should do these better in future

      • 14:00
        Registration 30m
      • 16:00
        Afternoon Coffee Break 30m