OARC 32 Registration now open. Click the Registration Page for details.

OARC 32 (San Francisco, CA, USA)

Hyatt Regency San Francisco

5 Embarcadero Center San Francisco CA 94111 United States
Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)

DNS-OARC is coming to San Francisco, CA for its 32nd Workshop!

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research, with attendees from NANOG 78 and EDDI February Meet Up particularly welcome this time around - as OARC 32 takes place in the same venue, right before EDDI February and NANOG 78.

This will be a one-day workshop on the Saturday (February 8th) with some additional activities (tutorials & Member-only round-table) and an EDDI Meet Up (hosting support by DNS-OARC) on Sunday 9th.




Annual Workshop Patrons for 2020 are available. Details at: https://www.dns-oarc.net/workshop/patronage-opportunities





Sponsorship opportunities for OARC 32 are available. Details at: https://www.dns-oarc.net/workshop/sponsorship-opportunities


Twitter hashtag: #OARC32

Sponsors: We have various sponsor opportunities for OARC workshops.

If your organization is interested in sponsoring OARC workshops, please e-mail sponsor@dns-oarc.net for more information.

  • Adam Phelps
  • Anand Buddhdev
  • Anbang Wen
  • Andrey Gusev
  • Andy Seabolt
  • Arman Baratifar
  • Baula Xu
  • Brantly Millegan
  • Brian Dickson
  • Brian Hartvigsen
  • Brian Luke
  • Brian Somers
  • Dan Mahoney
  • Dave Knight
  • David Blacka
  • David Lawrence
  • David Miller
  • Denesh Bhabuta
  • Dina Kozlov
  • Donavan Fritz
  • Duane Wessels
  • Eddy Winstead
  • Edward Lewis
  • Eli Lindsey
  • Elmar K. Bins
  • Enno Rey
  • Eric Rescorla
  • Erik Bishop
  • Fred Baker
  • Gavin Brown
  • Gavin McCullagh
  • Geoff Horne
  • Glenn Deen
  • Guobao Sun
  • Han Zhang
  • Ivan Laktyunkin
  • Jacques Latour
  • Jake Zack
  • James Li
  • Jan Včelák
  • Jeff Osborn
  • Jerry Lundström
  • Jesse Blazina
  • Jessy Vetter
  • Jinyuan Feng
  • Johan Stenstam
  • John Kristoff
  • John Todd
  • Jonathan Reed
  • Jorge Cano
  • Keith Mitchell
  • Leslie Daigle
  • Libor Peltan
  • Lu Zhao
  • Manu Bretelle
  • Mark Dokter
  • Matt Larson
  • Matthew Dell
  • Matthew Pounsett
  • Mauricio Vergara Ereche
  • Michael Batchelder
  • Michael McNally
  • Miles McCredie
  • Nicolai Leymann
  • Ondřej Surý
  • Patrik Fältström
  • Paul Adair
  • Paul Ebersman
  • Paul Hoffman
  • Paul Mockapetris
  • Paul Vixie
  • Peter DeVries
  • Peter Hagopian
  • Phelps Williams
  • Puneet Sood
  • Ralf Weber
  • Ralph Dolmans
  • Ray Bellis
  • Robert Edmonds
  • Robert Jerrells
  • Rod Rasmussen
  • Shumon Huque
  • Steve DeJong
  • Susan Graves
  • Suzanne Woolf
  • Tom Arnfeld
  • Tom Flannagan
  • Tom Pusateri
  • Ulrich Wisser
  • Vicky Risk
  • Vincent Levigneron
  • Wayne MacLaurin
  • Wes Hardaker
  • Yang Yu
  • Saturday, 8 February
    • 09:00 09:15
      Introduction to DNS-OARC 15m

      Introduction to DNS-OARC.

      Speaker: Mr. Keith Mitchell (DNS-OARC)
    • 09:15 09:45
      DNSSEC Recursive Resolution From the Ground Up 30m

      RFC4033 introduced DNSSEC back in 2005. There are now many recursive
      resolver implementations which have evolved over the past 15 years,
      but implementing something from scratch can be a dangerous path.
      Are our RFCs clear? Are all of the "understood" pitfalls clear?

      This talk looks at OpenDNS/Cisco's path to DNSSEC support in their
      recursive resolver. It goes from understanding the protocol to
      coming up with a development and deploy strategy. Preparing the
      existing DNSSEC-unaware codebase was a difficult step, as was
      arranging our task board so that we could parallelize development.
      The implications of NSEC and NSEC3 were unexpected and the effect
      of wildcard records on validation behaviour was a surprise. There
      were even several points where RFCs were simply mis-read, causing
      turmoil way down the road (repeat something often enough and we all
      believe it's the truth!). Finally, executing on our deployment
      strategy didn't play out as expected.

      Maybe our path is unsurprising, but it's a story worth telling!

      Speaker: Brian Somers (OpenDNS, FreeBSD)
    • 09:45 10:15
      The Different Ways of Minimizing ANY 30m

      The DNS Protocol has features that have grown to become liabilities. The query type "ANY" is one. Earlier this year a published RFC document describes how a DNS server may respond to such queries while reducing the liability. But the document does not define a definitive means for a server to signal that it is differing from the original protocol. This presentation measures the impact of having no definitive means specified and examines the "fear, uncertainty, and doubt" of lacking explicit signals.

      Speaker: Mr. Edward Lewis (ICANN)
    • 10:15 10:30
      DNS response rate speedup by using XDP 15m

      For an authoritative DNS server, high response rate is not only useful to serve many clients, but also to withstand some flood attack attempts. While the basic answering routines are well optimized in most open-source DNS servers, profiling disclosed that 30% to 70% of CPU time of a highly-loaded server is spent on network I/O. It's not that Linux syscalls would be ineffectively implemented, but they do too much: firewall, routing, queuing, etc.

      Using Berkeley Packet Filter, we can capture DNS-over-UDP packets before they arrive at the Linux network stack, while passing the other traffic to the stack. Further, using eXpress Data Path, we can process the captured packets in our DNS application, and send the responses also bypassing the Linux stack.

      In my talk, I will summarize the feature design, examine the obvious and hidden limitations, and share practical experiences from implementing XDP in the Knot DNS authoritative server.

      Speaker: Libor Peltan (CZ.NIC)
    • 10:30 11:00
      Morning Break 30m
    • 11:00 11:30
      Motives and Methods for Managed Private Network DNS 30m

      With Resolverless DNS, and before that DNS over HTTPS, and soon HTTP/3 (QUIC), the web industry is making a very strong attempt to completely control the DNS metadata required for web browsers to reach web services. While there are some political aspects to this redrawing of the DNS resolution path, there are also security implications for operators of managed private networks which are not public, are not regulated, and have no "customers". These operators have reasons they consider important for keeping DNS resolution out of the hands of device, browser, and other app makers. In this presentation, Dr. Vixie will enumerate the DNS-related risks posed to operators of managed private networks by the increasing dominance of DNS-related web industry ambitions. Some proposals will be described as to the costs and benefits of absolute insistence upon local network control over DNS resolution.

      Speaker: Paul Vixie (Farsight Security)
    • 11:30 12:00
      DNS Encryption Operational Experience and Insights 30m

      ISPs play an essential role in the internet ecosystem and the new DNS encryption protocols change the landscape, introducing numerous new architectural and operational issues for their DNS resolution infrastructure. This presentation will cover deployment practices based on early implementations at numerous ISPs around the world. It will also discuss operating considerations introduced by the changes to the legacy DNS protocol. Data and insights from live servers will also be presented.

      Speakers: Ralf Weber (Akamai Technologies), Mr. Mark Dokter (Akamai)
    • 12:00 12:30
      Status of DoH/TRR in Firefox 30m

      Mozilla has been working to deploy DNS over HTTPS (DoH) in Firefox. We
      report on the status of Mozilla's deployment, learnings from our
      rollout so far, our Trusted Recursive Resolver (TRR) program, and
      the future evolution of DoH/TRR.

      Speaker: Eric Rescorla (Mozilla)
    • 12:30 14:00
      Lunch Break 1h 30m
    • 14:00 14:30
      The Present and Future of BIND 9 30m

      A discussion of recent development work in BIND 9, including the "DNSSEC Made Easy" key and signing policy features, and advanced new networking code for improved performance and easier implementation of DNS-over-TLS and DNS-over-HTTPS in the next release.

      Speaker: Evan Hunt (ISC)
    • 14:30 15:00
      Updates to F-Root 30m

      This presentation will cover recent changes in ISC's F-root system, including how we have evolved from using legacy routers and hardware, to working with single-box solutions designed to work within a peering exchange.

      Brief mentions will be made about tooling on both the frontend and the backend, as well as routing table discoveries, and operating system choices, and some unexpected lessons learned.

      Speaker: Dan Mahoney (ISC)
    • 15:00 15:30
      Using the Ethereum blockchain to complement and expand the capabilities of DNS 30m

      The open source project Ethereum Name Service (ENS) is the leading blockchain-based naming infrastructure project. Managed by a small non-profit with support of the Ethereum Foundation, today we provide naming mostly for the cryptocurrency wallet naming space (we have around 50 wallets signed up) and the emerging decentralized (IPFS-based) web (native integration in Opera, a few blockchain-focused mobile browsers, and others via extension).

      But we're also doing research on using blockchain technology to serve the existing DNS tech stack, as well as various projects with EnCirca, .KRED, .ART, and others in the DNS space.

      This presentation will be a quick overview of how our system works, how it serves the DNS namespace (including how we've integrated that namespace for use on our system), and our ideas of how it can complement the existing DNS.

      Speaker: Mr. Brantly Millegan (Ethereum Name Service (ENS))
    • 15:30 16:00
      Afternoon Break 30m
    • 16:00 16:30
      Forever Young - TTL and RRSIG lifetimes 30m

      A deep dive into the world of TTL values of the ccTLD world. Which values are used and why? Guidelines for choosing TTL values and the interdependencies of TTL values. A closer look at RRSIG lifetimes, the interdependencies on TTL values and what RRSIG lifetimes mean for disaster recovery, including a view on real-life examples.

      Speaker: Ulrich Wisser (IIS)
    • 16:30 16:45
      DNS Analysis and Threats with IPv6 Automatic Transition Mechanisms 15m

      Large content providers such as Google and Akamai report that at least 20% of all client systems are using IPv6 and that most do so using native IPv6 transport. Until recently, Microsoft Windows operating systems shipped with 6to4, ISATAP, and Teredo IPv6 transition mechanisms enabled by default. While these transition mechanisms are widely panned and increasingly obsolete, for millions of systems they are turned on and ready to be activated, and for many systems, they are used when only IPv4 transport is available. This talk summarizes DNS aspects of recent research work exploring the dangers that linger from these transition mechanisms. A very brief technical overview of 6to4, ISATAP, and Teredo IPv6 automatic transition mechanisms will be provided.

      Speaker: John Kristoff
    • 16:45 17:00
      TBD: Talk pending confirmation
    • 17:00 17:30
      Lightning Talks

      Lightning Talks session
