OARC 32 (San Francisco, CA, USA)

8 Feb 2020, 08:00 → 9 Feb 2020, 18:00 America/Los_Angeles

Bayview Room (Hyatt Regency San Francisco)

Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)

DNS-OARC is coming to San Francisco, CA for its 32nd Workshop!

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research, with attendees from NANOG 78 and EDDI February Meet Up particularly welcome this time around - as OARC 32 takes place in the same venue, right before EDDI February and NANOG 78.

---

This will be a one-day workshop on the Saturday (February 8th) with some additional activities (Member-only round-table) and a EDDI Meet Up (hosting support by DNS-OARC) on Sunday 9th.

---

WORKSHOP PATRONS 2020

---

PROMOTER

Annual Workshop Patrons for 2020 are available. Details at: https://www.dns-oarc.net/workshop/patronage-opportunities

---

---

OARC 32 SPONSORS

---

DELUXE

 

Sponsorship opportunities for OARC 32 are available. Details at: https://www.dns-oarc.net/workshop/sponsorship-opportunities

---

Video:

• Morning Session One
• Morning Session Two
• Afternoon Session One
• Afternoon Session Two

Jabber Chatroom: xmpp:dns-operations@conference.dns-oarc.net

Twitter hashtag: #OARC32

Sponsors: We have various sponsor opportunities for OARC workshops.

If your organization is interested in sponsoring OARC workshops, please e-mail sponsor@dns-oarc.net for more information.

Attendee Information

OARC Members Members Report February 2020

Saturday, 8 February

08:00 Registration & Coffee

1 Introduction to DNS-OARC

Introduction to DNS-OARC.

Speaker: Mr Keith Mitchell (DNS-OARC)

OARC32-intro.pdf

Presentation Video

2 DNSSEC Recursive Resolution From the Ground Up

RFC4033 introduced DNSSEC back in 2005. There are now many recursive
resolver implementations which have evolved over the past 15 years,
but implemeneting something from scratch can be a dangerous path.
Are our RFCs clear? Are all of the "understood" pitfalls clear?

This talk looks at OpenDNS/Cisco's path to DNSSEC support in their
recursive resolver. It goes from understanding the protocol to
coming up with a development and deploy strategy. Preparing the
existing DNSSEC-unaware codebase was a difficult step, as was
arranging our task board so that we could parallelize development.
The implications of NSEC and NSEC3 were unexpected and the effect
of wildcard records on validation behaviour was a surprise. There
were even several points were RFCs were simply mis-read, causing
turmoil way down the road (repeat something often enough and we all
believe it's the truth!). Finally, executing on our deployment
strategy didn't play out as expected.

Maybe our path is unsurprising, but it's a story worth telling!

Speaker: Brian Somers (OpenDNS, FreeBSD)

20200201 DNSSEC Recursive Resolution From the Ground Up.pptx

3 The Different Ways of Minimizing ANY

The DNS Protocol has features that have grown to become liabilities. The query type "ANY" is one. Earlier this year a published RFC document describes how a DNS server may respond to such queries while reducing the liability. But the document does not define a definitive means for a server to signal that it is differing from the original protocol. This presentation measures of the impact of having no definitive means specified and examines the "fear, uncertainty, and doubt" of lacking explicit signals.

Speaker: Mr Edward Lewis (ICANN)

DNSOARC32.pdf

4 DNS response rate speedup by using XDP

For an authoritative DNS server, high response rate is not only useful to serve many clients, but also to withstand some flood attack attempts. While the basic answering routines are well optimized in most open-source DNS servers, profiling disclosed that 30% to 70% of CPU time of a highly-loaded server is spent on network I/O. It's not that Linux syscalls would be ineffectively implemented, but they do too much: firewall, routing, queuing, etc.

Using Berkeley Packet Filter, we can capture DNS-over-UDP packets before they arrive to Linux network stack, while passing the other traffic to the stack. Further, using eXpress Data Path, we can process the captured packets in our DNS application, and send the responses also bypassing the Linux stack.

In my talk, I will summarize the feature design, examine the obvious and hidden limitations, and share practical experiences from implementing XDP in Knot DNS authoritative server.

Speaker: Libor Peltan (CZ.NIC)

202002sf_xdp_v4.pdf

10:30 Morning Break

5 Motives and Methods for Managed Private Network DNS

With Resolverless DNS, and before that DNS over HTTPS, and soon HTTP/3 (QUIC), the web industry is making a very strong attempt to completely control the DNS metadata required for web browsers to reach web services. While there are some political aspects to this redrawing of the DNS resolution path, there are also security implications for operators of managed private networks which are not public, are not regulated, and have no "customers". These operators have reasons they consider important for keeping DNS resolution out of the hands of device, browser, and other app makers. In this presentation, Dr. Vixie will enumerate the DNS-related risks posed to operators of managed private networks by the increasing dominance of DNS-related web industry ambitions. Some proposals will be described as to the costs and benefits of absolute insistence upon local network control over DNS resolution.

Speaker: Paul Vixie (Farsight Security)

2020-02 Motives and Methods for Managed Private Network DNS.pptx

6 DNS Encryption Operational Experience and Insights

ISPs play an essential role in the internet ecosystem and the new DNS encryption protocols change the landscape, introducing numerous new architectural and operational issues for their DNS resolution infrastructure. This presentation will cover deployment practices based on early implementations at numerous ISPs around the world. It will also discuss operating considerations introduced by the changes to the legacy DNS protocol. Data and insights from live servers will also be presented.

Speakers: Ralf Weber (Akamai Technologies), Mr Mark Dokter (Akamai)

OARC 32 San Francisco Feb 8_9 2020 Ralf Weber Mark Dokter.pdf

7 Status of DoH/TRR in Firefox

Mozilla has been working to deploy DNS over HTTPS (DoH) in Firefox. We
report on the status of Mozilla's deployment, learnings from our
rollout so far, our Trusted Recursive Resolver (TRR) program, and
the future evolution of DoH/TRR.

Speaker: Eric Rescorla (Mozilla)

DoH Presentation_OARC(3).pdf

12:30 Lunch Break

8 The Present and Future of BIND 9

A discussion of recent development work in BIND 9, including the "DNSSEC Made Easy" key and signing policy features, and advanced new networking code for improved performance and easier implementation of DNS-over-TLS and DNS-over-HTTPS in the next release.

Speaker: Evan Hunt (ISC)

OARC 32 - BIND 9 development.pdf

9 Updates to F-Root

This presentation will cover recent changes in ISC's F-root system, including how we have evolved from using legacy routers and hardware, to working with single-box solutions designed to work within a peering exchange.

Brief mentions will be made about tooling on both the frontend and the backend, as well as routing table discoveries, and operating system choices, and some unexpected lessons learned.

Speaker: Dan Mahoney (ISC)

dmahoneyfrootupdates.pdf

10 Using the Ethereum blockchain to complement and expand the capabilities of DNS

The open source project Ethereum Name Service (ENS) is the leading blockchain-based naming infrastructure project. Managed by a small non-profit with support of the Ethereum Foundation, today we provide naming mostly for the cryptocurrency wallet naming space (we have around 50 wallets signed up) and the emerging decentralized (IPFS-based) web (native integration in Opera, a few blockchain-focused mobile browsers, and others via extension).

But we're also doing research on using blockchain technology to serve the existing DNS tech stack, as well as various projects with EnCirca, .KRED, .ART, and others in the DNS space.

This presentation will be a quick overview of how our system works, how it serves the DNS namespace (including how we've integrated that namespace for use on our system), and our ideas of how it can complement the existing DNS.

Speaker: Mr Brantly Millegan (Ethereum Name Service (ENS))

ENS OARC 32 slides.pdf

15:30 Afternoon Break

11 Forever Young - TTL and RRSIG lifetimes

A deep dive in the world of TTL values of the ccTLD world. Which values are used and why? Guidelines for choosing TTL values and the interdependencies of TTL values. A closer look on RRSIG lifetimes, the interdependencies on TTL values and what RRSIG lifetimes mean for disaster recovery including a view on real life examples.

Speaker: Ulrich Wisser (IIS)

ForeverYoung.pptx

12 DNS Analysis and Threats with IPv6 Automatic Transition Mechanisms

Large content providers such as Google and Akamai report that at least 20% of all client systems are using IPv6 and that most do so using native IPv6 transport. Until recently, Microsoft Windows operating systems shipped with with 6to4, ISATAP, and Teredo IPv6 transition mechanisms enabled by default. While these transition mechanisms are widely panned and increasingly obsolete, for millions of systems they are turned on and ready to be activated, and for many systems, they are used when only IPv4 transport is available. This talk summarizes DNS aspects of recent research work exploring the dangers that linger from these transition mechanisms. A very brief technical overview of 6to4, ISATAP, and Teredo IPv6 automatic transition mechanisms will be provided.

Speaker: John Kristoff

oarc32-dnsv6autotrans.pdf

Lightning Talks

Lightning Talks session

13 Two new tools from work in the RSSAC Caucus

A lightning talk that describes two tools that might be of general interest to DNS operators. Note: a 5-minute and a 10-minute version are attached. Either might be given.

Speaker: Paul Hoffman (ICANN)

OARC_32_lightning_longer.pptx

OARC_32_lightning_shorter.pptx

14 Improving DNSSEC Provisioning with 3rd Party DNS Providers

A group of DNS engineers have formed a design team to look at improving DNSSEC Provisioning with 3rd party DNS providers. Two issues are being looked at:

1. DNSSEC requires the registry to have a DS record associated with the zone. When 3rd party DNS providers generate the key(s) and sign the zone, there is no well defined path for providing the DS record to the registry. (Some ccTLDs are implementing RFC 8078.)

2. If multiple 3rd party DNS providers are serving the same zone, each is signing with its own key, they each need to include the ZSKs (or CSKs) of the other providers. “Multi-Signer DNSSEC Models” defines the general scheme, but there is no well defined protocol for coordination of the cross-signing process between the providers.

We'll briefly discuss the planned work and tell you how to get involved.

Speaker: Shumon Huque (Salesforce)

dnssec-prov.pdf

15 DNS Operator Feedback on draft-fujiwara-dnsop-avoid-fragmentation-01

Not everyone seems to consider DNS fragmentation harmful, and the authors of draft-fujiwara-dnsop-avoid-fragmentation-01 have heard some interesting feedback, which will be anonymized and presented briefly, to inspire ad-hoc bar BOFs to follow.

Speaker: Paul Vixie (Farsight Security)

Fragging DNS.pptx

16 DNSSEC Algorithm Roll for .ORG

.ORG was the first gTLD signed with DNSSEC and remains one of the largest, but is still operating on parameters set originally in 2009. PIR, the registry responsible for .ORG, and Afilias, the registry services provider that handles technical operations for .ORG, are reviewing those original parameters and preparing to update them, primarily to move away from SHA1 as the signing algorithm. We want to take others' experience into our planning and make sure we're sharing ours, so this talk is a brief request for input that will inform our decisions and execution.

Speaker: Suzanne Woolf (PIR)

AlgoRollFinal.pptx

17 DNS Houses (TLDs only-version)

Some interesting measurements "divided" by operator

Speaker: Edward LEWIS (ICANN)

DNSOARCLig.pdf

DNSOARCLig.pdf

18 A DoT naming, publication, and discovery scheme

DNS over TLS Discovery

The DNS over TLS (DoT) protocol is well defined and ideal for client-to-recursive privacy. However, there is currently no way for a client to upgrade its connection to an existing resolver, for a number of reasons.

This talk concerns the impediments to doing an upgrade, and a proposal for a scheme that solves nearly all of them. The author has a PoC for the scheme, and will share the URI of that.

Speaker: Brian Dickson (GoDaddy)

DNS-OARC-dot-upgrade-presentation.pptx

DoT_POC_overview.pdf

18:30 Social Event

http://www.patriothousepub.com/

Sunday, 9 February

08:30 EDDI Registration

Encrypted DNS Deployment Initiative: EDDI February Meet-up

Agenda

Webcast stream

09:00 Registration

11:00 Morning Coffee Break

13:30 OARC Members' Roundtable Registration

OARC Members: Round Table

Schedule
- topics 14:00 - 15:30
- break 15:30 - 16:00
- open floor(?) 16:00 - 17:00

Agenda/topics Ideas
- agenda-bashing, any other topiics on the day
- data privacy (board workgroup)
- is it still a good use of OARC’s resources to maintain DITL and other large datasets, are they being used?
- the purpose of OARC.. what OARC does best etc.. what other things it could do or not do
- software licensing
- reflection on round-table format, and how/whether/when we should do these better in future

Agenda

14:00 Registration

16:00 Afternoon Coffee Break