DNS-OARC is currently only running online workshops.
The second OARConline will take place on August 11th (13:00 - 15:00 UTC).
DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.
DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.
Social Media hashtag: #OARC32b and #OARConline
Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)
Annual Workshop Patrons for 2020 are available. Details at:
https://www.dns-oarc.net/workshop/patronage-opportunities
Sponsorship opportunities for OARC (online) 32b are available. Details at:
https://www.dns-oarc.net/workshop/sponsorship-opportunities
Sign up for an account on the chat server, via:
If you are an OARC member contact (i.e., with a Portal login), email admin@dns-oarc.net for your specific invitation.
Anyone else via:
https://chat.dns-oarc.net/signup_user_complete/?id=pr3ycckbc7ygzg38uwyr9kz74y
The Border Gateway Protocol (BGP) is responsible for routing on the Internet. BGP has no security measures, which makes it prone to IP prefix hijacking and route leaks. To defend against these threats, Resource Public Key Infrastructure (RPKI) has been developed by the IETF. RPKI secures the Internet's routing infrastructure by signing and validating prefix origin data.
However, there are still situations in which one may indirectly fall victim to prefix hijacks even if one's own AS is RPKI protected. A good example of this is the Amazon Route 53 BGP hijack. In this example, the prefixes of the Amazon authoritative DNS servers were hijacked. Any AS with a DNS resolver not protected by RPKI would receive a valid but malicious response from the hijacked authoritative DNS server, even if the AS where the query originated was RPKI protected. For end-users to be fully protected, in addition to the network in which they reside, they also need their DNS resolvers to be in RPKI-protected networks.
In this talk we will present research on the state of RPKI protection of DNS resolvers. We used RIPE Atlas to send queries through the DNS resolvers configured on RIPE Atlas probes. Resolving each query required following a CNAME that references a domain served on an invalid prefix. This enabled us to determine whether a probe's DNS resolver was RPKI protected or not. Measurements have been run against all DNS resolvers on all RIPE Atlas probes, hourly since 23rd of January.
The LocalRoot project at ISI, driven by Wes Hardaker, is a project that allows users to:
A talk at DNS-OARC would concentrate on two aspects:
DNS uses the connectionless User Datagram Protocol (UDP) by default, which causes problems with Path MTU Discovery. This is because DNS servers are stateless, and do not remember queries they have already answered. The Path MTU (PMTU) should be used as the maximum size to stop fragmentation from happening. Extension Mechanisms for DNS (EDNS(0)) expands DNS with the UDP Message Size field, which communicates the response size capability of the resolver. This allows resolvers to specify the EDNS(0) UDP message size they support.
This presentation reports on research that aims to provide data for choosing an optimal maximum EDNS(0) UDP message size, by measuring the PMTU to which resolvers and stub resolvers on the Internet are subject. We did this by creating an environment to serve different sized DNS responses and querying this environment across the Internet. This aligns with the goals of DNS Flag Day 2020. Our ambition is to suggest defaults for the maximum EDNS(0) message size for DNS.
For the purposes of long-term statistical studies of the DNS, a "DNS Statistical Core" is introduced. This is meant to be a basis for statistical studies but the development of the core's map has been its own interesting project. "Core" in the name refers to the inclusion of the global public Internet's root zone, top-level zones, reverse map zones and other affiliated zones, relying mostly on access to reports of process activity related to the Root Registry, widely available zone files and other resources. The map produces JSON-formatted files for consumption by observation and analysis scripts, with easy access to many features of zones, nameservers, and addresses involved.
Time to catch up with industry peers and colleagues. This will be a free-flow session and we will facilitate online breakout rooms if needed. Details will only be sent to those who attend the main Workshop prior to this.