OARC 34 (Online)

Name: OARC 34 (Online)
Start: 2021-02-04T15:45:00+00:00
End: 2021-02-05T22:00:00+00:00
Location: No location set

4 Feb 2021, 15:45 → 5 Feb 2021, 22:00 UTC

Jan Včelák (NS1), Keith Mitchell (DNS-OARC)

Description

OARC 34 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC34

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)

OARC 34 SPONSORS

Online Workshop Sponsor

Sponsorship opportunities for OARC 34 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

Participants

Adrian Beaudin
Alex Pion
Allison Mankin
Anand Buddhdev
Andreas Schulze
Andreas Taudte
Andrey Meshkov
Anthony Lieuallen
Arnaud Jolivet
Arunkumar Singaram
Atanas Argirov
Barry Greene
Baula Xu
Benjamin Schwartz
Benno Overeinder
Bill Snow
Brantly Millegan
Brett Carr
Brian Dickson
Brian Somers
Bryan Hughes
Carl Clements
Carlos Ganan
Cathy Almond
Christian Petrasch
Christian Simmen
Cricket Liu
Daniel Mahoney
Daniel Stirnimann
Daniel Weber
Dave Knight
David Blacka
David Kinzel
David Lawrence
Denesh Bhabuta
Denis Machard
Dmitry Kohmanyuk
Duane Wessels
Eddy Winstead
Eduardo Duarte
Edward Lewis
Elmar K. Bins
Enno Rey
Eric Mwobobia
Eric Orth
Eric Ziegast
Erik Bishop
Erik Kline
Evan Hunt
Felipe Barbosa
Frederico Neves
Geert Verheyen
Geoff Huston
Giovane Moura
Guillaume-Jean Herbiet
Han Zhang
Hazel Smith
Henri Laakso
Hugo Kobayashi
Jacob Zack
Jacques Latour
Jakob Dhondt
James Richards
Jan Horak
Jan Včelák
Jarle Fredrik Greipsland
Jaromír Talíř
Jason Lavigne
Jason Weil
Jeff Fern
Jeff Osborn
Jeff Westhead
Jelena Ilic
Jeroen Massar
Jerry Lundström
Jins De Jong
Joe Abley
Joey Salazar
John Todd
Jonas Andersson
Jonathan Reed
Jose Daniel Jimenez
Josh Simpson
João Luis Silva Damas
Karen Burke
Karl Reuss
Kazunori Fujiwara
Keith Mitchell
Ken Renard
Kristof Tuyteleers
Krzysztof Piwowar
Lars-Johan Liman
Lu Zhao
Luuk Hendriks
Maarten Bosteels
Maciej Andziński
Manu Bretelle
Marcelo Gardini
Mario Guerra
Mark Dokter
Markus Zeilinger
Martin George
Mat Ford
Matt Larson
Matthew Pounsett
Matthew Thomas
Matthias Pfeifer
Matthias Seitz
Mauricio Vergara Ereche
Merike Kaeo
Michael Jewell
Mick Begley
Mick Geraghty
Miles McCredie
Mohammad Zebetian
Moritz Müller
Nicklas Pousette
Nicolai Leymann
Oli Schacher
Olivier Benghozi
Ondřej Surý
Otto Moerbeek
Pallavi Aras-Mathai
Patrick Cullen
Patrick Fedick
Paul Duffy
Paul Ebersman
Paul Hoffman
Paul Muchene
Paul Vixie
Paul Vlaar
Peter Devries
Peter Janssen
Peter Koch
Peter Van Dijk
Petr Špaček
Phil Regnauld
Pieter Lexis
Piotr Glaska
Prashanth Suvarna
Priya Mohan
Puneet Sood
Ralf Weber
Ray Bellis
Ricardo Meleschi
Robert Edmonds
Robert Mortimer
Robert Story
Roger Murray
Roland Dobbins
Roy Arends
Sam Cheadle
Sara Dickinson
Sebastian Castro
Sergio Tenorio
Shane Kerr
Shinoj Pittandavida
Shinta Sato
Shivan Kaul Sahib
Shumon Huque
Sidan Qi
Sile Yang
Steve Dejong
Steve Dickinson
Steven Parsons
Sue Graves
Suzanne Woolf
Sven Van Dyck
Swapneel Patnekar
Thibaud Duble
Tim Wicinski
Todd Medbury
Tomas Krizek
Ulrich Wisser
Vicky Risk
Victor Mclane
Vincent Levigneron
Vladimir Cunat
Warren Kumari
Wayne Maclaurin
Wes Hardaker
Willem Toorop
Yang Li
Yaroslav Kolomiiets
Yoshitaka Aharen

OARC 34 Admin

admin@dns-oarc.net

meeting@dns-oarc.net

Thursday, 4 February
- Thu, 4 Feb
- Fri, 5 Feb
- 15:45 → 16:00
  
  Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net 15m
- 16:00 → 16:55
  OARC 34 Day 1: Session 1
  - 16:00
    
    Welcome 15m
    
    Speaker: Mr Keith Mitchell (DNS-OARC)
    
    Information.odp
    
    Introduction to DNS-OARC
    
    OARC34 Event Information and Welcome
    
    OARC34-intro.odp
  - 16:15
    
    Measuring DNS Flag Day 2020 25m
    
    This presentation measures the change in the behaviour of DNS recursive resolvers in response to DNS Flag Day 2020. The presentation then looks in more detail at the use of the EDNS(0) Buffer Size parameter and the considerations that guide the selection of a threshold for DNS truncation that will shift a DNS transaction to use TCP.
    
    Speaker: Geoff Huston (APNIC)
    
    2021-02-04-dns-flag.pdf
    
    2021-02-04-dns-flag.pptx
  - 16:40
    
    Does the DGA work? 15m
    
    We were concerned about the amount of noise vs signal seen in the decade-old Conficker sinkhole and doubted whether we were using the correct algorithm for generating sinkhole domains. We use 2020 DITL data to confirm one algorithm was more likely to get hits than another.
    
    Speaker: Eric Ziegast (Farsight Seurity, Inc.)
    
    Does-the-DGA-work.pdf
- 16:55 → 17:10
  
  15 Minutes Break 15m
- 17:10 → 18:00
  OARC 34 Day 1: Session 2
  - 17:10
    Old but Gold: Prospecting TCP to Engineer and Real-time Monitor DNS Anycast 25m
    
    This is a technical report that cover three things:
    
    Evaluation of using TCP to measure DNS client latencies to auth servers
    
    Use of DNS/TCP RTT to engineer anycast, and fix problems such as Anycast Polarization . We use it to improve latency between Google and SIDN's Anycast AS, reducing Google's latency to SIDN from 110ms to 20ms.
    
    We show anteater, a real-time monitoring system that evaluates auth servers and clients, and notifies SIDN OPs of latency problems.
    
    All of this is using only passive DNS data , so no extra active measurements are required. And it measures latency from real clients.
    
    Below we show the paper abstract, and include the original paper.
    
    An earlier version of this paper can be found at: https://ant.isi.edu/bib/Moura20a.html
    
    Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)
    
    Moura-DNSRTT-OARC34.pdf
    
    Technical Report
  - 17:35
    Making DNS "just work" at Scale 25m
    
    Large environments and rapid growth create demands on DNS that require a range of approaches to ensure the service is operating reliably. This talk focuses on some of the latest changes in the DNS space at Facebook that are intended to ensure everything "just works".
    
    We take a look at some of the recent efforts by the DNS team at Facebook to keep DNS humming such as:
    
    Preventing invalid DNS queries from leaking
    
    Improving cache hit ratio
    
    Stop the sending of iterative queries to root servers
    
    Improving DNS response latency by 65%
    
    Reducing the memory usage on DNS servers
    
    Reducing the propagation time for DNS changes
    
    Scaling out the torrent infrastructure and removing the dependency on trackers
    and a discussion on some of the tradeoffs.
    
    Speaker: Patrick Cullen
    
    dns_jw_oarc.pdf
- 18:00 → 19:00
  
  1 Hour Break 1h
- 19:00 → 19:50
  OARC 34 Day 1: Session 3
  - 19:00
    
    Charter Communications Public DoH Trial - Lessons Learned 25m
    
    DNS over HTTPS is a new update to the venerable DNS protocol that provides security and privacy enhancements for Internet users by encrypting the communication channel between the DNS client on a device and the network DNS resolver. Charter launched a public DoH Trial in Q4 of 2020. Charter was also added as a participant in Google Chrome’s DoH experiment based on the SPAU (same provider auto-upgrade) model with the Chrome 87 deployment. Any Charter Chrome user with Charter’s Do53 public IPv4 or IPv6 server addresses are automatically upgraded to the DoH trial resolvers. This Trial resulted in valuable results that will be useful for other providers of DNS services interested in deploying DoH at scale. This presentation will cover some of the insights learned as part of the Charter DoH Trial including:
    · The quest for Load! - 100k QPS and beyond
    · Comparison of traffic utilization between DoH and Do53
    · Comparison of server resource utilization between DoH and Do53
    · DNS provider configuration Best Practices
    · Server optimizations for a DoH platform
    · Future areas of interest
    
    Speakers: Mr Jason Weil (Charter Communications), Mr Todd Medbury (Charter Communications)
    
    Spectrum DoH_OARC 34v3.pdf
    
    Spectrum DoH_OARC 34v3.pptx
  - 19:25
    First experience with DNS-over-QUIC 25m
    
    We recently developed the first implementation of DNS-over-QUIC: https://adguard.com/en/blog/dns-over-quic.html
    
    In this talk, I'd like to tell you more about it.
    
    Why we decided to try DNS-over-QUIC
    
    Implementation details, choices we made, tech we used
    
    Comparing DoQ to DoH, DoT and DNSCrypt
    
    First feedback from our users
    
    Speaker: Andrey Meshkov
    
    doq_first_experience.pdf
    
    doq_first_experience.pptx
- 19:50 → 20:05
  
  15 Minutes break 15m
- 20:05 → 21:00
  OARC 34 Day 1: Session 4
  - 20:05
    
    The Impact of Post-Quantum Cryptography on DNSSEC 25m
    
    Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms in DNSSEC by PQC alternatives, but need to evaluate if they meet its requirements.
    
    In this presentation we analyze the impact of PQC on the Domain Name System and its Security Extensions. We give an introduction to PQC and then evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC.
    
    Speakers: Moritz Müller (SIDN), Mr Jins de Jong (TNO)
    
    pqc_dnssec_oarc.pdf
    
    pqc_dnssec_oarc.pptx
  - 20:30
    
    Hashed RPZ 15m
    
    Per 2020-01-01 in Switzerland it is mandatory to block CSAM on a DNS level as per instructions from the Swiss Federal Police (Fedpol) supported by the new Telecommunications Act [1][2][3].
    
    This thus involves a list of domain names that should be blocked that can be retrieved from a Fedpol server given proper credentials.
    
    Unfortunately this list is in clear text, and, thus any engineer/administrator that is able to interact with or administer the server thus would normally get access to the list in clear text. Having these domain names on your computer though could already be illegal, if one then accidentally tests the domain, one might be considered to be attempting to access the material...
    
    To avoid any public persecution we thus decided to hash the list so that we can never actually see or have access to the list and our administrators can do maintenance and other routine server maintenance without having to be scared of accidentally getting access to the list.
    
    To solve this we have created Hashed RPZ, a custom hashed variant of the ubiquitous and great RPZ [4] system by Paul Vixie and Vernon Schryver that is already in use around the world for blocking malware and other malicious content.
    
    We will also introduce a new open source DNS recursor system that implements this new scheme along with other needed features to scale the system for a large Swiss ISP, along with the supporting infrastructure, opening the system up for other ISPs to use and protect their employees.
    
    Hashed RPZ can also be used by RPZ list providers to limit exposure of the list as the contents of the list cannot easily be discovered.
    
    [1] https://www.bakom.admin.ch/bakom/de/home/das-bakom/organisation/rechtliche-grundlagen/bundesgesetze/fmg-revision-2017/revision-fmg-verordnungen.html
    [2] https://www.fedlex.admin.ch/eli/cc/2007/166/en
    [3] https://www.fedlex.admin.ch/eli/cc/1997/2187_2187_2187/de
    [4] https://dnsrpz.info
    
    Speaker: Mr Jeroen Massar
    
    DNSOARC34-HashedRPZ-massar.key
    
    DNSOARC34-HashedRPZ-massar.pdf
    
    DNSOARC34-HashedRPZ-massar.pptx
  - 20:45
    
    NSEC3 to NSEC transition of .NU 15m
    
    In November 2020 we updated the .nu TLD from NSEC3 to NSEC.
    This was along anticipated change that we finally managed to get into production.
    We will show what we did as preparation, data from the transition and some lessons learned.
    
    Speaker: Ulrich Wisser (IIS)
    
    NSEC3-NSEC-DNSOARC-20210204.pdf
- 21:00 → 22:00
  
  BYOD OARC Social Event 1h
Friday, 5 February
- Thu, 4 Feb
- Fri, 5 Feb
- 15:45 → 16:00
  
  Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net 15m
- 16:00 → 16:50
  OARC 34 Day 2: Session 1
  - 16:00
    
    Service Bindings: SVCB and HTTPS 25m
    
    Service Bindings are a new family of DNS record types that enable improved security, privacy, and performance for Internet services. By providing an extensible bound collection of endpoint metadata, these new RR types allow clients to learn more about a server before they initiate a connection.
    
    This session will review the technical architecture of the SVCB and HTTPS RR types, their current deployment status, and implications for DNS operators.
    
    Speaker: Benjamin Schwartz (Google LLC)
    
    SVCB_HTTPS_ DNS-OARC 2021.pdf
  - 16:25
    
    Adding stuff to DNS is easy - right? 25m
    
    New DNS record types are not added very often, and if they are in many cases they're highly specialized and not widely used. But this year two new record types (SVCB=64 and HTTPS=65) were introduced and are now used on devices which are widely deployed. For example, all Apple devices with recent software issue an HTTPS query for every lookup they do. This not only has a noticeable impact on the volume of queries seen by resolvers, but reveals in the long tail there are still authoritative servers that aren't ready to handle new resource record types. This can increase load further than anticipated on DNS servers.
    
    This presentation will dig into data and show the evolution of HTTPS requests since Apple released support and look at how authorities respond to HTTPS requests for millions of names. It will also identify and evaluate problematic responses.
    
    Speaker: Ralf Weber (Akamai Technologies)
    
    dns-https-rr-final.pdf
    
    dns-https-rr-final.pptx
- 16:50 → 17:05
  
  15 Minutes Break 15m
- 17:05 → 18:00
  OARC 34 Day 2: Session 2
  - 17:05
    
    XDPeriments: Tinkering with DNS and XDP 25m
    
    The eXpress Data Path (XDP) is a "hook" in the Linux kernel providing programmability at the lowest layer of the Network Stack (at the device driver layer) and can even be hardware offloaded to programmable devices (e.g. SmartNICs). XDP provides an easy way to perform some parts of DNS handling in the kernel but still have traditional userspace software 'after' that. XDP does not have to replace DNS software in userspace, it can augment it.
    
    XDP programs are well suited for dealing with Denial of Service attacks. Furthermore XDP programs can be put to work on an ad-hoc basis on a running system without interruption. We think using XDP to augment an existing DNS service is an exciting new idea, and a great new tool in the DNS operator's toolbox.
    
    In this presentation we will explore how DNS can benefit from XDP with hands-on examples of directly usable running code. We will show how operators can use XDP programs to deal with Denial of Service attacks and/or otherwise tweak their DNS service behaviour.
    
    Speakers: Willem Toorop (NLnet Labs), Dr Luuk Hendriks (NLnet Labs)
    
    XDPeriments: Tinkering with DNS and XDP
    
    XDPeriments: Tinkering with DNS and XDP
  - 17:30
    
    The state of DNS security records 15m
    
    A small survey of the adoption rates of various security related DNS records ( DNSSEC, SPF, DMARC etc. ). Looking at top 100 companies and DNS infrastructure companies.
    
    Speaker: Robert Mortimer (Nominet)
    
    nominet-oarc-DNS survey-rm-20210202.pdf
    
    nominet-oarc-DNS survey-rm-20210202.pptx
  - 17:45
    
    Not So Popular: A Sample of Domain Names for Typical Web Sites 15m
    
    Many measurements on the DNS are based on collections of "most popular" web sites, such as the Alexa list. Using these lists skew the results of analysis because those sites are often well-managed and available from many locations (such as through CDNs). A different tactic would be to look for collections of more typical web sites. For this study, data is collected from Wikipedia around the world to create a large list of domain names used in web URLs on Wikipedia pages. That data is used to analyze how many of those domain names are protected by DNSSEC, as well as how many have IPv6 addresses.
    
    This presentation explains an efficient method to collect the data from Wikipedia world-wide. Although the resulting data is more typical of names from the web than "most popular" lists, it cannot be considered "typical" of the web for many reasons, which are also discussed.
    
    Speaker: Paul Hoffman (ICANN)
    
    not-so-popular.pdf
    
    not-so-popular.pptx
- 18:00 → 18:30
  
  30 Minutes Break 30m
- 18:30 → 19:00
  OARC 34 Day 2: Session 3: Members Only Session
  - 18:30
    
    OARC Members Only Session: Vulnerability Disclosure (DDoS) 30m
    
    In this talk, we will disclose to OARC-members only a vulnerability that can be exploited to carry large DoS attacks against authoritative servers. It is not a theoretical threat, although it does not seem to have been yet exploited in full scale — not that we are aware.
    
    We have already notified pertinent parties that are vulnerable to this threat — and they are working to fix it.
    
    In the meantime, we want to notify authoritative server operators of how they can protect themselves. We will release accompanying source code to help in this process.
    
    Speaker: Giovane Moura (SIDN Labs/TU Delft)