OARC 34 (Online)

Jan Včelák (NS1), Keith Mitchell (DNS-OARC)

OARC 34 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC34

Mattermost Chatroom: Workshops on chat.dns-oarc.net


Online Workshop Sponsor

Farsight Security Inc.

Sponsorship opportunities for OARC 34 are available. Details at:



  • Adrian Beaudin
  • Alex Pion
  • Allison Mankin
  • Anand Buddhdev
  • Andreas Schulze
  • Andreas Taudte
  • Andrey Meshkov
  • Anthony Lieuallen
  • Arnaud Jolivet
  • Arunkumar Singaram
  • Atanas Argirov
  • Barry Greene
  • Baula Xu
  • Benjamin Schwartz
  • Benno Overeinder
  • Bill Snow
  • Brantly Millegan
  • Brett Carr
  • Brian Dickson
  • Brian Somers
  • Bryan Hughes
  • Carl Clements
  • Carlos Ganan
  • Cathy Almond
  • Christian Petrasch
  • Christian Simmen
  • Cricket Liu
  • Daniel Mahoney
  • Daniel Stirnimann
  • Daniel Weber
  • Dave Knight
  • David Blacka
  • David Kinzel
  • David Lawrence
  • Denesh Bhabuta
  • Denis Machard
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eddy Winstead
  • Eduardo Duarte
  • Edward Lewis
  • Elmar K. Bins
  • Enno Rey
  • Eric Mwobobia
  • Eric Orth
  • Eric Ziegast
  • Erik Bishop
  • Erik Kline
  • Evan Hunt
  • Felipe Barbosa
  • Frederico Neves
  • Geert Verheyen
  • Geoff Huston
  • Giovane Moura
  • Guillaume-Jean Herbiet
  • Han Zhang
  • Hazel Smith
  • Henri Laakso
  • Hugo Kobayashi
  • Jacob Zack
  • Jacques Latour
  • Jakob Dhondt
  • James Richards
  • Jan Horak
  • Jan Včelák
  • Jarle Fredrik Greipsland
  • Jaromír Talíř
  • Jason Lavigne
  • Jason Weil
  • Jeff Fern
  • Jeff Osborn
  • Jeff Westhead
  • Jelena Ilic
  • Jeroen Massar
  • Jerry Lundström
  • Jins De Jong
  • Joe Abley
  • Joey Salazar
  • John Todd
  • Jonas Andersson
  • Jonathan Reed
  • Jose Daniel Jimenez
  • Josh Simpson
  • João Luis Silva Damas
  • Karen Burke
  • Karl Reuss
  • Kazunori Fujiwara
  • Keith Mitchell
  • Ken Renard
  • Kristof Tuyteleers
  • Krzysztof Piwowar
  • Lars-Johan Liman
  • Lu Zhao
  • Luuk Hendriks
  • Maarten Bosteels
  • Maciej Andziński
  • Manu Bretelle
  • Marcelo Gardini
  • Mario Guerra
  • Mark Dokter
  • Markus Zeilinger
  • Martin George
  • Mat Ford
  • Matt Larson
  • Matthew Pounsett
  • Matthew Thomas
  • Matthias Pfeifer
  • Matthias Seitz
  • Mauricio Vergara Ereche
  • Merike Kaeo
  • Michael Jewell
  • Mick Begley
  • Mick Geraghty
  • Miles McCredie
  • Mohammad Zebetian
  • Moritz Müller
  • Nicklas Pousette
  • Nicolai Leymann
  • Oli Schacher
  • Olivier Benghozi
  • Ondřej Surý
  • Otto Moerbeek
  • Pallavi Aras-Mathai
  • Patrick Cullen
  • Patrick Fedick
  • Paul Duffy
  • Paul Ebersman
  • Paul Hoffman
  • Paul Muchene
  • Paul Vixie
  • Paul Vlaar
  • Peter Devries
  • Peter Janssen
  • Peter Koch
  • Peter Van Dijk
  • Petr Špaček
  • Phil Regnauld
  • Pieter Lexis
  • Piotr Glaska
  • Prashanth Suvarna
  • Priya Mohan
  • Puneet Sood
  • Ralf Weber
  • Ray Bellis
  • Ricardo Meleschi
  • Robert Edmonds
  • Robert Mortimer
  • Robert Story
  • Roger Murray
  • Roland Dobbins
  • Roy Arends
  • Sam Cheadle
  • Sara Dickinson
  • Sebastian Castro
  • Sergio Tenorio
  • Shane Kerr
  • Shinoj Pittandavida
  • Shinta Sato
  • Shivan Kaul Sahib
  • Shumon Huque
  • Sidan Qi
  • Sile Yang
  • Steve Dejong
  • Steve Dickinson
  • Steven Parsons
  • Sue Graves
  • Suzanne Woolf
  • Sven Van Dyck
  • Swapneel Patnekar
  • Thibaud Duble
  • Tim Wicinski
  • Todd Medbury
  • Tomas Krizek
  • Ulrich Wisser
  • Vicky Risk
  • Victor Mclane
  • Vincent Levigneron
  • Vladimir Cunat
  • Warren Kumari
  • Wayne Maclaurin
  • Wes Hardaker
  • Willem Toorop
  • Yang Li
  • Yaroslav Kolomiiets
  • Yoshitaka Aharen
  • Thursday, February 4
    • 3:45 PM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARC 34 Day 1: Session 1
      • 1
      • 2
        Measuring DNS Flag Day 2020

        This presentation measures the change in the behaviour of DNS recursive resolvers in response to DNS Flag Day 2020. The presentation then looks in more detail at the use of the EDNS(0) Buffer Size parameter and the considerations that guide the selection of a threshold for DNS truncation that will shift a DNS transaction to use TCP.

        Speaker: Geoff Huston (APNIC)
      • 3
        Does the DGA work?

        We were concerned about the amount of noise vs signal seen in the decade-old Conficker sinkhole and doubted whether we were using the correct algorithm for generating sinkhole domains. We use 2020 DITL data to confirm one algorithm was more likely to get hits than another.

        Speaker: Eric Ziegast (Farsight Security, Inc.)
    • 4:55 PM
      15 Minutes Break
    • OARC 34 Day 1: Session 2
      • 4
        Old but Gold: Prospecting TCP to Engineer and Real-time Monitor DNS Anycast

        This is a technical report that covers three things:

        1. Evaluation of using TCP to measure DNS client latencies to auth servers
        2. Use of DNS/TCP RTT to engineer anycast, and fix problems such as Anycast Polarization. We use it to improve latency between Google and SIDN's Anycast AS, reducing Google's latency to SIDN from 110ms to 20ms.
        3. We show anteater, a real-time monitoring system that evaluates auth servers and clients, and notifies SIDN OPs of latency problems.

        All of this is using only passive DNS data, so no extra active measurements are required. And it measures latency from real clients.

        Below we show the paper abstract, and include the original paper.

        An earlier version of this paper can be found at: https://ant.isi.edu/bib/Moura20a.html

        Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)
      • 5
        Making DNS "just work" at Scale

        Large environments and rapid growth create demands on DNS that require a range of approaches to ensure the service is operating reliably. This talk focuses on some of the latest changes in the DNS space at Facebook that are intended to ensure everything "just works".

        We take a look at some of the recent efforts by the DNS team at Facebook to keep DNS humming such as:

        1. Preventing invalid DNS queries from leaking
        2. Improving cache hit ratio
        3. Stop the sending of iterative queries to root servers
        4. Improving DNS response latency by 65%
        5. Reducing the memory usage on DNS servers
        6. Reducing the propagation time for DNS changes
        7. Scaling out the torrent infrastructure and removing the dependency on trackers

        and a discussion on some of the tradeoffs.

        Speaker: Patrick Cullen
    • 6:00 PM
      1 Hour Break
    • OARC 34 Day 1: Session 3
      • 6
        Charter Communications Public DoH Trial - Lessons Learned

        DNS over HTTPS is a new update to the venerable DNS protocol that provides security and privacy enhancements for Internet users by encrypting the communication channel between the DNS client on a device and the network DNS resolver. Charter launched a public DoH Trial in Q4 of 2020. Charter was also added as a participant in Google Chrome’s DoH experiment based on the SPAU (same provider auto-upgrade) model with the Chrome 87 deployment. Any Charter Chrome user with Charter’s Do53 public IPv4 or IPv6 server addresses is automatically upgraded to the DoH trial resolvers. This Trial resulted in valuable results that will be useful for other providers of DNS services interested in deploying DoH at scale. This presentation will cover some of the insights learned as part of the Charter DoH Trial including:
        · The quest for Load! - 100k QPS and beyond
        · Comparison of traffic utilization between DoH and Do53
        · Comparison of server resource utilization between DoH and Do53
        · DNS provider configuration Best Practices
        · Server optimizations for a DoH platform
        · Future areas of interest

        Speakers: Mr Jason Weil (Charter Communications), Mr Todd Medbury (Charter Communications)
      • 7
        First experience with DNS-over-QUIC

        We recently developed the first implementation of DNS-over-QUIC: https://adguard.com/en/blog/dns-over-quic.html

        In this talk, I'd like to tell you more about it.

        1. Why we decided to try DNS-over-QUIC
        2. Implementation details, choices we made, tech we used
        3. Comparing DoQ to DoH, DoT and DNSCrypt
        4. First feedback from our users

        Speaker: Andrey Meshkov
    • 7:50 PM
      15 Minutes Break
    • OARC 34 Day 1: Session 4
      • 8
        The Impact of Post-Quantum Cryptography on DNSSEC

        Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms in DNSSEC by PQC alternatives, but need to evaluate if they meet its requirements.

        In this presentation we analyze the impact of PQC on the Domain Name System and its Security Extensions. We give an introduction to PQC and then evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC.

        Speakers: Moritz Müller (SIDN), Mr Jins de Jong (TNO)
      • 9
        Hashed RPZ

        Per 2020-01-01 in Switzerland it is mandatory to block CSAM on a DNS level as per instructions from the Swiss Federal Police (Fedpol) supported by the new Telecommunications Act [1][2][3].

        This thus involves a list of domain names that should be blocked that can be retrieved from a Fedpol server given proper credentials.

        Unfortunately this list is in clear text, and thus any engineer/administrator who is able to interact with or administer the server would normally get access to the list in clear text. Having these domain names on your computer though could already be illegal; if one then accidentally tests the domain, one might be considered to be attempting to access the material...

        To avoid any public persecution we thus decided to hash the list so that we can never actually see or have access to the list and our administrators can do maintenance and other routine server maintenance without having to be scared of accidentally getting access to the list.

        To solve this we have created Hashed RPZ, a custom hashed variant of the ubiquitous and great RPZ [4] system by Paul Vixie and Vernon Schryver that is already in use around the world for blocking malware and other malicious content.

        We will also introduce a new open source DNS recursor system that implements this new scheme along with other needed features to scale the system for a large Swiss ISP, along with the supporting infrastructure, opening the system up for other ISPs to use and protect their employees.

        Hashed RPZ can also be used by RPZ list providers to limit exposure of the list as the contents of the list cannot easily be discovered.

        [1] https://www.bakom.admin.ch/bakom/de/home/das-bakom/organisation/rechtliche-grundlagen/bundesgesetze/fmg-revision-2017/revision-fmg-verordnungen.html
        [2] https://www.fedlex.admin.ch/eli/cc/2007/166/en
        [3] https://www.fedlex.admin.ch/eli/cc/1997/2187_2187_2187/de
        [4] https://dnsrpz.info

        Speaker: Mr Jeroen Massar
      • 10
        NSEC3 to NSEC transition of .NU

        In November 2020 we updated the .nu TLD from NSEC3 to NSEC.
        This was a long-anticipated change that we finally managed to get into production.
        We will show what we did as preparation, data from the transition and some lessons learned.

        Speaker: Ulrich Wisser (IIS)
    • 9:00 PM
      BYOD OARC Social Event
  • Friday, February 5
    • 3:45 PM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARC 34 Day 2: Session 1
      • 11
        Service Bindings: SVCB and HTTPS

        Service Bindings are a new family of DNS record types that enable improved security, privacy, and performance for Internet services. By providing an extensible bound collection of endpoint metadata, these new RR types allow clients to learn more about a server before they initiate a connection.

        This session will review the technical architecture of the SVCB and HTTPS RR types, their current deployment status, and implications for DNS operators.

        Speaker: Benjamin Schwartz (Google LLC)
      • 12
        Adding stuff to DNS is easy - right?

        New DNS record types are not added very often, and if they are, in many cases they're highly specialized and not widely used. But this year two new record types (SVCB=64 and HTTPS=65) were introduced and are now used on devices which are widely deployed. For example, all Apple devices with recent software issue an HTTPS query for every lookup they do. This not only has a noticeable impact on the volume of queries seen by resolvers, but reveals that in the long tail there are still authoritative servers that aren't ready to handle new resource record types. This can increase load further than anticipated on DNS servers.

        This presentation will dig into data and show the evolution of HTTPS requests since Apple released support and look at how authorities respond to HTTPS requests for millions of names. It will also identify and evaluate problematic responses.

        Speaker: Ralf Weber (Akamai Technologies)
    • 4:50 PM
      15 Minutes Break
    • OARC 34 Day 2: Session 2
      • 13
        XDPeriments: Tinkering with DNS and XDP

        The eXpress Data Path (XDP) is a "hook" in the Linux kernel providing programmability at the lowest layer of the Network Stack (at the device driver layer) and can even be hardware offloaded to programmable devices (e.g. SmartNICs). XDP provides an easy way to perform some parts of DNS handling in the kernel but still have traditional userspace software 'after' that. XDP does not have to replace DNS software in userspace, it can augment it.

        XDP programs are well suited for dealing with Denial of Service attacks. Furthermore XDP programs can be put to work on an ad-hoc basis on a running system without interruption. We think using XDP to augment an existing DNS service is an exciting new idea, and a great new tool in the DNS operator's toolbox.

        In this presentation we will explore how DNS can benefit from XDP with hands-on examples of directly usable running code. We will show how operators can use XDP programs to deal with Denial of Service attacks and/or otherwise tweak their DNS service behaviour.

        Speakers: Willem Toorop (NLnet Labs), Dr Luuk Hendriks (NLnet Labs)
      • 14
        The state of DNS security records

        A small survey of the adoption rates of various security related DNS records (DNSSEC, SPF, DMARC etc.). Looking at top 100 companies and DNS infrastructure companies.

        Speaker: Robert Mortimer (Nominet)
    • 6:00 PM
      30 Minutes Break
    • OARC 34 Day 2: Session 3: Members Only Session
      • 16
        OARC Members Only Session: Vulnerability Disclosure (DDoS)

        In this talk, we will disclose to OARC-members only a vulnerability that can be exploited to carry out large DoS attacks against authoritative servers. It is not a theoretical threat, although it does not seem to have been yet exploited in full scale — not that we are aware.

        We have already notified pertinent parties that are vulnerable to this threat — and they are working to fix it.

        In the meantime, we want to notify authoritative server operators of how they can protect themselves. We will release accompanying source code to help in this process.

        Speaker: Giovane Moura (SIDN Labs/TU Delft)