OARC 38 (Philadelphia, PA, USA)

Timezone: US/Eastern

Venue: Liberty D, Sheraton Philadelphia Downtown, 201 North 17th Street, Philadelphia, PA 19103, United States

Keith Mitchell (DNS-OARC), Pallavi Aras (Salesforce)

Description

OARC 38 is planned to be a hybrid in-person and online workshop.

OARC 38 will be held in Philadelphia on Saturday 30th & Sunday 31st July, 2022 - after IETF 114.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims is achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC38

Mattermost Chatroom: Workshops on chat.dns-oarc.net


WORKSHOP SPONSORS

DELUXE

Comcast

Sponsorship opportunities for OARC 38 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

OARC PATRONS 2022

Verisign

Annual Workshop Patrons for 2022 are available. Details at:

https://www.dns-oarc.net/workshop/patronage-opportunities


    • 08:30
      In-person attendees registration (Liberty D)
    • OARC 38 Day 1: Session 1 (Liberty D)
    • 10:30
      Coffee Break (30 mins), Liberty D
    • OARC 38 Day 1: Session 2 (Liberty D)
      • 7
        AdGuard experience running a DNS-over-QUIC resolver

        We launched the first ever DNS-over-QUIC resolver about 18 months ago. In this presentation I'll talk about our experience running it and share some data on how it performs.

        Speaker: Andrey Meshkov
      • 8
        DoQ on authoritative: perspective, initial implementation, performance, DoS resilience

        QUIC might become a mainstream transport for future DNS, including recursive to authoritative. The benefits are: privacy by encryption, low latency by zero-RTT handshake, no a-priori response size limit, no source address spoofing.

        With the previous implementation of the XDP stack in Knot DNS for UDP and TCP, the authoritative server can be resilient to many types of resource exhaustion attacks. However, QUIC measurements show high enough query-per-second numbers for legitimate traffic only; without additional protection, an attacker might DoS the server by consuming its CPU with encryption routines.

        Other quirks of authoritative DoQ may be discussed as well (certificate exchange, slow first handshake).

        Speaker: Libor Peltan (CZ.NIC)
      • 9
        ExternalDNS on AWS in Large Scale

        ExternalDNS is an open-source application to make Kubernetes resources discoverable via public DNS servers.

        We have deployed ExternalDNS on AWS at a large scale: ExternalDNS updates zones of more than 8000 resource records. During the ExternalDNS development and deployment, we encountered challenges regarding AWS service limits, e.g. Route53 API request frequency and the Route53 resource record limit.

        We will cover the following items in this talk:

        • Overview of ExternalDNS in the cloud
        • AWS usage and limits
        • Challenges encountered implementing ExternalDNS at a large scale
        • Implementation enhancements and solutions

        Speakers: Sidan Qi, Sile Yang
    • 12:05
      Lunch Break (90 mins), Liberty D
    • OARC 38 Day 1: Session 3 (Liberty D)
      • 10
        Transitioning DNS for GTLDs

        Nominet operate around 50 GTLDs, some as a registry and some as an operator on behalf of other registries. During the X years we have been operating in this space we have undertaken several projects to transition in and transition out many GTLDs. This has led us to develop a process (and some automation); this presentation will talk about the process we follow, the automation we use and further plans for the future. We would also welcome input from the community on what we do and how we can improve.

        Speaker: Brett Carr (Nominet)
      • 11
        Cache Poisoning Protection for Authoritative Queries

        We discuss standard and non-standard mechanisms for protecting DNS queries against cache poisoning attacks between resolvers and name servers. The techniques covered include DNS cookies, 0x20 bit munging, nonce prefixes and DNS over TLS/QUIC. We present data from implementing these techniques in Google Public DNS and some interesting behaviors observed during the implementation.

        The talk builds on the material covered at https://developers.google.com/speed/public-dns/docs/security.

        Speaker: Puneet Sood (Google)
      • 12
        How an Enterprise Manages Very Large Number of Records

        At Salesforce, to provide better resilience and performance, we host multiple zones containing millions of DNS records across many DNS providers. However, this increases the complexity for client applications, the operations teams, and even the DNS admin managing DNS records. The client applications would need to know which provider hosts which zone and make API calls for DNS CRUD to the specific provider. When we add new zones and migrate zones between DNS providers, things get more complex.

        To solve this problem, we built a highly available and scalable cloud-based microservice named Athena that hides all the complexity from the end-users. Athena acts as the single Rest API endpoint in front of all the DNS providers. The end-users send all DNS CRUD requests to Athena without needing to know which providers host the zones. Upon receiving a request, Athena automatically figures out the provider for the zone, converts the request to the right format based on the provider's Rest API specifications, sends the request to the provider, and converts the return message to a standard response for the end-user.

        In this presentation, we will talk about the architecture of Athena, availability, scalability, zone-vendor mappings management, account management, development/release pipeline, monitoring, and more.

        Speaker: Han Zhang (Salesforce)
    • 14:40
      Coffee Break (35 mins), Liberty D
    • OARC 38 Day 1: Session 4 - Part 1 (Liberty D)
      • 13
        Performance effects of DNSSEC validation on a busy resolver

        Traditionally, DNSSEC how-tos start with a variation of:

        "Be prepared for higher resource consumption when you enable DNSSEC validation."

        Is that still true in 2022? According to our measurements - not really.

        In this talk, we compare answer latency, resolver CPU usage, memory consumption, and network bandwidth between validating and non-validating configurations of a busy ISP resolver running BIND.

        Speaker: Petr Špaček (Internet Systems Consortium (ISC))
      • 14
        Round Trip Times Between Resolvers and a Root Server

        One of the stated goals of people asking for root server instances to be added near their resolvers is to get better round trip times. These requests are made without knowing any specific metric of what a good round trip time is, or knowing what round trip times typical resolvers are currently seeing. The research in this presentation focuses on the second question.

        Many root server operators can easily determine typical round trip times by sampling the addresses in the traffic stream to their anycast instances and sending pings from the instances to the querying addresses. The ICANN Managed Root Server (commonly also known as L-root) is not able to do this due to contractual agreements that prevent originating traffic measurement queries from their instances. However, this restriction does not completely prevent such measurements because the servers collect IP TTL values for incoming queries.

        This research shows how, using probing from RIPE Atlas systems, the IP TTL values seen can be converted to approximate round trip times and aggregated across instances. The research results estimate the median and 90th percentile measurements for round trip times for current resolvers.

        Speaker: Paul Hoffman (ICANN)
    • 15:55
      Break (10 mins), Liberty D
    • OARC 38 Day 1: Session 4 - Part 2 (Liberty D)
      • 15
        ZONEMD and the Root Zone

        Last year the IETF published RFC 8976, titled "Message Digest for DNS Zones." It describes a protocol and new DNS record that provides a cryptographic message digest over DNS zone data. When used in combination with DNSSEC, it allows recipients to verify zone data for integrity and origin authenticity, providing assurance that received zone data matches published data, regardless of how it was transmitted and received.

        This presentation provides an introduction to the zone digest protocol, its record format, parameters, and use cases. It also covers known implementations of the protocol and provides some benchmark measurements for zones of varying size. Lastly, it introduces plans to deploy the ZONEMD protocol in the root zone.

        Speaker: Duane Wessels (Verisign)
      • 16
        Are we ready for nsec3-guidance?

        • nsec3-guidance is going to be a BCP RFC soon
        • nsec3-guidance affects both zone publishers (authoritative DNS side) and DNSSEC validator operators (full resolver side), but the timing of when each will follow nsec3-guidance may differ
        • Due to the timing difference, the possibility of name resolution failure of TLDs (large outages) is a serious concern
        • Explain the possibility of large outages at TLDs and propose some mitigations
        • Aiming for smooth deployment of nsec3-guidance

        Speaker: Mr Yoshiro YONEYA (JPRS)
      • 17
        TLS at a Root Experiment
        Speaker: Wes Hardaker (USC/ISI)
      • 18
        OARC 38 Day 1 - Wrap up
    • 18:00
      Social Event (off-site)

      Details emailed to registered attendees

    • 09:30
      In-person attendees registration (Liberty D)
    • OARC 38 Day 2: Session 1 (Liberty D)
      • 19
        The Resolvers We Use

        The presentation looks at the various ways to measure the connection between recursive resolvers and end users and the meanings associated with each measurement approach.

        Speaker: Mr Geoff Huston (APNIC)
      • 20
        Bizarre and Unusual Uses of DNS

        Subtitle: Rule 53: If you can think of it, someone's done it in the DNS.

        DNS has been used -- and misused -- in more ways than you might think possible. Peter talks through a collection of some of the more interesting things people have done with it.

        Speaker: Peter Lowe (DNSFilter)
    • 10:50
      Coffee Break (30 mins), Liberty D
    • OARC 38 Day 2: Session 2 (Liberty D)
      • 21
        Open-source DNS Vendors Panel

        • ISC
        • NSD
        • PowerDNS
        • KnotDNS
        • Q/A with the whole panel

        Speakers: Benno Overeinder (NLnet Labs), John Todd, Libor Peltan (CZ.NIC), Peter van Dijk (PowerDNS), Victoria Risk (ISC), Čunát Vladimir (NIC.cz)
    • 12:35
      Lunch Break (90 mins), Liberty D
    • OARC 38 Day 2: Session 3 (Liberty D)
      • 22
        Zero-Knowledge Middleboxes

        This talk will discuss a novel application of cryptography, the zero-knowledge middlebox. There is an inherent tension between ubiquitous encryption of network traffic and the ability of middleboxes to enforce network usage restrictions. An emerging battleground that epitomizes this tension is DNS filtering. Encrypted DNS (DNS-over-HTTPS and DNS-over-TLS) was recently rolled out by default in Firefox, with Google, Cloudflare, Quad9 and others running encrypted DNS resolvers. This is a major privacy win, protecting users from local network administrators observing which domains they are communicating with. However, administrators have traditionally filtered DNS to enforce network usage policies (e.g. blocking access to adult websites). Such filtering is legally required in many networks, such as US schools up to grade 12. As a result, Mozilla was forced to compromise, building a special flag for local administrators to instruct Firefox not to use Encrypted DNS.

        This example points to an open question of general importance, namely: can we resolve such tensions, enabling network policy enforcement while giving users the maximum possible privacy? We propose using zero-knowledge proofs for clients to prove to middleboxes that their encrypted traffic is policy-compliant, without revealing any other additional information. Critically, such zero-knowledge middleboxes don’t require trusted hardware or any modifications to existing TLS servers. We implemented a prototype of our protocol, which can prove statements about an encrypted TLS 1.3 connection such as “the domain being queried in this encrypted DNS packet is not a member of the specified blocklist.” With current tools, our prototype adds around fifteen seconds of latency to opening a new TLS 1.3 connection, and at least three seconds to produce one proof of policy-compliance. While this is too slow for use with interactive web-browsing, it is close enough that we consider it a tantalizing target for future optimization.

        This talk will cover the tension between encryption and policy-enforcing middleboxes, including recent developments in Encrypted DNS and the necessity of DNS filtering. It will then present and argue for the new zero-knowledge middlebox paradigm. Finally, the talk will describe our prototype implementation as well as future avenues for improvement, such as ways to reduce latency overheads.

        Speaker: Paul Grubbs (University of Michigan)
      • 23
        On the edge of small data

        At OARC 33, pktvisor (https://pktvisor.dev) was presented as a free and open source traffic analyzer that summarizes critical information from DNS edge networks in real time, making the resulting lightweight telemetry available locally on node and easily collectable into a central database for dashboarding and alerting.

        Since then we’ve introduced Orb (https://getorb.io), a free and open source dynamic edge observability platform which builds on our earlier work. Orb acts as a control tower for a distributed fleet of pktvisor agents, combining dynamic orchestration of analysis policies with data collection and sinking functionality, accessible via web UI and REST API.

        The agent can now analyze packet capture, dnstap, flow and other inputs, combining deep traffic analysis with data sketch algorithms to efficiently extract counts, top-k heavy hitters, set cardinality, quantiles and other key information from data streams directly on the edge. The result is lightweight time series metrics that plug into modern observability stacks.

        Together the goal of Orb and pktvisor is to deliver immediately actionable insights local to the traffic source and simultaneously collected and integrated into global result sets.

        This talk will introduce and advocate for the powerful “small data” use case, discuss the goals and status of the projects, and look to the future as they extend beyond traffic analysis and into general network debugging and analytics embedded at the edge.

        Speaker: Shannon Weyrick (NS1)
    • 14:55
      Coffee Break (30 mins), Liberty D
    • OARC 38 Day 2: Session 4 (Liberty D)
      • 24
        DNS Talk Series - DANE

        DNS-based Authentication of Named Entities (DANE) is a framework for application security using DNSSEC. It uses signed DNS records to securely associate domain names with cryptographic keying material such as public keys and X.509 certificates. This tutorial will give an overview of DANE, and current and potential applications of it. It will go into details of the DANE protocol and of DANE (and DANE-like) records such as TLSA, SMIMEA, OPENPGPKEY, etc.

        Speakers: Shumon Huque (Salesforce), Viktor Dukhovni
      • 25
        OARC 38 Wrap up
        Speaker: Keith Mitchell (DNS-OARC)