OARC 38 (Philadelphia, PA, USA)

30 Jul 2022, 08:30 → 31 Jul 2022, 18:40 US/Eastern

Liberty D (Sheraton Philadelphia Downtown)

Keith Mitchell (DNS-OARC), Pallavi Aras (Salesforce)

OARC 38 is planned to be a hybrid in-person and online workshop.

OARC 38 will be held in Philadelphia on Saturday 30th & Sunday 31st July, 2022 - after IETF 114.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC38

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)

---

WORKSHOP SPONSORS

---

DELUXE

 

 

Sponsorship opportunities for OARC 38 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

---

OARC PATRONS 2022

Annual Workshop Patrons for 2022 are available. Details at:

https://www.dns-oarc.net/workshop/patronage-opportunities

 

---

 

Saturday, 30 July

08:30 In-person attendees registration

OARC 38 Day 1: Session 1

1 Welcome and Introduction

Speaker: Keith Mitchell (DNS-OARC)

Information.odp

Workshop Information

2 OARC Status Update

Speaker: Keith Mitchell (DNS-OARC)

Members Report Apr-Jul 2022

OARC38 Update

OARC38-update.odp

3 OARC Privacy Committee Report

Speaker: Benno Overeinder (NLnet Labs)

OARC Privacy Committee Progress Report OARC 38.pdf

4 OARC's Member Portal

Speaker: Steve Sullivan (DNS-OARC)

OARC 38.pdf

OARC 38.pptx

5 OARC Sofware Engineering Report

Speaker: Jerry Lundström (DNS-OARC)

OARC38-DNS-OARC-Software.pdf

6 OARC Systems Engineering Report

Speakers: Matthew Pounsett (DNS-OARC), Michael Baer (DNS-OARC)

OARC38-Systems-Engineering-Report.pdf

OARC38_Systems_Engineering_Report_Slides.pdf

10:30 Coffee Break (30 mins)

OARC 38 Day 1: Session 2

7 AdGuard experience running a DNS-over-QUIC resolver

We launched the first ever DNS-over-QUIC resolver about 18 months ago. In this presentation I'll talk about our experience running it and share some data on how it performs.

Speaker: Andrey Meshkov

DNS-over-QUIC, 1+ year experience for OARC.pdf

8 DoQ on authoritative: perspective, initial implementation, performance, DoS resilience

QUIC might become mainstream transport for future DNS, including recursive to authoritative. The benefits are: privacy by encryption, low latency by zero-RTT handshake, no a-priori response size limit, no source address spoofing.

With previous implementation of XDP stack in Knot DNS for UDP and TCP, the authoritative server can be resilient to many types of resource exhaustion attacks. However, QUIC measurements show high enough query-per-second numbers for legitimate traffic only, but without additional protection, the attacker might DoS the server by utilizing its CPU with encryption routines.

Other quirks of athoritative DoQ may be discussed as well (certificate exchange, slow first handshake).

Speaker: Libor Peltan (CZ.NIC)

KNOT-20220731-LP-OARC38-doq-005.pdf

9 ExternalDNS on AWS in Large Scale

ExternalDNS is an open-source application to make Kubernetes resources discoverable via public DNS servers.

We have deployed ExternalDNS on AWS in a large scale: externalDNS updates zones of more than 8000 resource records. During the external DNS development and deployment, we encountered challenges regarding AWS service limits, e.g. Route53 API frequency, Route53 resource record limit.
We will cover the following items in this talk:

• Overview of ExternalDNS in Cloud
• AWS Usage and Limit
• Challenges encountered to implement ExternalDNS in a large scale
• Implementation Enhancements and Solutions

Speakers: Sidan Qi, Sile Yang

ExternalDNS on AWS.pdf

12:05 Lunch Break (90 mins)

OARC 38 Day 1: Session 3

10 Transitioning DNS for GTLDs

Nominet operate around 50 GTLDs some as a registry and some as an operator on behalf of other registries. During the X years we have been operating in this space we have undertaken several projects to transition in and transition out many GTLDs. This has led us to develop a process (and some automation), this presentation will talk about the process we follow, the automation we use and further plans for the future. We would also welcome input from the community on what we do and how we can improve.

Speaker: Brett Carr (Nominet)

GTLD DNS Tranistions 2022 OARC38.pdf

GTLD DNS Tranistions 2022 OARC38.pptx

11 Cache Poisoning Protection for Authoritative Queries

We discuss standard and non-standard mechanisms for protecting DNS queries against cache poisoning attacks between resolvers and name servers. The techniques covered include DNS cookies, 0x20 bit munging, nonce prefixes and DNS over TLS/QUIC. We present data from implementing these techniques in Google Public DNS and some interesting behaviors observed during the implementation.

The talk builds on the material covered at
https://developers.google.com/speed/public-dns/docs/security.

Speaker: Puneet Sood (Google)

Cache Poisoning Protection for Authoritative Queries.pdf

12 How an Enterprise Manages Very Large Number of Records

At Salesforce, to provide better resilience and performance, we host multiple zones containing millions of DNS records across many DNS providers. However, this increases the complexity for client applications, the operations teams, and even the DNS admin managing DNS records. The client applications would need to know which provider hosts which zone and make API calls for DNS CRUD to the specific provider. When we add new zones and migrate zones between DNS providers, things get more complex.

To solve this problem, we built a highly available and scalable cloud-based microservice named Athena that hides all the complexity from the end-users. Athena acts as the single Rest API endpoint in front of all the DNS providers. The end-users send all DNS CRUD requests to Athena without needing to know which providers host the zones. Upon receiving a request, Athena automatically figures out the provider for the zone, converts the request to the right format based on the provider's Rest API specifications, sends the request to the provider, and converts the return message to a standard response for the end-user.

In this presentation, we will talk about the architecture of Athena, availability, scalability, zone-vendor mappings management, account management, development/release pipeline, monitoring, and more.

Speaker: Han Zhang (Salesforce)

How an Enterprise Manages Very Large Number of Records.pdf

14:40 Coffee Break (35 mins)

OARC 38 Day 1: Session 4 - Part 1

13 Performance effects of DNSSEC validation on a busy resolver

Traditionally DNSSEC how-tos start with a variation of:

Be prepared for higher resource consumption when you enable DNSSEC validation.

Is that still true in 2022? According to our measurements - not really.

In this talk, we compare answer latency, resolver CPU usage, memory consumption, and network bandwidth between validating and non-validating configurations of a busy ISP resolver running BIND.

Speaker: Petr Špaček (Internet Systems Consortium (ISC))

pspacek-performance-effects-of-dnssec-validation.pdf

video recording Video recording Video recording (YouTube)

14 Round Trip Times Between Resolvers and a Root Server

One of the stated goals of people asking for root server instances to be added near their resolvers is to get better round trip times. These requests are made without knowing any specific metric of what a good round trip time is, or knowing what round trip times typical resolvers are currently seeing. The research in this presentation focuses on the second question.

Many root server operators can easily determine typical round trip times by sampling the addresses in the traffic stream to their anycast instances and sending pings from the instances to the querying addresses. The ICANN Managed Root Server (commonly also known as L-root) is not able to do this due to contractual agreements that prevent originating traffic measurement queries from their instances. However, this restriction does not completely prevent such measurements because the servers collect IP TTL values for incoming queries.

This research shows how, using probing from RIPE Atlas systems, the IP TTL values seen can be converted to approximate round trip times and aggregated across instances. The research results estimate the median and 90th percentile measurements for round trip times for current resolvers.

Speaker: Paul Hoffman (ICANN)

RTTs to IMRS lightning.pdf

15:55 Break (10 mins)

OARC 38 Day 1: Session 4 - Part 2

15 ZONEMD and the Root Zone

Last year the IETF published RFC 8976, titled "Message Digest for DNS Zones." It describes a protocol and new DNS record that provides a cryptographic message digest over DNS zone data. When used in combination with DNSSEC, it allows recipients to verify zone data for integrity and origin authenticity, providing assurance that received zone data matches published data, regardless of how it was transmitted and received.

This presentation provides an introduction to the zone digest protocol, its record format, parameters, and use cases. It also covers known implementations of the protocol and provides some benchmark measurements for zones of varying size. Lastly, it introduces plans to deploy the ZONEMD protocol in the root zone.

Speaker: Duane Wessels (Verisign)

zonemd.pdf

16 Are we ready for nsec3-guidance?

• nsec3-guidance is going to be a BCP RFC soon
• nsec3-guidance affects both zone publishers (authoritative DNS side) and DNSSEC validator operators (full resolver side), but timing of when they will follow nsec3-guidance may differ
• Due to the timing difference, possibility of name resolution failure of TLDs (large outages) is highly concerned
• Explain possibility of the large outages at TLDs and propose some mitigations
• Aiming smooth deployment of nsec3-guidance

Speaker: Mr Yoshiro YONEYA (JPRS)

20220730-Are-we-ready-for-nsec3-guidance-01.pdf

17 TLS at a Root Experiment

Speaker: Wes Hardaker (USC/ISI)

google-tls-abbrev.pdf

18 OARC 38 Day 1- Wrap up

18:00 Social Event (off-site)

Details emailed to registered attendees

Sunday, 31 July

09:30 In-person attendees registration

OARC 38 Day 2: Session 1

19 The Resolvers We Use

The presentation looks at the various ways to measure the connection between recursive resolvers and end usewrs and the meanings associated with each measurement approaches.

Speaker: Mr Geoff Huston (APNIC)

2022-07-30-oarc38-resolvers.pdf

20 Bizarre and Unusual Uses of DNS

Subtitle: Rule 53: If you can think of it, someone's done it in the DNS.

DNS has been used -- and misused -- in more ways than you might think possible. Peter talks through a collection of some of the more interesting things people have done with it.

Speaker: Peter Lowe (DNSFilter)

Rule 53 - Bizarre And Unusual Uses of DNS.pdf

10:50 Coffee Break (30 mins)

OARC 38 Day 2: Session 2

21 Open-source DNS Vendors Panel

ISC
NSD
PowerDNS
KnotDNS
Q/A All panel

Speakers: Benno Overeinder (NLnet Labs), John Todd, Libor Peltan (CZ.NIC), Peter van Dijk (PowerDNS), victoria risk (isc), Čunát Vladimir (NIC.cz)

DNS-OARC38-vendorpanel.pdf

12:35 Lunch Break (90 mins)

OARC 38 Day 2: Session 3

22 Zero-Knowledge Middleboxes

This talk will discuss a novel application of cryptography, the zero-knowledge middlebox. There is an inherent tension between ubiquitous encryption of network traffic and the ability of middleboxes to enforce network usage restrictions. An emerging battleground that epitomizes this tension is DNS filtering. Encrypted DNS (DNS-over-HTTPS and DNS-over-TLS) was recently rolled out by default in Firefox, with Google, Cloudflare, Quad9 and others running encrypted DNS resolvers. This is a major privacy win, protecting users from local network administrators observing which domains they are communicating with. However, administrators have traditionally filtered DNS to enforce network usage policies (e.g. blocking access to adult websites). Such filtering is legally required in many networks, such as US schools up to grade 12. As a result, Mozilla was forced to compromise, building a special flag for local administrators to instruct Firefox not to use Encrypted DNS.

This example points to an open question of general importance, namely: can we resolve such tensions, enabling network policy enforcement while giving users the maximum possible privacy? We propose using zero-knowledge proofs for clients to prove to middleboxes that their encrypted traffic is policy-compliant, without revealing any other additional information. Critically, such zero-knowledge middleboxes don’t require trusted hardware or any modifications to existing TLS servers. We implemented a prototype of our protocol, which can prove statements about an encrypted TLS 1.3 connection such as “the domain being queried in this encrypted DNS packet is not a member of the specified blocklist.” With current tools, our prototype adds around fifteen seconds of latency to opening a new TLS 1.3 connection, and at least three seconds to produce one proof of policy-compliance. While this is too slow for use with interactive web-browsing, it is close enough that we consider it a tantalizing target for future optimization.

This talk will cover the tension between encryption and policy-enforcing middleboxes, including recent developments in Encrypted DNS and the necessity of DNS filtering. It will then present and argue for the new zero-knowledge middlebox paradigm. Finally, the talk will describe our prototype implementation as well as future avenues for improvement, such as ways to reduce latency overheads.

Speaker: Paul Grubbs (University of Michigan)

zkmb_talk_dnsoarc_07312022.pdf

23 On the edge of small data

At OARC 33, pktvisor (https://pktvisor.dev) was presented as a free and open source traffic analyzer that summarizes critical information from DNS edge networks in real time, making the resulting lightweight telemetry available locally on node and easily collectable into a central database for dashboarding and alerting.

Since then we’ve introduced Orb (https://getorb.io), a free and open source dynamic edge observability platform which builds on our earlier work. Orb acts as a control tower for a distributed fleet of pktvisor agents, combining dynamic orchestration of analysis policies with data collection and sinking functionality, accessible via web UI and REST API.

The agent can now analyze packet capture, dnstap, flow and other inputs, combining deep traffic analysis with data sketch algorithms to efficiently extract counts, top-k heavy hitters, set cardinality, quantiles and other key information from data streams directly on the edge. The result is lightweight time series metrics that plug into modern observability stacks.

Together the goal of Orb and pktvisor is to deliver immediately actionable insights local to the traffic source and simultaneously collected and integrated into global result sets.

This talk will introduce and advocate for the powerful “small data” use case, discuss the goals and status of the projects, and look to the future as they extend beyond traffic analysis and into general network debugging and analytics embedded at the edge.

Speaker: Shannon Weyrick (NS1)

On The Edge Of Small Data (OARC).pdf

14:55 Coffee Break (30 mins)

OARC 38 Day 2: Session 4

24 DNS Talk Series - DANE

DNS-based Authentication of Named Entities (DANE) is a framework
for application security using DNSSEC. It uses signed DNS records
to securely associate domain names with cryptographic keying
material such as public keys and X.509 certificates. This tutorial
will give an overview of DANE, and current and potential applications
of it. It will go into details of the DANE protocol, DANE (and DANE
like records) such as TLSA, SMIMEA, OPENPGPKEY, etc.

Speakers: Shumon Huque (Salesforce), Viktor Dukhovni

dane-overview-shumon.pdf

25 OARC 38 Wrap up

Speaker: Keith Mitchell (DNS-OARC)