RIPE Meeting: 54
Working Group: DNS
Status: Final
Revision Number: 1

DNS Working Group

Session 1. (10 May 2007)
Session 2. (10 May 2007)

Session 1

Date: Thursday, 10 May 2007
Time: 11:00 - 12:30 (UTC +0300)
Chair: Jim Reid
Minutes: Adrian Bedford
J-Scribe: Rumy Kanis

A. Administrative Matters

There were small changes to the agenda, Mats is unable to attend and so Eva Ornberg will present in his place.

B. Review of Action Items

48.1: TLD Support for Lameness at the Source.

Some progress has been made. Peter updated the Internet Draft in February; he also started a survey within CENTR and received good feedback. He has yet to write this up. He asked if the working group wanted Peter to continue working on this. There was no response. Marcos Sanz from DENIC asked Peter if he had tried approaching reverse mapping registries. Peter replied that he had not yet done such a survey. He asked if anyone in the room wanted to comment. Again there was no response. Peter agreed to add this to the write-up, however otherwise once this was completed, there seemed to be no further interest in the action point and it was closed.

48.2 Authenticate XFR into ns*

This was an action on Mans Nilsson. It has been overtaken by events and Mans suggested that the item be closed. There is a general sense that these things are being negotiated and more distributed than would be well served by a central nameserver. Distributed policy has made this less worthy.

49.1 Requirements for a Successor Hostcount

We expect to hear more on this from the RIPE NCC. New prototypes of the software will soon go to BETA testers. From point of view of the working group, this can be marked as done. The new version of Hostcount is due to be rolled out. The working group thanked the RIPE NCC for their work.

49.2 DNS Server Migration

Jim Reid apologised that he has yet to make any major progress on this action point. He hopes to have it ready for RIPE 55. There is also work to be scheduled in the IETF DNSOP WG to look at long versus short TTLs on NS-RRs.

51.4 RIPE 203 Update

There has been no progress, it will remain open.

52.1 DNSSEC Resource Consumption

Brett will present on this today. Tentatively this can be marked as done.

52.3 Lame Delegations to

Again Brett will report on this today and the item can most likely be marked as done.

52.5 Lameness Checks in

This action item was taken on by the DNS Quality Task Force - set up at RIPE 53 between the ENUM and DNS Working Groups. The main focus for the work lies with the ENUM Working Group. It can be marked as done from the perspective of this working group. Jim added that when the ENUM Working Group completes their work, they would be invited to present to the DNS Working Group.

C. IETF WG News Update
Antoin Verschuren, SIDN

There were no questions

D. NCC Update
Brett Carr

Niall O’Reilly asked if the level of ‘notify noise’ could be configurable by users who carry slave zones. Brett said this was being investigated.

Jim Reid suggested that following this report, both action points on the RIPE NCC be marked as done. Olaf Kolkman asked if there could be occasional reporting from the RIPE NCC on DNSSEC deployment at future meetings. Jim agreed that this should be added to regular reporting on DNS services from the RIPE NCC. Jim also suggested that there be a new action point (54.1) assigned to the RIPE NCC to generate feedback an a report through the mailing list on whether to require the use of as a secondary zone in reverse delegations and services for both IPv4 and IPv6.

E. Proposal on rev-srv
Peter Koch, DENIC

Gert Doering noted he was surprised to see this attribute was still active, he thought it had been deprecated five years ago. He agreed this should be killed off without delay. Daniel Karrenberg, speaking as one of those who invented the attribute agreed. This generated an action point on Peter (54.2). This will be taken to the Database Working Group tomorrow, Peter is hopeful that this might lead to quick action.

F. Finding a DNSSEC Trust Anchor
Eva Ornberg, TeliaSonera

There was a lengthy discussion following this presentation. The two core issues debated were whether having the RIPE NCC take on such a task would damage efforts to have the root signed. There was also a worry about whether taking on this role would be an appropriate fit for the RIPE NCC core activities.

A number of people noted introducing such a scheme would not be a quick fix. They also advised caution in how such an activity is described for fear of stepping into areas that could have political ramifications. A major bone of contention was the mention of DLV. Eva stressed that this proposal was simply to create a central key repository.

There were suggestions that the working group should approach ICANN and put pressure on it to make good on earlier commitments towards signing the root zones.

There was also a worry about what might happen further down the line, in particular that going fully into this role might leave the RIPE NCC without a clear exit strategy should the membership later decide to stop providing the service.

Others pointed out that alternative solutions might come along and provide better answers. Some people asked if this proposal was to make available a centralised service that is not truly scalable or truly central and only serves part of the community. There was further discussion that clarified that the proposal is to use the RIPE NCC as a trusted body for the whole Internet community and not just for its service region.

Overall, there was support for the concept of a central registry, but concern was voiced about the mechanics, the time involved and the political implications.

Jim Reid asked for guidance from the group. There was a split suggesting no clear consensus about going ahead with the proposal as it now stands. The RIPE NCC, it was suggested, needed a mandate if it was to react quickly rather than wait for others to catch up. Delaying progress in the name of as yet unknown solutions might not be wise. There is, as yet, no ‘Plan B’. Rejecting this might be missing a chance to be at the fore-front of technology in Europe.

Jim asked that those who are for and against the proposal come up with concrete documents to bring to the Amsterdam meeting. He suggests that the group then could discuss the next steps.

Peter Koch argued that six months might be a long time to wait and instead proposed the immediate formation of a task force to look at the proposal and its wording, perhaps removing specific mention of DLV which seems to be a major stumbling block. Andrei Robachevsky of the RIPE NCC offered support for this and agreed that it would be better to get moving quickly and formulate a service outline to put forward during the RIPE NCC Services Working Group at RIPE 55.

The group considered Jim’s proposal to provide arguments for and against the proposal by RIPE 55 and Peter’s suggestion of forming a task force and agreed that on balance, the latter made a stronger case. It would allow the group to formulate something it could send to ICANN within the next month.

Those who volunteered to serve on the task force are:

Sam Weiler (from Jabber)
Roy Arends
Joao Damas
Daniel Karrenberg
Peter Koch
Jim Reid
Marcos Sanz
Mats Dufberg (by proxy)

It was suggested that rather than have the message come purely from the DNS Working Group, the proposed message be taken through to the plenary and thus have the message originate from the RIPE community as a whole. Those in the room felt it was important to prepare a statement at RIPE 54 which could then be sent to ICANN in good time for their meeting next month.

G. Discussion Time for EOF Items

There were no further questions

Session 2

Date: Thursday, 10 May 2007
Time: 16:00 – 17:00 (UTC +0300)
Chair: Peter Koch
Minutes: Adrian Bedford
J-Scribe: Robert Kisteleki

H. IDN Progress at ICANN
Leo Vegoda, ICANN

Leo was presenting on behalf of Tina Dam. Patrik Fältström has also worked on this project and so offered to provide answers to any questions on this. There were no questions during the session.

I. OARC News and DNS DDoS Follow-up
Keith Mitchell, OARC

Bill Manning observed that the statement about the sources for the DDoS attack coming from two economic regions may be true, but added that the attack appeared to be controlled from elsewhere. Keith noted that investigations into the attack were very much 'a work in progress'.

J.Traffic Analysis the .se Way Using DNS2DB
Niclas Rosell, NIC-SE

Jim Reid commented that while it is interesting to look at domain names, he also wondered if it might be worth looking into the nature of the queries, perhaps identifying those caused by poor caching for example. Jim noted that the analysis could potentially be extended to report poorly configured nameservers and resolvers. Niclas replied that this might be something to consider in the future. Jim also felt that the data being produced might prove attractive to law enforcement agencies. Niclas agreed that it could be.

K. Anycast Experiences in Japan
Shinta Sato, JPRS

Jim Reid asked if there were plans to look into negotiating further probes in Europe. Was Shinta looking for more hosts in Europe and this service region. Shinta did not wish to clash with DNSMON and would liaise with those behind this project.

Z. A.O.B./General Discussion

Wilfried Woeber spoke about how he ran into problems trying to upgrade the rDNS details for a legacy Class B block and tried to use the checking script provided. The RIPE NCC resolved the issue. Wilfried asked if anyone uses the scripts and had the same experience. Nobody appeared to have encountered this.

Bill Manning gave an update on CADR, a toolkit for managing DNSSEC delegations. He invited those present to give it a test drive. Comments, questions and concerns are most welcome.

Jim Reid returned to the topic of root signing discussed this morning. Several people have asked to visit the issue again. The task force volunteers have been named and the mailing list will be the best place to follow this issue and make contributions.

Jim presented a draft statement to send to ICANN outlining the consequences of the lack of progress towards the deployment of DNSSEC and how it is undermining the stability and security of the Internet.

The text is available at:

The finished statement will be presented at the plenary and then sent to ICANN.

Those present during the WG session unanimously supported the "sign the root" statement.