Skip to main content

Remote Session - 24 March 2021

WG co-Chairs: Joao Damas, Shane Kerr, David Knight

On 24 March 2021 from 14:00 to 15:30 (UTC+1), the DNS Working Group held a remote session via Zoom.

Recording

1. A Balanced DNS Information Protection Strategy: Minimize at Root and TLD, Encrypt When Needed Elsewhere
Scott Hollenbeck and Burt Kaliski
Verisign

Slides

Edward Lewis commented that operators have to provide operational concerns about the global public Internet vs the protocol and that the protocol doesn’t understand the ideas that you have in SLDs or TLDs. He mentioned that this was concerning as you need to enforce these ideas in software for them to work. He added that it’s sometimes difficult to know when you’re dealing with these so-called SLDs and that a lot of gTLDs are flat (one level down). However, Edward mentioned that some of the ccTLDs go really deep in their layer hierarchy and that’s important to keep in mind when it comes to enforcing this strategy.

Steve Crocker pointed out that if we don’t know where the cut points are, it will still work but more queries than necessary will be needed. Also, he added that without minimisation there is an opportunity for servers to respond to more than one level at a time.

Scott replied that this might happen a little deeper in the hierarchy as it’s necessary to start experimenting at this level to see where the problems might be. He added that the TLD and Root levels should probably be the last levels to start experimenting.

Peter van Dijk asked a question on the aggregate interest of resolver’s clients. He mentioned that this assumes a certain scale of resolvers and that some people think that encryption will allow them to run a resolver at home again without exposing themselves more than by using plain text DNS. Peter felt that this angle was missing in Scott’s presentation. 

Scott answered that he was running his own recursive resolver and was part of the long tail of what Verisign sees in terms of DNS resolver users. He added that there is a really small pool of operators that is responsible for a lot of Verisign’s query traffic and that means that there is also a lot of other recursive resolvers that are sending a smaller percentage of traffic. He mentioned that it will potentially work a bit differently with those users, but that they also represent a different risk profile. Scott agreed with Peter that there is something else that need to be considered in this case.

Brett Carr agreed that the Root and TLD were the last places to experiment and that this should be done at lower levels first. He added that innovators in DNS are often at the root and TLD layers and that can be seen from DNSSEC. He also agreed that it was best to keep things simple but mentioned that when TLDs are served from the same infrastructure as lower levels (SLDs) having different behaviours with some resolvers doing minimization on one part and encryption on the other feels a bit messy and might increase fragility.

Finally, he pointed out that “encryption when needed” is a good concept but that people at the lower levels of the DNS probably don’t see when it’s needed as they didn’t see that DNSSEC was needed.

Scott added that minimization has no impact on the authoritative name server, but that it is potentially more complicated if you’re operating severs that are expected to deal with both minimized queries and encrypted traffic. Scott also agreed with Brett that if you force this top down in terms of innovation, it has a different rollout profile but it’s riskier.

Jim Reid pointed out that the community needs a much clearer understanding of how these technologies could impact the whole system (e.g. RPKI) and asked for a more holistic view to be considered.

There were no further questions.

2. Keeping up with the IETF DNSOP WG
Benno Overeinder
NLnet Labs

Slides

There were no questions.