DNS Working Group Minutes - RIPE 90
Date: Wednesday, 14 May, 09:00 - 10:30 (UTC+1)
Chairs: Doris Hauser, Moritz Müller, Willem Toorop
Scribe: Alun Davies
Status: Draft
Welcome and Announcement of the New Co-chair
Doris Hauser (nic.at)
The presentation is available at:
https://ripe90.ripe.net/archives/video/1606
Doris welcomed attendees to the DNS Working Group session and announced a BoF scheduled for the following day on developing Best Current Practices for DNS authoritative servers. Phil, incoming president of DNS-OARC, added that OARC is also pursuing work on DNS operational BCPs and invited community involvement.
Doris then announced her upcoming departure as WG co-chair and introduced her successor, Yevheniya Nosyk, who will formally join at the next RIPE Meeting. The group expressed appreciation for Doris’s contributions with applause and a small gift, after which the session moved on to the first presentation.
DNSSEC Post-Quantum Crypto Algorithms in BIND
Ondřej Surý (ISC)
The presentation is available at:
https://ripe90.ripe.net/archives/video/1608
Ondřej presented his ongoing research into post-quantum cryptographic algorithms and their suitability for DNSSEC. He explored a range of candidate algorithms beyond Falcon (already approved by NIST), including Hawk, SQIsign, MAYO, and Antrag. Ondřej highlighted trade-offs such as signature and key sizes, signing speeds, implementation maturity, and the challenges of integrating these algorithms into DNS resolver and signer infrastructure. He reported test results using real-world data, and demonstrated that some algorithms, while efficient in size, present unacceptable performance costs or stability issues.
Geoff Huston (APNIC) questioned the relevance of post-quantum cryptography to DNSSEC, arguing that DNS data does not require long-term secrecy and asking what justifies the urgency of deployment. Ondřej agreed, stating there is no immediate need for deployment and that the community should focus on continued research. He also suggested engaging with NIST to ensure DNS-specific requirements are considered in their post-quantum work.
Geoff followed up with a technical query about whether the test data Ondřej used included positive or negative DNS responses, as the size and performance implications differ greatly. Ondřej replied that this was addressed in his thesis and is an area of planned future research.
Ulrich Wisser (ICANN) complimented Ondřej on the great work and noted that, while deployment may not be urgent, DNS has a history of delayed cryptographic upgrades. Research and early preparation are therefore important. Ondřej agreed and clarified the distinction between research and deployment timelines, reiterating that he is focused on the former.
There were no further questions.
SPF, DKIM, DMARC within .FR: A Quick Look at Over 4 Million Domains
Marc van der Wal (Afnic)
The presentation is available at:
https://ripe90.ripe.net/archives/video/1610
Marc presented his two-year study into the adoption of email authentication mechanisms—SPF, DKIM, and DMARC—among domains under .FR. He reported rising adoption rates, particularly for SPF, and explored policy trends, configuration issues, and deployment behaviours. He shared examples of misconfigurations, such as multiple SPF records, oversized TXT responses, and machine-translated documentation errors. The talk concluded with a discussion on the risks posed by neglected parked domains being exploited for spoofing and phishing.
Ondřej Surý (ISC) asked whether the analysis included a classification of domains and whether this correlated with policy adoption. Marc replied that earlier attempts were made, but the classifier used proved unreliable. He left this analysis out of the most recent work but noted it could be a good topic for future exploration.
Greg Choules (ISC) commented on the lack of accessible best practices for domain operators, especially around SPF configuration. Marc agreed and noted he is compiling his own best practices.
Niall O’Reilly (RIPE) shared concerns from a small operator's perspective, emphasising the risks of making configuration mistakes that could impact other users, such as family members. Marc, who also maintains a personal mail server, agreed with this concern.
There were no further questions.
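The misconfiguration classes Marc listed (multiple SPF records, oversized TXT answers) are easy to check for offline once the TXT RRset is in hand. The following checker is an added example written for these minutes, not code from Marc's study or from Afnic; it also goes beyond the talk by applying the RFC 7208 limit of ten DNS-querying terms and flagging two weak-policy patterns. Every sample record in `SAMPLE_TXT` is constructed for illustration, and the response-size estimate is an approximation of the wire format, not a measurement.

```python
"""Offline checker for the SPF misconfiguration classes mentioned in the talk
(multiple SPF records, oversized TXT answers), extended with the RFC 7208
lookup limit and two weak-policy checks. Added example; every sample record
below is constructed for illustration, not taken from any real zone."""
import math

MAX_STRING = 255      # RFC 1035 <character-string> limit per TXT string
CLASSIC_UDP = 512     # DNS/UDP payload limit without EDNS (RFC 1035)
LOOKUP_LIMIT = 10     # RFC 7208 section 4.6.4: max DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zones: owner name -> TXT strings a resolver would return.
SAMPLE_TXT = {
    "ok.example": ["v=spf1 mx include:_spf.example.net -all"],
    "double.example": ["v=spf1 ip4:192.0.2.0/24 -all",
                       "v=spf1 include:_spf.example.net ~all"],
    "long.example": ["v=spf1 " + " ".join(f"ip4:198.51.100.{i}" for i in range(40)) + " -all"],
    "lookups.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"],
    "weak.example": ["v=spf1 ptr +all"],
}


def spf_records(txt_records):
    """Pick the TXT strings that are SPF records (RFC 7208 section 4.5: a
    case-insensitive 'v=spf1' followed by a space or end of string)."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def parse_terms(record):
    """Yield (qualifier, name, argument) for each term after the version tag."""
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism arguments follow ':' or '/', modifier arguments follow '='
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        yield qualifier, name, term[len(name):]


def estimated_response_size(owner, txt_records):
    """Rough wire size of a TXT answer over UDP: header, question, then one RR
    per record with a compressed owner name and 255-octet string splitting."""
    size = 12 + (len(owner) + 2) + 4
    for r in txt_records:
        raw = r.encode("utf-8")
        strings = max(1, math.ceil(len(raw) / MAX_STRING))
        size += 2 + 10 + len(raw) + strings
    return size


def check_domain(owner, txt_records):
    """Return a list of finding codes for the TXT RRset of one domain."""
    findings = []
    spf = spf_records(txt_records)
    if not spf:
        return ["NO_SPF"]
    if len(spf) > 1:
        findings.append("MULTIPLE_SPF")            # permerror at every receiver
    for record in spf:
        if len(record.encode("utf-8")) > MAX_STRING:
            findings.append("STRING_OVER_255")     # must be split into several strings
        terms = list(parse_terms(record))
        if sum(name in LOOKUP_TERMS for _, name, _ in terms) > LOOKUP_LIMIT:
            findings.append("TOO_MANY_LOOKUPS")    # permerror, RFC 7208 section 4.6.4
        if any(name == "ptr" for _, name, _ in terms):
            findings.append("PTR_MECHANISM")       # RFC 7208: SHOULD NOT be used
        if any(name == "all" and q in "+?" for q, name, _ in terms):
            findings.append("PERMISSIVE_ALL")      # policy authorises any sender
    if estimated_response_size(owner, txt_records) > CLASSIC_UDP:
        findings.append("RESPONSE_OVER_512")       # truncation risk for non-EDNS clients
    return findings


if __name__ == "__main__":
    for owner, records in SAMPLE_TXT.items():
        print(f"{owner}: {check_domain(owner, records) or 'no findings'}")
```

The checker deliberately reads TXT strings rather than querying DNS, so it can be pointed at a zone export or a scan dump such as the one the talk was based on; feeding it live answers only requires collecting the TXT RRset per owner first.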
Best Current Operating Practices for DNS Filtering
Asbjørn Sloth Tønnesen (Fiberby)
The presentation is available at:
https://ripe90.ripe.net/archives/video/1612
Asbjørn Sloth Tønnesen spoke about the technical and regulatory landscape of DNS filtering in Europe. He covered reasons for filtering, such as legal requirements (e.g., EU sanctions), parental control, and security filters. He explained how traditional approaches like NXDOMAIN responses and HTTP block pages are increasingly ineffective due to HTTPS and modern browser behaviours. Asbjørn introduced the use of Extended DNS Error (EDE) codes as a potential solution for providing meaningful filtering feedback to users, but noted limited support across DNS software. He presented data from RIPE Atlas showing inconsistent filtering practices across the EU and concluded by calling for greater standardization in how DNS filtering is implemented and communicated.
Éric Vyncke (Cisco) clarified that the structured DNS errors draft discussed is still in IETF last call and lacks consensus. Asbjørn acknowledged he was unfamiliar with the latest procedural status. Matthijs Mekking (ISC) pointed out that BIND now supports EDE codes, though not with customisable text. Asbjørn confirmed this brings it in line with other implementations like Unbound and DNSdist.
Warren Kumari (Google) warned against block pages, stating they condition users to ignore HTTPS warnings, which undermines security. Asbjørn agreed and shared an example from Denmark, where block page instructions are distributed as PDFs without HTML content.
Jim Reid (freelance consultant) suggested cataloguing details of implementations that are not capturing error codes. Asbjørn said this might be feasible through a RIPE Labs article. Lutz Donnerhacke (IKS Service GmbH) noted that the RIPE Atlas dataset may skew toward enterprise networks, possibly underrepresenting consumer-level DNS behaviours. Asbjørn acknowledged this limitation.
Moritz Müller (SIDN) mentioned a study he and his colleagues have produced on blocking by Russian ISPs, noting that there are different definitions of what blocking is, what domain to block, etc. National and ISP-level variations across the EU create a confusing and inconsistent landscape. Asbjørn shared that this issue has also drawn public scrutiny in Denmark due to mismatched government and ISP block lists.
There were no further questions.
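To make concrete what the EDE proposal and the BIND remark above refer to, here is an added example (written for these minutes, not code from the talk, from BIND, Unbound or DNSdist) that builds a minimal NXDOMAIN response carrying an Extended DNS Error option (RFC 8914) for a filtered name and parses the option back out on the client side. The EXTRA-TEXT field is where a resolver would put the customisable explanation that Matthijs noted BIND does not yet expose; the query name, transaction id and explanatory text are constructed values.

```python
"""Extended DNS Errors (RFC 8914) on a filtered answer: building the OPT RR
that carries an EDE option and parsing it back out of a response. Added
example using only the standard library; the message bytes are constructed
here, not captured from any resolver."""
import struct

EDE_OPTION_CODE = 15            # EDNS option code for Extended DNS Error
# Info-codes from RFC 8914 section 4 that are relevant to filtering
EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED, EDE_PROHIBITED = 15, 16, 17, 18
EDE_NAMES = {EDE_BLOCKED: "Blocked", EDE_CENSORED: "Censored",
             EDE_FILTERED: "Filtered", EDE_PROHIBITED: "Prohibited"}
RCODE_NXDOMAIN = 3
TYPE_OPT = 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ede_option(info_code, extra_text=""):
    """One EDNS option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT (UTF-8)."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def opt_rr(options, udp_size=1232):
    """OPT pseudo-RR (RFC 6891): root owner, type 41, CLASS = UDP payload size,
    TTL = extended RCODE/version/flags (all zero here), then the options."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(options)) + options


def nxdomain_response(txid, qname, qtype, ede=None):
    """Minimal NXDOMAIN answer; with ede=(info_code, text) an OPT RR carrying
    the EDE option is appended in the additional section."""
    flags = 0x8180 | RCODE_NXDOMAIN          # QR=1, RD=1, RA=1, RCODE=NXDOMAIN
    arcount = 1 if ede else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if ede:
        info_code, extra_text = ede
        msg += opt_rr(ede_option(info_code, extra_text))
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_ede(msg):
    """Return (rcode, [(info_code, extra_text), ...]) for a response; the list
    is empty when the response carries no EDE option."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                      # question: name, QTYPE, QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):                 # answer and authority RRs: skip
        off = skip_name(msg, off)
        rdlen = struct.unpack_from("!HHIH", msg, off)[3]
        off += 10 + rdlen
    found = []
    for _ in range(ar):                      # additional RRs: look for OPT
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        end = off + rdlen
        if rtype == TYPE_OPT:
            while off + 4 <= end:
                ocode, olen = struct.unpack_from("!HH", msg, off)
                off += 4
                if ocode == EDE_OPTION_CODE and olen >= 2:
                    info = struct.unpack_from("!H", msg, off)[0]
                    text = msg[off + 2:off + olen].decode("utf-8", "replace")
                    found.append((info, text))
                off += olen
        off = end
    return flags & 0x000F, found


if __name__ == "__main__":
    reply = nxdomain_response(0x1234, "blocked.example", 1,
                              (EDE_FILTERED, "policy: https://example.net/why"))
    rcode, errors = extract_ede(reply)
    for code, text in errors:
        print(f"rcode={rcode} EDE {code} ({EDE_NAMES.get(code, '?')}): {text}")
```

A client that understands EDE can distinguish a name that does not exist from one the resolver chose not to resolve, which is exactly the feedback an NXDOMAIN or a block page cannot give once the browser refuses to render it; a resolver that omits the option, as in the second case the test covers, leaves the client with the bare RCODE.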
Updates from the 2025 DNS Hackathon
Denesh Bhabuta
The presentation is available at:
https://ripe90.ripe.net/archives/video/1613
Denesh Bhabuta provided an update on the DNS Hackathon held in Stockholm in March 2024, hosted by Netnod. He described the collaborative, non-competitive nature of Hackathons and highlighted the workflow from idea pitching to team formation and project development. Seven projects were developed during the event, including canned DNS servers, DNS visualisation tools, IoT behaviour profiling, and drafts for IETF submission. Denesh emphasised that these projects continue post-event and encouraged participants to get involved. He concluded with acknowledgements and a call for future contributions.
Alex Semneyaka (RIPE NCC) read out a question from remote attendee Riyadh Zehrah (TeleYemen) who asked whether future Hackathons would support remote participation. Denesh responded that this event did not offer a remote option due to timing and resource constraints, but future Hackathons may consider it.
There were no further questions.
DNS Update from the RIPE NCC
Anand Buddhdev (RIPE NCC)
The presentation is available at:
https://ripe90.ripe.net/archives/video/1615
Anand Buddhdev gave an update on the RIPE NCC’s DNS operations. He reported four new Anycast locations for the NCC's authoritative DNS service and invited participants to consider hosting additional instances. He discussed the recent retirement of ns.ripe.net, including the communication process and database cleanup efforts. Anand outlined the renumbering of IPv6 space for the authoritative DNS cloud to ensure greater routing flexibility using covering prefixes. He also described updates to monitoring systems, with a move toward Prometheus and Grafana, and shared plans to replace aging DNSSEC signers with new hardware while maintaining existing operational models.
There were no questions.
Doris Hauser closed the session by thanking all speakers and attendees for their participation.