Remote Session - 18 November 2020

WG co-Chairs: Joao Damas, Shane Kerr, David Knight

On 18 November 2020 from 15:00 to 16:30 (UTC+2), the DNS Working Group held a remote session via Zoom.


1. How we made DNSSEC simple(r)
Brett Carr
Nominet


Steve Crocker thanked Brett and asked if he had thought about a potential nightmare scenario in which the government carried out a forceful takeover.

Brett Carr mentioned that as the UK is quite a stable state, it’s unlikely that this would happen. He added that it might be something to discuss with the UK government.

Dave Knight commented that Brett’s approach to DNSSEC is less complex and far more appropriate than what was in place before.

Brett agreed.

Joao Damas asked if Brett had considered how to protect the database itself.

Brett answered that they don’t put the same level of security into protecting the database and that it might be something to reconsider.

Erwin Lansing mentioned that he was using a similar set-up and that the biggest reason for that was to avoid complexity. He also mentioned that his organisation decided to protect the database first of all, then DNSSEC at a similar level.

There were no further questions.

2. Deploying Hyperlocal
Paul Muchene
ICANN


Shane Kerr asked the presenter if he was accounting for the latency between his host, dig @8.8.8.8, and dig @9.9.9.9 while comparing latencies between the local servers and the company resolvers.

Paul Muchene answered that dig @8.8.8.8 and dig @9.9.9.9 could potentially be implementing hyperlocal in cache.

Anand Buddhdev mentioned that the presenter was comparing the performance of NS queries for existent versus nonexistent domains. He added that NS records in a parent zone are delegation records (not signed) and that resolvers don’t ask for them directly unless a client asks for them. When a client asks for an NS record, a resolver can’t use the record from the delegation and has to query the child zone and the relevant keys to validate them. This adds to the latency as all of this is happening in the background. Anand pointed out that only looking at the response time in this case might be too simplistic.

Paul thanked Anand for his comment.

Robert Story talked about local root, which has a similar set-up and is run by ISI. He added that local root was also making sure that zone files were kept up to date by tracking the root and sending updates.

There were no further questions.
