On 24 February 2021 from 15:00 to 16:30 (UTC+1), the DNS Working Group held a remote session via Zoom.
1. Implementing RFC 7344
Ondřej Caletka
RIPE NCC
Peter Koch asked Ondrej if the RIPE NCC considered offering an opt-in or opt-out for objects in the database in addition to the CDS record.
Ondrej replied that they never considered that before. He added that the presence of a CDS record is a sort of an opt-in and that the RIPE NCC decided to go with secure delegation updates rather than bootstrapping from insecure to secure.
Peter asked if the RIPE NCC was still performing pre-delegations checks in the Reverse DNS and if a CDS would trigger a name service check.
Ondrej replied that these checks are still in place when you submit objects but are skipped when the “RIPE NCC superpowers” are used. Anand Buddhdev (RIPE NCC) confirmed what Ondrej said: the RIPE NCC only check if the DNSSEC chain is still intact but don’t check, for example, whether the name servers are responding over TCP.
There were no further questions.
2. Trends in the DNS resolver market
Roxane Radu
University of Oxford
Michael Hausding
Internet Society (Switzerland chapter)
Michael Hausding asked the community if RIPE Atlas was a good tool for long term measurement of recursive resolver trends.
Joao Damas mentioned that RIPE Atlas will most likely not be the best tool for this type of measurement as people hosting probes are tech-savvy, so the results will be biased. Joao added that the Google Ads network might be better suited for this kind of measurements.
Shane Kerr pointed out that if the goal was only to look at trends, RIPE Atlas could probably be used.
Michael Hausding mentioned that other measurements are also biased, and that the most important criteria is to look at a user group over a long time.
Joao mentioned that ISPs in developing countries are switching their DNS system to Google Public DNS rather than maintaining their own DNS. He added that he could also see local offices delegating their DNS to Google because they observed a drop in traffic over the weekend.
Michael agreed and added that they could also see similar trends via the type of equipment used and via the state of the DNS after outages.
Michael asked another question about alternative methods to monitor recursive resolver trends and increase transparency.
Shane mentioned that one possibility would be to look at network traffic (in a privacy protected way). More specifically, at the number of packets going to a public resolver.
Willem Toorop mentioned that he has a project running together with Jerry Lundström on resolvers that are used by RIPE Atlas probes. The results are collected on this webpage. He mentioned that they could observe different trends across resolvers.
Moritz Müller mentioned that they also ran their own measurements at SIDN and shared a link to their research.
Benno Overeinder added that on the transparency front, there is an RFC document (RFC 8932: Recommendations for DNS Privacy Service Operators) that might help. Operators are asked to implement this RFC to be more transparent with their data.
Shane asked Michael about Quad9, a public DNS resolver, and their recent move to Switzerland.
Michael replied that he was involved in the move as SWITCH is a Quad9 sponsor. He added that he will ask the Quad9 team if there are interested to present in front of the working group.
There were no further questions.