On 27 May 2020 from 13:00 to 14:00 (UTC+2), the DNS Working Group held a remote session via Zoom.
Scribe: Boris Duval
Status: Draft
1. DNS and IPv6
Geoff Huston and João Damas
APNIC
Shane Kerr asked if moving from RSA signatures to Elliptic Curve Digital Signature Algorithm (ECDSA) will help the DNS community to buy some time to come up with a longer-term solution to process big packets.
Geoff Huston replied that as long as you don’t do key roll or pack multiple keys into the packet, ECDSA could be a viable solution. Also, he mentioned that ECDSA will not be compatible with quantum computing.
Peter van Dijk asked what buffer size was used by the resolvers that couldn’t handle large fragmented UPD.
Geoff Huston replied that they didn’t specify the buffer size when doing the test. He added that a lot of resolvers are trying to treat this problem by either not specifying buffer sizes or specify one that they can handle. He also mentioned that they observed a large number of resolvers advertising 4096 sizes. Those resolvers seemed to accept it but were doing recovery by running a second query with a smaller buffer size. Geoff suggested that they should have set the original buffer size at 2080 instead and directly truncate.
Shane Kerr mentioned that there was a DNS flag day coming up with a focus on buffer sizes.
Geoff Huston replied they had originally planned to present this research at this meeting but didn’t know if the meeting was still happening due to the situation around COVID-19.
There were no further questions.
2. Changes to .ORG Signing
Joe Abley and Suzanne Woolf
PIR
Geoff Huston asked if the marginal benefits from going from algorithm 7 to 9 were worth all of the implementation efforts and if they had considered directly going to algorithm 13 instead.
Joe Abley replied that, in normal circumstances, they will consider directly rolling out to 13, but they wanted to roll out algorithm 8 this year as it was more manageable, and also because it was good practice to move away from CHAR-1.
João Damas asked if PIR was still planning to move to NSEC.
Joe Abley replied that they will have to work out the details with their backend provider and that it was not planned for this year. However, he added that he was confident that they will eventually move to NSEC as it will be beneficial for them on a technical level.
Daniel Stirnimann asked if there was a study about how many resolvers support aggressive use of DNSSEC validated cache.
Joe Abley answered that he didn’t know any study tackling this topic but mentioned that this feature should normally be turned on by default on most resolvers.
Christian Petrasch asked if PIR planned to renew their signing hardware.
Joe replied that their current signing hardware was still good enough for their purposes but might need to be patched and upgraded. He added that the only problem with the current hardware is that it’s not optimised for algorithm 13 but was confident that it could potentially be fixed later with a firmware update.
Ulrich asked if there was any documentation available on how to move safely from NSEC 3 to NSEC.
Joe Abley replied that he and his team didn’t find any documentation on this topic. He added that they will probably try to minimize the risk of moving to NSEC by first trying it out with a smaller TLDs than .org as it will have a smaller impact if there was an issue.
Jarle Greipsland mentioned that the presenter talked about developing novel ways of handling KSKs without having a large number of people in the same room and was wondering what the alternatives were here and if new routines might also be applicable for the root zone management.
Joe Abley replied that PIR was in a different situation than the root zone as they are not managing a trust anchor. He added that they were following a DPS (DNSSEC Practice Statement) to make sure that everything was stable and secure for their purposes but that they don’t have the same kind of multi-party controls than the root zone.
Shane Kerr asked if there was any major modification to PIR’s DPS document planned.
Joe Abley mentioned that the current DPS published was applicable to all TLDs and that he will have to look into to it to see if some details would need to be updated.
Petr Spacek mentioned that as NSEC and NSEC 3 are self-contained there should be no risk.
Joe Abley answered that he was thinking the same but that things can always go wrong during the implementation phase.
Shane Kerr asked Joe Abley if he knew the portion of .org that was already DNSSEC signed.
Joe Abley replied that it was probably around 100,000 out of 10 million domains.
There were no further questions.