You're viewing an archived page. It is no longer being updated.
Wednesday, 17 October, 9:00-10:30
WG Co-Chairs: João Damas, Shane Kerr
Scribe: Alastair Strachan
Status: Final
The presentation is available at:
https://ripe77.ripe.net/presentations/4-ripe77-dnswg-agenda.pdf
The minutes of the previous session of the working group were declared final. David Knight was welcomed back as the new co-Chair of the DNS Working Group. There were no questions or comments.
The presentation is available at: https://ripe77.ripe.net/archives/video/2227/
There were no questions. Shane Kerr complimented the OARC meeting that had taken place earlier in the week.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2230/
João mentioned Edward referred to the KSK available to the given name server as configuration. He expressed his desire for people to think more about these as being the state of the server rather than the configuration.
Ondřej Caletka said he wants the configurations to be more dynamic.
Peter van Dijk, PowerDNS, suggested not treating the KSK state or configure but as a property of the software because patch cycles are always shorter than rolling cycles.
Edward mentioned that this was an interesting comment and explained that some people in their configuration files had hard-configured the option to not update the key and so on. They found people were updating their software but not updating the configure.
Mark Andrews, ISC, commented that the year's delay actually helped a lot in terms of all the Open Source vendors had several maintenance releases in that time and that really flushed out the old key.
Share Kerr asked if when IPv6 doesn’t work, it can just be turned off, has there been any tracking to see if people just turned off DNSSEC rather than updated etc.
Edward said it was hard to find that information out, they would love to be able to estimate that, but it is not that easy to monitor.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2233/
Shane Kerr asked if anyone is working on this project directly with reports of problem or if people are just fixing their own stuff with it?
Petr confirmed that it turned out that he was asked by a developer to send some domains to test and it turned out that half of them were already fixed, so naming and shaming really works.
Petr addedthat in all seriousness operators are not aware of the problem in a lot of cases and expressed the importance of contacting them with problems.
John Dickinson from Sinodun asked if anyone in the room was running a name server behind an SRX file from Juniper to make sure their DNS ALG is turned off, otherwise it does break. He also asked if anyone from Juniper was present, and invited them to talk to him.
An audience member then asked about software versions which are okay. Petr explained why they don't do that explicitly and the reason is that the DNS software is only part of the equation and that having a new enough version of the DNS software was not enough.
Mark Andrews, ISC, highlighted the fact that thesoftware for doing all these tests is available and any TLD operators should test all the delegations. Registrars should also test the servers that are being delegated to before they get delegated.
Shane asked Mark if the software is optimised to pull out individual IPs of name servers and test in that way? Mark confirmed that this is possible.
Matthijs Mekking, Oracle Dyn, mentioned the test mainly focuses on the path put in by one client and the authoritative name servers but doesn't tell you if all your clients can reach you, it only shows you one vantage point.
Petr replied only around 10% of clients worldwide are DNSSEC validating and they wouldn't be able to validate if it didn't work.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2234/
Benno Overeinder gave a brief update on Open DNSSEC development.
Niall O'Reilly asked to know perhaps in an offline follow‑up, whether Ondřej had isolated the cause of the problems he was having with S Q light.
Ondřej replied that this was question for NetLabs.
Tony Finch, University of Cambridge highlighted his contribution to the DNSSEC DNS tool for ISC dot.org for BIND. He thanked Ondrej for his presentation.
Ondřej thanked Tony for the tool as well as the NSF tool.
Matt Pounsett asked if anyone was big enough to be a reseller as there are a bunch of wholesalers that provide APIs for this sort of thing but the only registrar that he was aware of that provides it directly to registrants is Gandy.
John Dickenson asked if Ondrej had looked at the zone editing tools in Knot C.
Ondřej confirmed that he had looked into it but there is a legacy of zone comments. His primary goal was to not change zone files in any dynamic way and so used the most straightforward solution for himself.
Thursday, 18 October, 14:00-15:30
WG co-Chairs: Shane Kerr, Dave Knight, João Damas
Scribe: Ulka Athale
João Damas, DNS WG Co-Chair, informed the working group that the current working group chair selection process may be unfair, so the process will be modified so that there is an open period and once that is over, all candidates will be published at the same time
The presentation is available at:
https://ripe77.ripe.net/archives/video/2290/
Niall O’Reilly, Tolerant Networks, asked if there were any plans to clean up e164.arpa. Anand replied that while there are lame delegations in e164.arpa, there was no ongoing community discussion in relation to this, and so there were no plans at present to change anything.
Magnus Frühling, Freifunk Frankfurt, asked via chat why there was no Hardware Security Module (HSM) since the key can be extracted. Anand replied that he had spoken to the community about switching away from HSMs and using keys on discs as they provide good enough security for the type of zones the RIPE NCC is signing. He added that he is open to using HSMs.
João Damas pointed out that during the community discussion, the issue of protecting keys more than protecting data that are going to be signed cropped up. Anand replied that people who have access to editing the zone can do more damage than someone stealing a key.
Giovane Moura, SIDN, asked how the RIPE NCC plans to choose a site to run the 100 Gig, and that he has a tool for that. Anand replied that they didn’t have any concrete results yet and that his colleague Colin could also discuss this further.
Tony Finch, University of Cambridge added that he had started a discussion on the DNS mailing list about the CDS update and invited comments.
Tobias Gruber, LWLcom, asked about the HSM decision made by community responses and Anand replied that he had written a RIPE Labs article in relation to this, which was available to view.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2293/
João asked if this was a generic mapping of IP addresses that could be used as any sort of policy engine. Petr replied that you can write your own database with the desired mapping. Joao asked further about BIND, and Petr answered that whether Knot DNS or BIND should be used depended on the use case.
Warren Kumari, Google, asked why there was a difference between an unsigned zone and pre-signed zone in terms of performance, was it just bigger responses?
Petr replied that this is what he had measured and assumed that it is mainly the size of the responses.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2294/https://ripe77.ripe.net/archives/video/2296/
David Lawrence, Oracle Dyn, commented that the intention behind this is to cover DDoS attacks like the one that took down Dyn in October 2016. He pointed out that if you have a monitoring system that relies on a resolver beyond your control, you might not know if the data is stale and whether your testimony works as intended. He asked what the opinion was about running software that would not work as intended in the presence of stale data.
Tony Finch added that they have been working on a camel-sensitive simplification process of the protocol and that they were hoping to get an updated draft before the IETF submission deadline of that Monday, and that the currently published draft was not the one they were working on.
Warren asked the group if they found the discussion useful and the co-Chair João asked for a show of hands.
The presentation is available at:
https://ripe77.ripe.net/archives/video/2297/
Matthew Pounsett, DNS-OARC, asked if using more recursive data sets like the ones in OARC could be useful in answering questions of how recursive clients move traffic around.
Sara replied that they had considered converting it into data they would need out the other end, but she would continue the conversation beyond the working group.
David Lawrence, from Oracle Dyn, asked what plans they had of looking at the different platforms they were running on as TCP stat would make a big difference. He pointed out that there are simple client profiles at normal DNS clients and take a different profile, thus there are different implications for how you provision systems to withstand attacks.
Sara answered that this was one of the things they wanted to understand from the requirement gathering and that it was something they probably could not model with their current tools.
Phil Stanhope, Oracle, remarked that the drop off at 5k was probably related to TCP stack tuning, and that storms apply to TCP more than UDP in general. Secondly, they have a tool for distributed attacks, and that she should look at Grafana Labs.
Giovane offered support with data on traffic between recursives.
The video is available at:
https://ripe77.ripe.net/archives/video/2299/
Shane Kerr commented that he supported this effort and recommended a detailed analysis of security risk and profiles which could be done by the community in conjunction with the RIPE NCC staff and database teams as well.
Petr said Cz was already doing this and they scanned over the name space. If there was a new record they made a TCP connection to, the authoritative server to verify it was there and scanned over TCP repeats every day for one week.
The video is available at:
https://ripe77.ripe.net/archives/video/2300/
There were no questions. Jordi requested the group to reach out to him via email or meet him to share feedback.
The video is available at:
https://ripe77.ripe.net/archives/video/2301/
João asked if this would be configurable. Ondřejreplied that the software would be downloaded by default but there would be configuration options.
Petr recommended talking to other vendors. Benno suggested sending the confidence model to a trusted third party like the DNS org. Speaking as an operator, he felt that it would be better for them to have an idea of what is out there in the wild, even if it takes a long time to get all the data. They could also go a step further and notify operators in their log when they are significantly out of date or if they have known vulnerabilities.
Ondřej agreed and said that was why he first sends a version check and why they should upgrade and log in to the system.
Pieter Lexis, PowerDNS.com, said that they have this data point in both the recursive and authoritative server, but they are not analysing it. They use it to signal out of date information to the process itself. Critical updates are signalled loudly in the syslog.
With V DNS, they ask if they want their own subdomain, but they do this for their own packages and people on IRC mailing list are pleased to be notified about a critical software update.
The video is available at:
https://ripe77.ripe.net/archives/video/2302/
João concluded the session and hoped to see everyone on the mailing list and in Iceland.