DNS Working Group Minutes - RIPE 83

Date: 25 November 2021 16:00 - 17:00 (UTC+1)
WG Co-Chairs: João Damas; Shane Kerr; David Knight
Scribe: Boris Duval
Status: Draft

A. Welcome and Agenda Bashing

Presentation available at:
https://ripe83.ripe.net/archives/video/706

João presented the session’s agenda and handed over the chairing to Dave for his last DNS session has co-chair.

B. DNS Working Group Co-Chair Selection

Dave was thanked by his co-chairs and the community for his work as co-chair. João Damas and Shane Kerr announced that Moritz Müller will replace Dave as the third co-chair of the working group.

C. PROXYv2 in DNS

Peter van Dijk and Pieter Lexis, PowerDNS

Presentation available at:
https://ripe83.ripe.net/archives/video/709

Pieter Lexis, PowerDNS, presented on the PROXY v2 protocol, a binary protocol that prefixes proxied data. 

Brett Carr, Nominet, asked if there were plans to move towards UDP.

Pieter said that the PROXY protocol is specifically adapted to TCP as you put it in front of the packet and use the same proxy information in the backend. Regarding UDP, Pieter said that they prefix every query they send out but it’s not a use case for many big Load Balancers vendors. He added that it might become interesting when QUIC becomes a thing.

Brett asked if they had plans to standardise this protocol in IETF.

Pieter replied that there were no current plans to standardise it because the document already exists (from the HA proxy project) that has been implemented in many other types of software.

Benno Overeinder, NLnet Labs, mentioned that you could add Unbound to the list of software products that will be roadmapping PROXY from next year.

Dirk Meyer asked if Pieter was seeing any impact by MTU.

Pieter said that they didn’t thoroughly test this. He added that if you look at the protocol description the header is quite small and the idea is to use it between a proxy and a backend which usually lives within the same network. He concluded that the MTU shouldn’t be a big issue and added that DNS queries are tiny which helps.

D. Measuring RSA 4096 validation

Geoff Huston and Joao Damas, APNIC

Presentation available at:
https://ripe83.ripe.net/archives/video/710

Geoff Huston, APNIC, presented measurements on RSA 4096 validation in light of quantum computing.

Jim Reid asked where the trade was off between short keys that change frequently and longer (lived) keys.

Geoff replied that NIST is not evaluating these algorithms in the context of DNSSEC but in the context of “can someone in the future bust open this document you encrypted?”. He added that the future they look at is around 25 years. He explained that their advice about RSA 1024 was based on current technics for cracking a code within 20 years using anticipated brute force computing. He also pointed out that when you make this shorter, the situation changes. 

Andrew Campling, 419 Consulting Ltd, commented that no one really knows where the development for quantum computing is at. For instance, the Chinese government is unlikely to be public about their quantum computing progress if they plan to use it as a cyberweapon.

Geoff replied that if you encrypt a document it needs to be encrypted for the lifetime of the secrets it described. He added that when you use DNSSEC, you protect a response in the context of the parent key and validation. Once you roll the parent key, it doesn’t matter what happened to the old data as you can’t replay it. When you look at DNSSEC as the replay protection mechanism, all these windows that you refer to in cryptography don’t apply in the context of DNSSEC because they shut down. This why the considerations are different.

He also added that he didn’t agree that RSA 1024 is lousy to do things like DANE (as some have argued) as it’s all about the lifetime of the protection not the lifetime of the encrypted information.

E. Accessing the Public Suffix List as a Service

Peter Thomassen, Secure Systems Engineering

Presentation available at:
https://ripe83.ripe.net/archives/video/712

Peter Thomassen, Secure Systems Engineering, talked about the Public Suffix List (PSL). which informs about organisation and policy boundaries in the domain space and is maintained by the community (on GitHub). He asked the audience if there was any interest in making it a permanent service.

Geoff Huston, APNIC, asked what happened to the IETF DBOUND effort that was supposed to do this "in band" in the DNS.

Peter replied that he hasn’t heard of this initiative before but that he will look it up. 

G. RIPE NCC DNS Update

Anand Buddhdev, RIPE NCC

Presentation available at:
https://ripe83.ripe.net/archives/video/715

Anand Buddhdev, RIPE NCC, gave an update on DNS activities. This included the recent revamp of AuthDNS. Anand mentioned that it is now possible to apply for both K-root and AuthDNS. He also encouraged the community to host an instance of AuthDNS outside of Europe to improve the quality of the network.

Kurt Kayser, Kurt Kayser Konsultation, asked what helped the decision to place a node in Ponta Grossa.

Anand replied that the RIPE NCC accept applications from most places but is particularly keen on requests from places that are not well connected. In this case, the RIPE NCC noticed that adding a node in Ponta Grossa would benefit the area.

Peter Koch, DENIC eG, asked if the preference for non-EU for Hosted DNS was related to the NIS2 directive.

Anand replied that the only motivation was to get better coverage outside of Europe and that it wasn’t linked to the NIS2 directive.

Giovane Moura, SIDN Labs, commented that it would be nice to measure the impact of TTL changes in query volumes the RIPE NCC sees. Anand replied that his team will consider this feedback, try to measure the effect and report back if there are significant results.

F. BIND 9.16

Petr Špaček, ISC

Presentation available at:
https://ripe83.ripe.net/archives/video/716

Finally, Petr Špaček, ISC, gave an update on the BIND 9.16 resolver speedup.
Dave asked Petr if he had data for the number of queries per second.

Petr mentioned that he intentionally was not showing any numbers as the results will be different if one is using different datasets.

Libor Peltan, CZ.NIC, asked what was causing that some queries were answered in exactly 1.0 millisecond.

Petr replied that it was mostly due to cache hits and the precision of the measurement.

Gert Doering, representing himself, asked if it was possible to have a comparison across different resolvers for the next DNS WG meeting as much has happened in that field (knot, pdns_recursor, bind, unbound) since he saw the last comparisons.

Petr answered that if you look at his slides, there is a link to RIPE 79 slides to compare but it doesn’t compare exactly. He said that giving figures on this topic is tricky as different configurations will produce different results.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum