RIPE 74 DNS Working Group Minutes

Thursday, May 11 2017, 14:00 - 15:30
WG Co-Chairs: Shane Kerr, David Knight, Jaap Akkerhuis
Scribe: Massimiliano Stucchi
Status: Draft

A. Administriva [5 minutes]

There was nothing to add to the agenda and no comments from the room on the draft minutes from RIPE 73. Minutes are considered approved.

B. Review of Outstanding DNS WG Actions [5 minutes]

Only two items were found as “ongoing”:

“51.4 Peter Koch - Draft text and initiate discussion on the mailing list towards an update of RIPE 203 along the lines of the presentation brought to the WG.”

Peter was not in the room at the moment this was discussed. Shane said they discussed the item and Peter will talk to Carsten Strotman in order for something to be done before the next RIPE Meeting.

“57.1 RIPE NCC (Anand) - Consider the pros and cons of submitting the Trust Anchors of zones signed by the RIPE NCC into ISC DLV.”

This item was considered overtaken by events. Anand went to the microphone and said that the RIPE NCC withdrew all the DLV anchors from the root zone, so this item can be considered closed.
There were no further questions nor discussions on the open action points.


C. RIPE NCC Presentation [30 minutes]
Anand Buddhdev

You can find the presentation at:
https://ripe74.ripe.net/presentations/138-RIPE74_AnandBuddhdev_DNS_Update_v2.pdf

Mohsen Souissi, AFNIC, thanked the RIPE NCC for the services offered. He commented that some of the measures that the RIPE NCC was taking in regards to protection from DDoS attacks - such as upgrading the core nodes to 10g - can be very helpful in fighting attacks, but are just a small step.

Lars-Johan Liman, Netnod, commented that Netnod had also issues contacting some of the operators of TLDs that were not responding to requests/emails, and asked about the next steps the RIPE NCC intended to take for this issue.

Romeo Zwart, RIPE NCC, added that the RIPE NCC does not have a plan on how to get in touch with them, nor what to do about the issues with the operators, so the RIPE NCC is likely to continue offer the service and will probably go back to the Working Group for guidance.

Shane Kerr asked when Zonemaster acts in checking the DNS zones of reverse zones.

Anand replied that it checks zones with every update to a domain object.

Niall O'Reilly, no affiliation, asked about scoping the checks from zonemaster, so that changing a minor attribute in a domain object would not trigger zonemaster checks.

Anand suggested to leave it as it is because changing it would require too much modification to the code.

There were no further questions.

D. A Software-Based Approach to Generate and Detect Flooding Attacks Against DNS Infrastructure [30 minutes]
Santiago Ruano Rincón


The presentation is available at:
https://ripe74.ripe.net/presentations/13-DNS-software-based-testbed-10GbE.pdf

Ondřej Surý, CZ.NIC, asked where the tool could be found, adding that that French regulation forbids it from being distributed so there's no public distribution at the moment even though it's supposed to be free software. He then asked about the packet loss happening in the tests, and where it happens.

Santiago explained that the packets were indeed received, but there's no explanation on how they got lost.

Ondřej offered to help in finding out the issues.

Pieter Lexis, PowerDNS, asked about the issue reported on PowerDNS and offered help in fixing them.

Shane asked about the origin of the Intel specific hardware and framework, and where they were available.

There were no further questions.

E. RIPE NCC DNS Hackathon Report [20 minutes]
Vesna Manojlovic


The presentation is available at:
https://ripe74.ripe.net/presentations/145-report-from-DNS-Measurements-hackathon-DNS-WG-RIPE74-v2.key

Shane Kerr asked if there was going to be another DNS-focused hackathon in the future. Vesna replied that there could be one in the future, but with a slightly different theme. She added that the RIPE NCC is open to suggestions on the upcoming hackathons.

Jim Reid commented about the positiveness of the hackathon and acknowledged the support from the RIPE NCC in organising, running and counselling the projects.

Vesna added that the RIPE NCC plans to keep an ongoing cooperation and funding for such events.

No further questions were asked.

—— Break ——

F. DNS Privacy Enhanced Services [30 minutes]
Benno Overeinder


The presentation is available at:
https://ripe74.ripe.net/presentations/149-RIPE-74-DNS-Privacy.pdf

Philip Homburg (no affiliation) asked about the correlation between setting up privacy DNS and the setup of TLS connections then “leaking” the information about the lookup that was just encrypted.

Benno answered that he has no idea.

Ondřej Surý asked about integration of DNS Privacy in DNSSEC Trigger. Benno explained what DNSSEC Trigger does and said that work is in progress to replace DNSSEC Trigger with Stubby.

Jaap Akkerhuis added that Paul Wouters is also helping on making DNSSEC default and setting up the required infrastructure at RedHat.

There were no more questions.

G. DNS Violations [30 minutes]
Ondřej Surý


The presentation is available at:
https://ripe74.ripe.net/presentations/139-The-DNS-Violations-Project-1.pdf

Jelte Jansen, SIDN, asked if what was observed in the presentation comes from findings in the wild or if it just happens running authoritative servers software.

Ondřej replied that the findings were just “from the wild”.

Tamas Csillag, Morgan Stanley, asked if there were any test suites that could be used to gather similar data.

Ondřej answered that it's just dig, and that there are no specific tools they used.

Benno Overeinder, NLNETLabs, offered to help and coordinate with NIC.cz to write a RIPE Document about DNS findings for the operational community.

Peter Koch, DENIC, asked about the interaction with operators and/or vendors once they were notified about violations in their code or tools.

Ondřej answered that listing workarounds can be a way to acknowledge the problem and work on a longer term solution with a plan to fix the issue.

Peter also remarked that qname minimisation is just an experimental RFC, and breaking it shouldn't be considered an offence.

Anand Buddhev, RIPE NCC, asked about the tool used, dig, and suggested vendors put information about the workarounds used in their logs, so that looking for anomalies would be easier.

Ondřej thanked him for the suggestion, and explained that this would require a non-trivial amount of work.

Pieter Lexis, PowerDNS, commented that logging all the violations would make looking for them harder, as some of them are very common and would take up a lot of space in the logs.

Mohsen Souissi, AFNIC, commented that publishing violations could be considered name-and-shame, and suggested to publish only those where the actors are more responsive, so that help can be channelised.

There were no more questions.

H. Drool (DNS Replay Tool)
Jerry Lundström


The presentation is available at:
https://ripe74.ripe.net/presentations/79-RIPE74-DNSWG-drool.pdf

Philip Homburg, RIPE NCC, asked to add a note in the tool's documentation about how to better deploy it to reduce the damage to other parties. Sometimes users just replay all types of traffic, and could cause damage.

Shane Kerr, Oracle, asked about the behaviour of the tool, especially what happens if it's not able to replay the traffic at the same rate it was recorded.

Jerry replied that the tool issues warnings when this happens and that it does not buffer.

Dominic Marks, Oracle, asked if it's possible to integrate machine readable output in the tool.

Jerry answered it is.

There were no further questions.

I. dnsdist: Denial of Service Protection for DNS [10 minutes]
Pieter Lexis


The presentation is available at:
https://ripe74.ripe.net/presentations/122-PLexis-dnsdist-lightning.pdf

Shane asked about the details of using protobuf and do DNSTap.

Pieter replied that DNSTap is not implemented in the tool, but it's something very similar. Full DNSTap support is going to be implemented, but not yet.

Philip Stanhope, Oracle, said he was going to submit a patch to do full DNSTap. He asked about implementing destination filtering. Pieter mentioned it's already there, but not in the release version.

Magnus Sandberg, Netnod, asked a clarification about the name.

Pieter replied that the tool is an old one, but they changed the name and focus.

Shane Kerr asked if it was possible to do RRL with this tool. Pieter answered positively. RRL is low maintenance compared to other techniques, and Shane suggested to include information about it in the documentation.

Pieter answered that there's a plan for it for default configuration to be shipped.

Dmitry Kohmanyuk, Hostmaster Ltd, asked if there were any pointers about the scripting language included in the tool.

Pieter pointed out it's LUA.

Shane asked if a python tool was available.

Pieter replied that it is not.

Shane asked about RPZ support.

Pieter replied that there is no RPZ support, and there's no plan on implementing it.

Matthijs Mekking, Oracle, asked if DNSDist can be used in front of authoritative servers, and how this impacts performance.

Pieter answered that yes, it's possible, and it may make the answers faster. Some hosters already use it, so it should just work.

Mohsen Souissi, AFNIC, asked about hints on what to do to discriminate between legitimate and malicious traffic.

Pieter answered that every case is very specific and there's no unique or simple way to classify traffic. You can use inspection tools and machine learning to create hints.

There were no further questions.

Z. Any Other Business (AOB)


No AOB was mentioned.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum