DNS Working Group Minutes - RIPE 78

Date: 23 May 2019, 16:00 – 17:30
WG co-Chairs: Joao Damas; Shane Kerr; David Knight
Scribe: Alun Davies
Status: Draft

1. Administrivia

2. RIPE NCC DNS Update

Anand Buddhev (RIPE NCC)

Video available at: https://ripe78.ripe.net/archives/video/124

Ondřej Caletka (CESNET) commented he is happy with the implementation. Since everyone doing reverse DNS will know what they're doing, it's good to have a lightweight implementation.

3. Updated ENUM Instructions

Marco Hogewoning (RIPE NCC)

Video available at: https://ripe78.ripe.net/archives/video/125

Peter Koch (DENIC eG) asked whether the technical work the RIPE NCC is now enabled to do in this area would actually allow DNSSEC signing down the chain. Marco responded that he would be happy to take this offline and look into it, adding that these are supposed to be DNSSEC signed and that the infrastructure is in place to do that.

4. Overview of the DNS Privacy Software Landscape

Carsten Strotmann (Men & Mice)

Video available at: https://ripe78.ripe.net/archives/video/127

Nicolai Leymann (Deutsche Telekom) asked whether the speaker had checked whether implementations usually support both DoT and DoH. He also asked how many of the implementations were using DoT and how many DoH.

The speaker responded no to the first part of the question. He added that desktop browsers such as Firefox and Chrome do DoH, whereas other browsers based on Chrome implement DoT. As for proxies, most of them do just one. Overall, it would be hard to say that, for instance, DoH is just in the application and DoT is in the operating system, as you can find a lot of DoH proxies that run at the operating system level.

Geoff Huston (APNIC) asked a follow-up question on the speaker's comment that using DANE in TLS gives you circularity issues. He disagreed with that. The speaker agreed that Geoff was correct on this point. Geoff added that DANE should be used on the grounds that implementations that depend on borrowing handshakes from SSL get messy. He asked the speaker to confirm whether they would be proceeding with DANE. The speaker pointed out that they had explored this option, but that there had been some issues. He suggested he and his colleague would be happy to revisit this, and that Geoff should contact them offline.

Brian Dickson (GoDaddy) commented that standardisation is not required to actually do implementation and that the speaker should implement. He pointed to further benefits of DANE and encouraged the speaker to pursue DoT. The speaker seconded Brian's comments.

An audience member thanked the speaker for his research and asked whether he and his colleagues had actually run all the projects out there and checked that they worked. Carsten responded that if anyone looks at the implementation.html page, it lists all the operating systems. People should go to those lists and tell them what's happening there.

Matthijs Mekking (ISC) pointed to the question that had come up in the previous conversation as to why they implement DoH, given fairly widespread disapproval. He added that there are reasons, such as that DoH is out there and is being provided. So it'd be a problem if DNS operators don't at least have the choice to turn on DoH.

A remote participant asked whether the speaker has operational experience of any of these projects. Carsten answered yes. He has run Unbound for DoT. For DoH he has two open source projects that he has used to run and test it. He also uses a couple of laptops that he takes to conferences and tests on hotel networks to see if it breaks something. Christoph added that they will share some of their experience at DNS in Vienna.

5. Unwind, a Validating DNS Recursive Nameserver

Carsten Strotmann

Video available at: https://ripe78.ripe.net/archives/video/129

Ondřej Caletka (CESNET) pointed out that this reminds him of a project called DNSSEC-Trigger from some years ago. Back then he was trying to use it regularly and discovered some strange issues with trying to validate wildcard DNSSEC responses. He went through a range of cases where this issue arises when validating in the context of wildcard queries, so it would be good to test these queries against the proposed approach. Carsten responded that DNSSEC-Trigger was based on Unbound, and Unwind is based on libunbound, so either these issues have been fixed in Unbound, or they are still there. He said they would test this as recommended.

Warren Kumari (Google) pointed out that there is a DHCP option which tells you if you are behind a captive portal. Carsten said he was aware of this. Warren added that there will be an update available soon.

6. Tag You're It!: Revisiting the Reality of DNSSEC Keytags

Roland M. van Rijswijk-Deij

Video available at: https://ripe78.ripe.net/archives/video/131

Warren Kumari (Google) pointed out that some of the things brought up in the RSA plots the speaker had shown are caused by the fact that OpenSSL and GnuTLS generate their keys differently. He also pointed to some optimisation methods that are being used in this area and made some suggestions to the speaker.

Shane Kerr (Oracle Dyn) asked about the potential for DDoS if you put lots of DNS keys with the same keytag, but added that there are lots of other ways to cripple resolvers. He commented that it might be useful to start a list of ways you can break resolvers with DNSSEC.

The speaker responded that yes, while there are other ways you could overburden a resolver, it is a relevant point that there are different ways to do this, because it means you have to protect against all of them. He added that whilst it may take time to figure out how, as an attacker you only have to do so once, and can then reuse that key set.
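The exchange above turns on why several DNSKEYs sharing one key tag cost a validator extra work. The following Python is an added example, not code from the minutes or from the talk: it computes key tags with the algorithm in RFC 4034 Appendix B, builds a constructed keyset whose members all collide (the key tag is a weighted byte sum, so swapping bytes at even offsets leaves it unchanged), and counts the candidate keys a validator has to try under RFC 4035 section 5.3.1. The key bytes are constructed for illustration and are not usable public keys.

```python
# Added example (not code from the RIPE 78 talk): DNSSEC key tags per RFC 4034
# Appendix B, and why colliding tags cost a validator extra work (RFC 4035 5.3.1).
import struct
from itertools import permutations


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit sum over the RDATA with end-around carry.
    Even-offset bytes are weighted 256, odd-offset bytes 1. It is a checksum,
    not a hash, so distinct keys can easily share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(dnskeys, rrsig_algorithm: int, rrsig_key_tag: int):
    """RFC 4035 5.3.1: every DNSKEY whose algorithm and key tag match the RRSIG
    is a candidate, and a validator has to try each one until a signature verifies.
    The algorithm field is RDATA byte 3."""
    return [k for k in dnskeys
            if k[3] == rrsig_algorithm and key_tag(k) == rrsig_key_tag]


def make_colliding_keyset(n: int):
    """Constructed data: up to six distinct KSK-flagged (257), algorithm 13,
    64-byte DNSKEYs that all carry the same tag. The key starts at RDATA offset 4,
    so key offsets 0, 2 and 4 are even RDATA offsets; permuting those three bytes
    leaves the weighted sum, and therefore the tag, unchanged."""
    base = bytearray(range(1, 65))          # constructed, not a real P-256 point
    keys = []
    for perm in permutations(range(3)):
        pk = bytearray(base)
        for dst, src in zip((0, 2, 4), perm):
            pk[dst] = base[2 * src]
        keys.append(dnskey_rdata(257, 3, 13, bytes(pk)))
        if len(keys) == n:
            break
    return keys


def verifications_needed(rrsigs, dnskeys) -> int:
    """Worst-case signature checks for one RRset: for each RRSIG (algorithm, key tag),
    the number of matching DNSKEY candidates. Colliding tags multiply this up."""
    return sum(len(candidate_keys(dnskeys, alg, tag)) for alg, tag in rrsigs)


if __name__ == "__main__":
    ks = make_colliding_keyset(5)
    tag = key_tag(ks[0])
    print(f"{len(ks)} distinct DNSKEYs, all with key tag {tag}")
    print("candidates per RRSIG:", len(candidate_keys(ks, 13, tag)))
    print("worst-case verifications for 3 RRSIGs:", verifications_needed([(13, tag)] * 3, ks))
```

The point a validator implementer should take from this is that the key tag only narrows the search; it never identifies a key, so the work per RRSIG is bounded by the number of colliding candidates, not by one.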

7. Root KSK Rollover Wrap Up

DNS WG Co-Chairs (Joao Damas presenting)

Video available at: https://ripe78.ripe.net/archives/video/134

Roland M. van Rijswijk-Deij raised a question for the root operators in the room. He asked whether, after the key was revoked, there had been a huge increase in DNS queries to the root. While he had heard from some root operators that their systems could manage because they had the capacity, he wondered what it was like for K-root.

Anand Buddhev responded that there was a huge increase in DNSKEY traffic, but operations were not affected. The RIPE NCC has enough capacity, and the increase did not get close to exceeding it. He added that other parties have carried out analysis that confirms this.

Joao asked, as a follow-up, what Anand made of the fact that some results for A-root and J-root showed that the rate did not abate at all. Roland responded that he is keeping up with this and the rate is not going up dramatically as far as he knows.

Roland asked his own follow-up question to Anand about at what point these issues would become problematic for him as a root operator. Anand responded that his team at the RIPE NCC has monitoring in place for their traffic, and gets alerts when the router ports are at around 80%. They would get worried if those alerts went off, but they did not reach any such levels.

Lars-Johan Liman (Netnod) commented that the rise in the queries for DNSKEY records was a very small fraction of the entire number of queries. The change was barely noticeable on the big charts.

Warren Kumari added that it wasn't that much traffic in the grand scheme of things but it continued to climb for initially unknown reasons. So there was some concern. He suggested that there does still seem to be an active bug in certain versions of code which have been released.

Jim Reid (RTFM llp) made the point that we should try to get these repositories outside the United States. He added that the point is especially relevant in Iceland because of the relatively recent volcanic eruption in the north Atlantic, which stopped travel. If we have another similar incident it would be hard to get the trusted representatives together for a key signing ceremony. So he thought it would be good if ICANN could sort out a key repository outside of the United States, just to give us the additional diversity.

8. DNS-OARC Summary

Dave Knight

Video available at: https://ripe78.ripe.net/archives/video/135

Brian Dickson asked, since the speaker is on the Programme Committee, whether the speaker had a comment on the meeting numbers used by DNS-OARC and by Indico. Dave responded that it was a good question, because between the last two meetings he wrote a script to pull the presentations down from the web page to the presentation laptop and was quite confused when they proved to be off by one. He had no idea why that had happened.

Denis (DNS-OARC) gave some details about the meetings next year. The one in February is going to be beside NANOG in San Francisco, and the one in May is going to be beside the ICANN DNS Symposium. He knows where that one is, but is not sure whether he can say where it is going to be because it is not confirmed yet; it should be in Europe.
