RIPE 73 DNS Working Group Minutes

Thursday, 27 October 2016
WG Co-Chairs: Jaap Akkerhuis, Dave Knight, Jim Reid
Scribe: Matt Parker (session I) and Alex Band (session II)
Status: Final

Session I - 15:00 - 16:30

A. Administrative Matters

• Welcome
• Scribe selection/introduction
• Jabber selection/introduction
• Microphone Etiquette
• Finalise agenda

Jim opened the session, reviewed microphone etiquette and introduced the chat monitor and the scribe from the RIPE NCC.

B. Matters Arising from RIPE 72 Minutes

Jim asked the working group to accept and formally approve the meeting minutes from RIPE 72. No objections were raised and Jim interpreted the silence as consent that the minutes were approved.

C. Review of Action Items

Jim advised the working group that there were no open action items and therefore nothing to review.

D. New Co-Chair Appointments

Jim expressed some disappointment at the number of people who had participated in the appointment of the new Working Group co-chair. About 10 to 12 people expressed an opinion and he hoped that more people would come forward the next time around. Nevertheless, the Working Group made a clear and definitive choice and Jim was happy to announce that Shane Kerr would be the next DNS Working Group co-chair.

E. RIPE NCC Reports

Anand Buddhdev (RIPE NCC)

The presentation is available at:

Geoff Huston, APNIC, commented that a lot of time, money and effort had been spent on provisioning the infrastructure around the name servers to answer every query. Given this investment, he was curious to know how many of those queries generated NXDOMAIN responses. Anand explained that the RIPE NCC publishes stats about this and, from what he remembered, about 60% of the queries generate NXDOMAIN records. Geoff enquired whether there was a better way of ‘saying no’.

Anand commented that he was not aware of any other method but he would be interested in hearing a smarter way of managing this. Anand also mentioned that they were interested in where these queries are coming from and that his colleague, Colin Petrie, had done some work on this. Colin discovered that products such as Chrome were generating lots of queries to determine, for example, if they were behind a firewall. Anand questioned whether this activity is an abuse of the DNS system and whether we should be speaking with them about doing this in a smarter way.

Geoff further commented that around 15,000 IP addresses accommodate about 96% of eyeballs. If you put a router with a FIB of those 15,000 IP addresses and treated those addresses as very important, what would be the query rate for just those? Anand agreed that would be a very interesting experiment, which somebody should run.

F. OMG! A DNS firewall - Powerful DNS Filtering in Knot Resolver

Ondřej Surý

The presentation is available at:

Remote participant, Leo Vandewoestijne, Unicycle, commented that he had been using knot-resolver for a while and had made some very nice setups that were virtually impossible before. Leo complimented and thanked Ondřej for making this. Leo asked when there would be a new release and whether it would support DNSTAP.

Ondřej replied that there were still a few features in the queue but that he believed they will be able to release before the end of the year. DNSTAP is not in the current plan but if Leo writes to them they will try to include it.

Leo commented that dnsdist of B.V. is also a nice Lua tool to filter specific abuse. It can also be used to configure failover; in fact, Leo prefers this to load balancing with eBGP or iBGP. He asked whether Ondřej would be providing similar load-balancing functionality.

Ondřej responded that they certainly want to expand the available features. They openly communicate their plans and are receptive to suggestions and new feature requests.

Jim Reid, DNS WG Co-Chair, was interested in the filtering capabilities described during the presentation. He asked whether they would consider having the ability to filter based on things like the DNS packet headers. He also asked about the action side of the filtering rules: whether they could choose not to acknowledge the drop in the flow and instead have a separate one return NXDOMAIN or ServFail.

Ondřej stated that whilst preparing the presentation he already identified the need to extend the set of selectors so that should be possible.

Jim specifically raised the nine key buffer attacks that were prevalent a few years ago and Ondřej confirmed that it should be quite easy to write the code for this.

G. Impact of New gTLD on the Root System - Preliminary Results

Jaap Akkerhuis (CDAR)

The presentation is available at:

There were no questions.

Z. AOB(1)

There was no other business at the working group session. Jim thanked everyone for their participation and said he looked forward to seeing everyone in the second session.

Session II - 15:00 - 16:30

H. Welcome Back

I. The Changing DNS Market - A Technical Perspective

Johan Ihrén

The presentation is available at:

Matthijs Mekking from Dyn comments that he disagrees with the statement that there will probably be fewer open source implementations and that things will go to closed source. Some vendors have specific logic next to the standard DNS that they try to sell, but many zones don't really need that. Matthijs believes that open source improved the quality of the product. Johan agrees for the most part, but if all of the zones move under some professional provider and expose it in an API, then it no longer matters if it's open source or not. From the point of view of the world, it's closed source, because it's an API and not named.conf.

Kurtis Lindqvist from LINX mentions that there is a tendency in the market to outsource IT instead of thinking about having a DNS department. Johan completely agrees. Olafur Gudmundsson from CloudFlare thinks Johan is on the right track but doesn't know if it's a good or a bad thing. One thing he did observe is that in recent years it has become so much easier to write DNS tools because of libraries and better languages. For example, Olafur was able to write an authoritative DNS server for a specific purpose in about six hours. Yet, resolvers are the hardest part to get right and that is not mentioned in the presentation at all and this is where the biggest threat to the ecosystem is.

J. Zonemaster, a DNS Validation Tool

Sandoche Balakrichenan

The presentation is available at:

Jaap Akkerhuis from NLnet Labs comments that he had a FreeBSD port ready to go. He was waiting for the latest release and was surprised there was no announcement when it happened. Jaap also thinks Zonemaster contains an awful lot of dependencies, making it difficult to install. Sandoche explains that their initial idea was not to package Zonemaster at all, but rather to assist with packaging it. In relation to the dependencies, it turned out LDNS was causing the most difficulties. Lastly, Jaap thinks that the documentation should be improved.

Anand Buddhdev from the RIPE NCC mentions that they are switching from DNSCheck to Zonemaster for the reverse delegations. One of the things they needed to do was packaging, and there too the dependencies were a pain. They have solved it using local::lib, which puts everything Zonemaster needs into one directory that lives independently of the OS. Another option is to stuff everything in a Docker container.

K. DNS for Egyptians

Shane Kerr

The presentation is available at:

Ondřej Surý from CZ.NIC commented that Shane didn't do his homework between DNS-OARC and this slot, because in the meantime Let's Encrypt actually enabled IDN.

L. In the Search of Resolvers

Sebastian Castro

The presentation is available at:

ZZ. AOB(2)

The presentation is available at:

Shane Kerr from BII wants to know if the presented work has any relation to the work Terry Manderson from ICANN was talking about. Jerry said it doesn't; they are probably going to announce completely different work on CBOR. Jerry says that CBOR can be completely exported into JSON, which will allow compression.

Shane continues by saying that the DNS in JSON draft allowed for a lot of flexibility; he wants to know if Jerry has documented which path they have chosen. Jerry says that the CBOR code uses LDNS to parse the packets, and the draft will allow you to do whatever you want afterwards. Roy Arends from ICANN wants to know if Jerry talked to Paul Hoffman about DNS in JSON. Jerry says not yet, but he is definitely planning to do so, in addition to talking to Terry Manderson once they have released their CBOR draft work.
