From jim at rfc1035.com Tue Oct 1 11:02:03 2013
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 1 Oct 2013 10:02:03 +0100
Subject: [dns-wg] yet another final version of the agenda for Athens
Message-ID:

Oops! There was a cut and paste error in the version of the agenda I circulated yesterday. Sorry about that. This has been fixed in the updated version below. Which should be the final version until the next change. :-)

#
# $Id: Agenda,v 1.7 2013/10/01 08:56:56 jim Exp $
#

FINAL DNS WG AGENDA - RIPE 67

[0] Usual Administrivia                                   5 mins

[1] ENUM WG Announcement                                  5 mins
    Niall O'Reilly, UCD

[2] PMTU for better IPv6 Performance                     10 mins
    Willem Toorop, NLnet Labs

    Options for utilising ICMPv6 Packet-Too-Big (PTB) messages to increase DNS responsiveness are explored. Working solutions, evaluated with RIPE Atlas, are presented. The effect of the solutions in the real world is further assessed with the help of traffic captures from SIDN and SURFnet.

[3] DNS over TCP analysis                                20 mins
    Geoff Huston, APNIC

    The Host Requirements Specification, RFC 1123, states that "DNS resolvers and recursive servers MUST support UDP, and SHOULD support TCP". There has been some recent discussion about the viability of employing TCP rather than UDP for large DNS responses as a means of mitigating the vulnerability to large scale DNS DDoS attacks, and this got us wondering whether resolvers still supported TCP. This is a report of an experiment to measure what proportion of the Internet's users use DNS resolvers that are capable of using TCP to query authoritative name servers.

[4] Defeating DNS Amplification Attacks                  15 mins
    Ralf Weber, Nominum

    Discussions of amplification attacks have largely focused on authoritative servers. These attacks are beginning to use recursive resolvers. The current generation of attacks leverages home gateways that forward DNS queries coming in on their WAN interface, masking their origin when they arrive at a resolver.
    It's unlikely vulnerable home gateways can be updated anytime soon, so this presentation will describe how log data from DNS resolvers can be used to identify attacks and detail proposals for mitigating them without impacting legitimate DNS traffic.

[5] UDP Fragmentation/PMTU attack mitigation             20 mins
    Ondřej Surý, CZ.NIC

    Recent work has indicated transport- and link-level fragmentation issues are a concern for the DNS. CZ.NIC have been working on a proof of concept to illustrate these potential problems and what might be done to defend against them.

[6] Open discussion of [2], [3], [4] & [5]               15 mins

LUNCH BREAK

[7] NCC DNS Report                                       10 mins
    Anand Buddhev, RIPE NCC

[8] Which habitat fits your name server's nature best?   15 mins
    Willem Toorop, NLnet Labs

    The performance measurements used for NSD version 4 will be discussed. The core architectural choices in the implementations of various popular name servers are explained. An analysis is given of which environments and under what circumstances these implementations flourish best.

[9] Introducing Hedgehog                                 10 mins
    Dave Knight, ICANN

    Hedgehog, a replacement for DSC which is snazzier in many ways, has been developed for ICANN and will be published as Free/Open Source Software.

[10] Client-IP EDNS Option Concerns                      15 mins
    Florian Streibelt, TU Berlin

    Adoption of the proposed DNS extension, EDNS-Client-Subnet (ECS), offers unique, but likely unintended, opportunities to discover details about operational practices by ECS adopters at almost no cost. By utilising only a single residential vantage point and relying solely on publicly available information, we are able to (i) uncover the global footprint of ECS adopters with very little effort; (ii) infer the DNS response cacheability and end-user clustering of ECS adopters for an arbitrary network in the Internet; and (iii) capture snapshots of user to server mappings as practiced by major ECS adopters.
    While pointing out such new measurement opportunities, our work is also intended to make current and future ECS adopters aware of which operational information gets exposed when utilizing this recent DNS extension.

[11] OTE's resolver infrastructure/design/rollout        20 mins
    Kostas Zorbadelos, Otenet

    * Initial presentation of the resolving service
    * Why anycast, motives for the service redesign
    * Design choices for anycast nodes in OTE's network
    * Software choices and anycast node setup
    * Transition to the new setup for existing users
    * Monitoring / alerting / measurement tools
    * Future work / discussion

[12] DITL Data Analysis for ICANN gTLD Collision Study   10 mins
    Jim Reid, RTFM LLP

    Earlier this year ICANN commissioned a study into the issues and risks of name collision which may be caused by the addition of new gTLDs. This presentation describes how several terabytes of DNS traffic comprising 150+ billion queries, mostly provided by root server operators for DNS-OARC's DITL exercise, were processed and the technical challenges/constraints on doing this work.

[13] AOB


From jaap at NLnetLabs.nl Tue Oct 1 18:07:20 2013
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Tue, 01 Oct 2013 18:07:20 +0200
Subject: [dns-wg] Minutes DNS-wg RIPE 66
Message-ID: <201310011607.r91G7KKF030941@bela.nlnetlabs.nl>

All,

The minutes have been posted at the usual place . Please review so they can be approved.

Thanks!

jaap


From jim at rfc1035.com Tue Oct 15 08:53:23 2013
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 15 Oct 2013 07:53:23 +0100
Subject: [dns-wg] yet another "final" agenda for the WG
Message-ID: <80D73677-AEA1-4C56-AE34-CE8566F207FB@rfc1035.com>

There have been a couple of tweaks to what had been the final agenda. Tomáš Hlaváček will be speaking instead of Ondřej Surý and I've found 5 minutes to squeeze in an update on the ISC from its new CEO, Jeff Osborn. Here's what should be the final, definitive agenda for tomorrow. Maybe.
:-)

#
# $Id: Agenda,v 1.8 2013/10/15 06:45:47 jim Exp $
#

FINAL FINAL DNS WG AGENDA - RIPE 67

[0] Usual Administrivia                                   5 mins

[1] ENUM WG Announcement                                  5 mins
    Niall O'Reilly, UCD

[2] PMTU for better IPv6 Performance                     10 mins
    Willem Toorop, NLnet Labs

    Options for utilising ICMPv6 Packet-Too-Big (PTB) messages to increase DNS responsiveness are explored. Working solutions, evaluated with RIPE Atlas, are presented. The effect of the solutions in the real world is further assessed with the help of traffic captures from SIDN and SURFnet.

[3] DNS over TCP analysis                                20 mins
    Geoff Huston, APNIC

    The Host Requirements Specification, RFC 1123, states that "DNS resolvers and recursive servers MUST support UDP, and SHOULD support TCP". There has been some recent discussion about the viability of employing TCP rather than UDP for large DNS responses as a means of mitigating the vulnerability to large scale DNS DDoS attacks, and this got us wondering whether resolvers still supported TCP. This is a report of an experiment to measure what proportion of the Internet's users use DNS resolvers that are capable of using TCP to query authoritative name servers.

[4] Defeating DNS Amplification Attacks                  15 mins
    Ralf Weber, Nominum

    Discussions of amplification attacks have largely focused on authoritative servers. These attacks are beginning to use recursive resolvers. The current generation of attacks leverages home gateways that forward DNS queries coming in on their WAN interface, masking their origin when they arrive at a resolver. It's unlikely vulnerable home gateways can be updated anytime soon, so this presentation will describe how log data from DNS resolvers can be used to identify attacks and detail proposals for mitigating them without impacting legitimate DNS traffic.

[5] UDP Fragmentation/PMTU attack mitigation             20 mins
    Tomáš Hlaváček, CZ.NIC

    Recent work has indicated transport- and link-level fragmentation issues are a concern for the DNS.
    CZ.NIC have been working on a proof of concept to illustrate these potential problems and what might be done to defend against them.

[6] Open discussion of [2], [3], [4] & [5]               15 mins

LUNCH BREAK

[7] NCC DNS Report                                       10 mins
    Anand Buddhev, RIPE NCC

[8] ISC News                                              5 mins
    Jeff Osborn, ISC/DNSco

[9] Which habitat fits your name server's nature best?   15 mins
    Willem Toorop, NLnet Labs

    The performance measurements used for NSD version 4 will be discussed. The core architectural choices in the implementations of various popular name servers are explained. An analysis is given of which environments and under what circumstances these implementations flourish best.

[10] Introducing Hedgehog                                10 mins
    Dave Knight, ICANN

    Hedgehog, a replacement for DSC which is snazzier in many ways, has been developed for ICANN and will be published as Free/Open Source Software.

[11] Client-IP EDNS Option Concerns                      15 mins
    Florian Streibelt, TU Berlin

    Adoption of the proposed DNS extension, EDNS-Client-Subnet (ECS), offers unique, but likely unintended, opportunities to discover details about operational practices by ECS adopters at almost no cost. By utilising only a single residential vantage point and relying solely on publicly available information, we are able to (i) uncover the global footprint of ECS adopters with very little effort; (ii) infer the DNS response cacheability and end-user clustering of ECS adopters for an arbitrary network in the Internet; and (iii) capture snapshots of user to server mappings as practiced by major ECS adopters. While pointing out such new measurement opportunities, our work is also intended to make current and future ECS adopters aware of which operational information gets exposed when utilizing this recent DNS extension.
[12] OTE's resolver infrastructure/design/rollout        20 mins
    Kostas Zorbadelos, Otenet

    * Initial presentation of the resolving service
    * Why anycast, motives for the service redesign
    * Design choices for anycast nodes in OTE's network
    * Software choices and anycast node setup
    * Transition to the new setup for existing users
    * Monitoring / alerting / measurement tools
    * Future work / discussion

[13] DITL Data Analysis for ICANN gTLD Collision Study   10 mins
    Jim Reid, RTFM LLP

    Earlier this year ICANN commissioned a study into the issues and risks of name collision which may be caused by the addition of new gTLDs. This presentation describes how several terabytes of DNS traffic comprising 150+ billion queries, mostly provided by root server operators for DNS-OARC's DITL exercise, were processed and the technical challenges/constraints on doing this work.

[14] AOB


From pk at DENIC.DE Wed Oct 16 13:29:38 2013
From: pk at DENIC.DE (Peter Koch)
Date: Wed, 16 Oct 2013 13:29:38 +0200
Subject: [dns-wg] action item 67.1: gather input for guidance on ccTLD secondary service by the RIPE NCC
Message-ID: <20131016112938.GZ29701@x28.adm.denic.de>

Dear WG,

with reference to slide 7 in Anand's presentation we are looking for volunteers to join a small short lived group that will look into the current situation and help inform a wg discussion with the intended goal of providing guidance to the NCC if and how to continue the ccTLD DNS secondary service. Please identify yourselves to the WG chairs at . The result of our short deliberations will serve as input to the open WG discussion.

Thanks,
  Peter
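Added example (editor's code, not part of the agenda mails above and not from any of the presentations they announce): agenda item [3] asks whether resolvers can still reach authoritative servers over TCP. The mechanics that question rests on are small: a UDP response whose TC (truncated) bit is set tells the client to retry over TCP, and a DNS message on TCP is prefixed with a two-octet length (RFC 1035 section 4.2.2). TCP fallback is also the usual way around the UDP fragmentation problems behind items [2] and [5]. The Python below builds a query (optionally with an EDNS OPT record advertising a UDP payload size), reads the TC bit, applies the TCP framing, and reassembles framed messages from a stream. The truncated response is a constructed sample, not captured traffic; the server address and query name in the `__main__` block are placeholders to replace.

```python
"""DNS UDP-to-TCP fallback mechanics: query building, TC-bit check, TCP framing."""
import socket
import struct

TYPE_A, TYPE_ANY, TYPE_OPT = 1, 255, 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(qname):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in qname.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, udp_size=None):
    """Build a recursion-desired query; udp_size adds an EDNS OPT record."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if udp_size:
        # OPT pseudo-RR: root name, type 41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-octet DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-octet header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def is_truncated(msg):
    """True when the server set TC, i.e. the UDP answer is incomplete."""
    return parse_header(msg)["tc"]


def choose_transport(udp_response):
    """A truncated UDP response must be retried over TCP; otherwise stay on UDP."""
    return "tcp" if is_truncated(udp_response) else "udp"


def tcp_frame(msg):
    """Prefix a message with its two-octet big-endian length for TCP transport."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into complete DNS messages; a partial tail is left."""
    msgs, view = [], memoryview(stream)
    while len(view) >= 2:
        (n,) = struct.unpack("!H", view[:2])
        if len(view) < 2 + n:
            break  # trailing message not fully received yet; caller reads more
        msgs.append(bytes(view[2:2 + n]))
        view = view[2 + n:]
    return msgs


def query_tcp(server, qname, qtype=TYPE_A, timeout=3.0):
    """Send one query over TCP port 53 and return the first complete response (uses the network)."""
    q = build_query(qname, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            msgs = tcp_unframe(buf)
            if msgs:
                return msgs[0]
    raise ConnectionError("connection closed before a complete DNS message arrived")


# Constructed sample (not captured traffic): the shape of a UDP response whose
# answer did not fit. QR, TC, RD and RA are set, the question is echoed, no RRs.
TRUNCATED_UDP_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_ANY, 1)
)

if __name__ == "__main__":
    import sys
    # Placeholder server and name; pass your own on the command line.
    server, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("127.0.0.1", "example.com")
    if choose_transport(TRUNCATED_UDP_RESPONSE) == "tcp":
        print("sample UDP response has TC set; retrying the query over TCP")
        try:
            print(parse_header(query_tcp(server, name, TYPE_ANY)))
        except OSError as exc:
            print("TCP query to %s failed: %s" % (server, exc))
```

The split between `tcp_frame`/`tcp_unframe` and the socket code is deliberate: a resolver that reads a fixed number of bytes off the TCP socket and hopes it got exactly one message is one of the ways TCP "support" turns out to be nominal, which is the kind of thing the measurement in [3] is looking for.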