You're viewing an archived page. It is no longer being updated.
RIPE 69
RIPE DNS Working Group - RIPE 69 Minutes
6 November 2014 - 9:00-10:30
WG Co-Chairs: Jim Reid, Peter Koch, Jaap Akkerhuis
Scribe: Emile Aben
A. Administrative Matters
Co-chair Peter Koch opened the session. Peter asked for comments on previous minutes and there were none.
B. RIPE NCC Report
- Anand Buddhdev, RIPE NCC
The presentation is available at:
https://ripe69.ripe.net/presentations/132-RIPE69_AnandBuddhdev_DNS_Update.pdf
Jelte Jansen, SIDN, mentioned a problem with algorithm roll-over because unbound was overly strict, which has been fixed.
Anand said he was aware, but there might be other validating resolvers.
Jelte didn't like the idea of going insecure for an algorithm roll-over.
Matthijs Mekking, Dyn, wanted clarification on what a 'brief period' is exactly.
Anand clarified by saying that is twice the TTL, which is under control of the parent zone. In some cases that is two days, so it would have to be insecure for four to five days.
Matthijs further commented that authoritative servers must still sign with both, validators should accept one valid.
Jim said the RIPE NCC should do the roll-over, but give plenty notice and accept there are corner cases.
Anand had a question: The current signer vendor doesn't support algorithm roll-over, so the RIPE NCC would need to ask for support for this, or migrate to a different signer platform. This would take a bit more time, and key roll-overs are normally mid-November, which is soon. He asked for community input on whether it was okay for the RIPE NCC to keep using the current keys for the time being, or if the RIPE NCC should roll-over to new SHA1 keys for now.
Jim suggested Anand write to the dns-wg mailing list about this.
Joao Damas, Dyn, urged the RIPE NCC not to go insecure in a non-emergency situation. He suggested to move to a new vendor, if the vendor doesn't respond to request for a feature. He suggested to take it easy with the algorithm roll-over, because SHA1 attacks are not dire.
Geoff Huston, APNIC, pointed out that 20% of users use validating resolvers, so it's not just corner cases. He further warned about creating out-of-date keys because the query rate goes up by at least a factor 35 to 40, which will look like a DDoS attack.
Geoff concluded by seconding Joao's point about vendor support.
Peter Koch made it an action item for the RIPE NCC to send something to the list about algorithm roll-over. He suggested that setting an example and doing it right in public for the RIPE NCC is something good to do.
C. DNS Attacks: Can we Still Afford to Use Old, Ineffective Solutions?
- Nicolas Cartron, efficientip.com
The presentation is available at:
https://ripe69.ripe.net/presentations/133-EfficientIP_DNS_Update_RIPE69_v4.5.pdf
Mohsen Souissi, AFNIC, commented that in DNS it is about how many packets per second you can absorb. He further said that genetic diversity in engines is useful for zero-day attacks, but isn't going to help for attacks on the protocol itself. He urged the community to think about this case too.
Nicolas clarified his presentation was more about zero-days on the specific engines.
D. Dynamic DNS Abuse Overview
- Chris Baker, Dyn
The presentation is available at:
https://ripe69.ripe.net/presentations/128-RIPE_69_DynDDNSAbuse.pdf
Ralf Weber, Nominum, asked if outreach is for infected IPs and not for the domains.
Chris confirmed it was.
E. Please Don't Pick the ECDSA-ies
- George Michaelson, APNIC
The presentation is available at:
https://ripe69.ripe.net/presentations/135-18-2014-11-01-ecc.pdf
Jelte Jansen asked George to clarify if he suggested SERVFAIL-ing for unknown crypto.
George clarified that would hit 75% of the population that does validation, which is 20% to 30%. He acknowledged the impact to this population would be big, but they would know.
Jelte said that validation should be done at the end user anyway.
An audience speaker suggested setting the CD bit, and Jelte acknowledged that. He expressed worry about the lack of upgrade paths to new algorithms. George expressed fear for breakage in the chain to go undetected. George and Jelte agreed to take discussion about upgrade paths offline.
Ralf Weber and George clarified the role of the DS record in this.
Ralf noted the discrepancy between people fetching the DS and DNSKEY records, and offered the explanation that if you don't know the algorithm to do the validation it is no use of fetching the DNSKEY at all.
George replied they saw Google doing the fetches anyways, and then send the user no effective signal about the crypto-downgrade. He clarified that they can't assume it's a fringe issue and the algorithm is not viable for widespread use right now.
Martin Levy, Cloudflare, asked what would happen if they forced the issue and en masse started using this algorithm.
Geoff suspected that ISPs that don't do it don't know they don't do it. Sending SERVFAIL will make these ISPs change.
Martin stated it's still a finite number of people to make a change.
Geoff responded that DNS is not a source of revenue for them, so there is no incentive to fix. Geoff urged the ISPs they identified to go fix the problem.
George Michaelson stated that there was not enough richness in signalling in DNS which was the key problem here, there have been drafts to address this, and he thought it to be useful to have.
Peter Losher (ISC) asked if there was a breakdown by server version.
George responded that he didn't have those kind of statistics.
Peter suspected that the people causing problems are still using very old resolver software.
Geoff says BIND version is not the problem, the OpenSSL build is. Geoff gave the example of a FreeBSD 10 with crippled OpenSSL build being affected by this.
F. DNS Working Group Organisational Discussion
- Jim Reid, WG Co-Chair
The presentation is available at:
https://ripe69.ripe.net/presentations/48-JR-Selection.pdf
Brett Carr, ICANN, supported the proposal Jim presented.
Gilles Massen, Fondation RESTENA, asked the chairs what number of chairs they were proposing.
Jim responded that three co-chairs is probably right for two DNS Working Group sessions, if there's only one session then two could be alright.
Jim said he would post text to the mailing list and assuming the process is in place the first selection will take place at RIPE 70.
Z. AOB
There were two items under AOB
1) Ondřej Surý, CZ.NIC, presented on the KNOT DNS resolver
The presentation is available at:
https://ripe69.ripe.net/presentations/131-RESOLVER-20141106-RIPE69.pdf
2) Kaveh Ranjbar, RIPE NCC, gave an update about the usage of the historical DNSMON system. He said there were still a few thousand hits every months, and based on that the RIPE NCC decided to keep the historical DNSMON system alive and the visualisations available. He clarified that the RIPE NCC would give plenty of announcement time if they wanted to change that.
Peter closed the session.