DNS Working Group Minutes - RIPE 85
Thursday, 27 October 2022 11:00 - 12:30 (UTC+2)
Chairs: Moritz Müller, João Damas and Shane Kerr
Scribe: Boris Duval
Status: Final
Administrivia
Joao proposed the charter for a new task force the “DNS Resolver Best Common Practice Task Force” which will work toward producing recommendations for operational practices for the operation of DNS resolvers.
New Working Group Co-Chair: Selection Results
Shane Kerr welcomed Willem Toorop as the new working group co-chair, as he will be stepping down from his role as chair.
DNS Privacy with Speed? Evaluating DNS over QUIC and Its Impact on Web Performance
Luca Schumann and Mike Kosek , Technical University of Munich
The presentation is available at:
https://ripe85.ripe.net/wp-content/uploads/presentations/82-Luca_Schumann_doq_web_perf.pdf
Luca Schumann gave a presentation on DNS over QUIC to see if encrypted DNS could be fast in the context of web applications.
Shane asked Luca if there was anything unexpected in the results. Luca replied that it was pretty much what they expected. Mike agreed but added that it was interesting to see how these dimensions shift the more DNS queries are involved when loading a web page.
Farzana Badii, Digital Medusa, asked Luca if the presenters had seen diversity among resolver providers or if it was just large technology companies.
Luca replied that as far as DNS on QUIC is concerned, there is no Google DNS, and that it was a huge mix. He added that most of them have probably not been designed to be production ready, but this had yet to be confirmed.
Shane said that he was surprised that there was no 0 RTT support and asked the presenters if they intended to compare results on this topic.
Mike replied that they did an experiment on this in the lab and got the expected results, namely speed results on par with DNS over UDP.
Fewer Name Servers, More Addresses
Dave Knight, Neustar Security Services
The presentation is available at:
https://ripe85.ripe.net/wp-content/uploads/presentations/96-dknight-fewnsmanyips-ripe85-dnswg.pdfDave Knight presented statistics on TLD registry delegation size constraints regarding name servers.
Christian Bretterhofer, representing himself, asked whether the presenter had filed a bug with ISC for Bind and which version had been tested.
Dave replied that as of 23:00 last night, he had not filed a bug with ISC.
Chris Amin, RIPE NCC, explained that for DNSMON and by default DomainMON, they had taken the decision not to treat DNS records other than names as something special, so they only have a bundle of IP addresses.
Edward Lewis, ICANN, asked if the presenter had tried to get the same IP address to two name servers and if not, advised him to try it.
Ralf Weber, Akamai, said that the presenter gave each address to all the name servers, so that the domain had an IP twice. He added that this worked but that there was a one in twelve chance that the second resolver request would hit the same broken name server.
Lars-Johan Liman, Netnod, asked the presenter if he required all customers to use in-bailiwick glue.
Dave explained that they had clients who wanted to use vanity domains, so they didn't know if they needed to create glue.
In response, Dave said that some of these things were performance measurement tools that indicated how good we were, so we were a bit motivated to get them right. On the other side, he added that there were compliance issues where things were done in the TLD registration space and that it was inconvenient when companies were not up to date on this front.
David Lawrence, Salesforce, said that the flip side of this issue was not how many name servers you can have but how few. He added that as a company that had a very large amount of domain names they actually preferred that park domains had no DNS at all because that way they didn’t have to worry about defensive SPF or any other records that would be necessary for it. He added that some domains, such as dotcom and dotnet, allowed zero name servers, but others had very strict testing requirements as to what they expected from name servers. He added that you can even run into some very odd situations like a CCTLD that allowed you to have zero name servers as long as you only initiated with zero name servers, if you've had name servers before, you were still required to have name servers.
Dave agreed and said that this was why he came up with a workaround as the behaviour of some registries was puzzling.
Measuring Encrypted-DNS Censorship Using OONI Probes
Arturo Filastò, OONI
The presentation is available at:
https://ripe85.ripe.net/wp-content/uploads/presentations/93-2022-10-dnscheck-ripe85-arturo.pdfArturo Filastò, Open Observatory of Network Interference (OONI), presented results from the DNSCheck experiment, which measured the accessibility of DOH and DOT servers in countries with Internet censorship.
Éric Vyncke, Cisco, asked if OONI also tested some IPv6 DoX as some censorship devices may have behave differently.
Arturo said that at that time, there were very few probes in IPv6 networks but there were a few in the bootstrap. He added that they were starting to mix IPv4 and IPv6 data but that few of their probes had IPv6 support.
Vladislav Vodopian, Global Legal Entity Identifier Foundation, asked the presenter if they would consider looking at Russia as part of this experiment, given that they were intensifying their censorship efforts.
Arturo replied that they had many measurements from Russia but had had little time to look at them. He offered to provide some pointers to whoever was interested in looking into this data.
Farzaneh Badii, Digital Medusa, shared the hypothesis that since DNS over TLS had its own ports, port 853, it was easier for governments using censorship to block it than DNS over HTTPS. She asked if this could be one of the reasons why the Iranian government was more successful in blocking DoT and not DoH.
Arturo didn’t have a reply but mentioned that this was an interesting observation.
Meta's DNS Server
Balint Csergo, Meta
The presentation is available at:
https://ripe85.ripe.net/wp-content/uploads/presentations/17-DNSRocks.pdfBalint presented the new authoritative DNS software, DNSROCKs from Meta. He also said that this software was going to be open source.
Shane asked if anyone had already approached Balint to use the software.
Balint replied that some people were already interested to use it for specific use cases and that he had received feedback from the community.
RIPE NCC Update
Anand Buddhdev, RIPE NCC
The presentation is available at:
https://ripe85.ripe.net/wp-content/uploads/presentations/103-RIPE85_DNS_Update.pdfAnand provided an update on what the RIPE NCC was busy with in terms of DNS since RIPE 84. This included updates on K-root, AuthDNS, Hosted DNS and Zonemaster.
Lars-Johan Liman, Netnod, asked Anand if the RIPE NCC tests for delegation were solely dependent on Zonemaster's exit code or if there was a way to get delegation based on one's own preference rather than Zonemaster's.
Anand said that Zonemaster came with a default set of policies, but that these could be overwritten locally. He added that there may be rare cases where users encounter problems with Zonemaster and in such cases they should open a ticket with the RIPE NCC to solve the issue.