I have to admit, I’m slightly biased as a board member of the Domain Name System Operations, Analysis, and Research Centre (DNS-OARC), but the recent two-day workshop held in San Jose, USA, really was an amazing experience.
The agenda covered a broad range of DNS research topics: packet sizes, cache behaviours, priming queries, IPv6, DNSSEC, transport security, future modes of operation, and the consequences of deciding to cancel the impending KSK roll.
Video recordings and PDFs of the presentations are available from the OARC website, which I recommend watching and reading if you have even a passing interest in the DNS.
The lightning talks were fast, in the form of strictly time-limited presentations, and furious because they were chaired by APNIC’s own Chief Scientist, Geoff Huston, who also sits on the DNS-OARC program committee. 😉
Lightning talks are a low-cost, high-speed coverage of a topic — the best way to get a feel for them is to watch some.
One of the talks that captured my interest was by Vincent Levigneron from AFNIC (France). He gave a fascinating talk entitled ‘Exercise your organization’.
Because of the nature of the subject matter, I cannot give a pointer to either his slides or the video, as it was shared in confidence. However, I can share the takeaways I liked.
Vincent explored the way you can take real-world DDoS and DNS attack scenarios and use them in a constrained environment to ‘cold test’ your staff to analyze how people react in attacks, diagnose the problem, and respond.
What I liked in his talk is that Vincent’s attack model was remarkably realistic, based on real-world packet flows that had been captured, and were replayed using software developed by OARC. This is one of the beautiful aspects of the DNS research community: we talk, and we share ideas and experiences.
Jerry Lundström from OARC has written DNS packet replay code, now available on GitHub. If you want to see talks like Vincent’s in the future, you’re going to have to join OARC because we can’t reveal stuff that the authors bring into the room under restrictions, but we can share them with the membership on the day.
IPv6 and the DNS: the risks
Apart from his chairing duties, Geoff spoke on his work analyzing the DNS risks when using IPv6 transport.
IPv6 is my favourite kind of network because it preserves the end-to-end principle that I adhere to. However, I do recognize it has (at least) one major failure — it doesn’t handle fragmentation well.
Most IPv6 traffic seen ‘in the wild’ is TCP-based and has negotiated a transfer unit that fits the pipe. The DNS over UDP does no such negotiation, and as a result Geoff can show that DNSSEC won’t work well over IPv6; instead, it depends on IPv4 for the fallback.
A number of observations stem from this work, some of which go to the emerging DNS session work (DNS over TLS, DNS over QUIC) that would bypass the problem. Some of these are ‘hackier’ than others, for example sending two responses, one over v6 and one with truncation flagging (if the v6 one is ‘lost’ the truncation signal will cause fallback to TCP, and the problem is avoided).
All in all, it’s a worrisome situation. IPv6 was not designed with a long-lived dual-stack future in mind. Now we’re there, the consequences are emerging.
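To make the failure mode concrete, here is an added example (my own illustration, not code from Geoff’s talk or from OARC) that models the two sides of the problem the previous paragraphs describe: an authoritative server deciding how to send a large DNSSEC answer over UDP, and a client deciding whether a truncation (TC) flag means it should re-ask over TCP. The 1280-byte IPv6 minimum MTU and the 12-byte DNS header layout are from RFC 8200 and RFC 1035; the answer sizes, the EDNS buffer size, the ‘fragments always dropped’ network model and the ‘cap at 1232 bytes on IPv6’ server policy are constructed assumptions for the simulation.

```python
"""Added example (not from the post): large DNSSEC answers over UDP on IPv6
and the TC-bit fallback to TCP.  Sizes, policy and network model are
constructed assumptions for illustration."""
import struct

IPV6_MIN_MTU = 1280                                     # RFC 8200 minimum link MTU
IPV6_UDP_OVERHEAD = 40 + 8                              # IPv6 header + UDP header
SAFE_UDP_PAYLOAD_V6 = IPV6_MIN_MTU - IPV6_UDP_OVERHEAD  # 1232 bytes of DNS message
QR_FLAG = 0x8000                                        # response bit (RFC 1035 header)
TC_FLAG = 0x0200                                        # truncation bit


def dns_header(msg_id, truncated, qdcount=1, ancount=0):
    """12-byte DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    flags = QR_FLAG | (TC_FLAG if truncated else 0)
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def build_response(msg_id, answer_len, client_bufsize, over_ipv6, avoid_fragments):
    """Server side.  answer_len is the full message size (header included).
    Returns (wire_bytes, needs_fragmentation).  With avoid_fragments the
    server refuses to exceed the IPv6 minimum MTU and truncates instead
    (assumed policy, not a standard)."""
    limit = client_bufsize
    if over_ipv6 and avoid_fragments:
        limit = min(limit, SAFE_UDP_PAYLOAD_V6)
    if answer_len <= limit:
        body = b"\x00" * (answer_len - 12)  # constructed stand-in for question + RRsets
        wire = dns_header(msg_id, False, ancount=1) + body
        needs_frag = over_ipv6 and len(wire) > SAFE_UDP_PAYLOAD_V6
        return wire, needs_frag
    # Does not fit: send just the header with TC=1 so the client comes back over TCP.
    return dns_header(msg_id, True), False


def should_retry_over_tcp(response):
    """Client side: TC=1 in the flags word means the UDP answer was cut short."""
    if len(response) < 12:
        return True  # malformed/short reply: treat as unusable and retry
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)


def simulate_lookup(answer_len, client_bufsize, over_ipv6, avoid_fragments,
                    fragments_dropped=True):
    """Returns which transport finally delivers the answer, or 'timeout'.
    Fragmented IPv6 datagrams are assumed to be dropped on the path."""
    wire, needs_frag = build_response(0x1234, answer_len, client_bufsize,
                                      over_ipv6, avoid_fragments)
    if needs_frag and fragments_dropped:
        return "timeout"  # no signal ever reaches the client; it just waits
    if should_retry_over_tcp(wire):
        return "tcp"      # TC bit seen: re-ask over TCP, which segments to fit the path
    return "udp"


if __name__ == "__main__":
    # Constructed scenario: a 1500-byte signed answer, client advertises EDNS 4096.
    for v6, avoid in [(True, False), (True, True), (False, False)]:
        print(f"ipv6={v6} avoid_fragments={avoid}: "
              f"{simulate_lookup(1500, 4096, v6, avoid)}")
```

The point of the simulation is the middle case: the same 1500-byte answer that silently vanishes when the server trusts the client’s 4096-byte EDNS buffer over IPv6 is recovered as soon as the server signals truncation instead, because a TC bit is something the client can act on while a lost fragment is not.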
Reducing unnecessary traffic on the roots
Daniel Karrenberg and Kazunori Fujiwara presented in the same session on cache priming and on the caching effects of shared versus private resolvers.
Daniel spoke about his view inside K-root, and the fascination of the more inexplicable queries seen at the root. He estimates that at times, 95% of the traffic is effectively redundant. This is likely to change as the aggressive NSEC work deploys in the BIND codebase and beyond.
Fujiwara-san is the principal author of the highly significant work on NSEC being included in BIND under a contract from APNIC and deserves recognition for his contribution to defining sensible approaches to retaining negative-cache data.
The likelihood is that this work will significantly reduce unnecessary traffic on the roots, given around 60% deployment of BIND code worldwide and the vast number of repeated NXDOMAIN responses being sent by the roots, which Fujiwara’s RFC 8198 defines as cacheable negative secure responses.
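For readers who want to see why a cached NSEC record lets a resolver stop re-asking the root, here is an added example (my own illustration, not BIND’s implementation or code from Fujiwara’s work) of the RFC 8198 idea: a small validated-NSEC cache that synthesizes NXDOMAIN and NODATA answers locally. The canonical name ordering follows RFC 4034 section 6.1; the three-name zone, its NSEC chain and the queries are constructed. It also covers two caveats a real implementation must honour: it refuses to answer for names under a delegation, and it will not synthesize NXDOMAIN unless the cache can also prove that no wildcard exists at the closest encloser.

```python
"""Added example (not from the post): resolver-side aggressive use of cached
NSEC records (RFC 8198).  Zone contents and queries are constructed."""


def canonical_labels(name):
    """Labels of a DNS name, lowercased and reversed so the label nearest the
    root compares first (RFC 4034 section 6.1 canonical ordering)."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")[::-1]) if name else ()


def canonical_cmp(a, b):
    """-1, 0 or 1 for a <, ==, > b: labels compared root-first as unsigned
    octets; a name that is an ancestor (prefix) of the other sorts first."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        xb, yb = x.encode("ascii"), y.encode("ascii")
        if xb != yb:
            return -1 if xb < yb else 1
    if len(la) != len(lb):
        return -1 if len(la) < len(lb) else 1
    return 0


def is_subdomain(name, parent):
    ln, lp = canonical_labels(name), canonical_labels(parent)
    return ln[:len(lp)] == lp


def common_ancestor(a, b):
    la, lb = canonical_labels(a), canonical_labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(reversed(la[:n]))


class NsecCache:
    """DNSSEC-validated NSEC records of one zone as (owner, next, types)."""

    def __init__(self, zone):
        self.zone = zone.rstrip(".").lower()
        self.records = []

    def add(self, owner, next_name, types):
        self.records.append((owner.rstrip(".").lower(), next_name.rstrip(".").lower(),
                             frozenset(t.upper() for t in types)))

    @staticmethod
    def _covers(owner, nxt, qname):
        # Normal link: owner < qname < next.  The last NSEC points back to the
        # apex, so it covers every name sorting after its owner.
        if canonical_cmp(owner, nxt) < 0:
            return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, nxt) < 0
        return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, nxt) < 0

    def _find_covering(self, qname):
        for rec in self.records:
            if self._covers(rec[0], rec[1], qname):
                return rec
        return None

    def synthesize(self, qname, qtype):
        """'NXDOMAIN', 'NODATA', or None when the query must go upstream."""
        qname, qtype = qname.rstrip(".").lower(), qtype.upper()
        if not is_subdomain(qname, self.zone):
            return None
        # Exact owner match: the name exists and the type bitmap says what it has.
        for owner, _nxt, types in self.records:
            if owner == qname:
                return None if (qtype in types or "CNAME" in types) else "NODATA"
        rec = self._find_covering(qname)
        if rec is None:
            return None
        owner, nxt, types = rec
        # Below a delegation point the parent's NSEC proves nothing (child zone data).
        if is_subdomain(qname, owner) and "NS" in types and "SOA" not in types:
            return None
        # RFC 8198 also needs proof that no wildcard exists at the closest encloser.
        ce_owner, ce_next = common_ancestor(qname, owner), common_ancestor(qname, nxt)
        closest_encloser = ce_owner
        if len(canonical_labels(ce_next)) > len(canonical_labels(ce_owner)):
            closest_encloser = ce_next
        if self._find_covering("*." + closest_encloser) is None:
            return None
        return "NXDOMAIN"


def build_demo_cache(with_apex=True):
    """Constructed zone 'example' with names example, a.example, c.example."""
    cache = NsecCache("example")
    if with_apex:
        cache.add("example", "a.example", ["SOA", "NS", "DNSKEY", "NSEC", "RRSIG"])
    cache.add("a.example", "c.example", ["A", "NSEC", "RRSIG"])
    cache.add("c.example", "example", ["NS", "NSEC", "RRSIG"])  # delegation, last link
    return cache


if __name__ == "__main__":
    cache = build_demo_cache()
    for q in [("b.example", "A"), ("a.example", "AAAA"), ("a.example", "A"),
              ("x.c.example", "A"), ("z.example", "A"), ("foo.other", "A")]:
        print(q, "->", cache.synthesize(*q))
```

Note that `b.example` can only be answered from cache when the apex NSEC is present as well: the record `a.example → c.example` proves the name is absent, but the wildcard check needs a record covering `*.example`, which sorts between the apex and `a.example`. Drop the apex record and the resolver correctly falls back to asking upstream.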
Heralding a new age of DNS-OARC
The day ended with the DNS-OARC member meeting. OARC has turned a corner by adopting a significant proposal to regard board directors as individuals (albeit requiring membership personally, or in an incorporated member body) rather than company representatives.
This is the last board election that was held under the old model. A mix of old- and new-blood is now on the board, and I look forward to a year of more developments and more OARC meetings.
Next time, why not come along too?