DNS Working Group

Thursday, 26 May 14:00 - 15:30

A. Administrivia [5 min]
  • Agenda Bashing
  • Review of Action Items
  • Approval of Previous Minutes

B. RIPE NCC Report [30 min]
Anand Buddhdev

C. Root Zone ZSK Size Increase [25 min]
Duane Wessels

Verisign, in its role as Root Zone Maintainer, plans to increase the size of the root zone Zone Signing Key (ZSK) in 2016. The ZSK has been a 1024-bit RSASHA256 key since the initial deployment of DNSSEC to the root zone in 2010. In the latter half of 2016, the ZSK size will be increased to 2048 bits.

In this presentation we will outline the schedule for the change, describe various technical and non-technical details for implementing the change, describe how the change will affect root zone response sizes, and discuss our plans for emergency fallback to a 1024-bit key in the unlikely event it should be necessary.

A brief update from ICANN on the status of the change to the KSK which will follow the ZSK size change.

D. QNAME Minimization in Unbound [25 min]
Ralph Dolmans

This talk is about the QNAME minimisation implementation in Unbound. QNAME minimisation is a technique to improve DNS privacy by limiting the amount of privacy-sensitive data exposed to authoritative nameservers. Although resolving using QNAME minimisation is not strictly forbidden in the original DNS RFCs, not all nameservers handle these queries the way they should. Unbound is shipped with an implementation that will resolve queries “as usual” when broken nameservers are detected. Also covered in this talk is the effect of QNAME minimisation on the number of queries, and some side benefits of QNAME minimisation.

E. Follow-up From Plenary Topics [5 min]
  • What’s So Hard About DNSSEC?
    Paul Ebersman

Thursday, 26 May 16:00 - 17:30

F. BIND 9.11 Release Update [25 min]
Vicky Risk

BIND 9.11, the first new major version in over two years, will be in alpha testing during RIPE 72, and is scheduled for release this summer. This version will include a new database API, contributed by Red Hat, a new provisioning mechanism called Catalog zones, improvements to RNDC, an IPv6 bias, and the DNSSEC negative trust anchor, among other things. We will also give an update on BIND performance testing at ISC, and would like to discuss a possible change in the open source licensing for BIND.

G. DNS Privacy Public Resolver Proposal [5 min]
Allison Mankin/Sara Dickinson

Proposal that the RIPE NCC operates the first DNS over TLS privacy-enhanced public recursive to provide service to the community and to research additional privacy-enhancing mechanisms.

H. Panel on DNSSEC Algorithm Flexibility [55 min]
Ondřej Surý et al

A panel with representatives of DNS Operators and DNS Hosters, discussing the challenges of introducing new and deprecating old DNS features and DNS(SEC) algorithms. The panel will discuss the deployment of new DNS standards at the customer DNS servers.
The proposed moderator is Ondřej Surý. The members of the panel are yet to be determined and will be announced in a separate update closer to the meeting.
  • Ondřej Surý, Moderator
  • Lars-Johan Liman, Netnod, Panelist
  • Marco d'Itri, Seeweb, Panelist
  • Dave Knight, Dyn, Panelist
  • Phil Regnauld, Network Resource Startup Center, Panelist