May 2023 - dns-wg - mailman.ripe.net

OARC 41 - Call for Contribution
by Hazel 23 May '23

23 May '23

OARC 41 will be a two-day hybrid meeting and the tentative dates are 6th and 7th September to be co-located with ICANN DNS Symposium in Asia. The Programme Committee is seeking contributions from the community. All DNS-related subjects and suggestions for discussion topics are welcome. For inspiration, we provide a non-exhaustive list of ideas: - Operations: Any operational gotchas, lessons learned from an outage, details/reasons for a recent outage (how to improve TTR, tooling). - Deployment: DNS config management and release process. - Monitoring: Log ingestion pipeline, analytics infrastructure, anomaly detection. - Scaling: DNS performance management and metrics. Increasing DNS Server Efficiency - Security/Privacy: DNSSEC signing and validation, key storage, rollovers, qname minimization, DoH/DoT The presentations can be either 10 or 20 minutes in length (plus 5 minutes for Q&A). Proposals for in-person lightning presentations will be opened at the Workshop. *Workshop Milestones:* 2023-04-16 Submissions open via Indico 2023-06-10 Deadline for submission (23:59 UTC) 2023-06-27 Preliminary list of contributions published 2023-07-11 Full agenda published 2023-08-08 Deadline for slideset submission and Rehearsal 2023-09-06 OARC 41 Workshop - Day1 2023-09-07 OARC 41 Workshop - Day2 The Registration page and details for presentation submission are published at: <https://www.dns-oarc.net/oarc41> To allow the Programme Committee to make objective assessments of submissions, so as to ensure the quality of the workshop, submissions SHOULD include slides. Draft slides are acceptable on submission. Example guidelines for presentation slides: https://www.grammarly.com/blog/presentation-tips/ Additional information for speakers of OARC 41 - your talk will be broadcast live and recorded for future reference - your presentation slides will be available for delegates and others to download and refer to, before, during and after the meeting - *Remote speakers have mandatory rehearsal on 2023-08-08 at 14:00 UTC.* It would be very useful to have your slides (even if draft) ready for this. Note: DNS-OARC provides registration fee waivers for the workshop to support those who are part of underrepresented groups to speak at and/or attend DNS-OARC. More details will be provided when registration opens. If you have questions or concerns you can contact the Programme Committee: https://www.dns-oarc.net/oarc/programme via submissions(a)dns-oarc.net Hazel Smith, for the DNS-OARC Programme Committee OARC depends on sponsorship to fund its workshops and associated social events. Please contact sponsor(a)dns-oarc.net if your organization is interested in becoming a sponsor. (Please note that OARC is run on a non-profit basis, and is not in a position to reimburse expenses or time for speakers at its meetings.)

1 0

DNSSEC and DHCP
by Julian Fölsch 23 May '23

23 May '23

Hi, First of all: If you think, I should discuss this somewhere else, please tell me. :) During my quest to get my SSH client to use SSHFP records and not annoy me with trust questions anymore, I fell into the rabbit hole that is DNSSEC. Our domain already uses DNSSEC, so I only had to set up the resolver in our office and my PC to verify it. This however had the side effect that child zones that are not signed were no longer resolving so I thought "Lets just sign them. Can't be that hard, right?" I was very wrong. One of the child zones is for hosts using DHCP and is managed by dnsmasq that unfortunately can't sign the zone. But it can do zone transfers. So we tried a setup using opendnssec as a signing proxy that transfers the zone to an unbound. Unfortunately this has proven unreliable at best and broken at worst so I am looking to replace that. I was just looking around for a DHCP server that directly can sign the zone but I was unable to find something so far. So I was wondering how other people are doing this. Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it? Kind regards, Julian PS: If you are at RIPE86 I also would be happy to discuss this in person :) -- Julian Fölsch Arbeitsgemeinschaft Dresdner Studentennetz (AG DSN) Teamsprecher Computing Tel.: +49 351 271816 69 E-Mail: julian.foelsch(a)agdsn.de StuRa der TU Dresden Helmholtzstr. 10 01069 Dresden

4 4

Proposed Service Criticality Forms
by Paul de Weerd 15 May '23

15 May '23

Dear Colleagues, During the DNS WG session at RIPE 84 in May, we discussed the Service Criticality Framework (https://ripe84.ripe.net/wp-content/uploads/presentations/101-101-Technology… and https://ripe84.ripe.net/archives/video/811). We mentioned that we would like the Working Group's input on the criticality ratings for K-Root and AuthDNS. We have completed the forms internally and would like to share them with you. We hope to receive your feedback by 23 December. Best regards, Paul de Weerd RIPE NCC

1 1

DNS-WG at RIPE 86: Agenda
by Moritz Muller 12 May '23

12 May '23

Hi all, Below you can find our packed agenda for the DNS-WG session at the upcoming meeting. - Shielding Europe - DNS4EU's Pan-European Protective DNS Service for 100 Million Users: Andronikos Kyriakou - Update on the resolver task-force: Shane Kerr - Measuring Open Resolver Use in EU: Geoff Huston - Connectbyname and the Proxy Control option: Philip Homburg - DNSSEC multi-signer models: Matthijs Mekking - RIPE NCC update: Anand Buddhdev - Short presentation by a notable project of the DNS hackathon See you in Rotterdam or online! — Moritz

1 0