Colleagues, Here's the updated agenda for the RIPE 72 meeting of the DNS working group in Copenhagen. Updated: C. Root Zone ZSK Size Increase, adds a brief update from ICANN on the status of the change to the KSK which will follow the ZSK size change. H. Panel on DNSSEC Algorithm Flexibility, adds a list of panelists Dave On behalf of the chairs === Session one, Thursday 26 May, 14:00-15:30 === A. [05] Administrivia - Agenda bashing - Review of action items - Approval of previous minutes B. [25] RIPE NCC Report, Anand Buddhdev C. [30] Root Zone ZSK Size Increase, Duane Wessels Verisign, in its role as Root Zone Maintainer, plans to increase the size of the root zone Zone Signing Key (ZSK) in 2016. The ZSK has been a 1024-bit RSASHA256 key since the initial deployment of DNSSEC to the root zone in 2010. In the latter half of 2016, the ZSK size will be increased to 2048-bits. In this presentation we will outline the schedule for the change, describe various technical and non-technical details for implementing the change, describe how the change will affect root zone response sizes, and our plans for emergency fallback to a 1024-bit in the unlikely event it should be necessary. At the end of this discussion, there will be a very short presentation by ICANN about the status of the change to the KSK that will happen after the ZSK size change. D. [25] QNAME Minimization in Unbound, Ralph Dolmans This talk is about the QNAME minimisation implementation in Unbound. QNAME minimisation is a technique to improve DNS privacy by limiting the amount of privacy sensitive data exposed to authoritative nameservers. Although resolving using QNAME minimisation is not strictly forbidden in the original DNS RFCs, not all nameservers handle these queries the way they should. Unbound is shipped with an implementation that will resolve queries "as usual" when broken nameservers are detected. Also covered in this talk is the effect of QNAME minimisation on the number of queries, and some side benefits of QNAME minimisation. E. [05] Followup from Plenary topics - What’s so hard about DNSSEC?, Paul Ebersman === Session two, Thursday 26 May, 16:00-17:30 === F. [25] BIND 9.11 Release Update, Vicky Risk BIND 9.11, the first new major version in over 2 years, will be in alpha testing during RIPE, and is scheduled for release this summer. This version will include a new database api, contributed by RedHat, a new provisioning mechanism called Catalog zones, improvements to RNDC, an IPv6 bias, and the DNSSEC negative trust anchor, among other things. We will also give an update on BIND performance testing at ISC, and would like to discuss a possible change in the open source licensing for BIND. G. [05] DNS Privacy Public Resolver Proposal, Allison Mankin/Sara Dickinson Proposal that RIPE operate the first DNS over TLS privacy-enhanced public recursive to provide service to the community and to research additional privacy enhancing mechanisms. H. [55] Panel on DNSSEC Algorithm Flexibility Ondřej Surý, Moderator Lars-Johan Liman, Netnod, Panelist Marco d'Itri, Seeweb, Panelist Dave Knight, Dyn, Panelist Phil Regnauld, Network Resource Startup Center, Panelist A panel with representatives of DNS Operators and DNS Hosters, discussing the challenges of introducing new and deprecating old DNS features and DNS(SEC) algorithms. The panel will discuss the deployment of new DNS standards at the customer DNS servers. I. [05] AOB