I attended the OARC 32 workshop in San Francisco today, and in this post I’ll provide some notes on the talks I found particularly interesting. For those interested, the full agenda can be found here and some information on the DNS-OARC organization itself here.
Brian Somers: Recursive Resolution from the ground up
This was a super-interesting talk from Brian Somers, Cisco, in which he laid out how they implemented DNSSEC in OpenDNS’s recursive resolvers. He discussed the – various – challenges they faced on that journey, together with some design decisions. Initially they had planned to support fragmented responses which, in hindsight, he called a ‘huge debacle’, for the reasons shown on this slide (regular readers might have an idea why I mention this ;-):
This one gives an idea of the inherent complexity of their undertaking (well, more correctly: of the complexity of DNSSEC…):
Furthermore he mentioned that they saw only a 10% increase in network traffic after setting the DO bit (‘DNSSEC OK’, the flag in the EDNS0 OPT record that tells the authoritative server the resolver is willing to receive signed responses), and that they didn’t notice a significant CPU penalty (but they had performed some optimizations in the course of the project, plus hardware upgrades).
Paul Vixie gave a related lightning talk (PPT slides here) on the “Avoid IP fragmentation in DNS” Internet-Draft in the afternoon, of which this slide is particularly interesting:
Slides of Brian Somers talk here (PPT).
Video here (starts 17:30).
Slides of their DEF CON 27 talk on fragmentation-based DNS poisoning attacks here.
Some notes on DNS flag day 2020 plus links to the relevant research papers in this post.
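To make the two EDNS0 knobs mentioned above concrete (the DO bit from Brian’s talk and the advertised UDP buffer size that the fragmentation-avoidance draft and DNS flag day 2020 are about), here is a small added example; it is my own illustration and not code from any of the talks or from OpenDNS. It builds a DNS query by hand with an OPT pseudo-RR in the additional section, parses the EDNS0 parameters back out of a message, and shows the TC check a resolver uses to fall back to TCP when a server has to truncate rather than fragment. The 1232-byte default is the DNS flag day 2020 recommendation; the example name `example.com` and the transaction IDs are placeholders.

```python
import struct

# Wire-format constants (RFC 1035 header/question, RFC 6891 OPT RR,
# RFC 4035 DO bit). 1232 is the DNS flag day 2020 EDNS buffer size,
# chosen so that a UDP/IPv6 datagram fits in a 1280-byte MTU without
# IP fragmentation.
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
FLAG_RD = 0x0100          # recursion desired (header flags)
FLAG_QR = 0x8000          # response (header flags)
FLAG_TC = 0x0200          # truncated (header flags)
DO_BIT = 0x8000           # DO = top bit of the 16-bit EDNS flags, which
                          # live in the low half of the OPT RR's TTL field
FLAG_DAY_2020_BUFSIZE = 1232
PLAIN_DNS_BUFSIZE = 512   # what a responder may assume without EDNS0


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int,
                bufsize: int = FLAG_DAY_2020_BUFSIZE,
                do: bool = True, edns: bool = True) -> bytes:
    """Build a recursive query, optionally with an EDNS0 OPT RR.

    In the OPT RR the CLASS field carries the sender's UDP payload size
    and the TTL field carries ext-RCODE | version | flags, DO being the
    most significant flag bit.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    ttl_field = DO_BIT if do else 0          # ext-RCODE 0, version 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl_field, 0)
    return header + question + opt


def parse_edns(packet: bytes) -> dict:
    """Return the EDNS0 parameters a message advertises plus its TC bit.

    Without an OPT RR the peer must assume plain-DNS behaviour: a 512-byte
    limit and no DO, so that is what the defaults below express.
    """
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    result = {"bufsize": PLAIN_DNS_BUFSIZE, "do": False,
              "tc": bool(flags & FLAG_TC)}

    def skip_name(p: int) -> int:
        while True:
            ln = packet[p]
            if ln == 0:                 # root label terminates the name
                return p + 1
            if ln & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
                return p + 2
            p += 1 + ln

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == TYPE_OPT:
            result["bufsize"] = rclass
            result["do"] = bool(ttl & DO_BIT)
        pos += rdlen                    # skip RDATA of every record
    return result


def mark_truncated(query: bytes) -> bytes:
    """Simulate a server that answers with TC=1 because the reply would not
    fit the advertised buffer (the draft's alternative to fragmenting)."""
    (flags,) = struct.unpack("!H", query[2:4])
    flags |= FLAG_QR | FLAG_TC
    return query[:2] + struct.pack("!H", flags) + query[4:]


def needs_tcp_retry(response: bytes) -> bool:
    """A resolver retries over TCP when the UDP answer is truncated."""
    return parse_edns(response)["tc"]


if __name__ == "__main__":
    q = build_query("example.com", TYPE_A, 0x1234)
    print(parse_edns(q))                       # {'bufsize': 1232, 'do': True, 'tc': False}
    print(needs_tcp_retry(mark_truncated(q)))  # True
```

Two things worth noticing when running it: a message without an OPT RR parses to the plain-DNS defaults (512 bytes, no DO), which is exactly why pre-EDNS middleboxes see nothing new; and the TC path is the whole point of the fragmentation-avoidance draft, as a server that keeps replies under the advertised size and sets TC when it cannot trades a fragmented UDP datagram (with the poisoning risks discussed in the DEF CON talk linked above) for a TCP retry.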
Edward Lewis: The Different Ways of Minimizing ANY
RFC 8482 describes several ways a DNS server can respond to queries of the ‘ANY’ type. Measurements performed by Edward show that different servers respond in many different flavors:
which in turn raises several questions/concerns:
Again, regular readers know I have a certain stance on protocol complexity – as an IPv6 person I heavily suffer from it on a daily basis ;-), see also this post and my RIPE 74 presentation on IPv6 security aspects. I hence very much liked this part of Edward’s talk.
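As an added illustration of the RFC 8482 behaviours Edward measured (not code from his talk or from any real server), here is a toy responder that implements the three ways the RFC lets a server minimize an ANY answer, plus the classifier one would use to label observed responses the way his measurement does. The zone content is constructed; the choice of ‘smallest RRset’ for the subset strategy and the full answer over TCP are my own choices, the latter being an option the RFC leaves open because the amplification concern is specific to UDP.

```python
from dataclasses import dataclass

# RFC 8482 responder options for an ANY query:
#   "full"   - the pre-RFC behaviour, every RRset at the name (amplifier-friendly)
#   "subset" - section 4.1: at least one RRset, not necessarily all
#   "hinfo"  - section 4.2: a synthesised HINFO record with CPU "RFC8482"
STRATEGIES = ("full", "subset", "hinfo")


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # one entry per RR in the set; presentation format as strings


def answer_any(zone: list, qname: str, strategy: str, transport: str = "udp") -> list:
    """Return the RRsets a server following `strategy` puts in an ANY answer.

    Constructed toy: an empty list models NODATA/NXDOMAIN, which a real
    server signals in the header rather than in the answer section.
    """
    if strategy not in STRATEGIES:
        raise ValueError("unknown strategy %r" % strategy)
    available = [r for r in zone if r.name == qname]
    if not available:
        return []
    if strategy == "full" or transport == "tcp":
        # No amplification risk over TCP, so the toy answers in full there.
        return list(available)
    if strategy == "subset":
        # Assumption of this example: pick the smallest RRset so the reply
        # stays small; the RFC only requires that at least one be returned.
        return [min(available, key=lambda r: (len(r.rdata), r.rtype))]
    # "hinfo": CPU field "RFC8482", OS field empty, as the RFC specifies
    return [RRset(qname, "HINFO", ("RFC8482", ""))]


def is_rfc8482_hinfo(rrset: RRset) -> bool:
    return rrset.rtype == "HINFO" and rrset.rdata[:1] == ("RFC8482",)


def classify_any_response(answer: list, known_types: set) -> str:
    """Label an observed ANY answer, given the types known to exist at the name.

    Mirrors the flavours one sees when measuring: nothing at all, the RFC
    8482 HINFO marker, a partial answer, or the complete set.
    """
    if not answer:
        return "empty"
    if len(answer) == 1 and is_rfc8482_hinfo(answer[0]):
        return "hinfo"
    returned = {r.rtype for r in answer}
    return "full" if returned >= known_types else "subset"


# Constructed zone content for the example.
ZONE = [
    RRset("example.com", "A", ("192.0.2.1", "192.0.2.2")),
    RRset("example.com", "AAAA", ("2001:db8::1",)),
    RRset("example.com", "MX", ("10 mail.example.com.",)),
    RRset("www.example.com", "A", ("192.0.2.3",)),
]
KNOWN_TYPES = {"A", "AAAA", "MX"}


if __name__ == "__main__":
    for strategy in STRATEGIES:
        ans = answer_any(ZONE, "example.com", strategy)
        print(strategy, "->", classify_any_response(ans, KNOWN_TYPES), ans)
```

The classifier needs to know which types really exist at the name, which is the part that makes such measurements laborious: an answer with one RRset could be a deliberate RFC 8482 subset or simply a name that only has one RRset, and only a second query for the individual types tells them apart.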
Ralf Weber & Mark Dokter (both Akamai): DNS Encryption Operational Experience and Insights
Another good talk with real-life measurements, this time on the behavior of different DoH/DoT clients. Two quick points on this one: first, having done some work in the space of X.509 certificate infrastructures in an ancient stage of life, I’m a bit worried when looking at this 😉
Secondly, I found their notes on tuning the stack/kernel of the lab servers (quicker re-use of ports and a higher file-handle limit, as every connection needs one) quite interesting:
Dan Mahoney (from ISC): F-Root Updates
Yet another real-life case-study talk – lovely! ;-). Dan discussed the challenges, design decisions and choices of hardware & software during their recent upgrade of the F-Root. While one might think that ‘the F-Root’ is mainly about DNS-related components, in reality many other pieces are involved, such as network hardware and routing daemons:
While DNS is not my primary domain of work or expertise, I really enjoyed the day, including some good conversations during the breaks.
Wishing everybody a great Sunday, and those of you still in SFO have a good NANOG 78 meeting.