There’s a good bit of DNS secrurity and privacy activity happening at IETF 99 next week in Prague, although not all of that is in working groups. Here is a view of what is going on.
IETF 99 Hackathon
Once again there will be a good-sized “DNS team” at the IETF 99 Hackathon over the weekend (15-16 July). The IETF 99 Hackathon wiki outlines the work (scroll down to see it). From a security point of view, major projects include:
- Continuing work on how DNS implementations deal with the impending KSK rollover in October 2017.
- RFC 5011 compliance testing (related to the KSK rollover)
- Implementation of the new elliptic curve crypto algorithm, Ed25519, defined in RFC 8080.
There is also work on multiple other DNS records and tools, including a new packet capture format focused on DNS. Anyone is welcome to join us for part or all of that event.
DNS Privacy Tutorial
On Sunday, July 16, there will be a “DNSPRIV Tutorial” from 12:30-13:30 CEST (UTC+2). This will explain the work of the DPRIVE working group to add a layer of confidentiality to DNS queries. Much of this involves sending DNS queries over TLS.
It is possible (and I’ll update the post if it is) that this tutorial may be streamed out over the IETF YouTube channel and recorded. The www.ietf.org/live page doesn’t have it listed yet, but I would check there to see closer to the date.
DNS PRIVate Exchange (DPRIVE)
On the same theme, the DPRIVE working group meets Tuesday morning from 9:30-12:00 CEST. The draft agenda shows their should be good discussion on several of the current working group drafts. I am also looking forward to the discussion about DNS over the QUIC protocol. The group will also discuss measuring the usage of DNS-over-TLS and talk about what comes next.
DNS Operations (DNSOP)
The DNS Operations (DNSOP) Working Group meets twice in Prague. First on Tuesday, July 18, from 15:50-17:50 CEST, and then on Thursday, July 20, from 18:10-19:10.
The agenda isn’t out yet, but two drafts related to DNSSEC that might be up for discussion include:
- draft-mglt-dnsop-dnssec-validator-requirements – Work led by Daniel Migault to define requirements for DNSSEC-validating DNS resolvers. (I am a co-author, although Daniel has definitely led the work.)
- draft-york-dnsop-deploying-dnssec-crypto-algs – The author team of which I am part updated the document. A question now is where exactly this draft goes next.
There are a range of the other documents related to DNS security or privacy – or that can have impacts on those topics. We’ll have to see what gets onto the agenda.
DNSSEC Coordination informal breakfast meeting
Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.
Other Working Groups
The DNS-SD working group will also have a brief discussion of DNS-SD Privacy drafts. Agendas aren’t posted yet, but the Using TLS in Applications (UTA) working group often has drafts of interest, as does the Security Area Open Meeting (SAAG). The thing about DNS is that it is so critical to every service that it often shows up in many different groups.
P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:
Relevant Working Groups at IETF 99:
DPRIVE (DNS PRIVate Exchange) WG
Tuesday, 18 July 2017, 09:30-12:00 CEST (UTC+2), Congress Hall III
DNSOP (DNS Operations) WG
Tuesday, 18 July 2017, 15:50-17:50 CEST (UTC+2), Congress Hall II
DNSSD (Extensions for Scalable DNS Service Discovery) WG
Wednesday, 19 July 2017, 15:20 – 16:50 CEST (UTC+2), Athens/Barcelona
There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf99.