Next week’s IETF 98 meeting in Chicago will be remarkably quiet for DNS security and privacy topics. Both the DANE and DPRIVE working groups are making good progress on their mailing lists and so chose not to meet in Chicago. Similarly, with DNSSEC deployment steadily increasing (as we outlined in the 2016 State of DNSSEC Deployment report in December), the work to be discussed in DNS Operations (DNSOP) is more about exploring ideas to make DNSSEC even more secure.
Here is a quick view of what is happening in Chicago.
IETF 98 Hackathon
Over the weekend (25-26 March) we’ll have a good-sized “DNS team” in the IETF 98 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. This time the work will include a team looking at how some DNS toolkits can work with the impending Root KSK Rollover in October 2017. More specific information is in the IETF 98 Hackathon wiki. Anyone is welcome to join us for part or all of that event.
DNS Operations (DNSOP)
The DNS Operations (DNSOP) Working Group meets on Monday afternoon from 13:00-15:00 CDT. The DNSOP agenda includes the following items related to DNSSEC:
- draft-vcelak-nsec5 – a proposed new mechanism for authenticated denial of existence
- draft-sury-dnssec-nsec3-blake2 – a proposal from Ondrej Sury to use the BLAKE2 cryptographic hash function in NSEC3 responses. (Ondrej’s draft is not yet in the datatracker, but he has a version in a GitHub repo.)
Some of the other discussions, such as DNS over TCP, also have potential impacts on DNS security and privacy.
DNS Service Discovery (DNSSD)
On Tuesday, the Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets from 16:40-18:40 CDT. DNSSD is not one of the groups we regularly follow as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). However, in Chicago the DNSSD agenda specifically has a discussion around “Privacy Extensions” (see draft-ietf-dnssd-privacy).
DNSSEC Coordination informal breakfast meeting
Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.
Other Working Groups
Right before the DNSSD Working Group on Tuesday, the Using TLS in Applications (UTA) WG will meet from 14:50 – 16:20 and will be covering several ideas for “Strict Transport Security” (STS) for email. While not directly tied to DNSSEC or DANE, they do use DNS for these security mechanisms. And then in the final session on Friday, from 11:50-13:20, the IPSECME WG will have a discussion about “split DNS” and how that impacts VPNs (see draft-ietf-ipsecme-split-dns).
P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:
- http://www.internetsociety.org/deploy360/dnssec/
- http://www.internetsociety.org/deploy360/resources/dane/
Relevant Working Groups at IETF 98:
DNSOP (DNS Operations) WG
Monday, 27 March 2017, 13:00-15:00 CDT (UTC-5), Zurich D
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: https://datatracker.ietf.org/group/dnsop/about/
DNSSD (Extensions for Scalable DNS Service Discovery) WG
Tuesday, 28 March 2017, 16:40 – 18:40 CDT (UTC-5), Zurich B
Documents: https://datatracker.ietf.org/wg/dnssd/
Charter: https://datatracker.ietf.org/group/dnssd/about/