1 of 13

Results from project DNS

IETF 113

19-20 March 2022

Vienna, Austria

IETF Hackathon results - Project DNS

2 of 13

Hackathon Plan

Extended DNS Errors [RFC8914]�

While implementing –�More situations�came up

IETF Hackathon results - Project DNS

3 of 13

Hackathon Plan

Extended DNS Errors [RFC8914]�

While implementing –� More situations for an EDE info-code emerged
Registry if First Come First Served
D raft-carpay-extra-ede-codes-dnssec-bogus

Discussed between Tom Carpay, Petr Špaček, Libor Peltan, and *

IETF Hackathon results - Project DNS

4 of 13

Hackathon Plan

Dry-run DNSSEC

Try out DNSSEC for your zone first, before going live
d raft-yorgos-dnsop-dry-run-dnssec-00
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3� 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1� +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+� | Key Tag | Algorithm | DRY-RUN |� +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+� | Digest Type | /� +-+-+-+-+-+-+-+-+ Digest /� / /� +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IETF Hackathon results - Project DNS

5 of 13

Dry-run DNSSEC�- operation

Validate RRset

DRY–RUN DS?

Select DS

Prefer the DRY-RUN DS

DSes?

SECURE�set AD bit

DNSSEC valid?

Remove DRY-RUN DSes�From DS RRset

yes

INSECURE

BOGUS�SERVAIL

yes

DNS Error�reporting

yes

6 of 13

Dry-run DNSSEC

RIPE Atlas measurements to measure backwards compatibility by Tom Carpay

Insecure

Dry-run

Dry-run BOGUS

Secure

Secure +�Dry-run

Secure +�Dry-run BOGUS

IETF Hackathon results - Project DNS

7 of 13

Hackathon Plan

DNS Catalog Zones�

draft-ietf-dnsop-dns-catalog-zones-05�

Interoperability testing�
New! BIND implementation for draft version!

Petr Špaček, Libor Peltan, Willem Toorop

IETF Hackathon results - Project DNS

8 of 13

Hackathon Plan

DNS Catalog Zones�

draft-ietf-dnsop-dns-catalog-zones-05�

Interoperability testing�
New! BIND implementation for draft version!

Petr Špaček, Libor Peltan, Willem Toorop

IETF Hackathon results - Project DNS

9 of 13

Hackathon Plan

DNS Dynamic Update over Encrypted Transport (QUIC / TLS)�

SERVER SIDE: BIND 9.18 with DoT + quiqdoq as DoQ proxy
CLIENT:

Trust DNS (Rust impl) - Success using DoT
Dnsjava - Success using DoT
Efforts to integrate QUIC libraries hit problems �

Allison Mankin, Benjamin Fry, Han Zhang, John Dickinson, Pallavi Aras, Sara Dickinson, Shane Kerr, Sidan Qi, Sile Yang

IETF Hackathon results - Project DNS

10 of 13

Hackathon Plan

DNS Dynamic Update over Encrypted Transport (QUIC / TLS)�

SERVER SIDE: BIND 9.18 with DoT + quiqdoq as DoQ proxy
CLIENT:Trust DNS (Rust imp
l) - Success using DoT

Dnsjava - Success using DoT
Efforts to integrate QUIC libraries hit problems �

Allison Mankin, Benjamin Fry, Han Zhang, John Dickinson, Pallavi Aras, Sara Dickinson, Shane Kerr, Sidan Qi, Sile Yang

IETF Hackathon results - Project DNS

11 of 13

qp-trie for NSD

patches by Tony Finch, July 2021
small fast DNS name lookup data structure
discussion between Tony and NLnetLabs
updated notes on experimental branches

IETF Hackathon results - Project DNS

12 of 13

What got done

What we learned

Lots and lots of excellent conversation!�
Open Source DNS Software developers align! (Extra EDEs)�
Developers align with operators!

You can’t beat an in person hackathon!

IETF Hackathon results - Project DNS

13 of 13

Wrap Up

Team members:

Tom Carpay�Petr Špaček�Libor Peltan�Willem Toorop�Allison Mankin�Benjamin Fry�Han Zhang�John Dickinson�Pallavi Arres

John Dickinson�Pallavi Arres�Sara Dickinson�Shane Kerr�Shivan Kaul Sahib�Sidan Qi�Sile Yang�Benno Overeinder�more…

IETF Hackathon results - Project DNS