Wow! There is a crazy amount of DNS activity happening at IETF 93 next week in Prague! Beyond the usual working groups we follow such as DNSOP and DANE, there are a wide range of other groups where DNS security and privacy are under discussion. It’s going to be a VERY busy week for all of us involved with DNS! (And, there’s also the IETF 93 Hackathon starting on Saturday and Sunday where several of us will be working on code related to DNSSEC, DANE and more.)
Let’s walk through the week…
NOTE: If you are unable to attend IETF 93 in person, there are multiple ways to participate remotely and listen to these sessions. Also, all times below are Central European Summer Time (CEST) which is UTC+2.
DNS Operations (DNSOP)
Monday turns out to be a big DNS day with DNSOP starting off the back-to-back marathon in the 15:20 to 17:20 block. The major piece of DNSSEC-related work will be two different drafts from Joe Abley and Warren Kumari around publication of DNSSEC trust anchors. Both of these are work items out of the ongoing work around how we successfully perform a key rollover with critical DNSSEC keys such as the Key Signing Key at the root of DNS. After that, DNSOP will continue the ongoing discussion related to “special-use” names which, while not directly connecting to DNS security, should still be quite interesting.
Domain Boundaries (DBOUND)
Next up on Monday in the 17:40 to 18:40 session will be the DBOUND group. This group is look at the boundaries used to determine when an address being requested in DNS is “private” versus “public”. This impacts security policies.
DNS-based Authentication of Named Entities (DANE)
Finally in the 18:50 – 19:50 slot on Monday, the working group looking after the DANE protocol will be meeting to focus on three drafts:
- TLS extension for DNSSEC
- Client Certificates in DANE TLSA Records
- DANE and SMIME
Given the amount of activity with using DANE in email communication these days, I expect there to be some good discussion.
Tuesday is TLS Day
Tuesday turns out to be “TLS Day” with both the core Transport Layer Security (TLS) and the Using TLS in Applications (UTA) groups meeting. Because of the connection to DANE, the TLS meeting is important to understand in terms of the evolution of the protocol with TLS 1.3 and beyond. There is a packed agenda for the TLS WG and it spans two days – both Tuesday and Wednesday. If time permits, there is also a specific presentation for the group about DNSSEC and DANE validation chains. The UTA working group has a lighter agenda this time, but again is something we’ll follow because of the connection to TLS and DANE.
DNS Service Discovery (DNSSD)
Wednesday morning will begin with the 9:00-11:30 session having both the second session of the TLS Working Group and also the only session of DNSSD. The key reason to mention the group this time is that the DNSSD agenda includes a discussion of the threat model and security considerations for multicast DNS (mDNS).
Crypto Forum Research Group (CFRG)
Wednesday afternoon from 13:00-15:30 brings the meeting of the CFRG which has nothing specific to DNS security on its agenda, but there looks to be a lengthy discussion planned about the use of elliptic curve cryptography (ECC). This is something we’ve certainly been looking at within the DNSSEC space with regard to using ECDSA and other algorithms for DNSSEC signatures. It will be interesting to see what emerges out of this discussion in terms of future directions for IETF crypto algorithms.
Extensible Provisioning Protocol Extensions (EPPEXT)
In the last session slot on Wednesday from 17:40-19:40 the EPPEXT group will be meeting to discuss extensions to the EPP protocol used between DNS registrars, registries and similar entities. An agenda has not yet been published but several of the past documents have related to exchanging DNSSEC-related information.
Thursday is for TRANS
The only working group we’re tracking on Thursday related to DNS or TLS is the Public Notary Transparency (TRANS) group meeting in the 17:40-19:10 block at the end of the day. No agenda yet, so it’s not clear what will be discussed. Certificate Transparency is one of the number of technologies that are working to make TLS more secure and so this remains of interest.
DNS PRIVate Exchange (DPRIVE)
In the unenviable slot of Friday morning from 9:00-11:30 will be the third meeting of the DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” A great bit of work has been going on and the DPRIVE agenda shows discussion being planned for several possible solutions to provide this level of privacy and confidentiality.
It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!
P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:
Relevant Working Groups at IETF 93:
DNSOP (DNS Operations) WG
Monday, 20 July 2015, 1520-1720 CEST, Congress Hall II
DBOUND (Domain Boundaries) WG
Monday, 20 July 2015, 1740-1840 CEST, Athens/Barcelona
DANE (DNS-based Authentication of Named Entities) WG
Monday, 20 July 2015, 1850-1950 CDT, Venetian
EPPEXT (Extensible Provisioning Protocol Extensions) WG
Wednesday, 22 July 2015, 1740-1940 CEST, Karlin III
DPRIVE (DNS PRIVate Exchange) WG
Friday, 24 July 2015, 0900-1130 CEST, Karlin I/II
There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf93.