The most passionate discussions involving “DNS security” at IETF 95 in Buenos Aires may possibly take place not in the “traditional” DNS-related Working Groups, but rather over in the Using TLS in Applications (UTA) Working Group on Monday, April 4, 2016, at 14:00 ART where what looks like a vigorous discussion is shaping up about how to protect and secure email communication. Yes, email! On the UTA agenda there is not one but three different proposals for securing email – and all three include some discussion of DNSSEC and DANE (particularly after the publication of RFC 7672 in October about securing email with the DANE protocol). Based on the lengthy threads on the UTA mailing list, I expect a strong amount of discussion.
A second strong thread of activity will be around efforts to increase the security of DNSSEC through the use of elliptic curve cryptography. This will be discussed in both the DNSOP working group and also a new focused working group called CURDLE. It’s also the topic of a recent Internet-Draft I published with a number of others about the steps needed to implement elliptic curve cryptography.
The DPRIVE Working Group will also be meeting to continue its work on securing the connection between DNS clients and recursive resolvers. The DNSSD and TRANS groups will also be meeting and a new Birds-of-a-Feather (BOF) session on ARCING will also meet. The DANE Working Group will not be meeting in BA, but as mentioned above, there will be a good discussion related to DANE as part of the broader UTA discussions on Monday.
Beyond UTA, here are how some of the other groups are looking at IETF95…
DNS Operations (DNSOP)
The DNS Operations (DNSOP) Working Group meets twice: first for an hour on Wednesday (in the timeslot previously scheduled for DANE) and then again for two hours on Friday. Two pieces of DNSSEC work in the new business area of the DNSOP agenda: a draft from Warren Kumari about speeding up negative answers from NSEC records at the root of DNS; and then a draft from Paul Wouters and Ondrej Sury about requirements and usage guidance for DNSSEC cryptographic algorithms. This second draft is interesting because the intent is to phase out usage of older cryptographic algorithms. Beyond that, DNSOP typically winds up with discussions that affect the overall performance and operations of DNS that make for an interesting time.
DNS PRIVate Exchange (DPRIVE)
The DPRIVE Working Group will be meeting on Wednesday morning to continue the discussions about DNS over TLS and DNS over DTLS. All of this DPRIVE work is focused on securing the connection between DNS clients and the recursive resolvers that people use (such as those typically at an Internet Service Provider (ISP) or on the edge of a network) to add a layer of confidentiality. We see this as an important part of the overall encryption work being done by the IETF to protect against the pervasive monitoring that we’ve seen on the Internet. Mechanisms such as what DPRIVE is developing will raise the overall amount of trust in Internet-based communication.
CURves, Deprecating and a Little more Encryption (CURDLE)
The CURDLE Working Group potentially wins the award for biggest stretch of a name to fit an acronym… but on a serious level the group is focused on an extremely important area of work – increasing the cryptographic security of a number of common protocols, including DNSSEC. On the CURDLE agenda are two drafts from Ondrej Sury and Robert Edmonds that specify new algorithms for DNSSEC.
DNS Service Discovery (DNSSD)
We haven’t covered the DNS Service Discovery (DNSSD) Working Group too often in the past, but at IETF 95 the DNSSD agenda has two interesting drafts up for discussion: one is related to the overall threat model and the other about privacy extensions. This WG is looking at how you “discover” services on a network using DNS when that “network” is bigger than just your own local network. For instance, how do you discover a printer that might be at, say, your parents’ house? And of course, how do you do all that securely? DNSSEC is not directly part of these discussions, but they are part of the broader “DNS security” area of our interest.
Other Working Groups
The TRANS WG focused on “certificate transparency” (CT), a mechanism for tracking changes in TLS certificates, is meeting on Monday and has a draft out about the attack model and threats on CT. This isn’t exactly related to DNS, but we’ll pay attention because it is looking at the same “securing TLS for the Web” area that is applicable to DANE. We’ll also of course be monitoring the TLS WG (because of the connection to DANE), the Security Area open meeting and other similar sessions. There is also a BOF called “Alternative Resolution Contexts for Internet Naming (ARCING)” that doesn’t directly affect “DNS security”, per se, but is looking at the larger issue of “alternate” systems of name resolution on the Internet. For example, the naming resolution that happens within the Tor onion routing system. More info can be found on the BOF page and also in the ARCING mailing list archive.
It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!
Please see the main Rough Guide to IETF 95 page to learn about more of what we are paying attention to in Buenos Aires.
P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:
Relevant Working Groups at IETF 95:
UTA (Using TLS in Applications) WG
Monday, 4 April 2016, 1400-1530 ART, Room Antlico C
TRANS (Public Notary Transparency) WG
Monday, 4 April 2016, 1550-1720 ART, Room Quebracho A
DNSSD (Extensions for Scalable Service Discovery) WG
Monday, 4 April 2016, 1550-1720 ART, Room Buen Ayre B
CURDLE (CURves, Deprecating and a Little more Encryption) WG
Tuesday, 5 April 2016, 1620-1720 ART, Room Buen Ayre B
DPRIVE (DNS PRIVate Exchange) WG
Wednesday, 6 April 2016, 1000-1230 ART, Room Atlantico C
DNSOP (DNS Operations) WG
Wednesday, 6 April 2016, 1620-1720 ART, Room Atlantico B
Friday, 8 April 2016, 1000-1200 ART, Room Buen Ayre C
There’s a lot going on in Buenos Aires, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see https://www.internetsociety.org/tag/ietf95/.
The post Rough Guide to IETF 95: DNSSEC, DPRIVE, DANE and DNS Security appeared first on Internet Society.