Category: DNS-OARC

DNS-OARC 24 Streaming Live March 31 / April 1 from Buenos Aires


Today and tomorrow you have a great opportunity to listen to some of the newest research into the Domain Name System (DNS) operations and security through the live video stream of the 24th meeting of the DNS Operations Analysis and Research Center (DNS-OARC). You can watch live at:

and view the past recordings on the DNS-OARC YouTube channel.  The DNS-OARC 24 agenda covers a wide range of topics related to the overall operations of DNS.  Some of the sessions that Deploy360 readers may find of interest include:

  • Thursday, March 31
    • How we are developing a next generation DNS API for applications
    • State of the “DNS privacy” project: running code
    • QNAME minimisation in Unbound (DNS privacy)
  • Friday, April 1
    • Knot DNS Resolver
    • Threshold-Cryptography Distributed HSM
    • Review and analysis of attack traffic against A-root and J-root on November 30 and December 1, 2015
    • ECDSA – Reviewed
    • Rolling the Root Key
    • Algorithm roll-over experiences
    • Panel: DNSSEC algorithm flexibility

The last four sessions that I highlighted in bold all fit into the larger work of moving to use newer elliptic curve cryptographic algorithms within DNSSEC that I wrote about recently.  As I mentioned in that article, I’ll be moderating this final panel tomorrow afternoon.

I would encourage people to tune in and watch the sessions.  Do visit the DNS-OARC 24 timetable to find out the times when different sessions will be happening. All times are in Argentina time (ART) which is UTC-3.

And if you want to get started with DNSSEC yourself, please visit our Start here page to begin.

Image credit: a photo of the DNS-OARC 24 room I took this morning.


Watch DNS-OARC Live This Weekend For DNSSEC, DANE, DNS Privacy and more

This weekend in Montreal the OARC Fall 2015 Workshop will take place filled with all sorts of excellent talks about DNSSEC, DANE, DNS privacy, DNS performance and much, much more.  The best part is that if you can’t get there in person, you can watch the live video stream on YouTube at:

All the sessions will also be recorded for later viewing. The sessions most interesting to remote viewers start at 14:00 US EDT (UTC-4) on Saturday, October 3, 2015, and include these:

  • An Overview of DNS Privacy Mechanisms
  • Using TLS for DNS privacy in practice
  • Next Steps in DANE Adoption
  • Benchmarking of authoritative DNS servers and DNSSEC impact assessment

Sunday morning (October 4) brings a whole set of “DNS security” talks related to DDoS attacks and attacks against DNS servers.  There are performance-related talks, detailed research sessions, and a whole set of talks related to DNS resolvers, including an exploration of IPv6 vs IPv4 performance.

There were so many interesting proposals to DNS-OARC this time that some of them occupy the Monday DNS Track inside of NANOG 65.  Again there look to be some great DNSSEC topics including a session about the KSK Key Rollover. (One note: I’m not sure if the live stream on Monday will still be on the DNS-OARC YouTube channel – the NANOG agenda only says it will be “recorded”.)

All in all it looks to be a great event!  Due to a personal scheduling conflict, I won’t be there in person… but I intend to watch a few of the sessions, either live or later.

And if you want to get started NOW with deploying DNSSEC, please visit our Start Here page to learn more!

DNS-OARC 2015 Spring Workshop This Weekend (May 9-10) Covers DNSSEC and DNS Security

The 2015 Spring Workshop of the DNS Operations Analysis and Research Center (DNS-OARC) takes place this weekend, May 9-10, right before the RIPE 70 meeting in Amsterdam. As per usual the agenda is packed full of all sorts of sessions related to DNS in general, with a number getting into DNSSEC and overall DNS security.  Here’s the full agenda:

There are currently 137 people scheduled to attend, representing a broad range of participants across the DNS community.  I will not be there myself, but know a great number of the people who will be in the room.

Sessions of Interest

Saturday looks to have some great sessions related to operational experience with various attacks against the DNS, including distributed denial of service (DDoS) attacks.  These kinds of actual case studies in handling attacks are incredibly useful to get out to the wider community.

Sunday morning begins with a series of DNSSEC-related talks:

  • Observations on DNSSEC and ECDSA in the wild – by Geoff Huston of APNIC
  • Effects of Increasing the Root Zone ZSK Size – by Duane Wessels of Verisign Labs
  • Signing DNSSEC answers on the fly at the edge: challenges and solutions! – by Olafur Gudmundsson of CloudFlare

All of those are ones I’d love to see – I’m hoping there will be a video recording as they start at 9:00 am in Amsterdam… which is 3:00 am here on the US East Coast where I live.  As much as I’d like to see them… well… I can’t see me getting up that early! :-)

The remainder of Sunday includes a great number of talks that I’d personally find interesting, diving into various tools, analytics, testing and more.  A couple of interest to those focused on DNSSEC include:

  • 14:30 – Plan for Decommissioning the DLV – by Jim Martin of ISC
  • 17:05 – Update on the DNS Root Key Rollover work – by Ed Lewis of ICANN

This last talk, in particular, should be useful to hear the status of the work related to the Root KSK rollover. (See our background page on why this matters.)

Remote Participation

I don’t see any information on the DNS-OARC website right now about remote participation, but the sessions are almost always streamed live.  Given that the event is co-located with RIPE 70, I suspect that they may make use of the RIPE 70 live streaming. I’d watch the RIPE 70 remote participation page or the main 2015 Spring Workshop page for more information.

The good news is that all the materials should be available from links off of the main agenda page, so at least we who are remote should be able to see what slides were discussed.

I also see Stéphane Bortzmeyer is among the attendees and when he is at an event he is usually tweeting out a good bit at, so that’s another way to stay up to date, along with the #DNSOARC hashtag search.

If you are there in Amsterdam, I hope you do have a great DNS-OARC meeting and I look forward to hearing the results.

Next DNS-OARC Meeting May 10-11, 2014, Before RIPE68 in Warsaw

If you are interested in all matters related to DNS, including DNSSEC, the next meeting of the DNS Operations Analysis and Research Center (DNS-OARC) will take place May 10-11, 2014, in Warsaw, Poland.  Sponsored this time by Microsoft, the “OARC 2014 Spring Workshop” is immediately before the RIPE 68 meeting taking place in the same location.

The agenda for the OARC 2014 Spring Workshop is still evolving but already includes a range of what look like excellent presentations related to DNSSEC and other similar topics.  The attendee list, too, is also filling up with many people with deep experience from across the industry.

It should be an excellent event for those interested in DNS and DNSSEC!

Meeting registration is free if you can get to Warsaw.  If you were already planning to go to the RIPE 68 meeting why not go a couple of days earlier and immerse yourself in DNS? :-)

DNSSEC and DNS Security Talks At DNS-OARC Spring Forum Streaming Live Out of Dublin Today And Tomorrow

Can’t get to Dublin, Ireland, to attend the DNS-OARC Spring Forum 2013 but interested in all the DNS and DNSSEC-related talks?  The good news is that there is a webcast / livestream of the event via Adobe Connect at:

As I wrote about last week, there are a good number of the talks related to DNSSEC and DNS security. The event has been extremely interesting so far today.

To watch the livestream, you should reference the DNS-OARC timetable – and remember that all times are Irish Standard Time (currently UTC/GMT+1).

Slides for the talks are also listed on the timetable page.

I’ll be speaking this afternoon at 5:35pm Dublin time about some of the challenges we’ve seen related to DNSSEC deployment and asking for feedback.

Tomorrow morning, Monday, May 13, the timetable is full of DNSSEC talks from 9:00 to 10:40 am that should make for good listening.


Excellent DNSSEC Sessions Coming Up At DNS-OARC Spring Forum This Weekend

This weekend begins the “Spring Forum” of the Domain Name System Operations Analysis and Research Center, a.k.a. “DNS-OARC” and it once again represents a gathering of many of the prominent people within the DNS / DNSSEC community.  The event takes place in Dublin, Ireland, on the Sunday and Monday morning prior to the RIPE 66 meeting happening for the rest of the week.

In looking at the list of contributions to the DNS-OARC Spring Forum, a number are related to DNSSEC and I’m quite looking forward to listening to them.  They include:

DNS Security: Beyond DNSSEC, A “He Must Be Nearing Retirement” Manifesto
Ed Lewis said on a call that he’s going to be talking about ways he thinks DNS can be better secured. Ed has been around the DNS/DNSSEC world for a long time, so I’m looking forward to his ideas.

Measuring DNSSEC
Geoff Huston recently published a long blog post about “Measuring DNSSEC Performance” that got quite deep into analysis. I am assuming Geoff and George Michaelson will be explaining their findings live at this event.

The Use of Elliptic Curve Cryptography in DNSSEC
This presentation by Francis Dupont should be an interesting view into the viewpoint that we ought to be doing more with elliptic curve cryptography (and specifically ECDSA) within DNSSEC.

GPU-based NSEC3 Hash Breaking
Based on the description, this appears to be about a tool that can be used to break the hashes used in NSEC3 records. Not entirely sure where this one is going… so I will be interested to hear it.

Next Steps In Accelerating DNSSEC Deployment
How do we get DNSSEC more rapidly deployed? I’ll be speaking about what we’ve found in the process of developing the DNSSEC side of Deploy360 as well as what has come up through the dnssec-coord mailing list / conference calls and other industry efforts.

Beyond those DNSSEC-related sessions, I’m definitely interested in the sessions around DNS amplification attacks, DNS monitoring and really all the other topics. Definitely a place for those of us interested in DNS and DNSSEC to gather!

I don’t believe there is a livestream, but I do believe the slides will be available as links off the agenda page as they become available.  If you are going to be there at the DNS-OARC Spring Forum, do say hello – and please do let me know your ideas around how we can help here at Deploy360 with resources related to DNSSEC deployment.