Category: Domain Name System (DNS)

Rough Guide to IETF 99: DNS Privacy and Security, including DNSSEC

There’s a good bit of DNS secrurity and privacy activity happening at IETF 99 next week in Prague, although not all of that is in working groups. Here is a view of what is going on.

IETF 99 Hackathon

Once again there will be a good-sized “DNS team” at the IETF 99 Hackathon over the weekend (15-16 July). The IETF 99 Hackathon wiki outlines the work (scroll down to see it). From a security point of view, major projects include:

  • Continuing work on how DNS implementations deal with the impending KSK rollover in October 2017.
  • RFC 5011 compliance testing (related to the KSK rollover)
  • Implementation of the new elliptic curve crypto algorithm, Ed25519, defined in RFC 8080.

There is also work on multiple other DNS records and tools, including a new packet capture format focused on DNS. Anyone is welcome to join us for part or all of that event.

DNS Privacy Tutorial

On Sunday, July 16, there will be a “DNSPRIV Tutorial” from 12:30-13:30 CEST (UTC+2). This will explain the work of the DPRIVE working group to add a layer of confidentiality to DNS queries. Much of this involves sending DNS queries over TLS.

It is possible (and I’ll update the post if it is) that this tutorial may be streamed out over the IETF YouTube channel and recorded. The www.ietf.org/live page doesn’t have it listed yet, but I would check there to see closer to the date.

DNS PRIVate Exchange (DPRIVE)

On the same theme, the DPRIVE working group meets Tuesday morning from 9:30-12:00 CEST.  The draft agenda shows their should be good discussion on several of the current working group drafts. I am also looking forward to the discussion about DNS over the QUIC protocol. The group will also discuss measuring the usage of DNS-over-TLS and talk about what comes next.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets twice in Prague. First on Tuesday, July 18, from 15:50-17:50 CEST, and then on Thursday, July 20, from 18:10-19:10.

The agenda isn’t out yet, but two drafts related to DNSSEC that might be up for discussion include:

There are a range of the other documents related to DNS security or privacy – or that can have impacts on those topics. We’ll have to see what gets onto the agenda.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

The DNS-SD working group will also have a brief discussion of DNS-SD Privacy drafts. Agendas aren’t posted yet, but the Using TLS in Applications (UTA) working group often has drafts of interest, as does the Security Area Open Meeting (SAAG). The thing about DNS is that it is so critical to every service that it often shows up in many different groups.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 99:

DPRIVE (DNS PRIVate Exchange) WG 
Tuesday, 18 July 2017, 09:30-12:00 CEST (UTC+2), Congress Hall III
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dprive/ 
Documents: https://datatracker.ietf.org/wg/dprive/ 
Charter: http://tools.ietf.org/wg/dprive/charters/

DNSOP (DNS Operations) WG 
Tuesday, 18 July 2017, 15:50-17:50 CEST (UTC+2), Congress Hall II
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/ 
Charter: http://tools.ietf.org/wg/dnsop/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG 
Wednesday, 19 July 2017, 15:20 – 16:50 CEST (UTC+2), Athens/Barcelona
Agenda: https://datatracker.ietf.org/meeting/99/agenda/dnssd/ 
Documents: https://datatracker.ietf.org/wg/dnssd/ 
Charter: http://tools.ietf.org/wg/dnssd/charters/

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blogTwitterFacebookGoogle+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf99.

The post Rough Guide to IETF 99: DNS Privacy and Security, including DNSSEC appeared first on Internet Society.

Rough Guide to IETF 98: DNS Privacy and Security, including DNSSEC

It is a remarkably quiet week for DNS security and privacy topics at the IETF 98 meeting in Chicago next week. Both the DANE and DPRIVE working groups are moving along very well with their work on their mailing lists and so chose not to meet in Chicago. Similarly, with DNSSEC deployment steadily increasing (as we outlined in the 2016 State of DNSSEC Deployment report in December), the work to be discussed in DNS Operations (DNSOP) is more about exploring ideas to make DNSSEC even more secure.

Here is a quick view of what is happening in Chicago.

IETF 98 Hackathon

Over the weekend (25-26 March) we’ll have a good-sized “DNS team” in the IETF 98 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. This time the work will include a team looking at how some DNS toolkits can work with the impending Root KSK Rollover in October 2017. More specific information is in the IETF 98 Hackathon wiki. Anyone is welcome to join us for part or all of that event.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets on Monday afternoon from 13:00-15:00 CDT. The DNSOP agenda includes the following items related to DNSSEC:

Some of the other discussions, such as DNS over TCP, also have potential impacts on DNS security and privacy.

DNS Service Discovery (DNSSD)

On Tuesday, the  Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets from 16:40-18:40 CDT. DNSSD is not one of the groups we regularly follow as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). However, in Chicago the DNSSD agenda specifically has a discussion around “Privacy Extensions” (see draft-ietf-dnssd-privacy).

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

Right before the DNSSD Working Group on Tuesday, the Using TLS in Applications (UTA) WG will meet from 14:50 – 16:20 and will be covering several ideas for “Strict Transport Security” (STS) for email. While not directly tied to DNSSEC or DANE, they do use DNS for these security mechanisms. And then in the final session on Friday, from 11:50-13:20, the IPSECME WG will have a discussion about “split DNS” and how that impacts VPNS (see draft-ietf-ipsecme-split-dns).

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 98:

DNSOP (DNS Operations) WG 
Monday, 27 March 2017, 13:00-15:00 CDT (UTC-5), Zurich D
Agenda: https://datatracker.ietf.org/meeting/98/agenda/dnsop/ 
Documents: https://datatracker.ietf.org/wg/dnsop/ 
Charter: http://tools.ietf.org/wg/dnsop/charters/

DNSSD (Extensions for Scalable DNS Service Discovery) WG 
Tuesday, 28 March 2017, 16:40 – 18:40 CDT (UTC-5), Zurich B
Agenda: https://datatracker.ietf.org/meeting/98/agenda/dnssd/ 
Documents: https://datatracker.ietf.org/wg/dnssd/ 
Charter: http://tools.ietf.org/wg/dnssd/charters/

Follow Us

There’s a lot going on in Chicago, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blogTwitterFacebookGoogle+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf98.

The post Rough Guide to IETF 98: DNS Privacy and Security, including DNSSEC appeared first on Internet Society.

Watch Live Today! DNS Privacy Workshop Streaming from NDSS 2017

lifeguard-beach

Want to learn the latest about DNS privacy? About the latest research and techniques to protect the confidentiality of your DNS info and queries?

Starting at 8:55 am PST (UTC-8) today, there will be what looks to be an outstanding workshop on DNS Privacy streaming live out of the Network and Distributed System Security Symposium (NDSS) in San Diego, California.

View the agenda of the DNS Privacy Workshop to see all the excellent sessions.  You can then join live at:

https://isoc.zoom.us/j/935912695

(Other remote connection options can be found at the bottom of the agenda page.)

Note – this workshop is not about DNSSEC, which is a method to protect the integrity of DNS (to ensure DNS info is not modified in transit), but rather new work being done within the IETF to improve the confidentiality of DNS.

The sessions include:

  • How DNS Works in Tor & Its Anonymity Implications
  • DNS Privacy through Mixnets and Micropayments
  • Towards Secure Name Resolution on the Internet – GNS
  • Changing DNS Usage Profiles for Increased Privacy Protection
  • DNS-DNS: DNS-based De-NAT Scheme
  • Can NSEC5 be practical for DNSSEC deployments?
  • Privacy analysis of the DNS-based protocol for obtaining inclusion proof
  • Panel Discussion: The Tension between DNS Privacy and DNS Service Management
  • The Usability Challenge for DNS Privacy and End Users
  • An Empirical Comparison of DNS Padding Schemes
  • DNS Service Discovery Privacy
  • Trustworthy DNS Privacy Services
  • EIL: Dealing with the Privacy Problem of ECS
  • Panel Discussion: DNS-over-TLS Service Provision Challenges: Testing, Verification, internet.nl

If you are not there in person (as I will not be), you can also follow along on the #NDSS17 hashtag on Twitter. There will also be tweets coming out of:

Stéphane Bortzmeyer will also be attending (and speaking at) the workshop – and he is usually a prolific tweeter at @bortzmeyer.

The sessions will also be recorded for later viewing. I’m looking forward to seeing the activity coming out of this event spur further activity on making DNS even more secure and private.

Please do follow along remotely – and please do share this information with other people you think might be interested. Thank you!


Image from Unsplash – I thought about showing the wide beaches, but the reality is that the conference participants won’t really get a chance to visit them. I thought “Lifeguard” was appropriate, though, because lifeguards are all about protecting people and keeping things safe.

The post Watch Live Today! DNS Privacy Workshop Streaming from NDSS 2017 appeared first on Internet Society.

How To Survive A DNS DDoS Attack – Consider using multiple DNS providers

How can your company continue to make its website and Internet services available during a massive distributed denial-of-service (DDoS) attack against a DNS hosting provider? In light of last Friday’s attack on Dyn’s DNS infrastructure, many people are asking this question.

One potential solution is to look at using multiple DNS providers for hosting your DNS records. The challenge with Friday’s attack was that so many of the affected companies – Twitter, Github, Spotify, Etsy, SoundCloud and many more – were using ONLY one provider for DNS services. When that DNS provider, Dyn, then came under attack, people couldn’t get to the servers running those services.  It was a single point of failure.  

You can see this yourself right now. If you go to a command line on a Mac or Linux system and type “dig ns twitter.com,”[1] the answer you will see is something like:

twitter.com.	10345  IN  NS   ns4.p34.dynect.net.
twitter.com.	10345  IN  NS   ns3.p34.dynect.net.
twitter.com.	10345  IN  NS   ns1.p34.dynect.net.
twitter.com.	10345  IN  NS   ns2.p34.dynect.net.

What this says is that Twitter is using only Dyn. (“dynect.net” is the domain name of Dyn’s “DynECT” managed DNS service.)

Companies using Dyn who also used another DNS provider, though, had less of an issue. Users may have experienced delays in initially connecting to the services, but they were still able to eventually connect.  Here is what Etsy’s DNS looks like after Friday (via “dig ns etsy.com”):

etsy.com.	9371  IN  NS   ns1.p28.dynect.net.
etsy.com.	9371  IN  NS   ns-870.awsdns-44.net.
etsy.com.	9371  IN  NS   ns-1709.awsdns-21.co.uk.
etsy.com.	9371  IN  NS   ns3.p28.dynect.net.
etsy.com.	9371  IN  NS   ns-1264.awsdns-30.org.
etsy.com.	9371  IN  NS   ns-162.awsdns-20.com.
etsy.com.	9371  IN  NS   ns4.p28.dynect.net.
etsy.com.	9371  IN  NS   ns2.p28.dynect.net.

Etsy is now using a combination of Dyn’s DynECT DNS services and Amazon’s Route 53 DNS services.

But wait, you say… shouldn’t this be “DNS 101”?

Aren’t you always supposed to have DNS servers spread out across the world?
Why don’t they have “secondary DNS servers”?
Isn’t that a common best practice?

Well, all of these companies did have secondary servers, and their DNS servers were spread out all around the world. This is why users in Asia, for instance, were able to get to Twitter and other sites while users in the USA and Europe were not able to do so.

So what happened? 

It gets a bit complicated.

20 Years Ago…

Jumping back, say, 20 years or so, it was common for everyone to operate their own “authoritative servers” in DNS that would serve out their DNS records. A huge strength of DNS that it is “distributed and de-centralized” and anyone registering a domain name is able to operate their own “authoritative servers” and publish all of their own DNS records. 

To make this work, you publish “name server” (“NS”) records for each of your domain names that list which DNS servers are “authoritative” for your domain. These are the servers that can answer back with the DNS records that people need to reach your servers and services. 

You need to have at least one authoritative server that would give out your DNS records. Of course, in those early days if there was a problem with that server and it went offline, people would not be able to get the DNS records that would get them to your other computers and services.  Similarly you could have a problem with your connection to the Internet and people could not get to your authoritative server.

For that reason the best practice emerged of having a “secondary” authoritative DNS server that contained a copy of all of the DNS records for your domain. The idea was to have this in a different geographic location and on a different network.

On the user end, we use what is called a “recursive DNS resolver” to send out DNS queries and get back the IP addresses that our computers need to connect. Our DNS resolvers will get the list of name servers (“NS records”) and choose one to connect to. If an answer doesn’t come back after some short period of time, the resolver will try the next NS record, and the next… until it runs out of NS records to try. 

Back in July 1997, the IETF published RFC 2821 dedicated to this topic: Selection and Operation of Secondary DNS Servers. It’s fun to go back and read through that document almost 20 years later as a great bit has changed. But back in the day, this was a common practice:

 The best approach is usually to find an organisation of similar size, and agree to swap secondary zones – each organization agrees to provide a server to act as a secondary server for the other organisation’s zones. 

As noted in RFC 2821, it was common for people to have 2, 3, 4 or even more authoritative servers. One would be the “primary” or master server where changes were made – the others would all be “secondary” servers grabbing copies of the DNS records from the primary server.

Over the years, companies and organizations would spend a great amount of time, energy and money building out their own DNS server infrastructure.  Having this kind of geographic and network resilience was critical to ensure that users and customers could get the DNS records that would get them to the organizations servers and services.

The Emergence of DNS Hosting Providers

But most people really didn’t want to run their own global infrastructure of DNS servers. They didn’t want to deal with all the headaches of establishing secondary DNS servers and all of that. It was costly and complicated – and just more than most companies wanted to deal with. 

Over time companies emerged that were called “DNS hosting providers” or “DNS providers” who would take care of all of that for you. You simply signed up and delegated operation of your domain name to them – and they did everything else. 

The advantages were – and are today – enormous. Instead of only a couple of secondary DNS servers, you could have tens or even hundreds.  Technologies such as anycast made this possible. The DNS hosting provider would take care of all the data center operation, the geographic diversity, the network diversity… everything.  And they provided you with all this capability on a global and network scale that very few companies could provide all by themselves. 

The DNS hosting providers gave you everything in the RFC 2821 best practices – and so much more!

And so over the past 10 years most companies and people moved to using DNS hosting providers of some form. Often individuals simply use the DNS hosting provided by whatever domain name registrar they use to register their domain name.  Companies have outsourced their DNS hosting to companies such as Dyn, Amazon’s Route 53, CloudFlare, Google’s Cloud DNS, UltraDNS, Verisign and so many more. 

It’s simple and easy … and probably 99.99% of the time it has “just worked”.

And you only needed one DNS provider because they were giving you all the necessary secondary DNS services and diversity protection.

Friday’s Attack

Until Friday. When for some parts of the Internet the DNS hosting services of Dyn didn’t work. 

It’s important to note that Dyn’s overall DNS network still worked. They never lost all their data centers to the attack. People in some parts of the world, such as Asia, continued to be able to get DNS records and connect to all the affected services without any issues.

But on Friday, all the many companies and services that were using Dyn as their only DNS provider suddenly found that a substantial part of the Internet’s user community couldn’t get to their sites. They found that they were sharing the same fate as their DNS provider in a way that would not have been true before the large degree of centralization with DNS hosting providers.

Some companies, like Twitter, stayed with Dyn through the entire process and weathered the storm. Others, like Github, chose to migrate their DNS hosting to another provider.  Still others chose to start using multiple DNS providers. 

Why Doesn’t Everyone Just Use Multiple DNS Providers? 

This would seem the logical question.  But think about that for a second – each of these major DNS providers already has a global, distributed DNS architecture that goes far beyond what companies could provide in the past.

Now we want to ask companies to use multiple of these large-scale DNS providers?

I put this question out in a number of social networks and a friend of mine whose company was affected nailed the issue with this comment:

Because one DNS provider, with over a dozen points-of-presence (POPs) all over the world and anycast, had been sufficient, up until this unprecedented DDoS. We had eight years of 100% availability from Dyn until Friday. Dealing with multiple vendors (and paying for it) didn’t have very good ROI (and I’m still not sure it does, but we’ll do it anyway). 

Others chimed in and I can summarize the answers as:

  • CDNs and GLBs – Most websites no longer sit on a single web server publishing a simple set of HTML files. They are large complex beasts pulling in data from many different servers and sites. And they very often sit behind content delivery networks (CDNs) that cache website content and make it available through “local” servers or global load balancers (GLBs) that redirect visitors to different servers. Most of these CDNs and GLBs work by using DNS to redirect people to the “closest” server (chosen by some algorithm). When using a CDN or GLB, you typically wind up having to use only that service for your DNS hosting.  I’ve found myself in this situation with a few of my own sites where I use a CDN.
  • Features – Many companies use more sophisticated features of DNS hosting providers such as geographic redirection or other mechanisms to manage traffic. Getting multiple providers to modify DNS responses in exactly the same way can be difficult or impossible.
  • Complexity – Beyond CDNs and features, multiple DNS providers simply adds complexity into IT infrastructure. You need to ensure both providers are publishing the same information, and getting that information out to providers can be tricky in some complex networks.
  • Cost – The convenience of using a DNS hosting provider comes at a substantial financial cost. For the scale needed by major Internet services, the DNS providers aren’t cheap. 

For all of these reasons and more, it’s not an easy decision for many sites to move to using multiple DNS providers.

It’s complicated.

And yet… 

And yet the type of massive DDoS attacks we saw on Friday may require companies and organizations to rethink their “DNS strategy”. With the continued deployment of the Internet of Insecure Things, in particular, these type of DDoS attacks may become worse before the situation can improve. (Please read Olaf Kolkman’s post for ideas about how we move forward.) There will be more of these attacks.

As my friend wrote in further discussion:

  These days you outsource DNS to a company that provides way more diversity than anyone could in the days before anycast, but the capacity of botnets is still greater than one of the biggest providers, and probably bigger than the top several providers combined.

 And even more to the point:

  The advantage of multiple providers on Friday wasn’t network diversity, it was target diversity.

The attackers targeted Dyn this time, so companies who use DNS services from Amazon, Google, Verisign or others were okay.  Next time the target might be one of the others. Or perhaps attackers may target several.

The longer-term solutions, as Olaf writes about, involve better securing all the devices connected to the Internet to reduce the potential of IoT botnets. They involve the continued work collaboratively to reduce the effects of malware and bad routing info (ex. MANRS).  They involve the continued and improved communication and coordination between network operators and so many others.

But in the meantime, I suspect many companies and organizations will be considering whether it makes sense to engage with multiple DNS providers.  For many, they may be able to do so. Others may need the specialized capabilities of specific providers and find themselves unable to use multiple providers. Some may not find the return on investment warrants it. While others may accept that they must do this to ensure that their services are always available.

Sadly, taking DNS resilience to an even higher level may be what is required for today.

What do you think? Do you use multiple DNS providers?  If so, what worked for you? If not, why not? I would be curious to hear from readers, either as comments here or out on social networks.

 


[1] Windows users do not have the ‘dig’ command by default. Instead you can type “nslookup -type=NS <domainname>”. The results may look different that what is shown here, but will have similar information.

NOTE: I want to thank the people who replied to threads on this topic on Hacker News, in the /r/DNS subreddit and on social media. The comments definitely helped in expanding my own understanding of the complexities of the way DNS providers operate today.

Image credit: a photo I took of a friend’s T-shirt at a conference.

The post How To Survive A DNS DDoS Attack – Consider using multiple DNS providers appeared first on Internet Society.

Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security

DNS privacy will be the main topic at IETF 94 in Yokohama related to the overall theme of “DNS security”. The DPRIVE Working Group will be meeting on Monday afternoon to dive into what look like some lengthy discussions about DNS over TLS and DNS over DTLS.  Stateless DNS encryption will also be discussed and there will be a general discussion of how to move the DPRIVE work forward.

All of this DPRIVE work is focused on securing the connection between DNS clients and the recursive resolvers that people use (such as those typically at an Internet Service Provider (ISP) or on the edge of a network) to add a layer of confidentiality.  We see this as an important part of the overall encryption work being done by the IETF to protect against the pervasive monitoring that we’ve seen on the Internet.  Mechanisms such as what DPRIVE is developing will raise the overall amount of trust in Internet-based communication.

DNS Operations (DNSOP)

DNSSEC will be a major topic in the DNS Operations (DNSOP) Working Group on Thursday.  First will be a review of the “DNSSEC Roadblock Avoidance” draft, draft-ietf-dnsop-dnssec-roadblock-avoidance. This is an important document that is capturing the challenges found in networks today that get in the way of DNSSEC validation – and also suggesting solutions to ensure DNSSEC validation can occur.

Second, DNSOP will discuss draft-ogud-dnsop-maintain-ds, a document seeking to improve the usage of the CDS and CDNSKEY records to communicate a DS record from a child to a parent to maintain the global chain-of-trust used by DNSSEC. In particular this draft is proposing a fix to an omission in RFC 7344 where no mechanism to delete DS records was stated.

Finally, a new draft-wessels-edns-key-tag will be brought to DNSOP where Duane Wessels is proposing a new way for resolvers to signal to a DNS server which DNSSEC keys are in their chain-of-trust. This is useful for monitoring key rollovers.

Domain Boundaries (DBOUND)

The DBOUND Working Group will meet on Tuesday and while no agenda has been posted yet, the list of documents shows the topics likely to be covered. We monitor this WG primarily because the “boundaries” of how you look at domain names can impact other security mechanisms such as TLS certificates. The DBOUND problem statement gives a good view into what the group is trying to do.

Public Notary Transparency (TRANS)

Another group we don’t always monitor but will this time is the TRANS WG focused on “certificate transparency” (CT), a mechanism for tracking changes in TLS certificates.  The TRANS agenda includes some potential new work on logging of DNSSEC key changes in draft-zhang-trans-ct-dnssec.

Other Working Groups

The DANE Working Group is not meeting due to some scheduling challenges with some key participants and a couple of the working groups that sometimes have DNS security items (such as EPPEXT) have completed their work and so are on to other matters. The DNS-SD WG is meeting, but the agenda does not appear to intersect with the work we are focused on here at the Internet Society.  We’ll also of course be monitoring the TLS WG (because of the connection to DANE), the Security Area open meeting and other similar sessions.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

On a personal note, I’ll mention that I will not be in Yokohama… but I’ll be monitoring the activities from afar!

Please see the main Rough Guide to IETF 94 page to learn about more of what we are paying attention to in Yokohama.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 94:

TRANS (Public Notary Transparency) WG
Monday, 2 November 2015, 1300-1500 JST, Room 4ll/412
Agenda: https://datatracker.ietf.org/meeting/94/agenda/trans/
Documents: https://datatracker.ietf.org/wg/trans/
Charter: http://tools.ietf.org/wg/trans/charters/

DPRIVE (DNS PRIVate Exchange) WG
Monday, 2 November 2015, 1710-1910 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dprive/
Documents: https://datatracker.ietf.org/wg/dprive/
Charter: http://tools.ietf.org/wg/dprive/charters/

DBOUND (Domain Boundaries) WG
Tuesday, 3 November 2015, 1710-1840 JST, Room 303
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dbound/
Documents: https://datatracker.ietf.org/wg/dbound/
Charter: http://tools.ietf.org/wg/dbound/charters/

DNSOP (DNS Operations) WG
Thursday, 4 November 2015, 0900-1130 JST, Room 304
Agenda: https://datatracker.ietf.org/meeting/94/agenda/dnsop/
Documents: https://datatracker.ietf.org/wg/dnsop/
Charter: http://tools.ietf.org/wg/dnsop/charters/

Follow Us

There’s a lot going on in Yokohama, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf94.

The post Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security appeared first on Internet Society.