Amsterdam day 5

I was out late last night so I'm writing yesterday's notes this morning.

Yesterday I attended the DNS and MAT meetings, and did some work outside the meetings.

CDS

Ondřej Caletka presented his work on keeping DNS zone files in git.

• Lots of my favourite tools :-) Beamer, Gitolite, named-compilezone

• How to discover someone has already written a program you are working on: search for a name for your project :-)

BCP 20 classless in-addr.arpa delegation led to problems for Ondřej: RFC2317 suggests putting slashes in zone names, which causes problems for tools that want to use zone names for file names. In my expired RFC2317bis draft I wanted to change the recommendation to use dash ranges instead, which better matches BIND's $GENERATE directive.

At the end of his talk, Ondřej mentioned his woork on automatically updating the RIPE database using CDS records. As planned, I commented afterwards in support, and afterwards I sent a message to the dns-wg mailing list about CDS to get the formal process moving.

DNS tooling

I spoke to Florian Streibelt who did the talk on BGP community leaks on Tuesday. I mentioned my DNS-over-TLS measurements; he suggested looking for an uptick after christmas, and that we might be able to observe some interesting correlations with MAC address data, e.g. identifying manufacturer and age using the first 4 octets of the MAC addresss. It's probably possible to get some interesting results without being intrusive.

I spent some time with Jerry Lundstrom and Petr Špaček to have a go at getting respdiff working, with a view to automated smoke testing during upgrades, but I ran out of battery :-) Jerry and Petr talked about improving its performance: the current code relies on multiple python processes for concurrency.

I talked to them about whether to replace the doh101 DNS message parser (because deleting code is good): dnsjit message parsing code is C so it will require dynamic linking into nginx, so it might not actually simplify things enough to be worth it.

DNS miscellanea

Ed Lewis (ICANN) on the DNSSEC root key rollover

• next step is January 11 when the old key gets revoked and the DNSKEY response size will grow a few bytes bigger than it has been before

• Geoff Huston says see http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html and http://www.potaroo.net/ispcol/2016-11/rootstars.html for information about the risks of the large response size

Petr Špaček (CZ.NIC) on the EDNS flag day, again

• "20 years is enough time for an upgrade"

Ermias Malelgne - performance of flows in cellular networks

• DNS: 2% lookups fail, 15% experience loss - apalling!

Tim Wattenberg - global DNS propagation times

• zero TTLs actually work! (with caveats!)

• https://ismydnslive.com/ propagation checker using RIPE Atlas

Other talks

Maxime Mouchet - learning network states from RTT

• traceroute doesn't explain some of the changes in delay

• nice and clever analysis

Trinh Viet Doan - tracing the path to YouTube: how do v4 and v6 differ?

• many differences seem to be due to failure to dual-stack CDN caches in ISP networks

Kevin Vermeulen - multilevel MDA-lite Paris traceroute

• MDA = multipath detection algorithm

• I need to read up on what Paris traceroute is ...

• some informative notes on difficulties of measuring using RIPE Atlas due to NATs messing with the probe packets

Amsterdam day 6

(Fri Sat Sun Mon Tue Wed)

I'm posting these notes earlier than usual because it's the RIPE dinner later. As usual there are links to the presentation materials from the RIPE77 meeting plan.

One hallway conversation worth noting: I spoke to Colin Petrie of RIPE NCC who mentioned that they are rebooting the Wireless APs every day because they will not switch back to a DFS channel after switching away to avoid radar interference, so they gradually lose available bandwidth.

DNS WG round 2

Anand Buddhdev - RIPE NCC update

• k-root: 80,000 qps, 75% junk, 250 Mbit/s on average, new 100Gbit/s node

• RIPE has a new DNSSEC signer. Anand gave a detailed examination of the relative quality of the available solutions, and explained why they chose Knot DNS. Their migration is currently in progress using a key rollover.

• Anand also spoke supportively about CDS/CDNSKEY automation

Ondřej Caletka - DS updates in the RIPE DB

• Some statistics from the RIPE database to help inform decisions about CDS automation.

Benno Overeinder - IETF DNSOP update

• Overview of work in progress, including ANAME. I spoke at the mic to explain that there is a "camel-sensitive" revamped draft that has not yet been submitted

• Matthijs Mekking has started a prototype provisioning-side implementation of ANAME https://github.com/matje/anamify

Sara Dickinson - performance of DNS over TCP

• With multithreading, TCP performance is 67% of UDP performance for Unbound, and only 25% for BIND

• Current DNS load generation tools are not well suited to TCP, and web load generation tools also need a lot of adaptation (e.g. lack of pipelining)

• There's a lack of good models for client behaviour, which is much more pertinent for TCP than UDP. Sara called for data collection and sharing to help this project.

Petr Špaček - DNSSEC and geoIP in Knot DNS

• Details of how this new feature works with performance numbers. Petr emphasized how this king of thing is outside the scope of current DNS standards. It's kind of relevant to ANAME because many existing ANAME-like features are coupled to geoIP features. I've been saying to several people this week that the key challege in the ANAME spec is to have a clearly described an interoperable core, which also allows tricks like these.

Ondřej Surý - ISC BIND feature telemetry

• Ondřej asked what is the general opinion on adding a phone home feature to BIND which allows ISC to find out what features people are not using and which could be removed.

• NLnet Labs and CZ.NIC said they were also interested in this idea; PowerDNS is already doing this and their users like the warnings about security updates being available.

Open Source

Sasha Romijn on IRRd v4

• Nice to hear a success story about storing JSON in PostgreSQL

• RPSL has horrid 822 line continuations and interleaved comments, oh dear!

Mircea Ulinic (Cloudflare) Salt + Napalm for network automation

• Some discussion about why they chose Salt: others "not event-driven nor data-driven"

Andy Wingo - a longer talk about Snabb - choice quotes:

• "rewritable software"

• "network functions in the smallest amount of code possible"

Peter Hessler on OpenBSD and OpenBGPD - a couple of notable OpenBSD points

• they now have zero ROP gadgets in libc on arm64

• they support arbitrary prefix length for SLAAC

Martin Hoffman - "Oxidising RPKI" - NLnet Labs Routinator 3000 written in Rust:

• write in C? "why not take advantage of the last 40 years of progress in programming languages?"

IPv6

Jen Linkova on current IETF IPv6 activity:

• IPv6 only RA flag

• NAT64 prefix in RA

• path MTU discovery "a new hope?" - optional packet truncation and/or MTU annotations in packet header

• Indefensible Neighbour Discovery - Jen recommends this summary of mitigations for layer 2 resource exhaustion

Oliver Gasser on how to discover IPv6 addresses:

• You can't brute-force scan IPv6 like you can IPv4 :-)

• Use a "hitlist" of known IPv6 addresses instead, obtained from DNS, address assignment policies, crowdsourcing, infering nerby addresses, ...

• It's possible to cover 50% of prefixes using their methods

• Cool use of entropy clustering to discover IPv6 address assignment schemes.

Jens Link talked about IPv6 excuses, and Benedikt Stockebrand talked about how to screw up an IPv6 addressing plan. Both quite amusing and polemical :-)