Domain Name System (DNS) 5 November 2014

Rough Guide to IETF 91: DNSSEC, DANE and DNS Security

By Dan York, Director, Online Content

IETF 91 will once again be busy for those of us interested in DNSSEC, DANE and DNS security in general. Two of the major DNS-related working groups, DNSOP and DANE, are both meeting with busy agendas, and a new working group called DPRIVE will be meeting to talk about DNS privacy concerns. There are naturally other items related to DNSSEC and “DNS security” in general scattered throughout the week – here is what the week looks like…

NOTE: If you are unable to attend IETF 91 in person, there are multiple ways to participate remotely and listen to these sessions.

Public Notary Transparency (TRANS)

The week starts off on Monday at 15:20 with the TRANS Working Group focused on “Certificate Transparency” (CT) where the bulk of the agenda is about how to apply CT to the existing TLS/SSL certificate-based infrastructure. However, one draft, draft-zhang-trans-ct-dnssec, looks at how CT could be applied to DNSSEC. It’s an interesting idea and I’m looking forward to the discussion.

Extensible Provisioning Protocol Extensions (EPPEXT)

At the same time as the TRANS WG but over in the Lehua Suite, the EPPEXT Working Group will be meeting to discuss extensions to the EPP protocol used to communicate between registrars and registries for DNS and domain name information. The DNSSEC angle here is that there will be a discussion of draft-ietf-eppext-keyrelay that documents the current way that SIDN performs secure transfers of a DNSSEC-signed domain from one registrar to another. (SIDN is the registry for the .NL domain in the Netherlands.) There was a good bit of discussion earlier this year about whether the goal is to document existing extensions and practices – or to create new standards-track extensions that could be used more widely. The author team would like to document the current practice and there was further discussion around the best path forward. Our interest here is primarily that we see further automation needed within the registry/registrar interactions to make DNSSEC-signing of domains more seamless to the users who are registering and signing domains.

DNS PRIVate Exchange (DPRIVE)

On Tuesday from 13:00-15:00 HST there is the brand new DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” The DPRIVE agenda for IETF 91 is full of discussions about how we can best improve the confidentiality and privacy of DNS communication. Much of the discussion that led to the creation of this working group has centered around Stephane Bortzmeyer’s draft-ietf-dprive-problem-statement, which lays out many of the concerns. This should be a session of vigorous and passionate discussion with many very different opinions about what needs to be done to improve this aspect of DNS security!

DNS Operations (DNSOP)

Tuesday afternoon from 15:20-17:20 HST the DNSOP Working Group has a busy agenda that includes a bit less about DNSSEC this time around (after the heavy discussion last time at IETF 90). The major DNSSEC-related draft under discussion will be Jason Livingood’s draft-livingood-dnsop-negative-trust-anchors, which has generated a substantial amount of discussion on the dnsop mailing list.

Beyond that, though, there will be significant discussion on other DNS security topics such as a new proposed “DNS Cookies” security mechanism, the ideas around qname minimization to improve privacy (a topic coming out of the DPRIVE discussion) and a discussion around improving support for DNS over TCP. All in all it should be quite an interesting session!

DNS-based Authentication of Named Entities (DANE)

On Wednesday afternoon, the working group looking after the DANE protocol will be actively discussing how various other protocols can use DANE / DNSSEC to provide a higher level of security for TLS (SSL) certificates. At IETF 91 the DANE agenda looks to mostly focus on the DANE+S/MIME issues that have been heavily discussed in the working group email list. There are some strong disagreements and most recently an intellectual property rights (IPR) disclosure from Verisign that should ignite some discussion. Speaking of Verisign, the DANE agenda shows that Eric Osterweil may be presenting about their DANE+S/MIME prototype so we’ll have a chance to hear about true “running code”.

Matt Miller will also be discussing draft-ietf-dane-srv that specifies a mechanism for application protocols that use SRV records to find and use DANE’s TLSA records. Examples of such protocols include XMPP (Jabber) and SIP, so this draft will help expand DANE usage within real-time communications tools.
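As an added illustration of the SRV-to-TLSA mechanism that draft-ietf-dane-srv describes (example code written for this post, not code from the draft, from XMPP or SIP implementations, or from any project mentioned here): the client looks up the SRV record, takes the port and target from it, and queries TLSA at `_<port>._<proto>.<target>`, then compares the TLSA association data with the server's certificate. The SRV records, the TLSA record and the SubjectPublicKeyInfo bytes below are constructed samples; DNSSEC validation of the answers and the PKIX checks needed for usages 0-2 are assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(rdata):
    """Parse SRV presentation format: 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return SRV(int(prio), int(weight), int(port), target.rstrip(".").lower())

def tlsa_owner_names(srv_owner, srv_rdatas):
    """Return (target, port, tlsa_name) tuples in SRV priority order for an
    owner such as '_xmpp-client._tcp.example.com'. The TLSA owner name is
    '_<port>.<proto>.<target>', with <proto> taken from the SRV owner label."""
    proto = srv_owner.rstrip(".").split(".")[1]          # '_tcp' or '_udp'
    records = sorted((parse_srv(r) for r in srv_rdatas),
                     key=lambda s: (s.priority, -s.weight))
    return [(s.target, s.port, f"_{s.port}.{proto}.{s.target}") for s in records]

_MATCHERS = {0: lambda b: b,                              # exact association data
             1: lambda b: hashlib.sha256(b).digest(),      # SHA-256 of the subject
             2: lambda b: hashlib.sha512(b).digest()}      # SHA-512 of the subject

def tlsa_matches(tlsa_rdata, cert_der, spki_der):
    """Compare one TLSA record ('usage selector mtype hex-data') with the peer's
    certificate. Only the association-data check is shown; usages 0, 1 and 2
    additionally need PKIX or trust-anchor chain checks not implemented here."""
    usage, selector, mtype, data = tlsa_rdata.split(None, 3)
    matcher = _MATCHERS.get(int(mtype))
    if int(usage) > 3 or int(selector) > 1 or matcher is None:
        return False                                      # unusable record, skip it
    subject = cert_der if int(selector) == 0 else spki_der  # full cert or SPKI
    return matcher(subject) == bytes.fromhex(data.replace(" ", ""))

# Constructed sample data, not from any real zone: an XMPP client SRV RRset and
# a DANE-EE (usage 3) / SPKI (selector 1) / SHA-256 (matching type 1) TLSA record.
# Per the draft, both the SRV and TLSA answers must be DNSSEC-validated before use.
SAMPLE_SRV_OWNER = "_xmpp-client._tcp.example.com"
SAMPLE_SRV_RDATAS = ["10 0 5222 xmpp2.example.net.", "5 10 5222 xmpp1.example.net."]
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```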

I will be closing out the current DANE WG agenda with a discussion of a draft I wrote, draft-york-dane-deployment-observations, that seeks to collect some of the feedback we’ve seen to date as more people roll out DANE usage within their applications and services. My main point is to encourage discussion around questions such as these:

  • What roadblocks are people running into with implementing DANE (outside of the broader issue of getting DNSSEC validation and signing more widely available)? Are there lessons we can feed back into our process of developing DANE-related standards?
  • Are there more “Using DANE with <foo>” types of documents that we can or should create? (And who is willing to do so?)
  • Are there some good examples/case studies of DANE implementations that we could perhaps capture as informational RFCs? (The Jabber community’s implementation comes to mind)
  • Are there places where it would be helpful if there were reference implementations of DANE support? For example, DANE for email got a boost when support was added to postfix. Are there other commonly-used open source projects where the addition of DANE support would help move deployment along?
  • Are there test tools that need to be developed? Or existing ones that need to be better promoted? Are there interop tests we can arrange?

Some of these items might fit into work that can be done within the IETF – others might be better for projects like what we are doing here with the Deploy360 Programme. The key point is – what can we do to accelerate deployment of DANE?

Other Working Groups

Beyond the two main DNSSEC-related working groups and the new DPRIVE working group there will be a number of other DNSSEC-related discussions going on in other working groups. Here are some of the other groups that I’ll be monitoring:

HOMENET – On Wednesday morning the HOMENET working group does not have anything on its agenda specifically about DNSSEC, but draft-jeong-homenet-device-name-autoconf explores how the home network devices, appliances and sensors that make up the “Internet of Things” (IoT) can be automatically configured with DNS names for monitoring and remote control. Our interest is naturally in how this interaction with DNS can be secured.

DNSSD – Similarly, the DNSSD working group continues its work on how to extend “DNS service discovery (DNS-SD)” and “multicast DNS (mDNS)” outside of a simple local network such as a home network. This kind of service discovery is what happens when you, for instance, look to add a local printer or file server and your computer “discovers” the devices available on your network. The question is how to extend this beyond your local network to other networks to which you may want to connect. Hosnieh Rafiee’s draft-rafiee-dnssd-mdns-threatmodel is on the agenda and should generate some good discussion about DNS security.

As per usual at recent IETF meetings, it’s going to be a very busy week for those of us involved with strengthening the Internet through improved DNS security!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 91:

TRANS (Public Notary Transparency) WG
Monday, 10 November 2014, 1300-1500 HST, Hibiscus

EPPEXT (Extensible Provisioning Protocol Extensions) WG
Monday, 10 November 2014, 1520-1720 HST, Lehua Suite

DPRIVE (DNS PRIVate Exchange) WG
Tuesday, 11 November 2014, 1300-1500 HST, Coral 5

DNSOP (DNS Operations) WG
Tuesday, 11 November 2014, 1520-1720 HST, Coral 4

DANE (DNS-based Authentication of Named Entities) WG
Wednesday, 12 November 2014, 1300-1500 HST, Coral 3

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 13 November 2014, 1300-1500 HST, Coral 4

HOMENET (Home Networking) WG
Wednesday, 12 November 2014, 0900-1130 HST, Coral 3

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

