Rough Guide to IETF 92: DNSSEC, DANE and DNS Security Thumbnail
‹ Back
Domain Name System (DNS) 18 March 2015

Rough Guide to IETF 92: DNSSEC, DANE and DNS Security

Dan York
By Dan YorkDirector, Online Content

As per usual, DNSSEC, DANE and DNS security in general are all topics of great attention at IETF 92. The major DNS-related working groups, DNSOP and DANE, are both meeting with busy agendas and the DPRIVE working group is back again with a focus on DNS privacy concerns. Here is a rough view of what the week looks like…

NOTE: If you are unable to attend IETF 92 in person, there are multiple ways to participate remotely and listen to these sessions.

DNS PRIVate Exchange (DPRIVE)

Starting out the week on Monday from 15:20-16:50 will be the second meeting of the DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” As the DPRIVE agenda for IETF 92 shows, there should be a good set of discussions about how we can make DNS transactions more secure and confidential.  I’m looking forward to this session!

DNS Operations (DNSOP)

Tuesday afternoon from 15:20-17:20 CDT the DNSOP Working Group has a full agenda that includes some drafts around securing DNS in general (ex. QNAME minimization, restricting DNS meta-queries) as well as some new work about DNS terminology, reserving new TLDs and operational issues with DNS.  The most relevant draft to DNSSEC will be draft-fujiwara-dnsop-nsec-aggressiveuse looking at ways to improve the use of NSEC/NSEC3 to indicate non-existance of domain names.  Overall, though, it should be a strong session looking at ways to make DNS more secure!

DNS-based Authentication of Named Entities (DANE)

Immediately following DNSOP, the working group looking after the DANE protocol  will be meeting from 17:30-18:30 CDT to discuss how various other protocols can use DANE / DNSSEC to provide a higher level of security for TLS (SSL) certificates. At the moment I am writing this, the meeting agenda only lists updates from Glen Wiley and Eric Osterweil to the S/MIME library, but we’ll have to see what else gets added. The DANE mailing list has been extremely actively lately and the topics under discussion there may get some time at the Dallas meeting.

Extensible Provisioning Protocol Extensions (EPPEXT)

In the unenviable final session on Friday from 11:50-13:20 CDT, the EPPEXT working group will be meeting to discuss extensions to the EPP protocol used between DNS registrars, registries and similar entities.  An agenda has not yet been posted but the group has a number of documents under active consideration and many participants will also have attended the Registration Operations Workshop on the Sunday prior to IETF 92.  Of most interest to us here are the extensions being proposed that will further automate DNSSEC operations and deployment.

Other Working Groups

Beyond the groups listed above, we’ll also be monitoring working groups such as DNSSD, HOMENET and TRANS.  While none of these groups have anything on their IETF 92 agendas specifically related to DNSSEC or DANE, the topics of DNS security or certificates do come up and its interesting to understand how they may or may not interact with other DNS security efforts.


Outside of the regular working group sessions, on Thursday evening from 19:00-21:00 CDT there will be the “Bits-and-Bites” reception where attendees can get food and drink and also see various exhibits from sponsors and other organizations.  I’m told that one table will be from Verisign Labs where they will be showing demonstrations of the getdns API being used with DNSSEC and DANE.  I’m not exactly sure what will be there, but if you are going to Bits-and-Bites you may want to stop by their table and see what it is about.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS more secure!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 92:

dprive (DNS PRIVate Exchange) WG
Monday, 23 March 2015, 1520-1650 CDT, Venetian

dnsop (DNS Operations) WG
Tuesday, 24 March 2015, 1520-1720 CDT, Gold

dane (DNS-based Authentication of Named Entities) WG 
Tuesday, 24 March 2015, 1730-1830 CDT, Venetian

eppext (Extensible Provisioning Protocol Extensions) WG 
Friday, 27 March 2015, 1150-1320 CDT, Oak

Follow Us

There’s a lot going on next week, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blogTwitterFacebookGoogle+, via RSS, or see

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

10 March 2021

Internet Society Joins Leading Internet Advocates to Call on ISPs to Commit to Basic User Privacy Protections

Mozilla, the Electronic Frontier Foundation, and the Internet Society call on AT&T, T-Mobile, and Verizon to commit to limiting...

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Join the conversation with Internet Society members around the world