Domain Name System Security Extensions (DNSSEC) 15 July 2015

Rough Guide to IETF 93: DNSSEC, DANE, DPRIVE and DNS Security

By Dan York, Director, Online Content

Wow! There is a crazy amount of DNS activity happening at IETF 93 next week in Prague! Beyond the usual working groups we follow such as DNSOP and DANE, there is a wide range of other groups where DNS security and privacy are under discussion. It’s going to be a VERY busy week for all of us involved with DNS! (And, there’s also the IETF 93 Hackathon starting on Saturday and Sunday where several of us will be working on code related to DNSSEC, DANE and more.)

Let’s walk through the week…

NOTE: If you are unable to attend IETF 93 in person, there are multiple ways to participate remotely and listen to these sessions. Also, all times below are Central European Summer Time (CEST) which is UTC+2.

DNS Operations (DNSOP)

Monday turns out to be a big DNS day with DNSOP starting off the back-to-back marathon in the 15:20 to 17:20 block. The major piece of DNSSEC-related work will be two different drafts from Joe Abley and Warren Kumari around publication of DNSSEC trust anchors. Both of these are work items out of the ongoing work around how we successfully perform a key rollover with critical DNSSEC keys such as the Key Signing Key at the root of DNS. After that, DNSOP will continue the ongoing discussion related to “special-use” names which, while not directly connecting to DNS security, should still be quite interesting.

Domain Boundaries (DBOUND)

Next up on Monday in the 17:40 to 18:40 session will be the DBOUND group. This group is looking at the boundaries used to determine when an address being requested in DNS is “private” versus “public”. This impacts security policies.

DNS-based Authentication of Named Entities (DANE)

Finally in the 18:50 – 19:50 slot on Monday, the working group looking after the DANE protocol will be meeting to focus on three drafts:

  • TLS extension for DNSSEC
  • Client Certificates in DANE TLSA Records
  • DANE and SMIME

Given the amount of activity with using DANE in email communication these days, I expect there to be some good discussion.

Tuesday is TLS Day

Tuesday turns out to be “TLS Day” with both the core Transport Layer Security (TLS) and the Using TLS in Applications (UTA) groups meeting. Because of the connection to DANE, the TLS meeting is important to understand in terms of the evolution of the protocol with TLS 1.3 and beyond. There is a packed agenda for the TLS WG and it spans two days – both Tuesday and Wednesday. If time permits, there is also a specific presentation for the group about DNSSEC and DANE validation chains. The UTA working group has a lighter agenda this time, but again is something we’ll follow because of the connection to TLS and DANE.

DNS Service Discovery (DNSSD)

Wednesday morning will begin with the 9:00-11:30 session having both the second session of the TLS Working Group and also the only session of DNSSD. The key reason to mention the group this time is that the DNSSD agenda includes a discussion of the threat model and security considerations for multicast DNS (mDNS).

Crypto Forum Research Group (CFRG)

Wednesday afternoon from 13:00-15:30 brings the meeting of the CFRG which has nothing specific to DNS security on its agenda, but there looks to be a lengthy discussion planned about the use of elliptic curve cryptography (ECC). This is something we’ve certainly been looking at within the DNSSEC space with regard to using ECDSA and other algorithms for DNSSEC signatures. It will be interesting to see what emerges out of this discussion in terms of future directions for IETF crypto algorithms.

Extensible Provisioning Protocol Extensions (EPPEXT)

In the last session slot on Wednesday from 17:40-19:40 the EPPEXT group will be meeting to discuss extensions to the EPP protocol used between DNS registrars, registries and similar entities. An agenda has not yet been published but several of the past documents have related to exchanging DNSSEC-related information.

Thursday is for TRANS

The only working group we’re tracking on Thursday related to DNS or TLS is the Public Notary Transparency (TRANS) group meeting in the 17:40-19:10 block at the end of the day. No agenda yet, so it’s not clear what will be discussed. Certificate Transparency is one of a number of technologies that are working to make TLS more secure and so this remains of interest.

DNS PRIVate Exchange (DPRIVE)

In the unenviable slot of Friday morning from 9:00-11:30 will be the third meeting of the DPRIVE Working Group that is chartered to develop: “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” A great bit of work has been going on and the DPRIVE agenda shows discussion being planned for several possible solutions to provide this level of privacy and confidentiality.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 93:

DNSOP (DNS Operations) WG
Monday, 20 July 2015, 1520-1720 CEST, Congress Hall II

DBOUND (Domain Boundaries) WG
Monday, 20 July 2015, 1740-1840 CEST, Athens/Barcelona

DANE (DNS-based Authentication of Named Entities) WG 
Monday, 20 July 2015, 1850-1950 CDT, Venetian

EPPEXT (Extensible Provisioning Protocol Extensions) WG 
Wednesday, 22 July 2015, 1740-1940 CEST, Karlin III

DPRIVE (DNS PRIVate Exchange) WG
Friday, 24 July 2015, 0900-1130 CEST, Karlin I/II

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
