Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security Thumbnail
‹ Back
Domain Name System (DNS) 30 October 2015

Rough Guide to IETF 94: DNSSEC, DPRIVE and DNS Security

Dan York
By Dan YorkDirector, Online Content

DNS privacy will be the main topic at IETF 94 in Yokohama related to the overall theme of “DNS security”. The DPRIVE Working Group will be meeting on Monday afternoon to dive into what look like some lengthy discussions about DNS over TLS and DNS over DTLS.  Stateless DNS encryption will also be discussed and there will be a general discussion of how to move the DPRIVE work forward.

All of this DPRIVE work is focused on securing the connection between DNS clients and the recursive resolvers that people use (such as those typically at an Internet Service Provider (ISP) or on the edge of a network) to add a layer of confidentiality.  We see this as an important part of the overall encryption work being done by the IETF to protect against the pervasive monitoring that we’ve seen on the Internet.  Mechanisms such as what DPRIVE is developing will raise the overall amount of trust in Internet-based communication.

DNS Operations (DNSOP)

DNSSEC will be a major topic in the DNS Operations (DNSOP) Working Group on Thursday.  First will be a review of the “DNSSEC Roadblock Avoidance” draft, draft-ietf-dnsop-dnssec-roadblock-avoidance. This is an important document that is capturing the challenges found in networks today that get in the way of DNSSEC validation – and also suggesting solutions to ensure DNSSEC validation can occur.

Second, DNSOP will discuss draft-ogud-dnsop-maintain-ds, a document seeking to improve the usage of the CDS and CDNSKEY records to communicate a DS record from a child to a parent to maintain the global chain-of-trust used by DNSSEC. In particular this draft is proposing a fix to an omission in RFC 7344 where no mechanism to delete DS records was stated.

Finally, a new draft-wessels-edns-key-tag will be brought to DNSOP where Duane Wessels is proposing a new way for resolvers to signal to a DNS server which DNSSEC keys are in their chain-of-trust. This is useful for monitoring key rollovers.

Domain Boundaries (DBOUND)

The DBOUND Working Group will meet on Tuesday and while no agenda has been posted yet, the list of documents shows the topics likely to be covered. We monitor this WG primarily because the “boundaries” of how you look at domain names can impact other security mechanisms such as TLS certificates. The DBOUND problem statement gives a good view into what the group is trying to do.

Public Notary Transparency (TRANS)

Another group we don’t always monitor but will this time is the TRANS WG focused on “certificate transparency” (CT), a mechanism for tracking changes in TLS certificates.  The TRANS agenda includes some potential new work on logging of DNSSEC key changes in draft-zhang-trans-ct-dnssec.

Other Working Groups

The DANE Working Group is not meeting due to some scheduling challenges with some key participants and a couple of the working groups that sometimes have DNS security items (such as EPPEXT) have completed their work and so are on to other matters. The DNS-SD WG is meeting, but the agenda does not appear to intersect with the work we are focused on here at the Internet Society.  We’ll also of course be monitoring the TLS WG (because of the connection to DANE), the Security Area open meeting and other similar sessions.

It will be a busy week – but the outcomes of all these sessions should go far to make the DNS – and the overall Internet – more secure!

On a personal note, I’ll mention that I will not be in Yokohama… but I’ll be monitoring the activities from afar!

Please see the main Rough Guide to IETF 94 page to learn about more of what we are paying attention to in Yokohama.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 94:

TRANS (Public Notary Transparency) WG
Monday, 2 November 2015, 1300-1500 JST, Room 4ll/412

DPRIVE (DNS PRIVate Exchange) WG
Monday, 2 November 2015, 1710-1910 JST, Room 304

DBOUND (Domain Boundaries) WG
Tuesday, 3 November 2015, 1710-1840 JST, Room 303

DNSOP (DNS Operations) WG
Thursday, 4 November 2015, 0900-1130 JST, Room 304

Follow Us

There’s a lot going on in Yokohama, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

10 March 2021

Internet Society Joins Leading Internet Advocates to Call on ISPs to Commit to Basic User Privacy Protections

Mozilla, the Electronic Frontier Foundation, and the Internet Society call on AT&T, T-Mobile, and Verizon to commit to limiting...

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Join the conversation with Internet Society members around the world