Domain Name System (DNS) 13 July 2016

Rough Guide to IETF 96: DNSSEC, DANE and DNS Security

By Dan York, Director, Online Content

Once again, it looks like the most vigorous area of DNS security discussion at next week’s IETF 96 meeting in Berlin may be in the Using TLS in Applications (UTA) working group. As was the case earlier this year at IETF 95 in Buenos Aires, the UTA working group is exploring different options for securing email communication. DNSSEC and DANE both feature to different degrees in some of the proposals.

There will also be a great deal of DNS security activity at the IETF 96 Hackathon this weekend, and ICANN will be hosting a special session on Tuesday to talk about the DNSSEC Root Key Rollover.

Beyond that, though, IETF 96 will be a much quieter week than usual on the DNS front. Two of the main IETF working groups related to DNS security, DANE and DPRIVE, have been able to accomplish most of their work via email and therefore did not have a need to meet next week. Similarly, the CURDLE and TRANS working groups also decided not to meet. The ARCING BOF we mentioned last time is also not meeting this week.

IETF 96 Hackathon

This coming weekend, over 20 people will gather as the “DNS team” in the IETF 96 Hackathon, working on various projects around DNSSEC, DANE, DNS Privacy, DNS over TLS and much more. I wrote about this on the Deploy360 blog and you can also get more info in the IETF 96 Hackathon wiki. Anyone is welcome to join us for part or all of that event.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets on Monday afternoon from 15:40-17:40. There is a lengthy agenda. Discussion areas of interest to us include:

  • a proposal to allow recursive resolvers to cache negative (NSEC/NSEC3) answers
  • an implementation of DNS over TLS
  • multiple drafts up for discussion about ways to pass multiple DNS responses to a query (the interest here is in potentially speeding up DNSSEC responses)

If there is time remaining, which may depend upon how long the “special names” discussion goes, I intend to talk about our Internet Draft on DNSSEC cryptographic algorithm agility.

ICANN DNSSEC Root Key Rollover Discussion

On Tuesday from 12:30 – 13:45, representatives of ICANN and Verisign will be holding a discussion in the Bellevue room on “Upcoming ZSK and KSK Changes to the Root Zone”. This is part of their broader outreach to make sure people are aware of upcoming changes to the size of the keys and the “rolling” of the root key. Duane Wessels (Verisign) and Matt Larson (ICANN) made a similar presentation at ICANN 56 in Helsinki last month and I’m looking forward to the discussion here in Berlin.

Other Working Groups

We will be monitoring the TLS WG, particularly given the focus on TLS 1.3, as well as the Security Area open meeting and other similar sessions. The DNSSD working group will also be meeting, although it’s not clear right now that security topics will be covered there.

While the week will be quieter, we’re definitely looking forward to seeing the work move forward.

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 96:

DNSOP (DNS Operations) WG
Monday, 18 July 2016, 1540-1740 CEST, Room Bellevue

UTA (Using TLS in Applications) WG
Tuesday, 19 July 2016, 1620-1820 CEST, Room Potsdam II

Follow Us

There’s a lot going on in Berlin, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
