Domain Name System (DNS) 11 October 2016

Rough Guide to IETF 97: DNSSEC, DANE and DNS Privacy and Security

By Dan York, Director, Online Content

DNS privacy will get a good bit of focus at the IETF 97 meeting in Seoul with a special tutorial as well as a meeting of the DPRIVE working group and activity in the IETF 97 Hackathon. DNS privacy will also come up in the DNSSD group this time, too. The DNS Operations working group will meet and a new DNS BOF will take place. In contrast to the past few meetings, the Using TLS in Applications (UTA) working group where DANE has been discussed will not meet as their work is moving along on the mailing lists. Similarly, the DANE working group felt that work was moving along and no physical meeting was needed.

DNS Privacy Tutorial – Streamed Live On YouTube

On Sunday, November 13, one of the education tutorials will focus on DNS privacy and the work emerging out of the DPRIVE Working Group related to protecting the confidentiality of your DNS queries. Sara Dickinson will be leading this session and I expect it will be quite good. The session will be from 13:45-14:45 KST (UTC+9). The good news for anyone remote is that it will be streamed live on YouTube – it will also be available at that URL as a recording for those who can’t tune in live.

IETF 97 Hackathon

Over the weekend (12-13 Nov) we’ll have a good-sized “DNS team” in the IETF 97 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. You can also get more info in the IETF 97 Hackathon wiki. Anyone is welcome to join us for part or all of that event.

DNS Operations (DNSOP)

The DNS Operations (DNSOP) Working Group meets on Tuesday afternoon from 13:30-15:30. Unfortunately at the time I am writing this post the DNSOP agenda does not have many details. There are a significant number of documents under discussion on the mailing list and I expect a busy session.

I am not sure if there will be discussion of the Internet Draft on DNSSEC cryptographic algorithm agility in the meeting, but I do intend to meet with the other authors to plan our next steps.

DNSBUNDLED Birds of a Feather (BOF) session

On Wednesday morning from 9:30-11:00 there will be a BOF about “bundled domains”. It’s an interesting issue:

Bundled Domain will work on a DNS solution for fully mapping one domain name to another domain name. With the emergence of internationalized domain names and new TLDs, it is often useful to redirect one domain name tree fully to another domain name tree. Current DNS protocols have not provided such ability to satisfy these requirements.

These documents – draft-yao-bundled-name-problem-statement and draft-yao-dnsext-identical-resolution - go into more detail. The security issue here is really to understand how solutions here might work in a world of DNSSEC.

This BOF is not looking to form a working group but rather to identify work to be done by the IETF in general.

DNS Service Discovery (DNSSD)

On Thursday, the Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets in the morning from 9:30-11:00am. DNSSD is not one of the groups we regularly mention as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). But this time the DNSSD agenda includes specific discussion around the privacy of DNS queries when used in this context.

DNS Privacy (DPRIVE)

The DNS Privacy (DPRIVE) Working Group drew the short straw this IETF meeting and wound up in the last session block on Friday afternoon from 11:50-13:20. Regardless of how many people will be there, discussion should be lively as the group looks at expanding its efforts in a “Step 2” block of work. 

To date, DNS privacy work has been focused on using DNS over TLS from the stub resolver on a computer or device to the recursive resolver. This has been defined in RFC 7858, published in May 2016, and several other related documents are on the path to publication (including using DNS over DTLS).

But back when the DPRIVE BoF first took place there was recognition that the next step was to look at protecting the privacy of queries between the recursive resolver and the authoritative servers. It was decided to focus on the stub-to-recursive area first, but now that that work is finishing up, Stephane Bortzmeyer will lead a discussion about moving on to the recursive-to-authoritative space. He’s written a draft that explores this issue. The outcome of the discussion will guide the future work of DPRIVE.

DNSSEC Coordination informal breakfast meeting

Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We’ve done this at many of the IETF meetings over the past few years and it’s been a good way to connect and talk about various projects. True to the “informal” nature, we’re not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please drop me an email or join the dnssec-coord mailing list.

Other Working Groups

We will be monitoring the TLS WG, particularly given the focus on TLS 1.3, the Security Area open meeting and other similar sessions. The DNSSD working group will also be meeting although it’s not clear that security topics will be covered there right now.

It will be a busy week!

P.S. For more information about DNSSEC and DANE and how you can get them deployed for your networks and domains, please see our Deploy360 site:

Relevant Working Groups at IETF 96:

DNSOP (DNS Operations) WG
Tuesday, 15 November 2016, 1330-1530 KST (UTC+9), Grand Ballroom 1

DNSBUNDLED (Bundled Domains) BOF
Wednesday, 16 November 2016, 0930-1100 KST (UTC+9), Grand Ballroom 1
Problem statement: draft-yao-bundled-name-problem-statement

DNSSD (Extensions for Scalable DNS Service Discovery) WG
Thursday, 17 November 2016, 0930-1100 KST (UTC+9), Studio 4

DPRIVE (DNS Privacy) WG
Friday, 18 November 2016, 1150-1320 KST (UTC+9), Grand Ballroom 1

Follow Us

There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see
