RIPE 85


Valentino Dijkstra - 2022-10-27 10:56:19
Hi everyone, I'm Valentino from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Please note that all chat transcripts will be archived and made available to the public on https://ripe85.ripe.net/. 
The RIPE Code of Conduct: https://www.ripe.net/publications/docs/ripe-766.

Gert Doering - 2022-10-27 11:00:40
Good morning, DNS!

Andrew Campling - 2022-10-27 11:02:42
The WG is welcome to use / adapt the European Resolver Policy (see www.european resolverpolicy.com)

Desiree Zeljka Miloshevic - 2022-10-27 11:02:55
:)

Andrew Campling - 2022-10-27 11:03:25
* www.europeanresolverpolicy.com

Gert Doering - 2022-10-27 11:04:07
@shane, you have no chance of getting away...

Marc van der Wal - 2022-10-27 11:05:08
Loud and clear

Vladimír Čunát - 2022-10-27 11:05:10
All OK for me.

Mike Kosek - 2022-10-27 11:05:11
audio works

Arturo Filastò - 2022-10-27 11:05:12
yup!

Tobia Castaldi - 2022-10-27 11:05:12
yes

Tobia Castaldi - 2022-10-27 11:05:18
we can hear you

Marco Davids - 2022-10-27 11:05:21
👍🏼

Shane Kerr - 2022-10-27 11:06:36
Sorry for the chaos. Technology is hard.

Andrew Campling - 2022-10-27 11:07:42
DoQ/H/T does not prevent user profiling by resolver operators

Arturo Filastò - 2022-10-27 11:08:21
How do I see the presentation slides? I only see a static slide with the RIPE 85 logo.

Shane Kerr - 2022-10-27 11:08:39
True Andrew. Whoever runs your resolver knows you very intimately.

João Luis Silva Damas - 2022-10-27 11:08:51
try reloading the page. slides are advancing on my meetecho window

Valentino Dijkstra - 2022-10-27 11:08:59
Hi Arturo, please write your question in the Q&A panel (icon with question mark) or please wait until the end of the talk and ask your question using audio. Thank you!

Tobia Castaldi - 2022-10-27 11:09:22
@Arturo, double-clicking one of the videos should also show you the slides

Arturo Filastò - 2022-10-27 11:09:28
Ah ok thanks, reloading the page worked.

Mike Kosek - 2022-10-27 11:09:33
True @andrew, but at least DoT/H/Q do solve the issues of passive observing on a link

Andrew Campling - 2022-10-27 11:09:47
@Shane Indeed - ODoH claims to fix this, although you can have colluding proxies so you don't know for sure whether you have privacy

Éric Vyncke - 2022-10-27 11:10:31
@Andrew, indeed the colluding proxies is an issue

Éric Vyncke - 2022-10-27 11:14:58
I wonder whether the DNS resolution time is a drop in the actual HTTP download time though

Vladimír Čunát - 2022-10-27 11:20:15
A client browsing the web will probably have completed the handshake already (from previous resolutions) and should re-use it, so the handshake shouldn't really matter much in there.

Peter van Dijk - 2022-10-27 11:21:47
https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/

Peter van Dijk - 2022-10-27 11:21:52
> Cloudflare does not enable 0-RTT connection resumption by default

Andrew Campling - 2022-10-27 11:23:12
Andrey Meshkov, AdGuard CTO, gave a presentation on their DoQ implementation which you can watch at https://419.consulting/encrypted-dns/f/doq-in-the-wild

João Luis Silva Damas - 2022-10-27 11:26:56
did Dave just say he doesn't care about names? in the DNS WG?

Shane Kerr - 2022-10-27 11:27:31
Possibly it should be renamed the Anti-DNS working group?

Peter van Dijk - 2022-10-27 11:28:20
names are protocol overhead

Peter van Dijk - 2022-10-27 11:28:24
this is not ICANN ;)

Shane Kerr - 2022-10-27 11:31:31
Unhappy eyeballs? :thinking_face:

Peter van Dijk - 2022-10-27 11:34:10
same source tuple is a great way to repeatedly hit broken network paths, I've found during an incident with a specific VPS provider

Shane Kerr - 2022-10-27 11:35:08
So that sounds like using the same source tuple would be something to avoid?

Gert Doering - 2022-10-27 11:35:09
I'm immediately a fan of OpenDNS! IPv6 FTW! :-)

Peter van Dijk - 2022-10-27 11:35:13
Shane, yes

Peter van Dijk - 2022-10-27 11:35:23
Quad9: you're measuring a mix of PowerDNS and Unbound

Peter van Dijk - 2022-10-27 11:35:32
(not a rumour or a secret)

Tristan Bruns - 2022-10-27 11:36:11
preference for v6 makes sense when you use randomized source addresses against cache poisoning (which Unbound can be configured to do, and I assume is done by the two resolvers preferring IPv6)

Robert Scheck - 2022-10-27 11:36:46
Isn't preferring IPv6 over IPv4 for DNS lookups in-line with RFC, while preferring IPv4 over IPv6 is not?

Shane Kerr - 2022-10-27 11:37:17
I am not aware of any RFC recommending preferring a specific address family for DNS.

Vladimír Čunát - 2022-10-27 11:37:23
Me neither.

Robert Scheck - 2022-10-27 11:37:35
Okay, then I was mixing this up, sorry.

Tristan Bruns - 2022-10-27 11:37:45
since there is an infinite number of DNS RFCs, one of them certainly makes that recommendation

Vladimír Čunát - 2022-10-27 11:37:58
At least I never thought that Happy Eyeballs apply here.

Valentino Dijkstra - 2022-10-27 11:38:02
Hi All, please write your question in the Q&A panel (icon with question mark) or please wait until the end of the talk and ask your question using audio. Thank you!

Kurt Kayser - 2022-10-27 11:41:33
#define modernDNS

Kurt Kayser - 2022-10-27 11:41:41
LOL...

João Luis Silva Damas - 2022-10-27 11:47:20
yes, we see

Marc van der Wal - 2022-10-27 11:47:20
Yes I can see the slides.

Shane Kerr - 2022-10-27 11:53:13
Is dot:// a defined URL format? I like it, but haven't seen it.

Shane Kerr - 2022-10-27 11:53:30
(I know that real questions are supposed to go to the Q&A tab, no worries.)

Éric Vyncke - 2022-10-27 11:54:23
@Shane I do not see it in https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

Shane Kerr - 2022-10-27 11:54:56
Thanks @Eric!

Vladimír Čunát - 2022-10-27 11:55:45
Uh, dns:// exists in there?!

Peter van Dijk - 2022-10-27 11:58:07
yes, but learning about it will not improve your life ;)

Éric Vyncke - 2022-10-27 11:58:39
@PvD it remains to be proven though ;-)

Shane Kerr - 2022-10-27 11:58:40
Timeout after TLS handshake seems like the most painful blockage.

Kurt Kayser - 2022-10-27 12:04:37
I wonder what will happen during the soccer championship in December in Qatar?!

Kurt Kayser - 2022-10-27 12:05:02
more or less filtering/DNSblocking/censorship?

Kurt Kayser - 2022-10-27 12:05:37
Great data! I love it!

Kurt Kayser - 2022-10-27 12:05:46
:clap:

Christian Bretterhofer - 2022-10-27 12:05:52
nice data

Éric Vyncke - 2022-10-27 12:07:36
@arturo thanks for your answer

Shane Kerr - 2022-10-27 12:12:22
I would have loved more time especially about that last point regarding the difficulty of blocking DoH, and also whether using encrypted DNS makes sense at all if you are not using a VPN or Tor or some other encrypted connection.

Kurt Kayser - 2022-10-27 12:13:18
+1 Shane!

Shane Kerr - 2022-10-27 12:17:39
I also look forward to the work on ECH, since apparently there is SNI-based blocking!

Arturo Filastò - 2022-10-27 12:18:21
Yes that's a very good point. It's probably worth also redoing the analysis based on the latest data. A lot has changed in the blocking methods in Iran since Sept 2022.

Andrew Campling - 2022-10-27 12:18:50
For additional thoughts on the impact of encrypted DNS on Internet filtering, you can view a presentation by Nguyen Phong Hoang of the University of Chicago at https://419.consulting/encrypted-dns/f/domain-name-encryption-and-internet-filtering

Shane Kerr - 2022-10-27 12:18:51
Which is incredible!

Arturo Filastò - 2022-10-27 12:18:55
For reference here is a link to the paper of my colleague which the first charts were taken from: https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-02-paper.pdf

Gert Doering - 2022-10-27 12:23:24
I like that IPv6 only bit (no surprise)

Shane Kerr - 2022-10-27 12:24:05
My brain kept trying to interpret that chart at percentage and kept failing.

Shane Kerr - 2022-10-27 12:24:11
s/at/as/

Kurt Kayser - 2022-10-27 12:24:14
Looking at Anand's buttons, he seems to be pretty proud of this :-)

Kurt Kayser - 2022-10-27 12:26:11
There's nothing such as an in-house root instance!

Shane Kerr - 2022-10-27 12:26:55
Well. If you run your own resolver you can configure it to read the root zone file and not need any root server. :wink:

Gert Doering - 2022-10-27 12:28:12
I have an f.root node in 0.8 ms distance, so "in-house" starts becoming less important...

Marco Davids - 2022-10-27 12:30:33
So many cool buttons on Anand's lanyard :grin:

Valentino Dijkstra - 2022-10-27 12:30:46
This session has now ended. The next session is Database and it will start at 14:00. More info on the RIPE 85 meeting plan: https://ripe85.ripe.net/programme/meeting-plan/

Marc van der Wal - 2022-10-27 12:30:46
Yeah, there’s one I also want.

Kurt Kayser - 2022-10-27 12:30:47
Routerdam

Marco Davids - 2022-10-27 12:30:58
:sweat_smile:

Vladimír Čunát - 2022-10-27 12:31:15
Apart from startup, root's latency seems important mainly for latency of denying non-existent TLDs.