Re: [dns-wg] Lower TTLs for NS and DS records in reverse DNS delegations
On 12/2/21 2:46 PM, Petr Špaček wrote: Why not make the TTL _dynamic_, based on time of last change in the RIPE database? Here is a wild example how it could work - all constants are made up, feel free to substitute your own: Step 1: Define upper bound for NS & DS TTLs which are "stable". Say 1 day for both NS and DS. Step 2: At the moment when someone updates NS or DS, lower respective TTL to 1 minute. Step 3: Cycle: [...] What do you think? It seems so simple that I now have to wonder why registries are not doing it? One problem I see is that if you change or add NS/DS records, and the TTL is set to a low value without your active participation, you can no longer figure out for how long old values (pre-change) are cached somewhere, so you don't know when stale stuff will globally expire. But knowing this may be relevant in some recovery scenarios. For example, if you remove a DS record and throw away the corresponding key, and later realize that this was an error, you will see a DS TTL on the order of a minutes. That may make you think that it would not be worth recovering the old key from the backup, and that it would be better to create a new key pair and deploy it (including the DS). Unfortunately, that won't work, because resolvers may have cached the old values for a time period that you can't determine in hindsight. Only if modifying the TTL would be an explicit step, you could know this (by first looking, then changing).* So it seems to me that explicit is better than implicit (as usual). If communication channels for that are missing (e.g in EPP), perhaps that's what the actual problem is? * One could keep a history of TTL values somewhere, but that seems overengineered. Thanks, Peter -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
Re: [dns-wg] DNS wg co-chair selection: candidates
I support Willem, too! He seems to be a great fit. ~Peter On 10/9/22 19:43, Shane Kerr wrote: Colleagues, The deadline for the DNS co-chair candidate volunteering is now over. We have a single excellent candidate. The period to express support (or concern) for the candidate starts now and runs until Wednesday, 26 October 2022. Below find a few words from the candidate. Willem Toorop I propose myself as a candidate to follow-up Shane as DNS working group co-chair. DNS has been the focus of my working life for the past 12 years and I've been loving it. The DNS has a lively, creative and very pleasant technical community and I truly enjoy working in and with that community. DNS plays (more and more) a central role in the tussle around the responsibilities and the capabilities of the different stakeholders on the Internet (i.e. the content vs network operators vs end-users). A good venue for this debate is the RIPE DNS working group. A well balanced program on the RIPE DNS working group is crucial for forming a well-founded point of view for all the participants in this debate. I think that I, as an open source DNS software developer, have a good perspective on the DNS world, the current state of the art and the possible future directions of development, and that I am in a good position to help out in assembling such a program. Sorry if the previous paragraph sounds (a bit) pompous. I just want to say that I would love to help out to put in the spotlight a well balanced selection of all the interesting new stuff that's going on in the DNS and that I think it is very important to do so too! Also, I am a huge fan of the current co-chairs João and Moritz (and of course Shane too!!!) and I would be honored and delighted to work with you guys! Cheers, -- Shane on behalf of the DNS WG co-chairs -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Kyffhäuserstr. 5 10781 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525 -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
Re: [dns-wg] Draft of RIPE DNS Resolver Best Common Practices
Hi all, Thanks a lot for this draft. I know my response is kinda late, but I understand that this is still an active endeavor. In addition to the comments below, I'd like to raise the point of a "false-positive" rate for any kind of filtering. This is, in my view, a crucial aspect, and not currently considered sufficiently in the draft. The problem is that it's really difficult to come up with a good number for this, partly because it's not even clear what the denominator of the false positive rate should be! (Complaints? ... those may be orders of magnitude off the real number.) I have some more thoughts (but not solutions), but would first like to hear what others think / how other filter operators approach this. In any case, the policies published by a (filtering) resolver operator should say something on what is considered an acceptable rate of false positives. (FWIW, deSEC is a member of the DNS4EU consortium. We're trying to keep an eye on privacy and security matters.) On 11/26/23 18:01, Shane Kerr wrote: In the future it will be possible to use ZONEMD to validate the copy of the root zone obtained before using it. This is currently being deployed for the root zone, but not yet available. [RFC8976](https://www.rfc-editor.org/rfc/rfc8976.html) describes ZONEMD. Small update: this is now in production, so this paragraph can be updated accordingly. https://lists.dns-oarc.net/pipermail/dns-operations/2023-December/022388.html Logging considerations 1. Public privacy policy: DNS resolvers are recommended to publish their privacy policies transparently on their website. It can be a brief privacy commitment as well or be more elaborate on how the privacy policy was made. (See for example [Cloudflare's statement](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) or [Quad9's privacy page](https://www.quad9.net/service/privacy/).) We should add here that such policies should explicitly mention the sampling rate of (anonymized) DNS queries/responses that are kept. Cloudflare does this (0.05%). I'm not sure about Quad9. 5. Ad policy and encryption: explain the ad policy and how it can potentially affect the users privacy. If data is encrypted, explain how it has been encrypted (DoH, DoT, or so on). This is under "logging considerations". It's not clear to me at all why an "ad policy" appears here? Best, Peter -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Kyffhäuserstr. 5 10781 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525 -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
Re: [dns-wg] Candidates for the open co-chair position at the RIPE DNS working group
Hi, Moritz has my support! Peter On 4/23/24 20:52, Willem Toorop wrote: Dear all, The deadline for volunteers/nominations has passed and I am very pleased to announce that we received a single self-nomination: Moritz Müller applying for a second term as co-chair. We will now collect expressions of support (or opposition) from the mailing-list, until Monday 20 May 2024, and will announce the results on Wednesday 22 May 2024 during the DNS working group session at the RIPE 88. Find below Moritz' motivation to apply for a second term: ### I'd like to volunteer for a second term as RIPE DNS-WG co-chair. In my last term, I've helped organizing (hopefully) interesting and diverse working-group meetings and I'd like to continue doing this for another 3 years. For the next term, I'd like to go on organizing meetings that are relevant not only for DNS experts but also for the broader RIPE community with interest in the DNS. ### Timeline * Monday, 20 May 2024 Deadline for showing support for candidates/volunteers on the mail list * Wednesday, 22 May 2024 DNS WG session at RIPE 88 References The RIPE working group chair job description is included in ripe-692: https://www.ripe.net/publications/docs/ripe-692 The DNS working group chair selection process is documented here: https://www.ripe.net/participate/ripe/wg/dns/dns-wg-chair-selection-process We have 3 co-chairs so the term is 3 years. The current approach was announced on this mailing list on 2018-07-17: https://www.ripe.net/ripe/mail/archives/dns-wg/2018-July/003566.html As always, please feel free to reach out to any of the chairs directly, to us as a group at dns-wg-chairs AT ripe.net, or discuss this or any other any relevant topic on this mailing list. -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Kyffhäuserstr. 5 10781 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525 -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
[dns-wg] Re: Co-chair selection for the RIPE DNS working group
Hi, I'm not sure if this is an invitation for reactions (or if the appointment is automatic in case of one candidate), but I'd like to express support Yevheniya's appointment. I assume that the RIPE DNS WG will, as per its charter, remain mostly focused on operational and deployment stuff. That's not to disencourage the occasional academic contribution! :) Cheers, Peter On 4/25/25 16:39, Willem Toorop wrote: Dear all, The deadline for volunteering or nominating someone for DNS working group co-chair is now over and we have received one submission in response to our call. We are overjoyed to announce that Yevheniya Nosyk volunteered for the position! Find below a few words from Yevheniya. I am a cybersecurity researcher at KOR Labs, where I conduct large-scale Internet measurements with a particular focus on DNS. I obtained my Ph.D. in Cybersecurity from Université Grenoble Alpes in 2024. Over the past two years, I have presented my research at RIPE, OARC, and IETF meetings. I was awarded the IRTF Applied Networking Research Prize for my work on Extended DNS Errors. I also have experience serving on scientific conference program committees. If selected for this position, I would aim to bridge the academic and operational communities by encouraging researchers to attend RIPE meetings and present their work at the DNS WG. Cheers and warm regards, Willem Toorop for the RIPE DNS working group co-chairs - To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/dns-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Möckernstraße 74 10965 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525 - To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/dns-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
