DNS Engineering Practice and community engagement

7th May 2021



Brett Carr
Manager DNS Engineering 

At Nominet, as the registry for the UK’s national namespace, we are experts in the Domain Name System (DNS) that underpins the internet. I’ve spent my whole career engaged with DNS but working at Nominet continues to be a particular pleasure; I relish being part of the deep dive into this complex but critical system and finding ways to optimise it.

Recent investment has allowed us to build a dedicated DNS engineering practice in-house, facilitating greater development of our expertise as well as more capacity to engage with the global DNS community. We may be a national registry, but solely looking inwards serves no benefit in an interconnected world. It’s crucial that we keep in touch with the wider industry to remain abreast of industry developments and trends – this can improve the work we do at Nominet.

We are also keen to share some of our specialist DNS knowledge and experience to help others with their own activity. By reaching out to the community, we help to develop the combined abilities of DNS experts worldwide and further our understanding of how we can all use the DNS to our benefit and security.

To that end, we work with a number of important organisations that may not be familiar to those outside the DNS community. I’ve summarised the role we play below:

DNS Operations and Analysis Research Center (DNS-OARC)

DNS-OARC is a globally dispersed group of DNS Operators and researchers who come together three times a year to exchange ideas and share the results of research.

Nominet’s recent engagement with the group includes my own appointment to the programme committee (soliciting and reviewing content submissions); I also chaired sessions at one of the recent online meetings. One of our senior engineers, Robert Mortimer, presented to the group at the last OARC meeting on the deployment of security-related records within the DNS; it was well received by the other members.

Council for European Nation Top Level Registries (CENTR)

CENTR is a European-focused organisation tasked with technical, security and policy co-ordination as well as promotion of best practice between country code top level domain (ccTLD) registries like Nominet. CENTR meets three times a year within three groups: technical, security and policy.

Members of the Nominet team attended the last two technical meetings and provided an overview of developments being planned within the DNS and registry services that we provide. I also recently gave a presentation at a meeting detailing the innovative way we balance security and operational complexity in our DNSSEC signing systems.

Internet Engineering Task Force (IETF)

The IETF develops standards for how the internet functions at its core, with many different working groups looking into different areas. For Nominet’s DNS engineering practice, the important groups are:

  • dnsop: the DNS Operations working group, which looks at the operational aspects of the DNS and develops or amends the standards to improve interoperability
  • dprive: DNS is a very old protocol and was not originally designed with confidentiality or privacy in mind. The focus of this group (DNS PRIVate Exchange) is to add encrypted transports and bring the DNS into the modern era, making it fit for the future.
  • add: Adaptive DNS Discovery, a group tasked with exploring how clients can discover DNS resolvers, and what encrypted transports they offer, once DNS traffic is no longer sent in the clear

Our recent activity with the IETF has been more passive in nature, although we do leverage additional resources to support our research and engagement with this group. Some interesting developments we are keeping an eye on at the IETF include:

  • DNS Cookies: a lightweight EDNS(0) option (RFC 7873) that lets a client and server confirm they are really talking to the address the other claims, which limits off-path response forgery and reflection/amplification abuse; it is not a substitute for the authentication DNSSEC provides
  • Multi-signer DNSSEC models (RFC 8901): ways to work with multiple external DNS providers, each signing with its own keys, while the zone remains validly DNSSEC-signed throughout
  • DNS Extended Errors (RFC 8914): an EDNS(0) option that attaches a specific reason to a generic response code such as SERVFAIL, making DNS failures far easier to troubleshoot
  • DNS over QUIC (DoQ): a new way of encrypting the DNS protocol, and a competitor to the better-known DoH (DNS over HTTPS) and DoT (DNS over TLS)
  • Zone transfer encryption: like many other parts of the DNS, zone transfers (AXFR/IXFR) are currently done in the clear. TSIG can authenticate a transfer but does not hide its contents, so carrying transfers over TLS closes that confidentiality gap and protects the transaction from prying eyes.
  • Authoritative encryption: proposals have been submitted for opportunistic encryption between recursive and authoritative servers. This would have positive and negative implications; the DNS engineering practice at Nominet is currently reviewing the pros and cons of this development.
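The DNS Cookies and DNS Extended Errors items above are both carried as EDNS(0) options inside the OPT pseudo-record, and seeing the bytes makes the two mechanisms much less abstract. The following Python is an added example written for this page; it is not Nominet’s code and not taken from the RFCs. It builds a query carrying a client cookie, constructs a sample SERVFAIL reply (the server cookie value, the Extended DNS Error code and its text are made-up sample data) that echoes the client cookie alongside a server cookie and an Extended DNS Error, performs the client-side check that the cookie matches before the reply is trusted, and decodes the EDE info-code. Only the option encoding is shown; a real resolver would also send the received server cookie on its later queries to the same server.

```python
import os
import struct

OPT_TYPE = 41    # OPT pseudo-RR type (RFC 6891)
OPT_COOKIE = 10  # DNS Cookie option code (RFC 7873)
OPT_EDE = 15     # Extended DNS Error option code (RFC 8914)
EDE_CODES = {0: "Other", 6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing"}  # subset of RFC 8914 s4

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_opt_rr(options, udp_payload=1232):
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = extended RCODE/version/flags (all zero here)."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(rdata)) + rdata

def build_query(qname, qtype, client_cookie):
    """Recursive query for qname/qtype whose OPT RR carries an 8-byte client cookie."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes (RFC 7873 section 4.1)")
    txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + build_opt_rr([(OPT_COOKIE, client_cookie)])

def skip_name(msg, i):
    """Offset just past the (possibly compressed) name that starts at msg[i]."""
    while True:
        ln = msg[i]
        if ln == 0:
            return i + 1
        if ln & 0xC0 == 0xC0:  # a 2-byte compression pointer terminates the name
            return i + 2
        i += 1 + ln

def find_opt_rdata(msg):
    """Walk the question and RR sections; return the OPT RR's RDATA, or None if the message has no OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    i = 12
    for _ in range(qd):
        i = skip_name(msg, i) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        i = skip_name(msg, i)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        i += 10
        if rtype == OPT_TYPE:
            return msg[i:i + rdlen]
        i += rdlen
    return None

def parse_opt_options(rdata):
    """Split OPT RDATA into (code, data) pairs, rejecting truncated headers and over-long options."""
    opts, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        if i + 4 + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        opts.append((code, rdata[i + 4:i + 4 + length]))
        i += 4 + length
    return opts

def build_response(query, server_cookie, ede_code, ede_text):
    """Constructed SERVFAIL reply for the demo: echoes the question, returns client+server cookie, adds an EDE."""
    qend = skip_name(query, 12) + 4
    client_cookie = dict(parse_opt_options(find_opt_rdata(query)))[OPT_COOKIE]
    header = query[:2] + struct.pack("!HHHHH", 0x8182, 1, 0, 0, 1)  # QR, RD, RA set; RCODE=2 (SERVFAIL)
    opts = [(OPT_COOKIE, client_cookie + server_cookie),
            (OPT_EDE, struct.pack("!H", ede_code) + ede_text.encode("utf-8"))]
    return header + query[12:qend] + build_opt_rr(opts)

def verify_server_cookie(response, client_cookie):
    """Return the server cookie if the reply echoes our client cookie; raise on anything else."""
    cookies = [d for c, d in parse_opt_options(find_opt_rdata(response) or b"") if c == OPT_COOKIE]
    if len(cookies) != 1:
        raise ValueError("expected exactly one COOKIE option")
    data = cookies[0]
    if not 16 <= len(data) <= 40:  # 8-byte client cookie followed by an 8..32-byte server cookie
        raise ValueError("bad COOKIE option length %d" % len(data))
    if data[:8] != client_cookie:
        raise ValueError("client cookie mismatch: discard the reply, it may be an off-path forgery")
    return data[8:]

def extended_errors(response):
    """Decode every EDE option in the reply as (info-code, name, extra-text)."""
    out = []
    for code, data in parse_opt_options(find_opt_rdata(response) or b""):
        if code == OPT_EDE and len(data) >= 2:
            info = struct.unpack("!H", data[:2])[0]
            out.append((info, EDE_CODES.get(info, "Unassigned"), data[2:].decode("utf-8", "replace")))
    return out

def demo():
    """Round trip on constructed data: query with a fixed client cookie, reply, cookie check, EDE decode."""
    client_cookie = bytes.fromhex("0102030405060708")  # fixed so the result is reproducible; use os.urandom(8) for real
    query = build_query("example.com", 1, client_cookie)
    reply = build_response(query, bytes.fromhex("a1a2a3a4a5a6a7a8"), 6, "no SEP matching the DS found")
    return verify_server_cookie(reply, client_cookie), extended_errors(reply)
```

Calling `demo()` returns the 8-byte server cookie and the decoded list `[(6, "DNSSEC Bogus", "no SEP matching the DS found")]`. A reply whose cookie does not match the one the client sent raises `ValueError`, which is the point of the mechanism: an off-path attacker who cannot see the query cannot guess the client cookie, so the forged reply is discarded rather than cached. The EDE text is diagnostic only and must never be treated as authenticated data.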

Encrypted DNS Deployment Initiative (EDDI)

This is an informal group of DNS Operators and implementors who meet weekly to discuss encrypted DNS. A representative of Nominet’s DNS engineering practice attends weekly calls and reports back on items of interest.

It was in this forum that we first became aware of the recent Firefox consultation on DoH expansion, which helped us to formulate a response for the public consultation. It’s also where we learnt of Apple and Microsoft developments in relation to DoH. These are important insights. One area which we are currently monitoring closely is the development of a European DNS resolver policy.

Réseaux IP Européens (RIPE)

RIPE is a European-focused community of network providers and operators. As DNS is such an intrinsic part of all networks, it includes a dedicated DNS Working Group that meets regularly. Nominet DNS staff attend these meetings and I recently delivered a presentation to the Working Group on how we’ve simplified operations of our DNSSEC infrastructure to make it more robust. This presentation prompted some lively discussion and feedback, which is always valuable for us.

Internet Corporation for Assigned Names and Numbers (ICANN)

The best known of the organisations we work with, ICANN is the point at which the technology and policy of the DNS intertwine. Nominet DNS staff regularly attend the ‘Tech Day’ of each ICANN meeting and I have presented to this group, most recently on Nominet’s move of its DNS infrastructure to the cloud. I fielded many questions from attendees afterwards on the benefits and drawbacks of our decision, which will help others to make their own changes. The other area of the ICANN meetings we get involved in is the DNSSEC Workshops; these are invaluable for learning about and applying best practice.

On a less technical note, I am vice chair of the Customer Standing Committee (CSC) at ICANN and help to co-ordinate the group that ensures IANA (the Internet Assigned Numbers Authority) is meeting its performance objectives. I am also a member of the TLD-OPS standing committee; this group provides security co-ordination between TLD operators and runs workshops at ICANN meetings. Recent sessions have covered defending against DDoS attacks and effective disaster recovery (DR) for TLD registries, with supporting documentation.

~~

It may sound like a busy calendar of engagement activities for the DNS Engineering practice at Nominet, but it’s hugely stimulating and useful to regularly engage with the international community. This is an area that is changing all the time, after all, and we always have more to learn. Over the coming months and years we plan to take our engagement in these communities to the next level, ensuring we both benefit from the knowledge we can gain from them but also give back to others where we can.

If you’re eager to learn more, Nominet’s team also give regular briefings to our external stakeholders on DNS developments and are always happy to speak to any interested party. After all, we love talking about DNS and we could all understand a little more about the system that allows the internet that we rely on to function.
