IETF 113 – Impressions / Empressement
By Mark McFadden
After two years of remote meetings, the Internet Engineering Task Force (IETF) started up the engines of in-person engagement and brought more than 300 people to Vienna, Austria. A welcome change for many, the IETF still had more than three times the number of remote attendees as those in the rooms in Vienna. Even so, a clear feeling of friendliness and renewed eagerness seemed to fill the rooms of IETF 113.
What is the IETF?
The IETF is the premier standards body for the Internet, dating back to its earliest days. Industry-led, with a strong ethos of expertise, it works through bottom-up consensus processes—reflected even in the name of its standards documents, ‘Requests for Comment’ or RFCs—and has a suspicion of top-down, government-led imposition of rules.
Domain Name System Operations
DNSOP (Domain Name System Operations), the key working group for the DNS protocol at the IETF, was notably busy with more than 120 people attending its single session on Tuesday. The importance of the DNS is reflected in the fact that DNSOP has a queue of potential work items waiting to be prioritized for standardization.
Like that rude person at the grocery store, DNSOP has had one piece of work jump the queue: an attempt to document best current practices for DNSSEC. The IETF has produced a Tower of Babel for DNSSEC, and anyone trying to implement the protocol, or run a resolver that supports the protocol, is faced with an extensive library of standards and informational documents. Like other protocols with many related protocol specifications (for instance, the security protocol called OAuth [https://oauth.net/2/], which lets you log into third-party websites and services using security credentials from Facebook or Google), the variety of DNSSEC publications is challenging to track and leads to errors in implementation and deployment.
The best practice document is intended to bring together all the DNSSEC-related RFCs into a coherent, single document. The working group has just started down this path and wants to try to have a work product finished in the summer of 2022.
Encryption and the DNS
Another important DNS-related activity is the ability to send DNS messages over encrypted connections – thus ensuring the privacy of those communications. This work led to some controversial protocol development, including DNS over TLS (called simply, DoT) and DNS over HTTPS (DoH). During the discussion of these protocols, a significant operational issue emerged that needed to be considered: how do clients pick which DNS resolvers they will use?
If clients want to use a resolver that is different from the one provided by their ISP, how do they locate the available servers, and how do they choose between servers when more than one is available? An answer is an approach called Adaptive DNS Discovery – ADD for short.
In Vienna, ADD was also well-attended, with more than 120 participants in person and online. That level of interest directly results from the motivation to use privacy-enhancing features of the DNS and make those features more widely available. ADD has successfully moved at least three proposed documents down the path toward becoming RFCs. A few experimental add-ons for major browsers that implement ADD can be found, and we can expect more as the drive for further DNS privacy continues (that will be the topic of our next post).
The Vienna meeting showed that the IETF can organize and run hybrid meetings that meet the needs of both those who need to get together in person and those who are yet to be able to travel. Now that the engine is started, the IETF caravan next goes to Philadelphia in July 2022.
The DNS is one of the oldest sets of Internet protocols. Yet the high level of DNS-related activity and the focus on encouraging implementation of strong encryption and other security measures highlight the continuing strategic importance of the DNS. The remaining challenge is how to maintain the openness and transparency that have been hallmarks of IETF standards, while also driving uptake of strong privacy and security measures throughout the system.