The 44th DNS-OARC Workshop is a two-day event that took place in Atlanta, Georgia on 6-7 February 2025. With over 100 people in attendance, there were some engaging presentations, followed by detailed Q&A, plenty of networking opportunities and a Mentor-Mentee program.
DNS Operations, Analysis, and Research Center (DNS-OARC) is a non-profit, membership organization that aims to improve the security, stability and understanding of the internet’s DNS infrastructure. For anyone who works with DNS or is interested in DNS technology, the DNS-OARC Workshops are among the best events to attend.
The format of a DNS-OARC Workshop
A DNS-OARC Workshop is single-track, meaning that only one presentation or discussion happens at any one time. The range of topics is broader than you might expect if you are not deep into DNS. We suggest reviewing the agenda in advance and focusing on the sessions that are most relevant to your business or that you personally find interesting!
The IBM NS1 Connect team uses a Slack channel as a form of internal “live blog” during conferences, including the DNS-OARC Workshops. We post links to the summaries and slides, and flag items that we think colleagues who are not attending would like to know about.
There were many interesting and informative presentations throughout the two days. Four of them we found particularly enlightening, and we would like to share those with you.
How are Internet users affected by DNS resolver authoritative server selection
In the DNS we have authoritative servers, which hold information about names; for example, ibm.com can be reached at the IPv6 address 2a02:26f0:1180:19c::3831. We also have recursive resolvers, which find the correct authoritative servers and retrieve this information. Exactly how a recursive resolver chooses among a zone’s authoritative servers depends on the implementation and can be a bit of a mystery.
Geoff Huston presented research that he and João Damas have been doing on how resolvers decide which authoritative server to query. This is similar to earlier research presented at DNS-OARC 42 by Shane Kerr, Backend Engineer at IBM (Using Multiple DNS Authoritative Vendors Does Not Work Like You Thought), although Geoff and João’s research was more comprehensive.
Luckily, the recommendations are not far from IBM NS1 Connect’s setup, although they have inspired us to keep reflecting on, and innovating in, how we can improve things! Presentation materials are available on the DNS-OARC event page.
In spite of the name, this talk was not really about Anycast, but rather about the performance of virtual machines (by which we mean Linux containers) versus bare metal performance for serving DNS.
The results showed that bare metal can be 2 to 4 times faster! That bare metal performs better is not surprising, but the size of the gap is. In fact, a presentation 11 years ago by João Damas and Dave Knight showed DNS servers running in Docker performing roughly the same as on bare metal. This matters to anyone running DNS servers, so hopefully further research will follow. Further information and presentation materials are available on the DNS-OARC event page.
Kobayashi Maru: Packet Sizes
This was a presentation given by Shane Kerr of IBM, fancifully titled after a fictional “no-win scenario” from Star Trek. In this case, the conflict is between limiting the size of responses so that they work over networks with a lower maximum transmission unit (MTU), and resolvers that do not support DNS over TCP: a response that exceeds the size limit is returned with the TC (truncated) bit set, and a resolver that cannot retry the query over TCP is left with no answer at all.
Ultimately, there was not much appetite to change the best current practices (BCP) for DNS operation to work around such issues. The consensus seems to be that these are an edge case, and that we should not spend engineering resources improving things for operators whose networks are effectively broken. Further information and presentation materials are available on the DNS-OARC event page.
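To make the trade-off concrete, here is an added example (our own illustration, not code from Shane’s talk or from IBM NS1 Connect) that uses only the Python standard library. It builds a minimal authoritative A-record response, truncates it with TC=1 whenever it exceeds the UDP payload size the resolver advertised, and then models two resolvers: one that can retry over TCP and one that cannot. It also checks whether a given reply size avoids IP fragmentation on a path with a given MTU. The query name, the 192.0.2.0/24 documentation addresses, the 1232-byte buffer size (the DNS Flag Day 2020 recommendation) and the MTU values are constructed for the example.

```python
import struct

# Constructed values for this example, not measurements from the talk.
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags (RFC 1035)
TCP_MAX = 65535           # largest message a 2-byte TCP length prefix allows
FLAG_DAY_BUFSIZE = 1232   # EDNS UDP buffer size recommended by DNS Flag Day 2020


def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, addresses, max_size):
    """Serialise an A-record response for qname.

    If the full message exceeds max_size (the UDP payload size the resolver
    advertised), do what most authoritative servers do: return the header
    and question only, with TC=1, so the resolver retries over TCP.
    Returns (wire_bytes, truncated).
    """
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative answer)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        # 0xC00C is a compression pointer back to the owner name in the question
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        answers += bytes(int(octet) for octet in ip.split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses), 0, 0)
    wire = header + question + answers
    if len(wire) <= max_size:
        return wire, False
    header = struct.pack("!HHHHHH", 0x1234, flags | TC_FLAG, 1, 0, 0, 0)
    return header + question, True


def answer_count(wire):
    """Read ANCOUNT from a wire-format DNS message header."""
    return struct.unpack("!HHHHHH", wire[:12])[3]


def resolve(qname, addresses, udp_bufsize, supports_tcp):
    """Model a resolver querying the server above.

    Returns (transport, answers), where transport is "udp", "tcp" or "failed".
    A resolver that cannot fall back to TCP gets nothing from a truncated reply.
    """
    wire, truncated = build_response(qname, addresses, udp_bufsize)
    if not truncated:
        return "udp", answer_count(wire)
    if not supports_tcp:
        return "failed", 0
    wire, _ = build_response(qname, addresses, TCP_MAX)  # retry over TCP
    return "tcp", answer_count(wire)


def fits_in_mtu(message_size, mtu=1500, ipv6=False):
    """True if a UDP reply of message_size bytes avoids IP fragmentation at this MTU."""
    overhead = (40 if ipv6 else 20) + 8  # IP header + UDP header
    return message_size + overhead <= mtu


if __name__ == "__main__":
    # Constructed: 100 A records, enough to exceed a 1232-byte UDP limit.
    many = ["192.0.2.%d" % (i % 254 + 1) for i in range(100)]
    size = len(build_response("example.com", many, TCP_MAX)[0])
    print("full response: %d bytes; fits 1500 MTU: %s" % (size, fits_in_mtu(size)))
    for bufsize, tcp in ((FLAG_DAY_BUFSIZE, True), (FLAG_DAY_BUFSIZE, False), (4096, False)):
        label = "tcp" if tcp else "no-tcp"
        print("bufsize %d, %s -> %s" % (bufsize, label, resolve("example.com", many, bufsize, tcp)))
```

The 1232-byte figure is chosen so that a reply plus IPv6 and UDP headers fits the 1280-byte IPv6 minimum MTU; the cost is that anything larger is truncated and reaches only resolvers that can retry over TCP, which is exactly the no-win choice the talk describes.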
The Last Leg: The case for Encryption for Recursive to Authoritative
DNS currently supports encryption between applications (via stub resolvers or OS-based resolvers) and recursive resolvers through several different methods. The connection between recursive resolvers and authoritative servers, such as those IBM NS1 Connect operates, can be encrypted, but only opportunistically, and many authoritative providers do not support it.
IBM has been a long-term member of DNS-OARC, meaning that IBM supports OARC commercially and participates in its governance. Since OARC is a valuable resource both for the DNS community in general and for IBM, we value our engagement with the OARC team.
In addition, IBM regularly attends OARC workshops, both as participants and to present on various topics that we hope are of interest and benefit to other operators or researchers.
IBM was also an event sponsor of the OARC 44 Workshop.
Other presentations included:
DNS-OARC also has a YouTube channel where recordings of the presentations are added over time.