IBM NS1 Connect

What we learned at DNS-OARC 44 Workshop

By Claire ODonovan posted Wed March 12, 2025 09:50 AM

  

The 44th DNS-OARC Workshop was a two-day event held in Atlanta, Georgia on 6-7 February 2025. With over 100 people in attendance, there were engaging presentations followed by detailed Q&A, plenty of networking opportunities and a Mentor-Mentee program.

The DNS Operations, Analysis, and Research Center (DNS-OARC) is a non-profit membership organization that aims to improve the security, stability and understanding of the internet's DNS infrastructure. For anyone who works with DNS or is interested in the technology behind it, the DNS-OARC Workshops are among the best events to attend.

 

The format of a DNS-OARC Workshop 

A DNS-OARC Workshop is single-track, meaning that only one presentation or discussion happens at any one time. The range of topics is probably surprisingly broad if you are not deep into DNS. We suggest reviewing the topics in advance and focusing on the ones that are most relevant to your business or that you personally find interesting!

The IBM NS1 Connect team uses a Slack channel where we run an internal "live blog" during conferences, including the DNS-OARC Workshops. We post links to the summaries and slides, and reference items that we think colleagues who are not attending would like to know about.

 

Four Standout Presentations

There were many interesting and informative presentations throughout the two days. Four of them we found particularly enlightening, and we would like to share those with you.

 

How are Internet users affected by DNS resolver authoritative server selection 

In the DNS we have authoritative servers, which hold information about names; for example, ibm.com can be reached at the IPv6 address 2a02:26f0:1180:19c::3831. We also have recursive resolvers, which find the correct authoritative servers and retrieve this information. The details of how recursive resolvers do this depend on the implementation and can be a bit of a mystery.

Geoff Huston presented research that he and João Damas have been doing on how resolvers decide which server to use. This is similar to earlier research presented at DNS-OARC 42 by Shane Kerr, Backend Engineer at IBM ("Using Multiple DNS Authoritative Vendors Does Not Work Like You Thought"), although Geoff and João's research was more comprehensive.

Luckily the recommendations are not far from IBM NS1 Connect's setup, although it has inspired us to continue to reflect and innovate on how we can improve things! Presentation materials are available on the DNS-OARC event page.

 

DNS Anycast Stack 

In spite of the name, this talk was not really about Anycast, but rather about the performance of virtual machines (by which we mean Linux containers) versus bare metal for serving DNS.

The results showed that bare metal is significantly faster than containers for every open source DNS implementation that was tested; it can be 2 to 4 times faster! That bare metal performs better is not surprising, but the size of the difference is. In fact, a presentation 11 years ago by João Damas and Dave Knight showed that DNS servers run in Docker performed roughly the same as bare metal. This is interesting for anyone running DNS servers, so hopefully further research will be done. Further information and presentation materials are available on the DNS-OARC event page.

 

Kobayashi Maru: Packet Sizes 

This was a presentation given by Shane Kerr of IBM, fancifully titled after a fictional "no-win scenario" from Star Trek. In this case, the conflict is between limiting the size of response packets so that they work over networks with a lower maximum transmission unit (MTU), and resolvers that do not support DNS over TCP, which is what the truncated responses produced by such limits require them to fall back to.

Ultimately, there was not much appetite to change the best current practices (BCP) for DNS operation to try to work around such issues. The consensus seems to be that these are an edge case, and that we should not spend engineering resources to improve things for operators whose networks are effectively broken. Further information and presentation materials are available on the DNS-OARC event page.
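To make the trade-off concrete, here is an added example (not from the talk or from IBM NS1 Connect) that models the authoritative side in plain Python: it reads the EDNS payload size a resolver advertises, applies an operator-chosen UDP cap, truncates the reply with the TC bit when it does not fit, and shows what a resolver does next. The operator cap value and the sample query and response bytes are constructed for the example.

```python
import struct

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name (labels, or a 2-byte compression pointer)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def advertised_udp_size(query: bytes) -> int:
    """EDNS payload size from the query's OPT record, or 512 when there is no EDNS (plain query assumed)."""
    qd, _an, _ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4                   # QTYPE + QCLASS
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:                                   # OPT: the CLASS field holds the size
            return rclass
        off += 10 + rdlen
    return 512

def fit_for_udp(response: bytes, query: bytes, operator_cap: int) -> bytes:
    """Return the response if it fits min(advertised, cap); else a truncated one (TC set, question only)."""
    limit = max(512, min(advertised_udp_size(query), operator_cap))
    if len(response) <= limit:
        return response
    off = 12
    for _ in range(struct.unpack("!H", response[4:6])[0]):
        off = skip_name(response, off) + 4
    header = bytearray(response[:12])
    header[2] |= 0x02                                     # TC bit
    header[6:12] = b"\x00" * 6                            # ANCOUNT, NSCOUNT, ARCOUNT = 0
    return bytes(header) + response[12:off]

def resolver_outcome(reply: bytes, supports_tcp: bool) -> str:
    """Use the reply, retry over TCP, or fail (TC set at a TCP-less resolver is the no-win case)."""
    if not reply[2] & 0x02:
        return "answered"
    return "retry-over-tcp" if supports_tcp else "resolution-failed"

# Constructed sample: query for example.com/A whose OPT record advertises 1232 bytes.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + QUESTION
                + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0))

def sample_response(n: int) -> bytes:
    """Constructed reply with n A records (16 bytes each via name compression): 29 + 16n bytes."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n, 0, 0) + QUESTION + rr * n
```

Lowering the operator cap (for example to 512) keeps replies under a small MTU but turns more of them into TC responses, which is exactly where a resolver without TCP support fails.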

 

The Last Leg: The case for Encryption for Recursive to Authoritative 

DNS currently supports encryption between applications (either via stub resolvers or OS-based resolvers) and recursive resolvers, by several different methods. The connection between resolvers and authoritative servers, such as the ones run for IBM NS1 Connect, can be encrypted, but only through opportunistic methods, and many authoritative providers do not support this.

John Todd, from Quad9 (9.9.9.9), a large public DNS resolver operator, laid out the case for encrypting this last leg, both operationally and by encouraging standards work to cover this case. Further information and presentation materials are available on the DNS-OARC event page.

 

IBM and DNS-OARC 

IBM has been a long-term member of DNS-OARC, meaning that IBM supports OARC commercially and participates in the governance of OARC. Since OARC is a valuable resource both for the DNS community in general and for IBM, we value our engagement with the OARC team. 

In addition, IBM regularly attends OARC workshops, both as participants and to present on various topics that we hope are of interest and benefit to other operators or researchers. 

IBM was also an event sponsor of the OARC 44 Workshop.

 

Learn more 

Since DNS-OARC has a packed schedule, there were many other talks. Summaries are available on the Speakers & Presentations page. 

Other presentations included: 

 

DNS-OARC also has a YouTube channel where recordings of the presentations are added over time.


#TechnicalBlog
#Event
