The Governance of the Root of the DNS

DNS at IETF 123: A Comprehensive Report on Standards, Debates, and Future Directions

Introduction: The IETF’s Role in DNS Evolution

The Internet Engineering Task Force (IETF) remains the principal standards development organization for the Domain Name System, shaping its technical evolution through a consensus-driven, open participation model. IETF 123, held in Vienna in November 2022, represented a significant moment in DNS standardization, marked by both technical maturation of existing work and the emergence of new challenges. This article provides a detailed examination of DNS-related discussions, controversies, and decisions at this critical meeting.

As Dr. Warren Kumari, former DNS Directorate co-chair, noted: “IETF meetings are where the rubber meets the road for DNS standards. What gets discussed—or more importantly, what gets implemented—here shapes the internet’s fundamental infrastructure for years to come.”

1. IETF 123 Meeting Context and Significance

1.1 Meeting Overview

  • Dates: November 12-18, 2022

  • Location: Vienna, Austria (first fully in-person meeting since pandemic)

  • Format: Hybrid (in-person/virtual) participation

  • Attendance: ~1,300 participants with significant DNS community representation

  • Historical context: Coming amid increased attention to DNS privacy, security, and new use cases

1.2 Why IETF 123 Mattered for DNS

  • Post-pandemic reset: First opportunity for extensive face-to-face DNS community discussions

  • Critical standards maturation: Several DNS RFCs approaching finalization

  • Emerging tensions: Privacy vs. operational requirements coming to a head

  • New work items: Response to evolving DNS abuse patterns and architectural challenges

2. Key DNS Working Groups and Their Agendas

2.1 DNSOP (DNS Operations) Working Group

Chairs: Tim Wicinski, Willem Toorop
Key Discussions:

DNS Transport:

  • DoT/DoH deployment experiences: Operational reports from major providers

  • QUIC for DNS (DoQ): Progress on RFC 9250 implementation feedback

  • Issue: Middlebox interference with encrypted DNS, particularly in enterprise networks

  • Action: Formation of design team to document middlebox best practices

Zone Management:

  • DNS Zone Transfer over TLS (XFR-over-TLS): Implementation reports

  • Secondary Notify: Draft-ietf-dnsop-secondary-notify nearing WGLC

  • Discussion: Balancing security improvements with operational complexity

DNSSEC Operations:

  • Algorithm rollover procedures: Experiences with SHA-1 deprecation

  • ZONEMD (RFC 8976) implementation: Early deployment challenges

  • Key finding: Need for better automation tools for DNSSEC management

2.2 DPRIVE (DNS PRIVate Exchange) Working Group

Chairs: Sara Dickinson, Tommy Pauly
Focus Areas:

Oblivious DNS:

  • Oblivious DoH (ODoH): RFC 9230 implementation status

  • Operational considerations: Proxy deployment models and incentives

  • Controversy: Whether ODoH addresses real-world threats or creates new centralization risks

  • Notable quote from debate: “We’re solving technical privacy problems while ignoring the business model privacy problems.”

Encrypted DNS Deployment:

  • Discovery mechanisms: Service binding records and implementation experiences

  • Enterprise deployment challenges: Documenting split-horizon DNS with encryption

  • Work item: Draft-ietf-dprive-unilateral-probes for detecting encrypted DNS support

2.3 ADD (Adaptive DNS Discovery) Working Group

Chairs: Tirumal Reddy, Christopher Wood
Primary Focus:

  • Adaptive DNS Discovery mechanisms: Balancing user choice with network requirements

  • Discovery of Designated Resolvers (DDR): Protocol for network-advertised encrypted DNS

  • Enterprise use case prioritization: Significant debate about requirements from different stakeholders

2.4 SIDROPS (Secure Inter-Domain Routing Operations)

Relevant DNS Discussions:

  • RPKI and DNS integration: Using DNS to distribute RPKI repository information

  • TAL (Trust Anchor Locator) distribution via DNS: Security considerations

  • Intersection with DNSSEC: Potential for combined trust infrastructures

3. Major Technical Discussions and Breakthroughs

3.1 DNS over HTTP/3 (DoH3)

Status at IETF 123:

  • Draft-ietf-dprive-dnsoquic now published as RFC 9250

  • Early implementation in Firefox and Cloudflare

  • Performance discussions: QUIC’s 0-RTT offering advantages over HTTP/2 for DNS

  • Deployment challenges: UDP fragmentation issues in some network paths

Key Debate:

  • Google representative: “DoH3 represents the natural evolution, combining QUIC’s transport advantages with HTTP semantics.”

  • ISP network engineer: “We’re concerned about bypassing local caching and policy enforcement.”

  • Compromise: Agreement to document operational considerations for network operators

3.2 QNAME Minimization and Aggressive Use

draft-ietf-dnsop-rfc7816bis:

  • Updates to QNAME minimization (RFC 7816) based on operational experience

  • Aggressive mode proposal: Always minimizing QNAME, not just for unknown servers

  • Privacy vs. functionality debate: Concerns about breaking certain DNSSEC validations

  • Outcome: Agreement to proceed with aggressive mode as optional

3.3 DNS Error Reporting

draft-ietf-dnsop-dns-error-reporting:

  • Standardizing how DNS servers report operational problems

  • Use case: Helping operators detect configuration errors

  • Privacy considerations: What information should be included in error reports

  • Status: Advanced to Working Group Last Call during meeting

4. Security-Focused Discussions

4.1 DNS Attack Mitigation

DDoS Response:

  • Sharing of attack data from root and TLD operators

  • New technique: “DNS Water Torture” attacks using random subdomains

  • Collaboration with MANRS: Mutually Agreed Norms for Routing Security

Cache Poisoning Defenses:

  • 0x20 encoding deployment status

  • Source port randomization effectiveness assessment

  • Finding: Both techniques remain necessary despite DNSSEC adoption

4.2 DNSSEC Operational Practices

Algorithm Transition:

  • Progress report on moving from RSA/SHA-256 to ECDSA/P-256

  • Root KSK 2022 rollover: Post-event analysis presented

  • ccTLD experiences: Varied adoption rates, with some registries delaying deployment

Automation Tools:

  • OpenDNSSEC 2.2.0 features: Presented by NLnet Labs

  • BIND 9.19 updates: Include automated KSK rollover support

  • Gap identified: Need for better monitoring of DNSSEC validation rates

5. Privacy Debates and Controversies

5.1 The Centralization Debate

Encrypted DNS’s Unintended Consequence:

  • Data point: 85% of Firefox DoH traffic goes to Cloudflare (per Mozilla report)

  • Alternative proposal: “Oblivious DoH with multiple proxies” to distribute trust

  • Economic reality: Small providers struggle with encrypted DNS infrastructure costs

Regulatory Implications:

  • European Commission representative: “We’re monitoring DNS centralization as part of Digital Markets Act enforcement.”

  • Civil society concern: “We’re trading ISP surveillance for corporate surveillance.”

5.2 Logging and Data Retention

Best Current Practice Discussion:

  • How long should encrypted DNS providers retain query data?

  • Technical proposal: Aggregated, anonymized logging after 24 hours

  • Legal reality: Data retention laws in some jurisdictions requiring longer periods

  • Outcome: Formation of design team to develop BCP document

6. Emerging Technologies and Future Work

6.1 DNS and IoT

Discovery Challenges:

  • mDNS (Multicast DNS) scalability in dense IoT environments

  • DNS-SD (Service Discovery) updates for constrained devices

  • Proposal: Lightweight DNS message compression for IoT

Security for Constrained Devices:

  • DNSSEC validation on resource-constrained devices

  • Compromise: Allow insecure delegation for certain IoT use cases

  • Controversy: Whether this creates dangerous precedents

6.2 DNS as a Database (DNR)

New Use Cases:

  • Using DNS for certificate transparency logs (CT logs)

  • Distributed public key distribution via DNS

  • Technical challenge: Large record sizes vs. DNS message limits

  • Privacy implication: These uses create persistent query patterns

6.3 Internationalized Domain Names (IDNs)

Emoji Domains and Beyond:

  • Handling of newer Unicode characters in DNS

  • Security concern: Visual spoofing with complex scripts

  • ICANN liaison report: UASG (Universal Acceptance Steering Group) activities

7. Operational Reality Checks

7.1 Implementation Reports

Major Implementer Updates:

  • BIND (ISC): Version 9.19 includes full DoQ support

  • Knot Resolver (CZ.NIC): Added ODoH proxy functionality

  • Unbound (NLnet Labs): Improved QNAME minimization controls

  • Windows DNS: Incremental adoption of newer standards

Interoperability Testing:

  • Reports from DNS interoperability workshop held before IETF

  • Success: Basic DoQ interoperability achieved between major implementations

  • Challenge: Handling of fallback between encrypted DNS protocols

7.2 Deployment Metrics

Measuring Adoption:

  • APNIC data showing ~15% of users using encrypted DNS

  • Geographic variation: Higher adoption in Europe, lower in Asia-Pacific

  • Correlation: Encrypted DNS adoption correlates with browser defaults

Performance Impact Studies:

  • Academic research presented showing minimal latency impact for DoH/DoT

  • Exception: High-latency satellite connections where TCP/TLS handshake dominates

  • Recommendation: Opportunistic encryption rather than strict requirement

8. Liaison Reports and External Coordination

8.1 ICANN Liaison Report

Technical Engagement:

  • Root server system enhancements

  • IANA parameter updates related to new DNS RFCs

  • Coordination on DNSSEC signing schedules

Policy-Technical Interface:

  • New gTLD subsequent procedures and technical requirements

  • EPDP (Expedited Policy Development Process) Phase 2 implementation

  • SSAD (System for Standardized Access/Disclosure) technical feasibility

8.2 RIR (Regional Internet Registry) Reports

DNS-Related Activities:

  • Reverse DNS delegation best practices

  • RPKI integration with DNS

  • DNSSEC deployment statistics by region

8.3 W3C (World Wide Web Consortium) Coordination

Web and DNS Integration:

  • Secure Contexts specification and DNS implications

  • HSTS (HTTP Strict Transport Security) preload list distribution

  • CORS (Cross-Origin Resource Sharing) and DNS rebinding protection

9. Birds-of-a-Feather (BOF) Sessions

9.1 DNS over CoAP (Constrained Application Protocol)

Purpose: Explore DNS adaptation for constrained IoT networks
Outcome: Agreement to form Design Team for requirements document
Key insight: Different tradeoffs needed for battery-powered vs. mains-powered devices

9.2 DNS in 5G Networks

3GPP Liaison: How DNS integrates with 5G service-based architecture
Issue: Network slicing and DNS resolution boundaries
Action: Liaison statement to 3GPP SA2 working group

10. Key Decisions and Outcomes

10.1 Working Group Milestones

Advancement to IESG:

  • draft-ietf-dnsop-svcb-https (SVCB and HTTPS DNS records)

  • draft-ietf-dnsop-dns-error-reporting

  • draft-ietf-dprive-oblivious-doh

New Work Items Approved:

  • DNS Stateful Operations (stateful connections for DNS)

  • DNS over Dedicated QUIC Connections

  • Service Binding and Parameter Specification via DNS

10.2 Controversial Decisions

DoH Discovery Protocol:

  • Heated debate about whether to standardize network-provided discovery

  • Compromise: Standardize protocol but make client behavior implementation-dependent

  • Result: draft-ietf-add-ddr advancing despite some dissent

Aggressive QNAME Minimization:

  • Privacy advocates vs. operational stability concerns

  • Decision: Proceed with optional aggressive mode

  • Safeguard: Implementations must allow disabling the feature

11. Cultural and Procedural Observations

11.1 Post-Pandemic Dynamics

Hybrid Meeting Effectiveness:

  • Improved remote participation tools compared to pre-pandemic

  • Persistent issue: Side conversations still favor in-person attendees

  • Positive development: More Global South participation via remote access

Consensus Building Changes:

  • Mailing list discussions becoming more important than meeting discussions

  • Challenge: Reading comprehension vs. verbal comprehension differences

  • Adaptation: More explicit consensus calls during sessions

11.2 Diversity and Inclusion

DNS Diversity Survey Results:

  • Presented by IETF Diversity Directorate

  • Finding: DNS WGs have better gender diversity than IETF average

  • Concern: Geographic diversity still lacking, especially from Africa

  • Action: Fellowship program expansion for DNS topics

12. Looking Forward: Implications and Trends

12.1 Short-Term Impacts (6-12 months)

Expected Developments:

  • Widespread implementation of SVCB/HTTPS records

  • Increased enterprise adoption of encrypted DNS with policy controls

  • Root server operators implementing XFR-over-TLS

Standards Pipeline:

  • DNS Stateful Operations likely to enter Working Group

  • Further refinement of oblivious DNS mechanisms

  • DNSSEC automation standards maturation

12.2 Medium-Term Trajectory (1-3 years)

Convergence Trends:

  • Encrypted DNS becoming default in major operating systems

  • Integration of DNS with other security infrastructures (RPKI, certificate transparency)

  • Increased use of DNS for application configuration beyond web

Potential Disruptions:

  • Quantum computing threats to DNSSEC cryptography

  • Regulatory interventions affecting DNS operations

  • Alternative naming systems gaining traction

12.3 Long-Term Considerations

Architectural Evolution:

  • Whether DNS remains hierarchical or moves toward more distributed models

  • Balance between feature addition and protocol stability

  • Integration with emerging network architectures (satellite constellations, LEO networks)

Conclusion: DNS at an Inflection Point

IETF 123 revealed DNS standards development at a critical juncture, characterized by three simultaneous transitions:

  1. From optional to mandatory encryption: Privacy protections becoming expected rather than exceptional

  2. From simple resolution to rich discovery: DNS evolving beyond simple A/AAAA lookups

  3. From technical to socio-technical considerations: Increasing recognition of economic, regulatory, and ethical dimensions

The debates at IETF 123 demonstrated that the DNS community is grappling with fundamental questions:

  • How much complexity can DNS absorb before breaking?

  • How to balance competing values (privacy, security, functionality, decentralization)?

  • Who gets to decide DNS’s evolution in an increasingly fragmented internet ecosystem?

As Patrik Fältström, longtime DNS expert, reflected during the meeting: “We’re no longer just designing protocols. We’re designing the plumbing of society’s digital infrastructure. Every technical choice has social consequences.”

The outcomes from IETF 123 suggest a path forward that embraces encryption and privacy while maintaining operational manageability—a “pragmatic privacy” approach that acknowledges real-world constraints. The coming year will test whether this balanced approach can withstand increasing pressures from both commercial consolidation and regulatory fragmentation.

Appendices: Key Documents and Resources

RFCs Advanced at IETF 123:

  • RFC 9461: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)

  • RFC 9462: Delegation-Only DNS Zones

Important Drafts Discussed:

  • draft-ietf-dnsop-svcb-https

  • draft-ietf-dprive-oblivious-doh

  • draft-ietf-add-ddr

  • draft-ietf-dnsop-rfc7816bis

Presentation Materials:

Next Steps:

  • IETF 124 (Yokohama, March 2023): Continued discussion of contentious issues

  • Interim meetings: DNSOP virtual interim scheduled for January 2023

  • Implementation feedback: Critical for drafts approaching RFC publication

IETF 123 demonstrated both the vitality and the vulnerabilities of the DNS standardization process—a community successfully evolving critical infrastructure while navigating increasingly complex technical and policy landscapes.