-----------------------------------------------------------------------------
dnsop WG minutes for IETF 73, Minneapolis, US
-----------------------------------------------------------------------------
WG:       DNS Operations (dnsop)
Meeting:  IETF 73, Minneapolis
Location: Hilton Minneapolis, Minneapolis, US; Salon E
Date:     Wednesday, 19 November 2008
Time:     13:00 - 15:00 (UTC-6)
Minutes:  John Schnizlein
Jabber:   xmpp:dnsop@jabber.ietf.org
J-Scribe: Marcos Sanz, Mark Andrews
J-Script: http://jabber.ietf.org/logs/dnsop/2008-11-19.txt
Audio:    N/A, Wed Channel 4
WG URL:   http://tools.ietf.org/wg/dnsop/
Material: https://datatracker.ietf.org/meeting/73/materials.html
Version:  $Id: ietf73-minutes.txt,v 1.4 2009/01/08 00:20:45 pk Exp $
-----------------------------------------------------------------------------
1) Administrivia [ 13:08 ]

   - Scribes, blue sheets
   - agenda bashing
     no changes
   - some survey questions:
     first time attendees - 10
     not subscribed to mailing list - 15
     oppose friday afternoon slot - majority

-----------------------------------------------------------------------------
2) Status Update [ 13:11 ]

   - RFCs published
     RFC 5358 "Preventing Use of Recursive Nameservers in Reflector Attacks"
     (An IESG appeal has been filed against the approval of this document.)

   - Internet-Drafts in RFC Editor Queue
     - NONE -

   - I-Ds at the IESG
     - NONE -

   - I-Ds in or past WGLC
     draft-ietf-dnsop-default-local-zones-06.txt
       Waiting for PROTO Write-Up
     draft-ietf-dnsop-reverse-mapping-considerations-06.txt
       Waiting for PROTO Write-Up

     the documents on AS112 (see under 4.2) need an update before proto
     writeup

-----------------------------------------------------------------------------
3) WG Charter [ 13:14 ]

   Remaining issue is the proposed work on name server and service
   performance (response times). The AD indicated that two other OPS area
   working groups (bmwg and pmol) are the preferred homes for lab or real
   world performance measurement issues.
   Chairs have coordinated with the bmwg chair and one volunteer has come
   forward to assist in drafting text. DNS performance will most likely not
   be within DNSOP charter.

-----------------------------------------------------------------------------
4) Active Drafts [ 13:15 ]

4.1) draft-ietf-dnsop-respsize-11.txt

   The lead editor is confident to have incorporated all comments posted in
   response to this or previous versions of the draft and suggests it
   should go to WGLC.

4.2) draft-ietf-dnsop-as112-ops-01.txt
     draft-ietf-dnsop-as112-under-attack-help-help-01.txt

   Awaiting WGLC
   Editors working on editorial issues, both drafts need to be revived
   before they can go to WGLC.

4.3) draft-ietf-dnsop-dnssec-trust-anchor-02.txt

   About five people in the room have read the draft. The editors believe
   it is ready for WGLC. No objection from the audience.

4.4) draft-ietf-dnsop-resolver-priming-01.txt

   Editors collected feedback in and after Dublin and discussed issues but
   didn't make enough progress to publish a new version. The draft is not
   yet ready for WGLC.

4.5) draft-ietf-dnsop-name-server-management-reqs-01.txt

   There was feedback and support in Dublin, but little discussion on the
   list since then. The editor concludes the draft is ready for WGLC.
   About five people have read the -01 version.

-----------------------------------------------------------------------------
5) Current & New Topics [ 13:21 ]

5.1) draft-jabley-dnsop-missing-mname-00.txt [ 13:21 ]

   The draft deals with unsolicited dynamic update messages and suggests a
   way to signal their undesirability. (The author was not present.)
   Lack of feedback on the list might have been due to distraction by the
   "Kaminsky" attack. The problem doesn't appear to be pressing (root ops
   in the room were asked but did not regard it worse than other unwanted
   traffic), so a decision about adoption as a WG item will be postponed
   until some of the current drafts have been finished and sent to the
   IESG.

5.2) Review and Update of RFC 4641 ("4641bis") [ 13:24 ]

   Olaf explains that he put RFC 4641 in I-D format in anticipation of
   revising for version 0 of the 'bis. He plans to get a -01 draft out
   before IETF74 (San Francisco). There are a number of open issues:
   timing of key rollover, key sizes, ... It is important to get the
   disagreement about key sizes solved in or by the Security Directorate.
   Comments from operational experience are particularly welcome.

5.3) DNS use of and issues with http cookies [ 13:29 ]
     draft-pettersen-dns-cookie-validate-04.txt
     draft-pettersen-subtld-structure-04.txt

   Idea is to declare some domains to be registry-like (TLD-like) rather
   than organizational.

   Rob: this is not a DNS problem, but an unfixable HTTP cookie problem.
        DNS usage has evolved to care about organizational boundaries that
        the protocol deliberately hid.
   Pettersen: no longer just cookies, also what domain a URL is really in.
   Andrew Sullivan: what this is about: delegation has to stop at an
        organizational boundary. - solve the real problem.
   Rob: this is against the design goal of DNS that names do not have
        semantics. Some applications want to tag organizational boundaries
        in DNS.
   Eric BW: this is about detection rather than DNS
   Peter K: this problem needs to be better framed - other WGs seem to use
        "domain" and "organization" for the same thing - not
        architecturally correct.
   Peter K: may be a terminology issue, small team should be able to frame
        the issue and draft a problem statement

   VOLUNTEERS: Jelte Jansen, Patrick Wallström, Eric Brunner-Williams,
               Andrew Sullivan, Yngve Pettersen

   Pettersen: will provide contact info for Microsoft and Mozilla

5.4) draft-carpenter-renum-needs-work-00.txt [ 13:44 ]
     [Hannu Flinck]

   The idea comes from RRG infeasibility of renumbering. Authors are
   asking input from the DNSOP WG on the DNS related aspects.
   3-4 people in the room have read the draft.

   Steve Crocker: put some time into renumbering a few years ago.
        Conclusion is the opposite: renumbering is good. Will share.
   Mark Andrews: you have not addressed the reverse name space, need to
        know if address is deprecated.
   Peter K: request volunteer reviewers: Andrew Sullivan, Steve Crocker.

5.5) draft-bagnulo-behave-dns64-01.txt [ 13:53 ]
     [Andrew Sullivan]

   {Discussion continues from dnsext session}
   [Some questions on particular issues on slides 20 and 21 might be
   better answered by reading the corresponding text parts in the drafts]

   Rob: this looks like a serious problem we are not going to be able to
        answer today.
   Mark A: Have you thought about EDNS options to handle this?
   Andrew: one option is not to use a DHCP option..
   Mark: this looks like a man in the middle anyway, having it unsecured
        is not really a problem.
   Andrew: in Montreal heard that they definitely need translation.
   Steve Crocker: on legacy v4 hosts, one could put a proxy in front of
        them and not move the problem around.
   Peter K: the discussion about whether translation will happen is to
        happen in BEHAVE, meeting tomorrow. Here focus on DNS aspects.
        There is a liaison between Behave and DNSEXT, so this is to
        support that.
   Ed Lewis: this problem is similar to DNAME - synthesized CNAME -
   Rob: you could also use an EDNS option to indicate that the AAAA is
        synthesized and use this algorithm.
   Ted Lemon: assuming people who need security will do the right thing is
        a mistake.
   Andrew: translation: you dislike that part that says "just lie".
   Olaf: one observation using EDNS options as a control plane for non-DNS
        options. Create a matrix of the consulting adults as to where they
        have to be.

   WG participants are encouraged to follow and contribute to the BEHAVE
   discussion with special emphasis on DNS operational aspects of
   "translation".

-----------------------------------------------------------------------------
6) Other (non WG) Internet-Drafts [ 14:13 ]

6.1) draft-dickinson-dnsop-nameserver-control-00.txt

   Roy Arends (one of the authors, put on the spot by Peter): authors have
        integrated a lot of the output of dcoma into NSCP (initially name
        server control protocol). Wasn't expecting to discuss this at
        dnsop at this time. Authors plan to publish -01 and then maybe
        bring it to the WG.

-----------------------------------------------------------------------------
7) I/O with other WGs [ 14:17 ]

   dnsext) Request to review "forgery resilience" debate

   Peter K: Some of the proposals considered in DNSEXT are really
        operational, e.g., RTT banding and servers election in resolvers.
   Olafur: that sums it up - we are still looking for opinions. Should be
        done or not? What is the operational impact? Concrete input
        needed!

   Discussion to be continued on namedroppers.

-----------------------------------------------------------------------------
8) A.O.B. [ 14:20 ]

   Olaf (with IAB hat): The IAB has recently submitted its response to the
        US NTIA's NoI on signing the root.
   Rob A: On new gTLDs: the increase in the size of the root zone could
        use review.
   Steve Crocker: Front page of ICANN web and follow the links.

-----------------------------------------------------------------------------
Z) Meeting closed [ 14:22 ]
-----------------------------------------------------------------------------