DNS over HTTPS (DOH) - IETF 100, Singapore
Raffles City Convention Center, Olivia room
Thursday Afternoon session I, 13:30-15:30 Singapore Local Time (UTC+8), 05:30-07:30 UTC

13:30 - 13:40 (10 min) Chair slides - David Lawrence / Ben Schwartz
https://datatracker.ietf.org/meeting/100/materials/slides-100-doh-chair-slides/

Eliot Lear (EL): What documents to address changes.
Patrick McManus (PM): Discussion on protocol, discussion on other topics.

13:40 - 14:30 (50 min) Proposed protocol
- (15 min): Slides on draft-ietf-doh-dns-over-https - Paul Hoffman / Patrick McManus
- (35 min): Protocol-related discussion
https://datatracker.ietf.org/meeting/100/materials/slides-100-doh-draft-ietf-doh-dns-over-https/

Issue #11 Discussion: Requirements; Silence; Endorse with Explanation

Martin Thomson (MT): Endorse w/ explanation.
Paul Hoffman (PH): How to deal with out-of-order responses?
MT: You get HTTP (no pipelining).
PH: Parallel TCP connections.
MT: Articulate advantages; SHOULD, not MUST.
Mark Nottingham (MN): Silence.
Discussion about ordering; many reverse proxies talk http/2 on the front end and http/1 on the back end.
Ian Swett (IS): Any advantage to writing http/2 only?
PH: Much harder to do http/2 only.
IS: Strong support for SHOULD.
Ted Hardie: Might want to say things about clients and servers. Servers MUST support h2, clients SHOULD support h2.
Andrew Sullivan (AJS): Many pushing back; this is a transport for DNS.
John Levine (JL): Refighting use case for proxy.
MN: SHOULD is not appropriate here.
**Action: Will take away as Endorse with Explanation**

Issues 13/14/15: HTTP Caching

MN: Wordsmith Issue 13; Issue 15 2119 text?
PH: Stronger than 2119.
MT: Q about how this worked in practice. HTTP cache swallowed by DNS cache.
PM: HTTP cache shared between clients.
Ben Schwartz (BS): Logic took a while to understand. Rewrite DNS TTL in HTTP cache?
PH: Age header nuance.
Ray Bellis (RB): Treat TTL as absolute maximum.
David Lawrence (DL): Unbound example of requerying based on shortest TTL in answer set.
Warren Kumari (WK): When a server publishes a 10 minute TTL, they assume it will stay around for 20 minutes.
Jim Reid (JR): DNSSEC.
PH: No different than current state.
MN: Collision with vultures. Spec could contain examples with deployment scenarios.
Mark Andrews (MA): All records will expire at the same time.
JL: Strongly work out examples.
MT: Send 7719bis links to list.
PH: Done.
MT: RRSet caching vs. message caching.
PH: Not a good thing to discuss here.

14:30 - 15:30 (60 min) Open discussion
- (50 min) Beyond-protocol technical discussion
- (10 min) Identify next drafts needed and solicit volunteers

RB: HTTP proxy; refer to xpf draft.
EL: Split DNS, load balancer issues. Thinks there is a paragraph or two to add to the document.
PH: As long as it is more than a paragraph.
Steven: Security of DNS over HTTPS relies on PKI.
MT: OCSP stapling means not going to another server. May want to mandate stapling. OCSP is good practice; OK to recommend.
Adam Roach (AR): Operational considerations may have proposed mitigations.
MN: One use case manually configured somehow.
DL: Browser vendors would love to bypass DNS timings.
MT: May be a little bit careful on this.
AJS: Slightly concerned about order. Two sets of people in the document who speak two different languages. Work out concrete examples.
PH: Clients do different certificate checking. Not use h2 roots. Loops may show up.
BS: Lot of people scared that other people will be confused.
Mike Bishop (MB): DNSSEC pushing around DNS resources. h2 relies less on DNS.
Erik Kline (EK): Implementation Q. DNS-TLS: what to do if DNS has too many queries?
MT: h2 has mechanisms to protect against this class of attack.
EL: Pull request of a paragraph.
BS: Pull requests.
BS: Anyone want to write another draft?
Alex Mayhoff (AM): Could see some extensions on how we do things via DNSOP.
AJS: Premature to write additional drafts. Maybe more threads.