-----------------------------------------------------------------------------
FINAL dnsop WG minutes for IETF 66, Montreal
-----------------------------------------------------------------------------

WG:        DNS Operations (dnsop)
Meeting:   IETF 66, Montreal
Location:  Palais des Congres de Montreal, Room "513C-F"
Date:      Thursday, 13 July 2006
Time:      09:00 - 11:30 (UTC -0400)
Chairs:    Rob Austein, Peter Koch
Minutes:   Geoffrey Sisson
Jabber:    xmpp:dnsop@jabber.ietf.org
J-Scribe:  Alex Mayrhofer, Jelte Jansen
J-Script:  http://www.ietf.org/meetings/ietf-logs/dnsop/2006-07-13.html
Audio:     http://limestone.uoregon.edu/ftp/pub/videolab/media/ietf66/ietf66-ch3-thur-am.mp3
WG URL:    http://www.dnsop.org
Material:  https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66

-----------------------------------------------------------------------------
1) Administrivia [09:03 {audio 0:13:21}]

Minutes scribe and jabber scribes as listed in the header
Blue sheets were circulated
Agenda as posted on July 3rd was accepted without changes

-------------------------------------------------------------------------------
2) Status Update [09:05]

RFCs published:
  - RFC 4472 - "Operational Considerations and Issues with IPv6 DNS"
    - f.k.a. draft-ietf-dnsop-ipv6-dns-issues-12.txt
    - Published in April

Internet-Drafts in RFC Editor queue:
  - draft-ietf-dnsop-dnssec-operational-practices-08.txt
    - In RFC-EDITOR state
    - Should go to AUTH48 by end of month

Internet-Drafts in or past WGLC:
  - draft-ietf-dnsop-bad-dns-res-06.txt
    - IETF Last Call requested
  - draft-ietf-dnsop-serverid-07.txt
    - awaiting nits review and PROTO writeup
  - draft-huston-6to4-reverse-dns-05.txt
    - Chairs have asked the Security Area Directorate for review
    - Issue with using IP addresses as part of an authorisation mechanism
    - SecDir had some remarks, will be addressed in -06
    - SecDir comments: "we understand why you are doing address-based
      auth, no big deal, just some issues need to be clarified."
-------------------------------------------------------------------------------
3) Active Drafts [09:09]

  - draft-ietf-dnsop-reflectors-are-evil-01.txt
  - draft-ietf-dnsop-default-local-zones-00.txt
  - draft-ietf-dnsop-respsize-03.txt

---------------------------------------------------------------------------
3.1 draft-ietf-dnsop-reflectors-are-evil-01.txt [09:11 {audio 0:20:38}]

http://www3.ietf.org/proceedings/06jul/slides/dnsop-4.ppt

Frederico Neves presented changes from -00 to -01; many typos were fixed
and minor changes applied.

Plans for the upcoming -02 version are:
  - will add recommendations for vendors, not just operators
  - will introduce some text about SOHO devices
  - obscure acronyms to be removed
  - will add text about IP-based filtering

There are three open issues to be discussed in the meeting:

- Open Issue #1: title "Preventing Use of Nameservers in Reflector Attacks"

  The editors propose to insert "recursive" before "Nameservers".

  Pekka Savola asked to cover not only the abuse of recursive servers but
  of authoritative servers as well. Frederico explained that the draft
  mentions other attacks and remaining risks, and the chairs clarified that
  the editors' task was to explicitly cover the "open recursive nameserver"
  case. While Pekka disagreed with the focus of the document, he was asked
  to submit text if he felt that the focus was not explained clearly
  enough to serve the target audience.

  Rob Austein reminded the WG that it might revisit this focus decision.
  Olaf Kolkman recommended against that.

  In the following discussion some people showed support for the editors'
  proposal. Pekka disagreed because he felt the addition of "recursive"
  would limit the scope of the document. Other suggestions for changes
  were made.
  There was no clear way forward given the options
    - Keep title as is
    - Add "recursive" to title
    - follow Ed's suggestion

  ACTION(chairs): Take this issue to the WG mailing list (but do not permit
  discussion to run as it did for the -inaddr-required doc).

- Open Issue #2: is text needed on a recommended response to undesired
  queries? {audio 0:37:14}

  Frederico explained that the draft currently does not make a
  recommendation on how a recursive nameserver should react to the
  undesired queries. On the list, Joe Abley had asked for some guidance for
  operators to appear in the draft.

  Mark Andrews pointed out that from the perspective of the iterative
  resolver "no response" was no good solution and he'd like to see some
  response. A "REFUSED" response would not amplify.

  The chairs clarified that the first question is whether or not to
  address this and only the second would be what the recommendation could
  look like.

  Basic problem: how would the nameserver know for sure it is an attack?

  Joe asked for some guidance instead of just telling the operator what
  _not_ to do. Joao Damas pointed out that the operator would depend on
  what vendors implement anyway. Joe: Operator could choose to block the
  queries at the firewall independent of nameserver implementation.

  Mark suggested that the actual specification of the best response be
  handed over to dnsext and Olaf Kolkman (dnsext co-chair) acknowledged
  that dnsext would be willing to look into this. At the same time he
  suggested not to have normative text in the draft under discussion.

  Joe agreed that if there was no simple solution he would be fine with
  having no guidance in the document.

  Pekka suggested discussing the trade-offs of the different responses,
  but it was suggested - with reference to Peter Koch's I-D on the topic -
  that this might not be done in only a few sentences and could delay the
  progress of the draft.
A "hum" was taken by Peter Koch: "Who can live with not making a recommendation [on how not to answer queries] in doc?" Room: [significant hum] "Who would really like to have a recommendation [on how not to answer queries] in the doc?" Room: [no audible hum] CONCLUSION: strong sense in favour of going ahead without making a recommendation - Open Issue #3: keep or remove TSIG recommendation? {audio 0:47:28} The draft currently recommends either IP address based ACLs or TSIG client authentication. Olaf suggested that SIG(0) and TSIG had similar, albeit minimal, deployment and should be treated equally. After some discussion involving state considerations at the recursive resolver and clock accuracy issues for TSIG, a "hum" was taken by Rob Austein: "Rip it out/don't discuss TSIG or SIG(0)" Room: [minimal hum] "Leave it as just TSIG?" Room: [no audible hum] "Have both (add SIG(0))?" Room: [loud hum] CONCLUSION: That looked like "please add SIG(0)". It was noted that there is a recommended default ACL in the draft ("local" clients) that should be reviewed. ------------------------------------------------------------------------------- 3.2 draft-ietf-dnsop-default-local-zones-00.txt [09:45 {audio 0:54:09}] Mark Andrews reported there was only one comment by Pekka suggesting to cover 255/8 instead of 255.255.255.255/32. This was resolved by pointing out that the current text (255.255.255.255/32) is consistent with RFC 3330. The title of the draft had been changed for the WG -00 version (now: "Locally Served Zones"); nobody in the room voiced any objection. A significant number of people had read the latest version of the draft; there were no objections to going to WGLC. ACTION(chairs): Issue WGLC ------------------------------------------------------------------------------- 3.3 draft-ietf-dnsop-respsize-03.txt [09:47 {audio 0:58:26}] The document was revived to meet the IETF66 I-D submission deadline. None of the editors was present. 
Rob Austein explained the draft's background and origin.

There were no objections to going to WGLC. Volunteers were asked to speak
up to meet the "5 reviewers threshold".
  - Joe Abley
  - Lars Johan Liman
  - Marcos Sanz
  - Mohsen Soussi
  - Andrew Sullivan
  - Paul Wouters

ACTION(chairs): Issue WGLC
ACTION(reviewers (and WG)): Review and send comments

----------------------------------------------------------------------------

The chairs summarized the timeline for the three active WG drafts:
  - draft-ietf-dnsop-default-local-zones-00.txt
    - WGLC in July, go to IESG in August
  - draft-ietf-dnsop-reflectors-are-evil-01.txt
    - Update to -02 in July
    - WGLC in August, go to IESG in September
  - draft-ietf-dnsop-respsize-03.txt
    - WGLC in September, go to IESG in October

The room had no objections or suggestions for change.

-------------------------------------------------------------------------------
4) WG Charter [09:52 {audio 1:03:37}]

http://www3.ietf.org/proceedings/06jul/slides/dnsop-2.pdf

Peter Koch summarized the state of the charter discussion, pointing out
that the WG has only one official milestone left. Some active drafts do not
yet correspond to any milestone.

Current activities:
  1) Guidelines for zone configuration params
  2) Guidelines for DNSSEC operational params
  3) Guidelines addressing IPv4/IPv6 coexistence and transition
  4) Review use of existing DNS frameworks in other protocols

Previous discussion identified three possible additions:
  - Explicitly mention root server issues
  - Performance and benchmarking (methods and terminology)?
  - Transport requirements coming out of DNSSEC

Lars Liman suggested not to mention root name servers. He'd like to avoid
creating a notion that they are special. No other opinions were voiced.

Kenji Rikitake expanded that the transport issues cover IP fragmentation
of UDP packets, especially with larger payload due to DNSSEC. This might
be covered by the 2nd or 4th item above.
After some discussion it was suggested to broaden the scope and explicitly
address the issue of "how DNS messages get from point A to point B and
back again". Russ Mundy suggested to include the role of
middleboxes/firewalls here.

Ed Lewis asked - with reference to item (4) - whether the IAB document
draft-iab-dns-choices-03.txt would be covered. Olaf Kolkman [IAB]
explained that the IAB wanted to publish this document real soon now and
solicited feedback from the WG. Patrik Fältström, as editor, seconded.
This is not a WG document but the WG is encouraged to review it.

A hum was taken by Rob Austein for the "performance and benchmarking"
topic:
  "In favour of adding 'Performance and benchmarking methods and
   terminology' to the charter?"
  Room: [significant hum]
  "Opposed to adding?"
  Room: [barely-audible hum]

CONCLUSION: strong sense in favour of charter add

ACTION(chairs): draft this as another paragraph for the charter and then
circulate it to the WG
ACTION(WG): review draft-iab-dns-choices-03.txt

-------------------------------------------------------------------------------
5) Other WG Drafts [10:09 {audio 1:20:00}]

5.1 draft-ietf-dnsop-inaddr-required-07.txt

Status update: This (expired) draft is the only remaining item on our
milestones list. The original editor can't carry on the work, so Andrew
Sullivan was appointed new co-editor (chosen from several volunteers).

Proposed timeline:
  - -08 in September. Revives the draft, incorporates comments.
    - Will feed open issues into issue tracker.
    - Appropriate URLs will be posted to list
  - open issues to be dealt with in October and November
  - -09 to incorporate resolution to open issues in November.
  - WGLC January 2007
  - Go to IESG for BCP.

Rob Austein suggested that this draft is the "poster child" for bad file
names.
  "In favour of changing the filename?"
  Room: [significant hum]
  "Opposed to changing the filename?"
  Room: [diffuse hum]

CONCLUSION: strong sense in favour of filename change

ACTION(chairs/editors): Change filename when reviving the draft
ACTION(chairs/editors): Feed issue tracker

-------------------------------------------------------------------------------
6) Other (non WG) Internet-Drafts [10:15 {audio 1:25:48}]

6.1 AS 112 [10:16]

http://www3.ietf.org/proceedings/06jul/slides/dnsop-0.pdf

Presentation by Joe Abley covers
  - draft-jabley-as112-being-attacked-help-help-00.txt
  - draft-jabley-as112-ops-00.txt
  - Related work: draft-ietf-dnsop-default-local-zones
    - Contains many more zones than AS 112
  - No current good process for adding new zones to AS 112
  - No process for new transports for AS 112, e.g. adding IPv6
  - Adoption by WG?

Of the people in the room ~10 are involved in running AS 112 instances and
~40 have read the AS112 drafts.

Joe pointed out that these documents are not intended to blackhole the
phone calls to the ISC NOC, but should serve as a credible source (RFC) to
point to. In addition, there is future work, e.g. coordination with
draft-ietf-dnsop-default-local-zones.

Subject of further discussion was what the WG was expected to do given
that the documents seemed almost ready. The authors felt that the dnsop WG
was the broadest forum (compared to NANOG, RIPE, ...) and also the best
approximation of AS112 operators. Also, Joe suggested that AS112 was IANA
sponsored central infrastructure.

Target status of these documents would be "Informational", including an
IETF Last Call.

The sense of the room was in favour of adoption of AS112 issues as a WG
item. There is more work to do than review the two drafts, given the open
questions. No names for volunteer reviewers were recorded.
ACTION(chairs): Ask mailing list for adoption of AS112 issues

---------------------------------------------------------------------------
6.2 Cookie Validation/SubTLD structure [10:34 {audio 1:45:05}]

http://www3.ietf.org/proceedings/06jul/slides/dnsop-1.pdf

Presentation by Yngve Pettersen covers
  - draft-pettersen-subtld-structure-00.txt
  - draft-pettersen-dns-cookie-validate-00.txt

Background: These drafts are not being proposed for WG adoption. The
author would like cross-area advice before proceeding with work.
  - The author would like from WG:
    - Feedback
    - Suggestions for possible alternative approaches
    - CRISP has been mentioned to me.

Olaf Kolkman added a third option to the two on the slides: fix the policy
protocol; IETF should not specify this kind of hack and there should be no
meaning assigned to the content and/or position of labels.

Rob Austein (no hats) suggested that option 2 (dns-cookie-validate)
seriously missed why some people put IP addresses in DNS and would have
little chance to go forward, also because it touches address policy.
There might be a way to put an explicit RR in the DNS saying "I am/am not
a registry". Yngve: DNS might not be available directly.

Peter Koch (no hats) has seen similar ideas in DKIM and GEOPRIV.
Administrative hierarchy neither infers nor follows the hierarchy of the
DNS, but people are trying to subvert this principle all the time.
Presenter is taking blame for mistakes made years ago.

Rob Austein suggested that the most Draconian approach would be to just
outlaw cookies that extend to more nodes than exactly the one that set
them.

Sam Weiler suggested a solution at the application layer by having
servers insist on getting authenticated cookies.
No conclusions, no actions

---------------------------------------------------------------------------
6.3 draft-pappas-dnsop-long-ttl-02.txt [11:03 {audio 2:12:52}]

http://www3.ietf.org/proceedings/06jul/slides/dnsop-3.pdf

Lixia Zhang's presentation covers draft-pappas-dnsop-long-ttl-02.txt.

Clarification: the presentation is only talking about TTL settings for NS
RRs and associated A/AAAA RRs, i.e. "infrastructure" RRs. Does not
interfere with load balancing or "dynamic DNS".

  - Questions to WG
    - Have we missed any major issues?
    - Is the WG interested in taking on the topic of infrastructure TTL
      recommendations?

Alex Mayrhofer (NIC.AT) is seeing the "load balancing game" in switching
ISPs more than once per day.

Lars Liman agrees that it is important to convey that long TTLs have an
effect on the stability of the network. Should have text which says what
the trade-offs are rather than making recommendations.

Rob Austein (no hat) agrees with Liman that we need to document trade-offs.
Prefers to take this on as a WG item, but not this specific document.

Mark Andrews would like to see recommendations against very low TTLs on NS
RRs.

Peter Koch suggested that the new doc would reference the research paper
but not copy it. After that he took a "hum":
  "Who is in favour of taking this topic up, with the addition that we are
   not talking about recommendations but trade-offs?"
  Room: [loud hum]
  "Against?"
  Room: [no audible hum]

CONCLUSION: strong support for adoption

Since there was strong support for adopting the work item, the chairs
asked for volunteer co-editors and reviewers (pending additional
nominations on the WG mailing list):

Editors:
  - Joe Abley
  - Howard Eland

Reviewers:
  - Mark Andrews
  - Greg Berezowsky
  - Olafur Gudmundsson
  - Frederico Neves
  - Marcos Sanz
  - Geoffrey Sisson
  - Andrew Sullivan

-------------------------------------------------------------------------------
7) Current & New Topics [11:26 {audio 2:36:58}]

7.1 "_underscored" names considered -- is a registry needed?
  - draft-crocker-dns-attrleaf-01.txt
  - draft-lear-iana-no-more-well-known-ports-01.txt

Bill Fenner points to draft-fenner-iana-dns-srv-00.txt proposing a
registry for underscore names to alleviate the problem in Bonjour where
you need to have a port number to get a name.

Peter's summary: three different proposals exist, one for an SRV name
registry, one to drop well known port registration and one for a general
underscore name registry. Premature to take up as a WG item.

ACTION(Bill Fenner): Send pointers to the WG mailing list

-------------------------------------------------------------------------------
8) I/O with other WGs [11:28 {audio 2:38:58}]

8.0 dnsext

draft-eastlake-dnsext-cookies-00.txt was discussed in dnsext but the
operational requirements and/or consequences remained unclear. dnsext
asked dnsop for input.

Discussion showed many people had read the draft and some had concerns
about deployment and scalability. No conclusion.

ACTION(chairs): phrase the question to the WG and pick an appropriate
time so that we can respond to the dnsext WG request before the next IETF
with a response regarding requirements

8.1 ENUM [11:34 {audio 2:45:06}]

ENUM WG has been working on draft-conroy-enum-edns0-02.txt about requiring
EDNS0. Draft is going to WGLC.

Lars Liman pointed out that the draft contained some pretty strong words,
lots of MUSTs, which should be closely looked at.

ACTION(chairs, Alex Mayrhofer): copy enum WGLC to dnsop

8.2 mboned [11:37 {NO audio}]

Peter Koch reported about an effort to define the future of MCAST.NET.
Nothing yet to do for the dnsop WG.

8.3 other WGs [11:38 {NO audio}]

v6ops has draft-ietf-v6ops-scanning-implications-00.txt awaiting WGLC.
Draft might have implications on v6 reverse mapping, essentially ruling
that out, if "hiding" the v6 hosts in the address space was considered
desirable.

ACTION(Peter Koch): Send pointer to the list

-------------------------------------------------------------------------------
9) A.O.B.
[11:39 {NO audio}]

Ed Lewis and Doug Otis pointed the WG to DKIM's use of the DNS. Doug also
mentioned amplification issues with SPF data, documented in
draft-otis-spf-dos-exploit-01.txt.

-------------------------------------------------------------------------------