dnsop-ietf88-minutes.txt

WG: DNS Operations (dnsop)
Meeting: IETF 88, Vancouver
Location: Regency B
Date: Thursday, 5 November 2013
Time: 15:20 - 16:50 (UTC +01:00)
Chairs: Tim Wicinski (tim.wicinski@teamaol.com)
        Peter Koch (pk@denic.de)

0) Introduction

Non-interested people should go towards the door.

1) Administrivia, Blue Sheets, etc.

Nothing to report.

2) Status Updates (10 minutes)

2.1) DNS Prefetch Performance Data from W.C.A. Wijngaards
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-10.pdf

Data collected from a SURFnet resolver, graphed with Cacti.
1.5 % of total qps prefetched.
Latency improvement not really noticeable.

Paul Wouters: because prefetching is useful only on small devices?
Warren Kumari: statistics too global, some names are better handled by prefetching.
Brian Somers/OpenDNS: prefetching is good to avoid stalling everyone when the TTL expires.

Action: Turn it into a new I-D, combining data and algorithm.

2.2) Call for adoption: draft-hardaker-dnsop-csync

Wes Hardaker: Summary: publish in the child a list of things to copy into the parent (NS, A, DS - removed after Berlin, see CDS, etc.). Ready for WG adoption.
20 readers of the draft.
Evan Hunt: csync is pull, the competitor (dynamic update, see Mark Andrews) is push. We should wait to discuss which strategy to use until both proposals have been presented.
Wes Hardaker: we can have both.

3) Open Items

3.1) CDS/CDNSKEY Discussion, Kumari-Olafur (20 minutes)
draft-kumari-ogud-dnsop-cds
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-1.pdf

Olafur Gudmundsson: now two RRs, CDS and CDNSKEY, with rules on how to choose (do not check consistency). Pull mode (polling). Possible push with NOTIFY or UPDATE?
30 readers of the draft.
Evan Hunt: same remark as before (we should use Mark Andrews' push with UPDATE).
Paul Wouters: why this mechanism when we have csync?
Olafur Gudmundsson replies: DNSSEC has some specific requirements (timing).
Paul Hoffman: NOT ready for WGLC.
None of the 2 documents explains why there is a split between the two strategies.
Mark Andrews: could replace RFC 5011 as well.
[name missed]: Not for dnsop because new protocols?
Olafur: No, just a mechanism, with new RR types.
Peter Koch: I'll be sure we don't go into protocol changes, don't worry.
Wes Hardaker: csync cannot pre-publish, that's a difference.

3.2) DS Query Increase, Fujiwara (10 minutes)
draft-fujiwara-dnsop-ds-query-increase
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-2.pdf

Summary: the number of DS queries increases faster than the number of validators.
Many repeated queries, following the timing of the negative caching (NCACHE is 900 s, RR TTL is 86400 s).
Problem since most domains are not signed.
Also tested in the lab with BIND and Unbound, same behavior.
Solutions?
Maybe increase the NCACHE TTL, despite RFC 2308.
Add a dummy DS (with a new digest type meaning "unsigned") for popular names? Tested with BIND and Unbound, which work well with this. [Google Public DNS fails, tested during the meeting]. Increases the signing load if opt-out.

Brian Dickson: other solution: do not opt out.
Mark Andrews: charge more money for unsigned domains.
Antoin Verschuren: the problem will be solved by universal deployment of DNSSEC.
Question: Is it actually a problem for the group? Vast majority of NO.
At least documenting it?
Roy Arends: not a problem on Nominet data, for instance.
Antoin Verschuren: not a problem, but improving resolution and making it more efficient is always nice.
Chair: documenting the observations, OK, but without the recommendations of solutions.

3.3) PCP to update Dynamic DNS, James Huang (10 minutes)
draft-deng-pcp-ddns
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-3.pdf

From another WG, requiring DNS expertise.
DDNS for small home gateways. Used a lot to have a fixed name. Also, some people use nonstandard-protocol-over-HTTP for that.
Solution proposed: standard practices for dynamic DNS when there is massive address sharing (CG-NAT). No change to the protocol.
Incoming HTTP to the user's home network: very difficult. Use SRV records?
Really a matter for dnsop? Or Apps Area (Mark Andrews)?
Zero readers of the draft.
Andrew Sullivan: IPv6 will solve the problem.
Joel Jaeggli: legacy clients (v4 only) won't use SRV anyway.
General feeling seems to be there is no interest.

3.4) AS112 with DNAME, Abley (10 minutes)
draft-jabley-dnsop-as112-dname
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-4.pdf

The problem of adding and dropping zones to AS112: very difficult, we never know when all servers are configured for the new zones.
Omniscient AS112? It requires custom code.
Use DNAME? Nice, but does it work? Yes (tested with APNIC Flash clients).
Geoff Huston: methodology of the test: two Web bugs, one with DNAME and one without.
Adopt the document? Towards 6304bis?
15 readers (just 1 or 2 AS112 operators among them).
* No objection to the adoption by the WG.

3.5) Remote-Triggered DNS Cache Flushes, Abley (10 min)
draft-jabley-dnsop-flush-reqs
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-5.pdf

Allows auth. servers to remotely flush the caches, for instance when a registry is hijacked.
The proposed mechanism (dynamic update) was rejected in Berlin. So, back to use cases and requirements. Could be made more complete.
Adoption by the WG? 10 readers. Show of hands: some strong objections.
Johan Ihrén: I understand it is painful to make a mistake and not be able to fix it because of caching [minutes taker personal note: the problem is not only mistakes but also hijackings]. If there were a simple solution, OK. But there is not, it doesn't scale. Will US providers act on behalf of a zone master in Indonesia?
Antoin Verschuren: scaling is the big issue. Caching is great for the DNS, we should not override it.
David Conrad: object because it would be protocol development.
Discussion taken to the list (a bit controversial).

4) Non Actionable WG Items

4.1) edns-tcp-chain-query and edns-tcp-keepalive, Paul Wouters (15 minutes)
draft-wouters-edns-tcp-chain-query
draft-wouters-edns-tcp-keepalive
http://tools.ietf.org/agenda/88/slides/slides-88-dnsop-6.pdf

DNSSEC requires many round-trips to get all the data needed for validation. Need a way to retrieve everything in one stroke. Useful for high-latency networks (cell phones).
Should we include NS and glue (not formally required for validation)?
Second draft: keep the TCP connection open. Already a patch for dig. Works with Unbound, BIND, OpenDNS (Google closes after 64 queries).
Andrew Sullivan: good idea.
Joe Abley: could be made more general, TCP by default (because it cheaply validates the IP address), UDP as a fallback.
Brian Dickson: just be sure that the client does not expect the TCP session to stay alive.
Now, which home for these drafts? No obvious place.

5) New Items

5.1) IPv6 Multicast PTR records, Abley (5 min)
draft-jabley-multicast-ptr
http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-7.pdf

Skipped, handled in the mboned meeting.

6) Late!

6.1) Evan Hunt/Mark Andrews, IPv6 reverse prefix delegation, parent zone updates
draft-andrews-dnsop-pd-reverse
http://tools.ietf.org/agenda/88/slides/slides-88-dnsop-8.pdf

Presented by Evan Hunt.
Delegating the reverse prefix zone when using prefix delegation (with DNSSEC).
draft-andrews-dnsop-updating-parent-zones
See csync. This solution uses dynamic UPDATE.
Wes Hardaker: more options are nice but... we already have existing solutions (custom protocols with registrars). We already have a secure mechanism, DNSSEC, let's use it.
Marc Blanchet: prefix delegation is for millions of customers. But a name server at the customer's premises is uncommon.
Paul Hoffman: several solutions is OK because they have different operational impacts.
Warren Kumari: too complex while today, things just barely work.
Lee Howard: should be discussed in Homenet, it's their job.
Dan York: DNSSEC deployment really needs a solution for this problem. We need something really simple for the registrars, which have no money margin.
Warren Kumari: CDS could be improved by adding a trigger mechanism [minutes taker personal note: like DNS serial query + NOTIFY?].
Evan Hunt: csync and CDS are simple, but you don't know if the TLD implements it and it will take time to find out they don't. With this solution, you know immediately that something is missing.
Adoption of documents? Postpone the prefix delegation thing.
CSYNC hum: not a lot of Yes, but silence on No.
Dan York: we seem to miss a strategy, we should choose, have a plan.
Chair: there is no consensus pro or against a solution.
10 readers of Mark Andrews' drafts.
Adopting the work item and not individual drafts?
Joe Abley: let's go back to requirements? Or a mini-charter (Olaf Kolkman)?
Donald Eastlake announced the revival of DNS cookies.

7) After Meeting Reading

draft-mglt-homenet-dnssec-validator-dhc-options
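Worked illustration of the negative-caching effect reported under item 3.2 (DS query increase), added here as an example; it is not part of the minutes or of draft-fujiwara-dnsop-ds-query-increase. It simulates a validating resolver's cache with the TTLs cited in the meeting (NCACHE 900 s, DS RR TTL 86400 s) and counts the DS queries sent to the parent per day; the client query interval and the dummy-DS modelling are assumptions.

```python
# Added example (not from the minutes or the draft): count the DS queries a
# validating resolver sends to the parent in one day for a signed vs. an
# unsigned child, under RFC 2308 negative caching. TTLs are the ones cited in
# item 3.2; the client query interval is an assumption.
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass
class DsCacheEntry:
    """Cache state for one name's DS lookup: the entry is either the positive
    DS RRset (signed child) or a cached NODATA proof (unsigned child)."""
    positive_ttl: int       # TTL of the DS RRset published by the parent
    negative_ttl: int       # min(SOA MINIMUM, SOA TTL) of the parent, RFC 2308
    expires_at: int = -1    # absolute time at which the cached entry expires
    upstream_queries: int = 0

    def lookup(self, now: int, positive: bool) -> bool:
        """Return True if the lookup went upstream, False if served from cache."""
        if now < self.expires_at:
            return False
        self.upstream_queries += 1
        self.expires_at = now + (self.positive_ttl if positive else self.negative_ttl)
        return True


def ds_queries_per_day(child_signed: bool, client_interval: int,
                       negative_ttl: int = 900, positive_ttl: int = 86400,
                       dummy_ds: bool = False) -> int:
    """Simulate one day of client lookups arriving every client_interval
    seconds and return how many DS queries reached the parent. A dummy DS
    (the "unsigned" digest type idea) is a positive answer, so it is cached
    with positive_ttl even though the child is unsigned (assumption)."""
    entry = DsCacheEntry(positive_ttl=positive_ttl, negative_ttl=negative_ttl)
    for now in range(0, DAY, client_interval):
        entry.lookup(now, positive=child_signed or dummy_ds)
    return entry.upstream_queries


if __name__ == "__main__":
    # Signed child: one DS query, then the RRset is cached for 86400 s.
    print("signed, 1 lookup/min  :", ds_queries_per_day(True, 60))
    # Unsigned child: the NODATA entry expires every 900 s -> 96 queries/day.
    print("unsigned, 1 lookup/min:", ds_queries_per_day(False, 60))
    # Mitigation discussed: raise the negative TTL (against RFC 2308 practice).
    print("unsigned, NCACHE 86400:", ds_queries_per_day(False, 60, negative_ttl=86400))
    # Mitigation discussed: publish a dummy DS for popular unsigned names.
    print("unsigned, dummy DS    :", ds_queries_per_day(False, 60, dummy_ds=True))
```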