Thanks again to Johan for serving as scribe.

        Dave & Rob


---
Domain Name System Operations (dnsop) Minutes

MONDAY, March 7, 2005 (1930-2200)
=====================================

CHAIR(s): David Meyer <[email protected]>
          Rob Austein <[EMAIL PROTECTED]>

AGENDA

 o Administrivia                                         5 minutes

   - Mailing list: [EMAIL PROTECTED]
     subscribe dnsop

   - Scribe(s)?
      Jabber
      Other 

   - Blue Sheets

 o Agenda Bashing                                        5 minutes
   Meyer                                           

 o Review and status of work items                       

   Active Drafts
   -------------
   draft-ietf-dnsop-bad-dns-res-03.txt                   5 minutes
     Larson/Barber
   draft-ietf-dnsop-dnssec-operational-practices-03.txt  5 minutes
     Kolkman, et al.
   draft-ietf-dnsop-inaddr-required-06.txt               8 minutes
     Senie
   draft-ietf-dnsop-key-rollover-requirements-02.txt     5 minutes
     Guette, et al.
   draft-ietf-dnsop-ipv6-dns-configuration-05.txt        2 minutes
     Jeong, et al.

   Expired Drafts
   --------------
   draft-ietf-dnsop-respsize                             2 minutes
     Vixie/Kato
   draft-kato-dnsop-local-zones                          2 minutes
     Vixie/Kato
   draft-ietf-dnsop-serverid-02.txt                      5 minutes
     Wolfe

   Potential WG Items
   ------------------
    To publish, or not to publish,...                    5 minutes
     draft-durand-dnsop-dont-publish-00.txt
     Durand

   6to4 Reverse DNS Delegation                           5 minutes
     draft-huston-6to4-reverse-dns-03.txt
     Huston

   Split-View DNSSEC Operational Practices               8 minutes
     draft-krishnaswamy-dnsop-dnssec-split-view-00.txt
     Krishnaswamy

   Provisioning data needed for DNSSEC                  10 minutes
     draft-hollenbeck-epp-secdns-06.txt
     Hollenbeck

   DNS authoritative server misconfiguration             10 minutes
     draft-fujiwara-dnsop-bad-dns-auth-02.txt
     Fujiwara, et al.

   DNS transport issues                                  10 minutes
     draft-fujiwara-dnsop-dns-transport-issue-00.txt
     Fujiwara

   A Practical Approach for DNS server specification     5 minutes
     draft-yasuhiro-dnsop-increasing-dns-server-02.txt
     Morishita



   Other Issues
   -------------

   Tunnel end-point discovery using DNS                 10 minutes
     draft-palet-v6ops-tun-auto-disc-03.txt (Section 3.2)
     Savola

   The DNS Phase In Problem                             10 minutes
     Koch 

   Technical pieces for DNSSEC deployment                7 minutes
      Krishnaswamy



Status of Active Drafts
-----------------------

         draft-ietf-dnsop-bad-dns-res-00: ready to push out

         draft-ietf-dnsop-dnssec-operational-practices-00: slightly
                 rearranged, one changed definition

         draft-ietf-dnsop-inaddr-required-06: enough people seem to
                 care to make it worthwhile to push this forward
                 in the present direction

         draft-ietf-dnsop-key-rollover-requirements-02: comments solicited

         draft-ietf-dnsop-ipv6-dns-configuration-05:

Status of Expired Drafts
-------------------------

         draft-ietf-dnsop-respsize:
             bill manning: this is an important document that
             should be moved forward. Also important because it
             is directly referenced to by ICANN documents
             moussen soussi: this draft has been and will be very
             useful to TLDs computing the consequences of adding
             v6 glue 

             rob austein: will go to last call

         draft-kato-dnsop-local-zones:
             akira kato: concerns significant additional traffic
             hitting roots 
        
             bill manning: I don't like it, step towards incoherency

         draft-ietf-dnsop-serverid-02:
             suzanne woolf: intended as a replacement for
             hostname.bind, not enough comments so it expired 
             rob austein: don't wait for comments, this is ready
             for LC 

Potential WG Items
-------------------

         draft-durand-dnsop-dont-publish-00.txt
             goals: restart talk on what should be published or
             not in DNS. issues: ambiguity, unreachability, new
             v6 stuff: transition phase, globally unique local
             addrs recommendation: when publishing multiple
             addresses take care to not publish at the same time
             addrs designed to be globally unique and addrs that
             are not 

             ed lewis: when solving this problem don't let the
             public net suffer from what you want to do
             internally 
             bill manning: keep your grubby hands out of my
             zone. reachability is in the eye of the beholder 
             lars-johan liman: the interesting thing is not the
             publishing (in DNS) but rather what the domain names
             are being used for *after* they have been published
             rob austein: there are costs (to others) associated
             with having unreachable stuff in the DNS. that ought
             to be documented
             keith moore: if you're seeing limited scope
             addresses published in DNS then that's a sign of
             other problems and it is not DNS' task to solve
             these 
             john schnizlein: split-DNS is ...
             rob austein: I declare split-DNS out of topic for
             this one 
             rob austein: i hear interest in this draft

         draft-??-ipv6-dns-configuration (?)

             david kessens: no question, answers for you: this
             document has been considered by the iesg and there
             are a number of comments. It is possible to go
             forward even without addressing all the comments
             given some sort of "warning label".
             rob austein: the problem is that we've failed to
             reach consensus on this issue for a number of years
             and it is time to stop trying and just move on. This
             document represents a lot of effort in documenting
             the various issues involved.
             pekka savola: ought to be possible to publish this
             document without the iesg warning label 
             rob austein: this document was never intended to
             reach consensus 
             david kessens: next step is to publish asap

         draft-huston-6to4-reverse-dns-03:

             geoff huston: ...self-service style cafeteria webpage...
             bill manning: as the existing maintainer of 2002:: i
             strongly support this as I'm tired of maintaining it
             mark andrews: we could do this all in dns, no need
             to go to http 
             geoff huston: ...or we could go out and do something
             bill manning: don't make this a wg item, instead
             just ship it
             geoff huston: may benefit from a round in DNSOP, but
             I'm fine either way 

         draft-krishnaswamy-dnsop-split-view...

             suresh krishnaswamy: documents a way to config
             split-DNS with DNSSEC. This document is not about
             information hiding. split-views and DNSSEC may seem
             mutually conflicting. 

             keith moore: example doesn't show apps
             rob austein: we're not here to debate split dns in
             general, this is limited to DNSSEC applied to split
             DNS given that split DNS will be used regardless
             ed lewis: split-view is essential, good to get it
             documented 
             sam weiler: disagree with keith
             bill manning: advance it. the philosophical issues
             are not a topic for this WG
             russ mundy: important to get modern documents on how
             to get DNSSEC working in present environments 

         draft-hollenbeck-epp-secdns-06.txt

             scott: last remaining question:
                 DS publish start and end
                 DS TTL
                 DS signing interval
                 RRSIG(DS) lifetime

             ed lewis: this is what I came here for. DS is unique in
                 the sense it is the only RR that is only available at
                 the parent. Important that the parent doesn't tell too
                 much about the child.
             ed lewis: RRSIG(DS) lifetime is crucial in the case
             where the child's key is compromised. Even if the
             child replaces the key quickly it is still possible
             for the attacker to generate new RRSIGs (with the
             compromised key) that will be accepted as valid if
             the RRSIG(DS) is still out there.
             ogud: drop the ttl, the reason for it is too weak
             marka: concur
             ed lewis: if we set the signature that will cap the
             ttl too, and that's perhaps sufficient
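Added example (not part of the minutes, not from any of the drafts above): a toy model, on a timeline measured in days, of the point Ed Lewis makes about RRSIG(DS) lifetime. A validator accepts a child-zone signature when a signed DS RRset at the parent still vouches for the signing key; an attacker holding the child's key can replay the old signed DS RRset until its RRSIG(DS) expires, so rolling the child key does not close the window, while a shorter RRSIG(DS) lifetime does. The key tags, TTLs and dates are constructed; the TTL cap follows RFC 4035 section 5.3.3.

```python
# Added example, not from the minutes: toy model of how the RRSIG(DS) validity
# window bounds the damage from a compromised child key.  Timeline is in days,
# and every key tag, TTL and date below is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RRSIG:
    key_tag: int        # key tag of the key that produced the signature
    inception: int      # validity start (day on the toy timeline)
    expiration: int     # validity end, inclusive


@dataclass(frozen=True)
class SignedDS:
    """The DS RRset for a child zone as published and signed at the parent."""
    child_key_tag: int  # key tag of the child key that the DS hashes
    ttl: int            # DS TTL, in days on the toy timeline
    rrsig: RRSIG        # RRSIG(DS), made with the parent's zone key


def in_window(sig: RRSIG, now: int) -> bool:
    """Signature validity check; independent of any cache age."""
    return sig.inception <= now <= sig.expiration


def chain_validates(ds: SignedDS, child_sig: RRSIG, now: int) -> bool:
    """A child RRSIG is accepted iff a signed DS for the same key is inside its
    RRSIG(DS) window and the child RRSIG is inside its own window.  The DS RRset
    may have been replayed rather than fetched fresh, so whether the parent has
    since removed the DS plays no role here; only the RRSIG(DS) window does."""
    return (ds.child_key_tag == child_sig.key_tag
            and in_window(ds.rrsig, now)
            and in_window(child_sig, now))


def effective_cache_ttl(ds: SignedDS, now: int) -> int:
    """RFC 4035 section 5.3.3: a validator must not cache an RRset beyond its
    RRSIG expiration, so the signature lifetime caps the TTL."""
    return max(0, min(ds.ttl, ds.rrsig.expiration - now))


def last_day_forged_sig_validates(old_ds: SignedDS, compromise_day: int) -> Optional[int]:
    """Day by day, the attacker forges a one-day RRSIG with the compromised
    child key and replays the old signed DS RRset next to it.  Returns the last
    day a validator still accepts the forgery, or None if it never does."""
    last = None
    for now in range(compromise_day, old_ds.rrsig.expiration + 2):
        forged = RRSIG(key_tag=old_ds.child_key_tag, inception=now, expiration=now + 1)
        if chain_validates(old_ds, forged, now):
            last = now
    return last


# Constructed scenario: the parent signed the DS RRset for child key 1111 on
# day 0; that key is compromised on day 3 and the child rolls to key 2222 on
# day 4.  The roll is irrelevant to the forgery window, which is why the roll
# day does not even appear as a parameter above.
PARENT_KEY_TAG = 9999
LONG_LIVED_DS = SignedDS(child_key_tag=1111, ttl=2,
                         rrsig=RRSIG(PARENT_KEY_TAG, inception=0, expiration=30))
SHORT_LIVED_DS = SignedDS(child_key_tag=1111, ttl=2,
                          rrsig=RRSIG(PARENT_KEY_TAG, inception=0, expiration=5))

if __name__ == "__main__":
    for label, ds in (("30-day RRSIG(DS)", LONG_LIVED_DS),
                      ("5-day RRSIG(DS)", SHORT_LIVED_DS)):
        print(f"{label}: forged child signatures validate until day "
              f"{last_day_forged_sig_validates(ds, compromise_day=3)}")
    # The old DS never vouches for the new key 2222, so the roll itself is sound;
    # it just cannot revoke what the old signed DS RRset still asserts.
    print("old DS accepts new key:",
          chain_validates(LONG_LIVED_DS, RRSIG(2222, 10, 11), now=10))
    # Near expiry the remaining signature lifetime, not the DS TTL, bounds caching.
    print("cache TTL on day 29:", effective_cache_ttl(LONG_LIVED_DS, 29))
```

The model deliberately ignores the DS TTL when deciding validity, because a replayed RRset bypasses cache age entirely; that is the gap the minutes describe, and it is why the RRSIG(DS) lifetime, not the TTL, is the parameter that caps the exposure.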

         draft-fujiwara-dnsop-bad-dns-auth-01:

             Highlights details. Transport issues ripped out into
             separate doc:  
         draft-fujiwara-dnsop-dns-transport-issue-00
                 Rewrite needed and will be done. Issues over
                 EDNS0 and TCP need more exposure. 

         draft-yasuhiro-dnsop-increasing-dns-server-02.txt

     Pekka Savola: Tunnel end-point discovery:
         draft-palet-v6ops-tun-auto-disc-03.txt
             ...forward tree. May be issues here.
             ...reverse tree. Assumes pre-population of whole reverse
                 tree, including the rfc1918 space.
             Must work through unmodified NAT-boxes.
         Wants comments on feasibility of assuming pre-population ok.
         Whether using DNS search path can be on the table.

         keith moore: upside down approach having yet another
         network layer service depend on DNS. DHCP would seem
         more appropriate and better to solve the issues with a
         DHCP approach.
         mark andrews: If you go to a different suffix (i.e. not
         in-addr.arpa) then you can pre-populate with wildcards. 

     Peter Koch: DNS Phase In
         New feature discovered/implemented. Need lookup
         service. Use DNS. Initial deployment: existence of FOO
         means YES, absence means NO or don't care. Want a !FOO
         to be able to distinguish between NO and "don't
         care". Problem does occur. One example is ENUM (or
         perhaps structured name spaces in general)

         alain durand+mark andrews+rob austein: Discussion on
         whether there is a real need. 
         sam weiler: poorly defined problem
