Dear WG,

the draft version of the Montreal meeting minutes is now available at
<http://www3.ietf.org/proceedings/06jul/minutes/dnsop.txt> and in this
mail. Please read and comment. Changes will be applied to the online
version, which will turn final on August, 28th.

Please have a look at the various volunteer lists and the actions, which
will be dealt with in no particular order during the next days.

-Peter

PS: Thanks to Geoff Sisson for scribing; in any case he did not unlearn English,
    so all (post editing) mistakes are mine.
-----------------------------------------------------------------------------
        DRAFT   dnsop WG minutes for IETF 66, Montreal
-----------------------------------------------------------------------------
WG:        DNS Operations (dnsop)
Meeting:   IETF 66, Montreal
Location:  Palais des Congres de Montreal, Room "513C-F"
Date:      Thursday, 13 July 2006
Time:      09:00 - 11:30 (UTC -0400)
Chairs:    Rob Austein, Peter Koch
Minutes:   Geoffrey Sisson
Jabber:    xmpp:[EMAIL PROTECTED]
J-Scribe:  Alex Mayrhofer, Jelte Jansen
J-Script:  http://www.ietf.org/meetings/ietf-logs/dnsop/2006-07-13.html
Audio:     
http://limestone.uoregon.edu/ftp/pub/videolab/media/ietf66/ietf66-ch3-thur-am.mp3
WG URL:    http://www.dnsop.org
Material:  
https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66
-----------------------------------------------------------------------------

1)  Administrivia   [09:03 {audio 0:13:21}]

    Minutes scribe and jabber scribes as listed in the header
    Blue sheets were circulated
    Agenda as posted on July 3rd was accepted without changes

-------------------------------------------------------------------------------

2)  Status Update   [09:05]

    RFCs published:

      - RFC 4472 - "Operational Considerations and Issues with IPv6 DNS"
          - f.k.a. draft-ietf-dnsop-ipv6-dns-issues-12.txt
          - Published in April

    Internet-Drafts in RFC Editor queue:

      - draft-ietf-dnsop-dnssec-operational-practices-08.txt
          - In RFC-EDITOR state
          - Should go to AUTH48 by end of month

    Internet-Drafts in or past WGLC:

      - draft-ietf-dnsop-bad-dns-res-06.txt
          - IETF Last Call requested

      - draft-ietf-dnsop-serverid-07.txt
          - awaiting nits review and PROTO writeup

      - draft-huston-6to4-reverse-dns-05.txt
          - Chairs have asked the Security Area Directorate for review
              - Issue with using IP addresses as part of an
                      authorisation mechanism
              - SecDir had some remarks, will be addressed in -06
              - SecDir comments: "we understand why you are doing
                      address-based auth, no big deal, just some issues
                      need to be clarified."

-------------------------------------------------------------------------------

3)  Active Drafts   [09:09]

    - draft-ietf-dnsop-reflectors-are-evil-01.txt
    - draft-ietf-dnsop-default-local-zones-00.txt
    - draft-ietf-dnsop-respsize-03.txt

    ---------------------------------------------------------------------------

3.1 draft-ietf-dnsop-reflectors-are-evil-01.txt   [09:11 {audio 0:20:38}]
    http://www3.ietf.org/proceedings/06jul/slides/dnsop-4.ppt

    Frederico Neves presented changes from -00 to -01; many typos were fixed
    and minor changes applied. Plans for the upcoming -02 version are:
    - will add recommendations for vendors, not just operators
    - will introduce some text about SOHO devices.
    - obscure acronyms to be removed
    - will add text about IP-based filtering

    There are three open issues to be discussed in the meeting:

    - Open Issue #1: title
      "Preventing Use of Nameservers in Reflector Attacks"
      The editors propose to insert "recursive" before "Nameservers"

      Pekka Savola asked to cover not only the abuse of recursive servers
      but of authoritative servers as well. Frederico explained that
      the draft mentions other attacks and remaining risks and the chairs
      clarified that the editors' task was to explicitly cover the
      "open recursive nameserver" case. While Pekka disagreed with the
      focus of the document, he was asked to submit text if he felt that
      the focus was not explained clearly enough to serve the target audience.
      Rob Austein reminded the WG that it might revisit this focus decision.
      Olaf Kolkman recommended against that.
      
      In the following discussion some people showed support for the
      editors' proposal. Pekka disagreed because he felt the addition
      of "recursive" would limit the scope of the document. Other suggestions
      for changes were made. There was no clear way forward given the
      options

      - Keep title as is
      - Add "recursive" to title
      - follow Ed's suggestion

      ACTION(chairs): Take this issue to the WG mailing list
                      (but do not permit discussion to run as it
                      did for the -inaddr-required doc).


    - Open Issue #2: is text needed on a recommended response to
                     undesired queries?
      {audio 0:37:14}

    Frederico explained that the draft currently does not make a recommendation
    on how a recursive nameserver should react to undesired queries. On the
    list, Joe Abley had asked for some guidance for operators to appear in
    the draft.

    Mark Andrews pointed out that from the perspective of the iterative
    resolver "no response" was not a good solution and he'd like to see some
    response. A "REFUSED" response would not amplify.

    The chairs clarified that the first question is whether or not to
    address this and only the second would be what the recommendation
    could look like. Basic problem: how would the nameserver know for
    sure it is an attack?

    Joe asked for some guidance instead of just telling the operator what
    _not_ to do. Joao Damas pointed out that the operator would depend on
    what vendors implement anyway. Joe: Operator could choose to block the
    queries at the firewall independent of nameserver implementation.

    Mark suggested that the actual specification of the best response
    be handed over to dnsext, and Olaf Kolkman (dnsext co-chair) acknowledged
    that dnsext would be willing to look into this. At the same time he
    suggested that the draft under discussion should not contain normative
    text on this. Joe agreed that if there was no simple solution he would
    be fine with having no guidance in the document.
    Pekka suggested to discuss the trade-offs of the different responses,
    but it was suggested - with reference to Peter Koch's I-D on the
    topic - that this might not be done in only a few sentences and could
    delay the progress of the draft.

    A "hum" was taken by Peter Koch:

    "Who can live with not making a recommendation [on how not to answer
     queries] in doc?"
     Room: [significant hum]
    "Who would really like to have a recommendation [on how not to answer
     queries] in the doc?"
     Room: [no audible hum]

    CONCLUSION: strong sense in favour of going ahead without making a
                recommendation

    - Open Issue #3: keep or remove TSIG recommendation?
      {audio 0:47:28}

    The draft currently recommends either IP address based ACLs or TSIG
    client authentication. Olaf suggested that SIG(0) and TSIG had similar,
    albeit minimal, deployment and should be treated equally.

    After some discussion involving state considerations at the recursive
    resolver and clock accuracy issues for TSIG, a "hum" was taken
    by Rob Austein:

    "Rip it out/don't discuss TSIG or SIG(0)"
     Room: [minimal hum]
    "Leave it as just TSIG?"
     Room: [no audible hum]
    "Have both (add SIG(0))?"
     Room: [loud hum]

    CONCLUSION: That looked like "please add SIG(0)".

    It was noted that there is a recommended default ACL in the draft
    ("local" clients) that should be reviewed.
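    The two technical points above (a REFUSED answer does not amplify, whereas
    an answer from an open recursive server does, and a "local clients" ACL is
    what keeps recursion from outsiders) can be made concrete on the wire. The
    following Python model is an added illustration, not text or code from the
    draft or the minutes; the query name, the ACL prefix and the answer addresses
    are constructed sample values.

```python
import ipaddress
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234, rd=True):
    """Minimal query: 12-byte header plus one question; RD asks for recursion."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Pull the flag bits and section counts a reflector check cares about."""
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF, "ancount": an}

def answer_response(query, addrs):
    """What an open recursive server returns: QR|RD|RA, NOERROR, one A RR per address."""
    msg_id, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", msg_id, 0x8180, qd, len(addrs), 0, 0)
    # Each RR: compression pointer to the question name, type A, class IN, TTL, RDLENGTH, address.
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + query[12:] + rrs

def refused_response(query):
    """REFUSED: QR|RD set, RCODE 5, the question echoed and nothing else."""
    msg_id, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", msg_id, 0x8100 | RCODE_REFUSED, qd, 0, 0, 0) + query[12:]

def amplification(query, response):
    """Bytes sent back per byte received; what a reflector attack multiplies."""
    return len(response) / len(query)

def serve_recursive_query(query, client_ip, local_nets, resolved_addrs):
    """ACL policy: recurse only for clients inside local_nets, answer REFUSED otherwise.
    Only the recursive path is modelled; authoritative data is out of scope here."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(client in ipaddress.ip_network(n) for n in local_nets)
    if parse_header(query)["rd"] and allowed:
        return answer_response(query, resolved_addrs)
    return refused_response(query)

def classify(query, response):
    """How a response to a recursive query looks from the outside."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not-a-response"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"
    if q["rd"] and r["ra"] and r["ancount"] > 0:
        return "open-recursion"
    return "other"

# Constructed sample data: a documentation prefix as the "local" ACL, a query for a
# name under the reserved .test TLD, and twenty answer addresses from another documentation prefix.
LOCAL_NETS = ["192.0.2.0/24"]
QUERY = build_query("example.test")
ADDRS = [f"203.0.113.{i}" for i in range(1, 21)]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        resp = serve_recursive_query(QUERY, ip, LOCAL_NETS, ADDRS)
        print(ip, classify(QUERY, resp), f"x{amplification(QUERY, resp):.1f}")
```

    The outside client gets a 30-byte REFUSED for a 30-byte query (factor 1.0), while the
    ACL-permitted client gets a 350-byte answer (factor above 11).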

-------------------------------------------------------------------------------

3.2 draft-ietf-dnsop-default-local-zones-00.txt   [09:45 {audio 0:54:09}]

    Mark Andrews reported there was only one comment by Pekka suggesting
    to cover 255/8 instead of 255.255.255.255/32. This was resolved by
    pointing out that the current text (255.255.255.255/32) is consistent
    with RFC 3330.

    The title of the draft had been changed for the WG -00 version (now:
    "Locally Served Zones"); nobody in the room voiced any objection.

    A significant number of people had read the latest version of the draft;
    there were no objections to going to WGLC.

    ACTION(chairs): Issue WGLC

-------------------------------------------------------------------------------

3.3 draft-ietf-dnsop-respsize-03.txt  [09:47 {audio 0:58:26}]

    The document was revived to meet the IETF66 I-D submission deadline.
    None of the editors was present. Rob Austein explained the draft's
    background and origin. There were no objections to going to WGLC.

    Volunteers were asked to speak up to meet the "5 reviewers threshold".
    
    - Joe Abley
    - Lars Johan Liman
    - Marcos Sanz
    - Mohsen Soussi
    - Andrew Sullivan
    - Paul Wouters

    ACTION(chairs): Issue WGLC
    ACTION(reviewers (and WG)): Review and send comments

   ----------------------------------------------------------------------------

The chairs summarized the timeline for the three active WG drafts:

    - draft-ietf-dnsop-default-local-zones-00.txt
      - WGLC in July, go to IESG in August
    - draft-ietf-dnsop-reflectors-are-evil-01.txt
      - Update to -02 in July
      - WGLC in August, go to IESG in September
    - draft-ietf-dnsop-respsize-03.txt
      - WGLC in September, go to IESG in October

The room had no objections or suggestions for change.

-------------------------------------------------------------------------------

4) WG Charter   [09:52 {audio 1:03:37}]
   http://www3.ietf.org/proceedings/06jul/slides/dnsop-2.pdf

   Peter Koch summarized the state of the charter discussion, pointing out
   that the WG has only one official milestone left. Some active drafts
   do not yet correspond to any milestone.

   Current activities:
   1) Guidelines for zone configuration params
   2) Guidelines for DNSSEC operational params
   3) Guidelines addressing IPv4/IPv6 coexistence and transition
   4) Review use of existing DNS frameworks in other protocols

   Previous discussion identified three possible additions:
   - Explicitly mention root server issues
   - Performance and benchmarking (methods and terminology)?
   - Transport requirements coming out of DNSSEC

   Lars Liman suggested not mentioning root name servers. He would like
   to avoid creating the notion that they are special. No other opinions
   were voiced.

   Kenji Rikitake explained that the transport issues cover IP fragmentation
   of UDP packets, especially with larger payloads due to DNSSEC. This might
   be covered by the 2nd or 4th item above. After some discussion it was
   suggested to broaden the scope and explicitly address the issue of
   "how DNS messages get from point A to point B and back again".
   Russ Mundy suggested including the role of middleboxes/firewalls here.

   Ed Lewis asked - with reference to item (4) - whether the IAB document
   draft-iab-dns-choices-03.txt would be covered. Olaf Kolkman [IAB]
   explained that the IAB wanted to publish this document real soon now
   and solicited feedback from the WG. Patrik Fältström, as editor,
   seconded. This is not a WG document but the WG is encouraged to review it.
   
   A hum was taken by Rob Austein for the "performance and benchmarking"
   topic:

   "In favour of adding 'Performance and benchmarking methods and
    terminology' to the charter?"
    Room: [significant hum]
   "Opposed to adding?"
    Room: [barely-audible hum]

    CONCLUSION: strong sense in favour of charter add

      ACTION(chairs): draft this into another paragraph for the charter
                      and then circulate it to the WG
      ACTION(WG):     review draft-iab-dns-choices-03.txt

-------------------------------------------------------------------------------

5)  Other WG Drafts  [10:09 {audio 1:20:00}]

5.1 draft-ietf-dnsop-inaddr-required-07.txt

    Status update:
    This (expired) draft is the only remaining item on our milestones list.
    Original editor can't carry on work, so Andrew Sullivan was appointed new
    co-editor (chosen from several volunteers).
    Proposed timeline:
    - -08 in September.  Revives the draft, incorporates comments.
        - Will feed open issues into issue tracker.
        - Appropriate URLs will be posted to list
    - open issues to be dealt with in October and November
    - -09 to incorporate resolution to open issues in November.
    - WGLC January 2007
    - Go to IESG for BCP.

    Rob Austein suggested that this draft is the "poster child" for bad file
    names.

    "In favour of changing the filename?"
     Room: [significant hum]
    "Opposed to changing the filename?"
     Room: [diffuse hum]

    CONCLUSION: strong sense in favour of filename change

      ACTION(chairs/editors): Change filename when reviving the draft
      ACTION(chairs/editors): Feed issue tracker

-------------------------------------------------------------------------------

6)  Other (non WG) Internet-Drafts   [10:15 {audio 1:25:48}]

6.1 AS 112   [10:16]
    http://www3.ietf.org/proceedings/06jul/slides/dnsop-0.pdf

    Presentation by Joe Abley covers
    - draft-jabley-as112-being-attacked-help-help-00.txt
    - draft-jabley-as112-ops-00.txt

    - Related work: draft-ietf-dnsop-default-local-zones
      - Contains many more zones than AS 112
        - No current good process for adding new zones to AS 112
        - No process for new transports for AS 112, e.g. adding IPv6
    - Adoption by WG?

    Of the people in the room ~10 are involved in running AS 112 instances
    and ~40 have read the AS112 drafts.

    Joe pointed out that these documents are not intended to blackhole
    the phone calls to the ISC NOC, but should serve as a credible source (RFC)
    to point to. In addition, there is future work, e.g.  coordination with
    draft-ietf-dnsop-default-local-zones.

    Subject of further discussion was what the WG was expected to do given that
    the documents seemed almost ready. The authors felt that the dnsop WG
    was the broadest forum (compared to NANOG, RIPE, ...) and also the best
    approximation of AS112 operators. Also, Joe suggested that AS112
    was IANA-sponsored central infrastructure.

    Target status of these documents would be "Informational", including an
    IETF Last Call.

    The sense of the room was in favour of adoption of AS112 issues as a
    WG item. There is more work to do than review the two drafts, given the
    open questions. No names for volunteer reviewers were recorded.
    
      ACTION(chairs): Ask mailing list for adoption of AS112 issues

    ---------------------------------------------------------------------------

6.2 Cookie Validation/SubTLD structure   [10:34 {audio 1:45:05}]
    http://www3.ietf.org/proceedings/06jul/slides/dnsop-1.pdf

    Presentation by Yngve Pettersen covers
    - draft-pettersen-subtld-structure-00.txt
    - draft-pettersen-dns-cookie-validate-00.txt

    Background: These drafts are not being proposed for WG adoption.
    The author would like cross-area advice before proceeding with work.

    - The author would like from WG:
      - Feedback
      - Suggestions for Possible alternative approaches
      - CRISP has been mentioned to me.

    Olaf Kolkman added a third option to the two on the slides: fix the
    policy protocol; the IETF should not specify this kind of hack and there
    should be no meaning assigned to the content and/or position of labels.

    Rob Austein (no hats) suggested that option 2 (dns-cookie-validate)
    seriously missed why some people put IP addresses in DNS and would
    have little chances to go forward, also because it touches address
    policy. There might be a way to put an explicit RR in the DNS saying
    "I am/am not a registry". Yngve: DNS might not be available directly.

    Peter Koch (no hats) has seen similar ideas in DKIM and GEOPRIV.
    The administrative hierarchy neither implies nor follows the hierarchy
    of the DNS, but people are trying to subvert this principle all the
    time.  The presenter is taking the blame for mistakes made years ago.

    Rob Austein suggested that the most Draconian approach would be to
    just outlaw cookies that extend to more nodes than exactly the one that
    set them. Sam Weiler suggested a solution at the application layer by
    having servers insist on getting authenticated cookies.

    No conclusions, no actions

    ---------------------------------------------------------------------------

6.3 draft-pappas-dnsop-long-ttl-02.txt   [11:03 {audio 2:12:52}]
    http://www3.ietf.org/proceedings/06jul/slides/dnsop-3.pdf

    Lixia Zhang's presentation covers draft-pappas-dnsop-long-ttl-02.txt.

    Clarification: the presentation is only talking about TTL settings for
    NS RRs and associated A/AAAA RRs, i.e. "infrastructure" RRs. Does not
    interfere with load balancing or "dynamic DNS".

    - Questions to WG
      - Have we missed any major issues?
      - Is the WG interested in taking on the topic of infrastructure TTL
        recommendations?

    Alex Mayrhofer (NIC.AT) is seeing the "load balancing game" in switching
    ISPs more than once per day.
    Lars Liman agrees that it is important to convey that long TTLs have an
    effect on the stability of the network.  The document should have text
    which describes the trade-offs rather than making recommendations.
    Rob Austein (no hat) agrees with Liman that we need to document the
    trade-offs. He prefers to take this on as a WG item, but not this
    specific document. Mark Andrews would like to see recommendations
    against very low TTLs on NS RRs.
    
    Peter Koch suggested that the new doc would reference the research paper
    but not copy it. After that he took a "hum":
    
    "Who is in favour of taking this topic up, with the addition that we are
     not talking about recommendations but trade-offs?"
     Room: [loud hum]
    "Against?"
     Room: [no audible hum]

    CONCLUSION: strong support for adoption

    Since there was strong support for adopting the work item, the chairs
    asked for volunteer co-editors and reviewers (pending additional
    nominations on the wg mailing list):

    Editors:
    - Joe Abley
    - Howard Eland

    Reviewers:
    - Mark Andrews
    - Greg Berezowsky
    - Olafur Gudmundsson
    - Frederico Neves
    - Marcos Sanz
    - Geoffrey Sisson
    - Andrew Sullivan

-------------------------------------------------------------------------------

7) Current & New Topics   [11:26 {audio 2:36:58}]

7.1 "_underscored" names considered -- is a registry needed?
    - draft-crocker-dns-attrleaf-01.txt
    - draft-lear-iana-no-more-well-known-ports-01.txt

    Bill Fenner points to draft-fenner-iana-dns-srv-00.txt proposing
    a registry for underscore names to alleviate the problem in Bonjour
    where you need to have a port number to get a name.

    Peter's Summary: three different proposals exist, one for a SRV name
    registry, one to drop well known port registration and one for a general
    underscore name registry.  Premature to take up as WG item.

      ACTION(Bill Fenner): Send pointers to the WG mailing list

-------------------------------------------------------------------------------

8)  I/O with other WGs   [11:28 {audio 2:38:58}]

8.0 dnsext

    draft-eastlake-dnsext-cookies-00.txt was discussed in dnsext but the
    operational requirements and/or consequences remained unclear.
    dnsext asked dnsop for input. Discussion showed many people had read the
    draft and some had concerns about deployment and scalability.
    No conclusion.

      ACTION(chairs): phrase the question to the WG and pick an
                      appropriate time so that the WG can respond to the
                      dnsext request regarding requirements before the
                      next IETF

8.1  ENUM   [11:34 {audio 2:45:06}]

     ENUM WG has been working on draft-conroy-enum-edns0-02.txt
     about requiring EDNS0.  Draft is going to WGLC.
     Lars Liman pointed out that the draft contained some pretty strong words,
     lots of MUSTs, which should be closely looked at.

      ACTION(chairs, Alex Mayrhofer): copy enum WGLC to dnsop

8.2  mboned   [11:37 {NO audio}]

     Peter Koch reported about an effort to define the future of MCAST.NET.
     Nothing yet to do for the dnsop WG.

8.3  other WGs [11:38 {NO audio}]

     v6ops has draft-ietf-v6ops-scanning-implications-00.txt awaiting WGLC.
     The draft might have implications for v6 reverse mapping, essentially
     ruling it out if "hiding" the v6 hosts in the address space is
     considered desirable.

      ACTION(Peter Koch): Send pointer to the list

-------------------------------------------------------------------------------

9)  A.O.B.   [11:39 {NO audio}]

    Ed Lewis and Doug Otis pointed the WG to dkim's use of the DNS. Doug
    also mentioned amplification issues with SPF data, documented in
    draft-otis-spf-dos-exploit-01.txt.

-------------------------------------------------------------------------------
