draft minutes
Randy Bush <randy@psg.com> Sun, 13 January 2002 16:38 UTC
Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA12464 for <dnsext-archive@lists.ietf.org>; Sun, 13 Jan 2002 11:38:54 -0500 (EST)
Received: from lserv by psg.com with local (Exim 3.33 #1) id 16PnQc-000I5W-00 for namedroppers-data@psg.com; Sun, 13 Jan 2002 08:24:14 -0800
Received: from rip.psg.com ([147.28.0.39]) by psg.com with esmtp (Exim 3.33 #1) id 16PnQc-000I5Q-00 for namedroppers@ops.ietf.org; Sun, 13 Jan 2002 08:24:14 -0800
Received: from randy by rip.psg.com with local (Exim 3.33 #1) id 16PnQc-000MO7-00 for namedroppers@ops.ietf.org; Sun, 13 Jan 2002 08:24:14 -0800
From: Randy Bush <randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: namedroppers <namedroppers@ops.ietf.org>
Subject: draft minutes
Message-Id: <E16PnQc-000MO7-00@rip.psg.com>
Date: Sun, 13 Jan 2002 08:24:14 -0800
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit
[ these minutes from Jun-ichiro itojun Hagino <itojun@iijlab.net> are the only ones i have received. will submit tomorrow if i get no others. please send corrections now -- randy ] multicast dns - is this the right solution? ?: is it the same protocol, or new protocol? reuse of the port number, reuse of the packet format ?: when we started, "behavior just like DNS" operational problem, conceptual problem alain: icmp6 name lookup - one solution looked at (but was not provided for ipv4) aboba: no set of goals stated, document is ready for ietf last call something gone very wrong. is this solving the right problem? is there a better solution? mohta: zeroconf is not a good thing to pursue. if we don't want client configuration, dns servers having wellknown anycast addresses work fine ?: would like to do "infrared" thing that palm does, or appletalk. need some mechanism for resolving name. rob: there are people with different goals. ?: it is a good way to reuse DNS. we won't be able to solve the problem even if we start fresh aboba: if zeroconf requirement is broken? olafur: zeroconf is a part of requirement. --- dns threat model (rob) examine why dnssec was started dnssec ensures data item is the same when they are put in, and when they are pulled out lack of threat model? dnssec has dependency on time sync. --- delegation signer (olafur) motivation key record repeats the mistake of ns record in delegations, same record in two zones key at child is clumbersome parent advertises strong identifier of key used resolver verifies DS record from parent only verifies key if sig matches verified DS DS advantages information flow in key handshake is now identical to NS minimizes communication only when hcild changes KEY set signing key less data in parent DS much small than key DS only at secdure delegation child in full control of security status no conflicting key sets disadvantages: more work for resolvers. 3 implementations what change from the last IETF NODS in NXT bitmap at unsecured delegations DS can only pont at DS zone keys that can sign zone key size field dropped server returning... DS complicates life for resolvers chop off 2535, or DS, or opt-in next steps DS seem to work DS makes DNSSEC much/some easier for operations DS increments complexity in resolvers advance or discard? ?: is it really advantageous to have less data in parent? less state - similar to opt-in minimizes communication deployability difference for big zones how much better should combine discussion for opt-in it is advantageous that downstream reload does not happen when upstream key changes balance: decoupling child signing and parent signing - weakening security outband or inband? key rollover for .com - 6month, 2 key alive at one time (comments continue after opt-in talk) --- opt-in dnssec painful for large zones huge upfront cost null KEYS, nxt RR and signatures for child zones that are not secure little initial deployment high generation cost ordering re-signing distributing changes since 00 total rewrite goal is the same, different methods NXT indicates opt-in instead of KEY opt-in uses noSig techniques basically, finer granurality, opt-in 2535 choice can be made on per-record (instead of per-zone) 2535 NXT - authenticated denial of existence of names does not allow unsigned names opt-in NXT - authenticated denial of existence of SIGNED names does allow unsigned names 2535 - positive answer = this delegation is not signed the unsigned name exist (crypto verifiable) opt-in - negative answer = there exist no signed delgation between two signed names the unsigned name exist (not crypto verifiable) pros and cons every advantage has disadvantages positive: opt-in reduces the amount of crypto in a zone negative: opt-in gives up authenticated denial of existence for unsecured delegations (give up security for unsecured data item) don't "like" opt-in? sign it with 2535 opt-in does not obsolete 2535 positive side-effect traversing a zone through NXT recodrs gives only signed names and signed delegations a chain of secure delegations is possible without the requirement to sign the whole zone 2535 is not "better " ot "worse" than opt-in 2535 has advantages for the average zone opt-in has advantages for the delegation-only zone (large zone) randy: change in security model. attacking the problem of size by a protocol change, and security model change. assumption - the little part of zone gets signed. ?: it is already hard to keep up hardware with .com size. vixie: losing ability to cryptographically prove non-existence of names, or nonexistence of child signature, is it true? - not exactly. ?: it is up to zone owner. ?: we can mix 2535 and opt-in in a single zone. --- key desire to have algorithms separately documented. minimize dependency to 2535 key format draft documents standard moduli? --- AD bit outstanding issue ad draft status document passed working group last call, not sent out when can AD bit be set? AD = authenticated data AD draft says authoritative server can set the AD bit if local security policy allows comments on the mailing list afer last call disagree argument for text the issue only affects resolvers that trust server doing signature validation on all data loaded is expensive either slows loading or answers integrity of whole zones on servers can be protected by other means signed zone files, signed zone transfer against AD MUST only be set if signatures have been verified setting the AD bit under other conditions is wrong AA bit implies that the data is authentic suggestion authors must add text that clarify states that AD bit is not be set by default and MUST only be set if there are some other validity checks in place document must also document what [stub] resolvers are affected ?: 2535 says about AD bit - data satisfies the security policy of the server ?: what is "policy"? can you tell what kind of policy the server is implementing? ?: the situation happens only when you talk to authoritative zone. it should be your own domain, so you know the policy? ?: why you can't use AA bit for that? authors will update the draft. do we need DS? do we need opt-in? vixie: from test results, it seems (something like) DS is needed for key rollover opt-in is just a hack for one zone (.com) anyway we need to get this DONE. ?: opt-in is needed, to sign .com. can't deploy .com with 2535. ?: cost vs usefulness. cost is significant for large zones. ?: does opt-in break security of zones (= signed chain)? bill: interoperability between 2535 and DS? - yes, DS-capable resolvers can (but there is a flag day). olafur: we are doing this too long. for DS and opt-in, need go or nogo. ?: there are people who are trying to deploy 2535. too long wait. randy: agree with vixie. ?: not deployable as it is today. vixie: need to separate between deployability due to size, and other issues. does it matter if we sign .com today, or 2004? this needs to come to conclusion. during this week people will talk and try to come to conclusion, and then to the list. vixie: the reason why root is not signed is that dnssec is still seems to be in flux --- tkey securet key renewal mode necessary to refresh shared keys for tsig new mode for update procedure and mechanism in tkey renewal mode defined key has lifetime. during renewal, key lifetime overwraps tsig-signed query from client expiration time check server urges clients to send tkey renewal requests tkey secret key renewal request from client DH public key old key's name and algorithm answer from server establish new secret by DH TSIG-signed query with the new key from client server adopts the new key feature systematic control by server "renewal", not add/delete limit number of shared keys think about network errors. feel no need for this. server can delete the key when it expires. tkey is just for temporary measure. it is direciton we shouldn't go. --- dns mib proposed replacement for 1611 not ready for prime time yet. please read, test it and comment. need requirement document to start with. --- ngtrans dns op req problem: IPv4-only and IPv6-only nodes coexist, how to resolve? long term problem consequences - this working group has to do something. requirement single root requirement, applies for IPv4 and IPv6 dns is IP version independent application. need to be able to get the same data independent from data. we can change v6 things, we cannot change v4 things need some kind of bridging system, so that v6 only resolver can get data from v4 only server, or other ways need symmetry in bridging system? no. v4 resolver - no good way. zone needs to be served by dualstack node. v6 resolver - relaying system? leakage of information serve zones on dualstack node, period. --- dynamic update we assume that updated records gets eventually removed explicitly state an expiration time repeat of past effort. if we are going to repeat this one, requirement document is needed. we can't assume wall clock (powered off). there seem to be some need. --- application keys - limiting the scope of the key resource record simple idea - restrict KEY to dnssec. dnssec key vs application keys - looks like a different beast. reolver behavior is very different. separate rtype, SRV, KEY, ... protocol specific flag? attribute? should we separate pubkey and cert? we need a requirement document. (battery is out) to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- draft minutes Randy Bush