-----------------------------------------------------------------------------
dnsop WG minutes for IETF 76, Hiroshima, JP
-----------------------------------------------------------------------------
WG:        DNS Operations (dnsop)
Meeting:   IETF 76, Hiroshima
Location:  ANA Crowne Plaza Hiroshima, "Orchid West"
Date:      Wednesday, 11 November 2009
Time:      13:00 - 15:00 (UTC+9)
Chairs:    Rob Austein
           Peter Koch
Minutes:   John Schnizlein
Jabber:    xmpp:dnsop@jabber.ietf.org
J-Scribe:  Wolfgang Nagele
J-Script:  http://www.ietf.org/jabber/logs/dnsop/2009-11-11.txt
Audio:     ftp://videolab.uoregon.edu/pub/videolab/video/ietf76/ietf76-ch8-wed-afnoon.mp3 [~59MB]
           {meeting starts at 00:13:45}
WG URL:    http://tools.ietf.org/wg/dnsop/
Material:  https://datatracker.ietf.org/meeting/76/materials.html#wg-dnsop
-----------------------------------------------------------------------------

1) Administrivia

    No new IETF attendees, about 5 new to DNSOP WG
    - Note Well
    - Agenda: no changes

2) Status Update [13:12]

    Rob Austein stepping down as co-chair when a replacement is found.

3) Active Drafts [13:14]

3.1) DNSSEC Key Timing Considerations
    [Johan Ihren]

    Request adoption as WG document
    RFC 5011 coverage has been integrated
    2 kinds of ZSK rollover: prepublication and double signature
      (during algorithm change)
    3 kinds of KSK roll: double KSK, double RRset (add and remove KSK+DS
      together), double DS
    questions:
      should all rollover mechanisms be described in detail?
      should we expand the algorithm rollover section?

    Wes Hardaker: cannot choose, but document ramifications of each
    Ed Lewis: used this in a key management plan - sent email to list of
      problems found. Draft authors should check with those already
      operating DNSSEC zones.
    Jelte Jansen: should replace rather than expand algorithm section
      which is wrong
    Olaf Kaufman: overlap with 4641bis - keep tradeoff in that tutorial
      document
    Mark Andrews: should describe introduction and removal of algorithms
    Rob Austein: yes, you should cover all of these

    Adopt as WG document?
    How to resolve interaction between Olaf's 4642bis?
    Johan: intend to avoid circular dependencies
    Fredico Neves: why not include in 4641bis?
      A: they target different audiences
    Wes: the content is needed

    Hum for WG doing some document on this content - unanimous
    Whether to merge with Olaf's bis draft or not punted to list.

3.2) Initializing a DNS Resolver with Priming Queries [13:33]
    [Peter Koch]

    How many read? 10-ish
    Open questions:
      Q1 retry strategy?
      Q2 parallel vs sequential priming?
      Q3 may the sbelt be used before priming?
      Q4 when to reprime?
      Q5 completeness of response?
      response to non-EDNS based root (priming) queries?

    Bob Halley: answer no on Q3
    No other comments, exhorted WG to comment on open issues.
    Peter (as chair): we have an issue tracker which we hope to use for
      these questions

4) Current & New Topics

4.1) DNSSEC Trust Anchor History Service [13:42]

    skipped, no presentation

4.2) DNSSEC Signing Policy & Practice Statement Framework [13:44]
    [Fredrik Ljunggren]

    DPS states practices and provisions employed or states requirements
      or policy
    target audience: registries, or sponsoring organization or regulatory
      authorities
    outlines topics to be considered when implementing DNSSEC.
    in the DNSSEC for root discussion - compare IANA and Verisign

    How many read the draft? 5-ish
    WG document?
    Peter: has been used for the root and by several TLDs
    Rob: after reading notes from Stockholm, the status seems similar now.
    Shane Kerr: have heard lots of support
    Rob: take question to the mailing list.
    Matt Larson: we should adopt it.
    Ed Lewis: have not read it - have written a CPS; it is a pain. Do you
      want to do this?
    Volunteers to read and comment within 2 weeks: Andrew Sullivan,
      Wes Hardaker, Sam Weiler, Jaap Akkerhuis, Suzanne Woolf, Matt Larson,
      Chris Liljenstolpe, <3 more people in the back>
    Roy Arends: have read it, plan to use at Nominet
    Olaf: will Nominet bring its experience back and contribute to the
      document?
      Yes, if WG adopts.
    Peter: this question is for the framework only, not that any TLD DPS
      be published.
    Jim Galvin: support it.

    Adopted by "way more than" 5 raising hands in support.

4.3) Reverse DNS in IPv6 for Internet Service Providers [14:00]
    [Lee Howard]

    How can residential ISPs populate reverse DNS for IPv6
    Changes (since Stockholm):
      only for residential (not commercial),
      clarified why wildcard won't match,
      how to have DHCP update DNS,
      concern about synchronizing rules for on-the-fly with multiple
        servers.
      Informational rather than BCP
      Removed recommendation not to populate reverse DNS
      Added concern of mischievous hostnames in delegated DNS

    How many read? 5-10
    Jason Livinggood: think "residential" is too limiting - include Small
      office
    Ted Lemon: several recommendations based on current state of home
      gateways, should be intended state or take them out.
    Roque Gagliano: this is important - we get questions on this.
    Rob: comment from Alain Durand: want that "operators are not required
      to populate"

    No consensus, needs further discussion

5) Other (non WG) Internet-Drafts [14:11]

5.1) Top Level Domain Name Specification
    [Olafur Gudmundsson acting as proxy for Lars Johan Liman]

    asked for feedback on formal (BNF-like) string rules on the screen

    Markos Sanz: too little to understand
    John Klensin: come to the plenary to learn more - this does about the
      right thing.
    Peter Koch: not convinced this is the right way to go. Don't see
      justification for IETF to make these rules. This looks more like
      policy than technical requirement.
    Rob: ICANN wants something - how can we help. What alternative?
    Peter: not normative - say that they must be alphabetic.
    Klensin: to identify the boundary case, if this WG declines to make
      policy statements, then remove any constraint and allow anything.
    wnagele: for the mic: we can do this as a "quick fix", and then start
      the real work to fix 1123, to relax rules further.
    Olafur: want input even if this is not adopted as a WG document.

    No consensus, the involved parties need to talk some more.

5.2) IDN TLD Variants Implementation Guideline [14:22]
    [Jiankang Yao]

    5-10 people had read the draft.
    Doug Otis: similar to Latin names - deal with it the same way as
      phishing names
    Stephane: there are several topics - not something we can solve
    Ed Lewis: before the meeting a few of us worked on recasting this as a
      simpler technical problem: make 2 zones look the same. The policy
      issues of whether there should be variants is out of scope. There
      does appear to be a technical topic of how to make two zones have
      identical content.

    Exact framing of question and whether the WG wants to adopt it, is
    taken to list.

5.3) DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA [14:44]
    [Ray Bellis]

    To solve the problem that many home gateways send DHCP for DNS as the
    gateway, send query for "LOCAL.ARPA" that gives correct NS address.
    Issues:
      DNSSEC breakage
      What if ISP does not support (or signs) LOCAL.ARPA?

    10 people have read, five think should adopt.
    Take adoption question to the WG list.

5.4) Self-termination Mechanism for Anycast DNS Service

    skipped

6) I/O with other WGs [14:54]

    TSVWG
    [Joe Touch]

    Update procedures for updating port registration and unify registries
    Idea is to put all the protocol things (SRV names, Services, Ports) in
      one table.
    Adding procedures to change, transfer, withdraw - current is
      write-only.

    Stewart Cheshire: SRV always has the underscore - clarifies SRV name
    Olafur has an alternate proposal.
    Will take to the list and get feedback to Joe.

    The following I-Ds were not discussed, serve as reference and pointer
    here only.

    BEHAVE
    OTHER

7) A.O.B. [15:03]

    Ondrej Sury: DNSSEC plugin for Firefox
      http://labs.nic.cz for alpha version: Linux, MacOS, Windows
    Wes Hardaker: this is the third of these - very nice

    One final announcement: The room for "DNSSEC signed root" - Cattleya
    West

-----------------------------------------------------------------------------