[dnsop] draft DNSOP minutes for IETF 62

David Meyer <dmm@1-4-5.net> Thu, 17 March 2005 18:59 UTC

Date: Thu, 17 Mar 2005 09:46:31 -0800
From: David Meyer <dmm@1-4-5.net>
To: dnsop@lists.uoregon.edu
Cc: sra@isc.org
Subject: [dnsop] draft DNSOP minutes for IETF 62
Message-ID: <20050317174631.GA5236@1-4-5.net>
Reply-To: David Meyer <dmm@1-4-5.net>

	Thanks again to Johan for serving as scribe.

	Dave & Rob


---
Domain Name System Operations (dnsop) Minutes

MONDAY, March 7, 2005 (1930-2200)
=====================================

CHAIR(s): David Meyer <dmm@1-4-5.net>
          Rob Austein <sra@isc.org>

AGENDA

 o Administrivia						 5 minutes

   - Mailing list: majordomo@lists.uoregon.edu
     subscribe dnsop

   - Scribe(s)?
      Jabber
      Other 

   - Blue Sheets

 o Agenda Bashing					 5 minutes
   Meyer                                           

 o Review and status of work items			 

   Active Drafts
   -------------
   draft-ietf-dnsop-bad-dns-res-03.txt			 5 minutes
     Larson/Barber
   draft-ietf-dnsop-dnssec-operational-practices-03.txt	 5 minutes
     Kolkman, et al.
   draft-ietf-dnsop-inaddr-required-06.txt		 8 minutes
     Senie
   draft-ietf-dnsop-key-rollover-requirements-02.txt	 5 minutes
     Guette, et al.
   draft-ietf-dnsop-ipv6-dns-configuration-05.txt	 2 minutes
     Jeong, et al.

   Expired Drafts
   --------------
   draft-ietf-dnsop-respsize				 2 minutes
     Vixie/Kato
   draft-kato-dnsop-local-zones				 2 minutes
     Vixie/Kato
   draft-ietf-dnsop-serverid-02.txt                      5 minutes
     Wolfe

   Potential WG Items
   ------------------
    To publish, or not to publish,...			 5 minutes
     draft-durand-dnsop-dont-publish-00.txt
     Durand

   6to4 Reverse DNS Delegation				 5 minutes
     draft-huston-6to4-reverse-dns-03.txt
     Huston

   Split-View DNSSEC Operational Practices		 8 minutes
     draft-krishnaswamy-dnsop-dnssec-split-view-00.txt
     Krishnaswamy

   Provisioning data needed for DNSSEC			10 minutes
     draft-hollenbeck-epp-secdns-06.txt
     Hollenbeck

   DNS authoritative server misconfiguration             10 minutes
     draft-fujiwara-dnsop-bad-dns-auth-02.txt
     Fujiwara, et al.

   DNS transport issues	                                 10 minutes
     draft-fujiwara-dnsop-dns-transport-issue-00.txt
     Fujiwara

   A Practical Approach for DNS server specification	 5 minutes
     draft-yasuhiro-dnsop-increasing-dns-server-02.txt
     Morishita



   Other Issues
   -------------

   Tunnel end-point discovery using DNS			10 minutes
     draft-palet-v6ops-tun-auto-disc-03.txt (Section 3.2)
     Savola

   The DNS Phase In Problem				10 minutes
     Koch 

   Technical pieces for DNSSEC deployment		 7 minutes
      Krishnaswamy



Status of Active Drafts
-----------------------

         draft-ietf-dnsop-bad-dns-res-00: ready to push out

         draft-ietf-dnsop-dnssec-operational-practices-00: slightly
                 rearranged, one changed definition

         draft-ietf-dnsop-inaddr-required-06: enough people seem to
                 care to make it worthwhile to push this forward
                 in the present direction

         draft-ietf-dnsop-key-rollover-requirements-02: comments solicited

         draft-ietf-dnsop-ipv6-dns-configuration-05:

Status of Expired Drafts
-------------------------

         draft-ietf-dnsop-respsize:
             bill manning: this is an important document that
             should be moved forward. Also important because it
             is directly referenced by ICANN documents
             mohsen souissi: this draft has been and will be very
             useful to TLDs computing the consequences of adding
             v6 glue

             rob austein: will go to last call

         draft-kato-dnsop-local-zones:
             akira kato: concerns significant additional traffic
             hitting roots

             bill manning: I don't like it, step towards incoherency

         draft-ietf-dnsop-serverid-02:
             suzanne woolf: intended as a replacement for
             hostname.bind, not enough comments so it expired
             rob austein: don't wait for comments, this is ready
             for LC

Potential WG Items
-------------------

         draft-durand-dnsop-dont-publish-00.txt
             goals: restart talk on what should be published or
             not in DNS. issues: ambiguity, unreachability, new
             v6 stuff: transition phase, globally unique local
             addrs. recommendation: when publishing multiple
             addresses take care to not publish at the same time
             addrs designed to be globally unique and addrs that
             are not

             ed lewis: when solving this problem don't let the
             public net suffer from what you want to do
             internally
             bill manning: keep your grubby hands out of my
             zone. reachability is in the eye of the beholder
             lars-johan liman: the interesting thing is not the
             publishing (in DNS) but rather what the domain names
             are being used for *after* they have been published
             rob austein: there are costs (to others) associated
             with having unreachable stuff in the DNS. that ought
             to be documented
             keith moore: if you're seeing limited scope
             addresses published in DNS then that's a sign of
             other problems and it is not DNS' task to solve
             these
             john schnizlein: split-DNS is ...
             rob austein: I declare split-DNS off topic for
             this one
             rob austein: I hear interest in this draft

         draft-??-ipv6-dns-configuration (?)

             david kessens: no question, answers for you: this
             document has been considered by the iesg and there
             are a number of comments. It is possible to go
             forward even without addressing all the comments
             given some sort of "warning label".
             rob austein: the problem is that we've failed to
             reach consensus on this issue for a number of years
             and it is time to stop trying and just move on. This
             document represents a lot of effort in documenting
             the various issues involved.
             pekka savola: ought to be possible to publish this
             document without the iesg warning label
             rob austein: this document was never intended to
             reach consensus
             david kessens: next step is to publish asap

         draft-huston-6to4-reverse-dns-03:

             geoff huston: ...self-service style cafeteria webpage...
             bill manning: as the existing maintainer of 2002:: I
             strongly support this as I'm tired of maintaining it
             mark andrews: we could do this all in dns, no need
             to go to http
             geoff huston: ...or we could go out and do something
             bill manning: don't make this a wg item, instead
             just ship it
             geoff huston: may benefit from a round in DNSOP, but
             I'm fine either way

         draft-krishnaswamy-dnsop-split-view...

             suresh krishnaswamy: documents a way to config
             split-DNS with DNSSEC. This document is not about
             information hiding. split-views and DNSSEC may seem
             mutually conflicting.

             keith moore: example doesn't show apps
             rob austein: we're not here to debate split dns in
             general, this is limited to DNSSEC applied to split
             DNS given that split DNS will be used regardless
             ed lewis: split-view is essential, good to get it
             documented
             sam weiler: disagree with keith
             bill manning: advance it. the philosophical issues
             are not a topic for this WG
             russ mundy: important to get modern documents on how
             to get DNSSEC working in present environments

         draft-hollenbeck-epp-secdns-06.txt

             scott: last remaining question:
                 DS publish start and end
                 DS TTL
                 DS signing interval
                 RRSIG(DS) lifetime

             ed lewis: this is what I came here for. DS is unique in
                 the sense it is the only RR that is only available at
                 the parent. Important that the parent doesn't tell too
                 much about the child.
             ed lewis: RRSIG(DS) lifetime is crucial in the case
             where the child's key is compromised. Even if the
             child replaces the key quickly it is still possible
             for the attacker to generate new RRSIGs (with the
             compromised key) that will be accepted as valid if
             the RRSIG(DS) is still out there.
             ogud: drop the ttl, the reason for it is too weak
             marka: concur
             ed lewis: if we set the signature that will cap the
             ttl too, and that's perhaps sufficient

         draft-fujiwara-dnsop-bad-dns-auth-01:

             Highlights details. Transport issues ripped out into
             separate doc:
         draft-fujiwara-dnsop-dns-transport-issue-00
                 Rewrite needed and will be done. Issues over
                 EDNS0 and TCP need more exposure.

         draft-yasuhiro-dnsop-increasing-dns-server-02.txt

     Pekka Savola: Tunnel end-point discovery:
         draft-palet-v6ops-tun-auto-disc-03.txt
             ...forward tree. May be issues here.
             ...reverse tree. Assumes pre-population of whole reverse
                 tree, including the rfc1918 space.
             Must work through unmodified NAT-boxes.
         Wants comments on feasibility of assuming pre-population ok.
         Whether using DNS search path can be on the table.

         keith moore: upside down approach having yet another
         network layer service depend on DNS. DHCP would seem
         more appropriate and better to solve the issues with a
         DHCP approach.
         mark andrews: If you go to a different suffix (i.e. not
         in-addr.arpa) then you can pre-populate with wildcards.

     Peter Koch: DNS Phase In
         New feature discovered/implemented. Need lookup
         service. Use DNS. Initial deployment: existence of FOO
         means YES, absence means NO or don't care. Want a !FOO
         to be able to distinguish between NO and "don't
         care". Problem does occur. One example is ENUM (or
         perhaps structured name spaces in general)

         alain durand+mark andrews+rob austein: Discussion on
         whether there is a real need.
         sam weiler: poorly defined problem