IETF-72 DNSEXT draft minutes

Ólafur Guðmundsson /DNSEXT chair <ogud@ogud.com> Tue, 05 August 2008 13:36 UTC

Date: Tue, 05 Aug 2008 09:17:56 -0400
To: namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT chair <ogud@ogud.com>
Subject: IETF-72 DNSEXT draft minutes

Please comment if you see any mistakes,
	thanks
	Olafur


		       IETF 72, Dublin, Ireland
			      DNSEXT WG Minutes (draft)
			by Lars-Johan Liman
			edited by Olafur Gudmundsson

Chairs: Olafur Gudmundsson (OG), Andrew Sullivan (AS)

On request from the chairs, there are rough time stamps in the left
margin for when actions happened, for reference to jabber and audio
recording. Note that the jabber log is in (+0000).

Full Jabber log:
      http://jabber.ietf.org/logs/dnsext/2008-07-31.txt

[AC ...] indicates an action on someone.

AGENDA

	   Agenda for the meeting of the DNS Extensions Working Group
	   IETF 72
	   Dublin, IE		2008-07-31 1300 h (+0100) Ballroom 1

	   1.  Minute and Jabber scribes (2 min)

	   2.  Note Well (2 min)

	   3.  WG status

	       3.1 Drafts published (1 min)
	       3.2 IESG processing:

		   a.  draft-ietf-dnsext-2929bis (2 min)

	       3.3 Documents in/past WGLC

		   a.  draft-ietf-dnsext-forgery-resilience


	       3.4 Current WG Documents

		   a. draft-ietf-dnsext-dnssec-rsasha256 (8 min)
		   b. draft-ietf-dnsext-rfc2672bis-dname (8 min)
		   c. draft-ietf-dnsext-dnssec-bis-updates (10 min)
		       - discuss clarification on TA handling
		   d. draft-ietf-dnsext-rfc2671bis-edns0 (1 min)
		   e. draft-ietf-dnsext-tsig-md5-deprecated (8 min)
		       - discuss proposal for alternate text
		   f. draft-ietf-dnsext-axfr-clarify (8 min)


	       3.5 Expired WG Documents

		   a. draft-ietf-dnsext-dns-protocol-profile (5 min)

	   4.  Proposed WG work

	       4.1 draft-crocker-dnssec-algo-signal (5 min)
	       4.2 draft-vixie-dnsext-dns0x20 (see below)
	       4.3 Clarification to RFC 1123 (5 min)
	       4.4 dynamic zones and DNSSEC (M. Andrews) (5 min)
	       4.5 Warning: stuff coming because of NAT-PT

	   5.  Discussion: further forgery resilience work (30 min)

	       5.1 draft-ietf-dnsext-forgery-resilience
	       5.2 draft-vixie-dnsext-dns0x20
	       5.3 other suggestions

	   6.  A.O.B

	   7.  Close


MINUTES

1.  Minute and Jabber scribes

	Lars-Johan Liman was appointed as minute scribe, and Matthijs
	Mekking as the jabber scribe.

2.  Note Well

	The participants were made aware of the IETF "NOTE WELL"
	statement.

3.  WG status

3.1 Drafts published

	There were no new drafts published since the last meeting.

3.2 IESG processing:

    a. draft-ietf-dnsext-2929bis

	OG reported that this document now has cleared the IESG
	"discuss" status.

3.3 Documents in/past WGLC

   a. draft-ietf-dnsext-forgery-resilience

	OG reported that it has passed last call (LC) and that a new
	version went up this morning. The WG members were advised to
	make sure their LC issues were addressed.

3.4 Current WG Documents

   a. draft-ietf-dnsext-dnssec-rsasha256
   http://www.ietf.org/proceedings/08jul/slides/dnsext-0.pdf
	Wouter Wijngards (WW) presented (see slides). There were no
	comments. It was noted that version -05 of the document is
	out, and the WG was asked to use that for LC comments.

13:08
[AC 72.1] Andrew Sullivan to send out LC a week from today.

   b. draft-ietf-dnsext-rfc2672bis-dname
   http://www.ietf.org/proceedings/08jul/slides/dnsext-1.pdf
	WW presented (see slides).

13:13
[AC 72.2] The chairs to send this document to LC "real soon
	now". Comments on the mailing list between now and the LC will
	be treated as "LC comments".

   c. draft-ietf-dnsext-dnssec-bis-updates
      - discuss clarification on TA handling

	OG: Want to come to conclusion in sept. If the editor is
	comfortable, then the document will be sent to LC, but at
	least consensus on the list.

[AC 72.3] Andrew Sullivan to create a discussion thread for this on
     	  the list.

   d. draft-ietf-dnsext-rfc2671bis-edns0

	The editor claims that this document is done.

13:19
[AC 72.4] Olafur Gudmundsson to send the document to LC when the
     	  previous document LC ends.

   e. draft-ietf-dnsext-tsig-md5-deprecated
      - discuss proposal for alternate text

	Francis Dupont (FD) requested that the text should say "no
	longer required" rather than "deprecated".

	Peter Koch (PK) noted that there is no good place to record
	requirement levels. That fact needs to be sorted
	out. Therefore the document is not ready for LC, even if the
	document as such is OK. We need to modify registry to contain
	that type of information.

13:25
[AC 72.5] Peter Koch to send text regarding requirement levels in the
     	  registry.

   f. draft-ietf-dnsext-axfr-clarify
   http://www.ietf.org/proceedings/08jul/slides/dnsext-5.pdf

	Ed Lewis (EL) presented and went through history. It has been
	stuck in "AD has issues" for a long time. Ed is trawling
	through the archives to find and resolve all issues.

	Dan Bernstein has raised issues in the past, Andreas
	Gustafsson (previous editor) has addressed most of them. EL
	has also checked with 4 implementors that the document doesn't
	create problems for them.

	The discussion veered into whether the master server or the
	slave server has the "right" to remove incorrect zone data
	from the zone.

	It was specifically noted that the document needs a section on
	the differences between loading a zone into a master, and
	transferring a zone in a zone transfer.

[AC 72.6] Ed Lewis to write a scratch proposal on text to address this
     	  issue, and send it to the list for discussion.

13:40
	PK: There are similar issues with root priming. There is
	possibly a difference btw. what's transferred in a zone
	transfer, and what is actually served out in responses to
	queries.

13:44
[AC 72.7] The issue was referred to discussion on the mailing list.

	It was established that transfer of single RR messages is OK,
	and that it does not conflict with the statement in earlier
	RFCs that only "complete RR sets" shall be served in responses.

3.5 Expired WG Documents

   a. draft-ietf-dnsext-dns-protocol-profile

	Nothing has happened with this document. The chairs have
	discussed with the editors and arrived at the following: If
	this document has not started to move at the end of September,
	the chairs will kill the document.

13:52

4.  Proposed WG work

4.1 draft-crocker-dnssec-algo-signal

	Scott Rose presented and asked the audience to please read
	and comment. Note that the document has two goals: a) to
	reduce the response size between a resolver and an
	authoritative server; and b) to signal when new algorithms are
	deployed.

[AC 72.8] Scott Rose to send request to mailing list and ask the WG to
     	  adopt the document.

4.2 draft-vixie-dnsext-dns0x20

	Discussion was deferred to agenda point 5.

4.3 Clarification to RFC 1123
     http://www.ietf.org/proceedings/08jul/slides/dnsext-3.pdf

	TLD labels are always alphabetic per RFC 1123. That needs to
	be updated. One reason is the use of internationalized domain
	names in top level domains.

	Matt Larson & Lars-Johan Liman have volunteered to draft text.

	Warnings were conveyed that there are issues both in the
	protocol specification and in registration procedures (which
	really belong with the IANA). It was also noted that old
	implementations may have problems accommodating TLDs that don't
	follow the old spec.

	Alfred Hoenes noted that there is also a problem with
	formal specifications of DNS labels, which often differ from
	document to document.
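The "old implementations" point above is easy to see with a small checker. The following is an added example, not something presented at the meeting or taken from any draft: it applies the usual letter-digit-hyphen label syntax (1 to 63 octets per label, no leading or trailing hyphen, at most 253 octets in total) and, as a switchable rule, the RFC 1123 section 2.1 requirement that the top-level label be purely alphabetic. The name "example.xn--abc12" is a constructed IDN-style A-label, not a real TLD; with the old rule on, a checker written against RFC 1123 rejects such a TLD, which is exactly the compatibility problem the discussion warned about.

```python
import re

# One label: letters, digits and hyphens; no leading or trailing hyphen; 1-63 octets.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# The RFC 1123 section 2.1 rule for the highest-level label.
ALPHABETIC = re.compile(r"[A-Za-z]+")


def check_hostname(name: str, alphabetic_tld: bool = True) -> list[str]:
    """Return the list of rule violations for `name` (an empty list means it passes).

    alphabetic_tld=True enforces the RFC 1123 "TLD label is alphabetic" rule;
    set it to False to see how the same name fares once that rule is relaxed.
    """
    problems = []
    bare = name.rstrip(".")          # a trailing dot marks the root, it is not a label
    if not bare:
        return ["empty name"]
    if len(bare) > 253:
        problems.append("name longer than 253 octets")
    labels = bare.split(".")
    for label in labels:
        if not LDH_LABEL.fullmatch(label):
            problems.append(f"label {label!r} is not letter-digit-hyphen syntax")
    tld = labels[-1]
    if alphabetic_tld and not ALPHABETIC.fullmatch(tld):
        problems.append(f"top-level label {tld!r} is not purely alphabetic")
    return problems


if __name__ == "__main__":
    # "xn--abc12" is a constructed placeholder for an IDN A-label TLD.
    for candidate in ("www.example.com.", "example.xn--abc12", "-bad.example.com"):
        print(candidate, "strict:", check_hostname(candidate),
              "relaxed:", check_hostname(candidate, alphabetic_tld=False))
```

The same name passes or fails depending only on the `alphabetic_tld` switch, which is the gap between the protocol text and the registration reality that the WG agreed needs a new document rather than an erratum.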

	AS noted that the update cannot be an errata, since the issue
	came up due to an errata! :-)

14:02
[AC 72.9] Matt Larson and Lars-Johan Liman to draft and post new document.

4.4 Dynamic zones and DNSSEC (M. Andrews)

	Presentation by Mark Andrews (MA). MA is looking for group of
	people to work on this, and investigate the problems.

	EL noted that he had written something up once and was willing
	to contribute it to the discussion.

14:12
	WG members were encouraged to contact MA off list if they are
	interested in working with this.

4.5 Warning: stuff coming because of NAT-PT

	OG gave a "heads-up" and asked the WG members to watch other
	WGs, and to speak up early if problems are found, since it is
	much easier to fix problems that are discovered at an early
	stage.

5.  Discussion: further forgery resilience work
     http://www.ietf.org/proceedings/08jul/slides/dnsext-6.ppt
	OG made some initial remarks regarding resilience, and urged
	the audience to deploy draft-ietf-dnsext-forgery-resilience
	without delay, even though it has just passed WGLC.

5.1 draft-ietf-dnsext-forgery-resilience
5.2 draft-vixie-dnsext-dns0x20
5.3 other suggestions
     http://www.ietf.org/proceedings/08jul/slides/dnsext-2.pdf
	WW acted as a proxy for the author and presented the dns0x20
	draft. It was noted that most server implementations echo the
	query name back to the client verbatim, so this can be
	implemented "immediately".

[Here the minute taker queued at the microphone for a while, and notes
were graciously taken by Rob Austein for the duration.]

	It was noted by the audience that the length of the query name
	makes a difference, but that the client always poses the
	"full" query to a server, and that the referral may be
	shorter, but that is irrelevant.

[Minute taker back.]
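To make the mechanism WW described concrete, here is an added Python example (not code from the dns0x20 draft or from any implementation discussed at the meeting). A resolver picks a random case pattern for the ASCII letters of the full query name it sends, which is why the name length matters and a shorter referral does not; because name matching is case-insensitive the authoritative answer is unchanged, and because servers copy the question section back verbatim, the resolver can refuse any response whose echoed name is not byte-identical to what it sent. The name "www.example.com." is a constructed sample.

```python
import secrets


def letters_in(qname: str) -> int:
    """Count the ASCII letters in a query name.

    Each one can carry one bit of case (0x20) entropy; digits, hyphens and
    dots are unaffected, so a purely numeric name gains nothing from this.
    """
    return sum(1 for c in qname if c.isascii() and c.isalpha())


def apply_0x20(qname: str, bits: int) -> str:
    """Set the case of each ASCII letter from successive bits of `bits`
    (least significant bit first: 1 = upper case, 0 = lower case).

    DNS name matching is case-insensitive, so the answer the authoritative
    server gives is the same whichever pattern is used.
    """
    out = []
    i = 0
    for c in qname:
        if c.isascii() and c.isalpha():
            out.append(c.upper() if (bits >> i) & 1 else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def encode_query(qname: str) -> str:
    """Pick a fresh, unpredictable case pattern for one outgoing query."""
    n = letters_in(qname)
    return apply_0x20(qname, secrets.randbits(n) if n else 0)


def qname_to_wire(qname: str) -> bytes:
    """Encode a presentation-format name as DNS wire-format labels (length
    octet, label bytes, ..., terminating zero octet). These are the bytes a
    server copies from the query into the question section of its response."""
    name = qname.rstrip(".")
    labels = name.split(".") if name else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def response_matches(sent_qname: str, echoed_qname: str) -> bool:
    """Accept a response only if the question name it echoes is byte-identical
    to the one that was sent. A response that was not built from the actual
    query has to reproduce every case bit, on top of the ID and port, so each
    letter in the name adds one bit of protection against forged answers."""
    return qname_to_wire(sent_qname) == qname_to_wire(echoed_qname)


if __name__ == "__main__":
    # Fixed pattern for a reproducible demonstration; encode_query() uses a random one.
    sent = apply_0x20("www.example.com.", 0b1010101010101)
    print("sent:", sent, "extra bits:", letters_in(sent))
    print("verbatim echo accepted:", response_matches(sent, sent))
    print("lower-cased echo accepted:", response_matches(sent, sent.lower()))
```

The check is cheap for the resolver and needs nothing from the server beyond the verbatim echo already in place, which is the sense in which the technique can be deployed "immediately"; a server that normalises the case of the question name before answering would have its genuine responses dropped, so that behaviour is what an operator should test for before turning this on.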

	It was noted that we only have seen very few proposals in
	documents, and that the decision on whether we want to adopt
	documents or not should be deferred until we have seen more
	proposals.

14:55

	OG urged people with good ideas to send them in as drafts, and
	requested that they be sent in as personal submissions, but
	tagged with "dnsext" to identify them as possible future WG
	work items.

[AC 72.9] Chairs will not propose the adoption of any particular work
        or collection of work until after the details of the attack are
        officially known and the WG has had time to form an opinion on
        what the appropriate response is.

6.  A.O.B


14:56
	John Dickinson made a short demonstration of a proof of
	concept program that infected a cache, which, in a very
	limited environment, succeeded in a matter of seconds.

7.  Close

	The meeting was adjourned.

15:01

[END]

