Re: [dnsext] Forgery resilience and meeting in Stockholm
Ólafur Guðmundsson /DNSEXT chair <ogud@ogud.com> Wed, 20 May 2009 15:22 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D4853A6CBC; Wed, 20 May 2009 08:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.577
X-Spam-Level:
X-Spam-Status: No, score=-0.577 tagged_above=-999 required=5 tests=[AWL=-1.252, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVmTY+jnDWL2; Wed, 20 May 2009 08:22:48 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E03A33A6BF1; Wed, 20 May 2009 08:22:47 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1M6nZu-0008gg-Qo for namedroppers-data0@psg.com; Wed, 20 May 2009 15:19:34 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ogud@ogud.com>) id 1M6nZd-0008fB-7r for namedroppers@ops.ietf.org; Wed, 20 May 2009 15:19:28 +0000
Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4KFJDhW055673 for <namedroppers@ops.ietf.org>; Wed, 20 May 2009 11:19:14 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200905201519.n4KFJDhW055673@stora.ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 20 May 2009 11:17:30 -0400
To: namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT chair <ogud@ogud.com>
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <20090508181422.GH2372@shinkuro.com>
References: <20090508181422.GH2372@shinkuro.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
With less than one day left before the chairs need to make a determination. The purpose of this message is to point out that the discussion has possibly been derailed by heated arguments about the merits of a subset of the options, at the detriment of other options. At this point we have enough support to say EDNS0 Ping is acceptable for further study, even though there is a large number detractors. (option #4) It is close call for option #3 x20 There is no public support for option #2, and no one has argued for option #1. If you are in favor of options #1, #2 or #5 now is the time to speak up. As an experiment I have set up a poll for the different options, http://www.doodle.com/7yvife73qvwtnr5m Feel free to post to namedroppers or participate in the pool. When you participate in the poll use a name that I can correlate to a namedroppers subscription i.e. no AB or BA names. thanks Olafur Olafur At 14:14 08/05/2009, Andrew Sullivan wrote: >Dear colleagues, > >Your Chairs have been observing the discussion around adoption of >various drafts for techniques to mitigate forgeries and cache >poisoning. It appears to us that the WG is not converging on >consensus. > >We currently have a request open to adopt EDNS0 ping. The discussion >of adopting the document appeared to expose a fault in the community, >where some expressed strong opposition to undertaking any further forgery >resilience work when DNSSEC is already available, while others argued >that DNSSEC is not getting deployed and therefore we need other urgent >action. > >Meanwhile, some other mechanisms, including "0x20" and those outlined >in draft-wijngaards-dnsext-resolver-side-mitigation-01.txt seem to be >showing up in various implementations. > >We think it would be better if we came to some more or less shared >agreement on what to do in this space (including nothing). The >portion of the meeting we had in Dublin that was dedicated to this >topic seems not to have inspired consensus. Therefore, we would like >to present five options for consideration: > >1. Do nothing, and take all energy that might be devoted to this >effort and direct it towards DNSSEC deployment. > >2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and >include in it recommendations to do nothing else except what that >document contains. Remove from section 3 any strategies we do not >want to adopt. (Note that this latter condition entails decisions >about the next two options.) > >3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps >this gets included in that document, or perhaps it proceeds as part of >a set of documents. Let's leave the editorial process issues out of >the discussion, and just focus on whether we want to include this >strategy in the tool box. > >4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this >might be included as part of (2) or processed individually, but that >doesn't matter. > >5. Officially adopt nothing, but support (2) and (3) going ahead as >individual submissions on the Informational track. (2) would >obviously need to be modified slightly to keep out any protocol items >that might be entailed. The reason (4) can't just go ahead on the >individual track is that the assignment of an EDNS0 code point >requires standards action, so the work would come back here anyway. > >We will plan to request a meeting session in Stockholm to discuss this >issue (and possibly some other topics before us). If the WG can come >to a clear consensus on-list before then (and we have no other >business), then obviously we will be in a position to cancel the >Stockholm session. If we have not come to a conclusion by 20 May, we >will keep the session scheduled. > >In the absence of strong arguments in favour of action and at least an >apparently broad constituency to do the work within the WG, the Chairs >are inclined to take option (1), because the WG is supposed to be >sleeping. This is by no means to say that we are prejudiced in favour >of that option. It is rather to say that we are procedurally bound, >by our charter, to a default of "No" for at least some of these >documents. Adding a new standards-track item to the WG work requires >rechartering, please note, and given one other request we have open we >may therefore need to recharter anyway. > >Best regards, > >Olafur and Andrew > >-- >Andrew Sullivan >ajs@shinkuro.com >Shinkuro, Inc. > >-- >to unsubscribe send a message to namedroppers-request@ops.ietf.org with >the word 'unsubscribe' in a single line as the message text body. >archive: <http://ops.ietf.org/lists/namedroppers/> -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Forgery resilience and meeting in Stockh… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… W.C.A. Wijngaards
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Ondřej Surý
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… Roy Arends
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Stefan Schmidt
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Matt Larson
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Mark Andrews
- Re: [dnsext] Forgery resilience and meeting in St… Bert
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Desperate plea for 0x20, was Re: [dnsext] Forgery… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Paul Vixie
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Jeffrey A. Williams
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- RE: Desperate plea for 0x20, was Re: [dnsext] For… Antoin Verschuren
- RE: [dnsext] Forgery resilience and meeting in St… Antoin Verschuren
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Federico Lucifredi
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Otmar Lendl
- Re: [dnsext] Forgery resilience and meeting in St… Ólafur Guðmundsson /DNSEXT chair
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Federico Lucifredi
- Re: [dnsext] Forgery resilience and meeting in St… Peter Koch
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Ted Lemon
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson