DNSEXT66 minutes
Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com> Fri, 04 August 2006 13:32 UTC
From: Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com>
Subject: DNSEXT66 minutes
Date: Fri, 04 Aug 2006 09:32:05 -0400
Lines: 301
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-From: owner-namedroppers@ops.ietf.org Fri Aug 04 15:39:00 2006
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.1
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
To: namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072225.2560.91840.ARCHIVE@ietfa.amsl.com>
Minutes of DNSEXT working group, IETF 66 July 10th 2006, Afternoon Session I Note takers: Marcos Sanz and Robert Martin-Legene Agenda and presentations available at https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 Administrivia: Previous minutes are approved. Draft agenda is approved. PRESENTATION 1 - "Document status" by O. Gudmundsson New RFCs since last meeting are 4389, 4470 and 4509. A review of the status of current I-Ds follows: draft-ietf-dnsext-dns-name-p-s-02 is in AUTH48 state. draft-ietf-dnsext-wcard-clarify-11 and draft-ietf-dnsext-dhcid-rr-13 are in the RFC-Editor queue. draft-ietf-dnsext-nsid-02 is in wg LC. draft-ietf-dnsext-mdns-45 is in publication requested as informational. draft-ietf-dnsext-dnssec-experiments-03 is in publication requested as experimental. draft-ietf-dnsext-opt-in-09 is in publication requested as experimental. draft-ietf-rfc2536bis-dsa-06 needs more reviewers. LC is completed and is waiting for chair decision. draft-ietf-rfc2539bis-dhk-06 needs more reviewers, too. draft-ietf-dnsext-dnssec-trans-04 has entered LC. There is ongoing work with the following drafts: - Draft-ietf-dnsext-dnssec-bis-updates-03 - Draft-ietf-dnsext-2929bis-03, hopefully going soon to wg LC - Draft-ietf-dnsext-signed-nonexistence-requirements-03, hopefully going soon to wg LC - Draft-ietf-dnsext-nsec3-06, aiming at having it completed this year. And the following drafts are in holding state: - Draft-ietf-dnsext-rsasha256-00 - Draft-ietf-dnsext-ecc-key-09, needing simplifications because of interoperabilty issues. DISCUSSION 1 No discussion PRESENTATION 2 - "NSEC3 status and issues" by D. Blacka http://www.nsec3.org contains an issue tracker about NSEC3 (with history and rationale) and other useful information. NSEC3 is an NSEC RR alternative that prevents zone enumeration by hashing domain names and at the same time is an optional optimization for delegation-centric zones called opt-out. Current version of the draft is Draft-ietf-dnsext-nsec3-06. There was a side meeting yesterday and there is a proposed NSEC3 workshop (tentative date is September). Purpose of the last Frankfurt workshop (8th-10th May) was interoperabilty testing of signing, serving and validation, and no major issues found. A semi-permanent test environment was set up. Notes from the workshop are in the NSEC3 website, and provided valuable input for the version -06 of the draft. Some tests that still need to be done are: NSEC to NSEC3 rollover and vice versa, signalling mechanisms, traversing down various combinations of NSEC and NSEC3 with and without opt-out and spoofing tests with wildcards and opt-out. Changes from the -05 to -06 draft version are: a hash length field was added to RDATA, a new section on signalling and a new section on dynamic update were added to the document, and some text on the handling of unknown NSEC3 hash algorithms was added, too. The examples were updated and completed. In the new version of the draft responses are now required to use NSEC3 with all the same parameters, because otherwise it becomes too cumbersome for implementations. Things still known to be missing in the draft are text on transitioning and on the following open issues, which didn't make it to -06 mainly because of time constraints. Open issues are (numbering according to the issue tracker in the NSEC3 website): #8 "signalling": about interoperabilty with 4035-based resolvers. NSEC3-signed zones should be treated by them as insecure and, in order to achieve this, the new draft describes the use of unknown signing algorithms. There was an alternative solution and this one is not set in stone, but this is what has been implemented. #9 "iterations upper bound": the current document sets an upper bound based on RSA signing times. Resolvers may treat NSEC3 RRs with too many iterations as bogus. Open questions are: Should be based on verification times instead? Resolvers should treat as insecure instead? How does the upper bound change over time? #11 "queries for NSEC3 owner names" (aka the "paradox problem"): Three different approaches exist that have been described in past versions of the draft. Should these queries work? Some people don't feel it to be very important, but the correct behavior must be defined. #18 "Signalling complete NSEC3 chains": So that authoritative servers (primary and secondary) can determine the NSEC3 parameters. The current document requires finding the NSEC3 for the zone apex, but there are three other proposals: a) to introduce a new zone apex RR (e.g. NSEC3-PARAM), b) to reuse NSEC3 at zone apex, and c) a special case the zone apex NSEC3. Preferred solution at the moment is introducing a new zone apex RR. #22 "Separating NSEC3 from DS algorithms": NSEC3 currently reuses the DS hash algorithm registry, but the desired NSEC3 hash properties might not be exactly the same as for DS, so maybe a new registry could be needed. DISCUSSION 2 No discussion PRESENTATION 3 - "Automated DNSSEC trust anchor management" by O. Kolkman The trust anchor update requirements in DNSSEC are documented in dnsext-rollover-requirements-02. The initial set of proposals includes: draft-ietf-dnsext-trustupdate-threshold, draft-ietf-dnsext-trustupdate-timers, draft-laurie-dnssec-key-distribution, draft-moreau-dnsext-takrem-dns, draft-weiler-dnssec-dlv and P. Vixie's "old-signs-new", which is not a I-D (yet). The key-rollover scope would be replacing trust anchors, based on existing scope, and would not include using a multitude of islands of trust. Reviewers of these documents seem to converge to thresholds and timers solutions, or sometimes threshold with modifications (that is, mainly the wg documents). timers have properties that are not available in threshold and reviewers seem to like some of these in threshold, too. Others prefer the extreme of threshold with minimal parameters. Question to the floor: Timers seems to be a complete document, what is the benefit of further refining threshold? DISCUSSION 3 J. Ihren asks what the IPR status on threshold and timers is. The decision about IPR is, however, felt to be out of scope for this wg. The personal interpretation of the chairs is that no actual IPR exists (only a claim about SSL), but implementors should take decisions regarding IPR by themselves. B. Manning explains that the patent on threshold and timers is valid only in Israel (tentatively extended to Canada and Europe, but it was withdrawn). For him, timers-document is ready and sufficient, but operational considerations he sees in there should be widely reviewed. There is consensus in the room to not consider the DLV solution in this concrete discussion. R. Austein admits that DLV is only a consolidation of trust anchors, not a rollover solution. The feeling in the room about accepting B. Laurie's document to be a wg item is not conclusive. M. St. Johns states that some text on trust anchor deletion must be included in the timers document, thus it's not complete yet. He feels that timers are weird, but the necessary result of retrofitting an active protocol into a passive protocol. An alternative solution could be to do the rollover off-band with another protocol, but then issues could arise with firewalls (e.g. one protocol doesn't get blocked, but the other one does). B. Manning points out that, both with timers and thresholds, if you are offline long enough, you might lose the ability to synchronize. R. Austein expresses his preference for the timers solution. W. Hardaker states that timers are architecturally sounder and a self-contained solution. The revoke bit is good in his opinion. M. Larson states that he's fine with both solutions, however expresses concerns because the wire protocol has to change the revoke bit for timers. A. Sullivan states that the threshold is easier to grasp for the people than timers. S. Weiler expresses his preference for threshold. Consensus of the room is to go forward concentrating in timers. When the document is updated by the editor (by the end of the week), it will go for LC. PRESENTATION 4 - "RFC 2627bis, DNAME rewrite for clarity" by M. Larson and W. Wijngaards DNAME has been in the charter of the wg since 2002. RFC 2672 has shortcomings, omissions and could be clearer. Protocol will not be changed in this rewrite, which is not intended to create a DNAME2. The process will be to first create an ID listing issues with 2672, then gather WG feedback to create solutions, and later create 2627bis. First cut of issues is (more input wished): * 2672 defers signalling. Non-EDNS and EDNS0 are presumed to be non-DNAME-capable, which is actually not the case. With a signalling mechanism, the response to DNAME-capable client could omit CNAME synthesis and compress DNAME data. * 2672 prohibits compression in DNAME RDATA pending signalling, but * this could be done if the client were DNAME-capable. * 2672 always sends DNAME. Is this making like difficult to older resolvers? Would it break things with wider deployment. Signalling would help to deal with this. * 2672 requires synthesized CNAME to have zero TTL. Could it be * possible to use DNAME-TTL for synthesized CNAMES so as to allow * caching? * 2672 is not clear about wildcard DNAME. 2672 is clear that wildcard synthesis doesn't apply to DNAME, because DNAME substitution occurs before wildcard expansion, but draft-ietf-dnsext-wcard-clarify disagrees, so this issue should be expanded and clarified. * 2672 is silent on whether recursive nameservers can synthesize CNAMEs from cached DNAMEs for non-DNAME-capable stub resolvers. This must be clarified. DISCUSSION 4 R. Austein corrects the last issue by stating that it is actually worse: the draft doesn't talk about recursive nameservers, but about "servers" in general. Then he suggests to consider DNSSEC when updating the document PRESENTATION 5 - "2929bis" by D. Eastlake 3rd At the Dallas meeting there were requests for more explicit and details guidance, so these have been added in section 3.1.3 of version -03. Suggestion to go to LC with -03, considering pending comments by P. Koch. DISCUSSION 5 R. Austein questions the necessity of this doc the chairs restate its necessity. Thomas Narten pleads for the necessity of an RFC, a draft is not enough. PRESENTATION 6 - "DNS cookies" by D. Eastlake 3rd (Draft-eastlake-dnsext-cookies-00) This DNS cookies provide weak authentication of queries and responses and can be viewed as a weak version of TSIG, but with the benefit that they require no setup or configuration. They are intended to reduce forged source IP address in traffic amplification DOS attacks and recursive server workload DOS attacks, together with cache poisoning. To sum it up, the cookie RR is a meta-RR in the additional information section including a resolver cookie and a server cookie in the RDATA. The details of the functioning are described in the draft. The complexities of this solution have to do with bad guy resolver behind a NAT (who can get server cookie and attack other resolvers behind the NAT) and with anycast servers (who would need to use the same server secret or assure that queries from the same resolver go to the same server). DISCUSSION 6 R. Martin-Legene expresses sympathy for the idea, but points out that the solution would be to fix UDP. P. Koch points out that spoofing must be stopped somewhere else (cf. BCP38) and states that DNSSEC fixes cache-poisoning. M. Andrews predicts that this will increase resolution times, so it should be done an EDNS option, if at all. The chairs conclude that this is not a topic of the wg at this point, and will wait to hear feedback from the operational community, because it addresses an operational problem. PRESENTATION 7 - draft-koch-unsolicited-queries-00 by P. Koch P. Koch reminds that the DNSOPS wg is currently dealing with the amplification attack and that there is an ID about it: draft-ietf-dnsop-reflectors-are-evil-01. Then announces that there is an I-D about identifying and responding to unsolicited queries and asks for review of it: draft-koch-dns-unsolicited-queries-00. DISCUSSION 7 No discussion PRESENTATION 8 - "andrews-dnsext-soa-discovery-01" by M. Andrews This draft is about discovering zone cuts without causing negative entries to be recorded in caches. The author asks about going LC with the document. DISCUSSION 8 Apparently, few people have read it. Chairs will ask people in the mailing list to read it and depending on feedback, it will be adopted. P. Koch states that the document seems useful, but at the same time potentially dangerous because of playing games with the namespace. R. Austein points out that those mechanisms of discovery could be useful for dynamic updates. PRESENTATION 9 - "Update on wg milestones" by O. Kolkman The proposal for the update of the wg milestones has been posted to the mailing list. Please read and comment. Adjourn. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- DNSEXT66 minutes Ólafur Guðmundsson /DNSEXT co-chair