[dnsext] Forgery resilience and meeting in Stockholm
Andrew Sullivan <ajs@shinkuro.com> Fri, 08 May 2009 18:21 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7ADD73A6EDE; Fri, 8 May 2009 11:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.006
X-Spam-Level:
X-Spam-Status: No, score=-0.006 tagged_above=-999 required=5 tests=[AWL=-1.276, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_INFO=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nmqqk9cD6jn0; Fri, 8 May 2009 11:21:35 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 704D23A68EE; Fri, 8 May 2009 11:21:31 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1M2Uat-000OON-7s for namedroppers-data0@psg.com; Fri, 08 May 2009 18:14:47 +0000
Received: from [208.86.224.201] (helo=mail.yitter.info) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ajs@shinkuro.com>) id 1M2UaX-000OMw-Q7 for namedroppers@ops.ietf.org; Fri, 08 May 2009 18:14:31 +0000
Received: from crankycanuck.ca (CPE00212980eb9c-CM00194757af08.cpe.net.cable.rogers.com [99.249.242.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 878832FE9574 for <namedroppers@ops.ietf.org>; Fri, 8 May 2009 18:14:24 +0000 (UTC)
Date: Fri, 08 May 2009 14:14:22 -0400
From: Andrew Sullivan <ajs@shinkuro.com>
To: namedroppers@ops.ietf.org
Subject: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090508181422.GH2372@shinkuro.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Dear colleagues, Your Chairs have been observing the discussion around adoption of various drafts for techniques to mitigate forgeries and cache poisoning. It appears to us that the WG is not converging on consensus. We currently have a request open to adopt EDNS0 ping. The discussion of adopting the document appeared to expose a fault in the community, where some expressed strong opposition to undertaking any further forgery resilience work when DNSSEC is already available, while others argued that DNSSEC is not getting deployed and therefore we need other urgent action. Meanwhile, some other mechanisms, including "0x20" and those outlined in draft-wijngaards-dnsext-resolver-side-mitigation-01.txt seem to be showing up in various implementations. We think it would be better if we came to some more or less shared agreement on what to do in this space (including nothing). The portion of the meeting we had in Dublin that was dedicated to this topic seems not to have inspired consensus. Therefore, we would like to present five options for consideration: 1. Do nothing, and take all energy that might be devoted to this effort and direct it towards DNSSEC deployment. 2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and include in it recommendations to do nothing else except what that document contains. Remove from section 3 any strategies we do not want to adopt. (Note that this latter condition entails decisions about the next two options.) 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps this gets included in that document, or perhaps it proceeds as part of a set of documents. Let's leave the editorial process issues out of the discussion, and just focus on whether we want to include this strategy in the tool box. 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this might be included as part of (2) or processed individually, but that doesn't matter. 5. Officially adopt nothing, but support (2) and (3) going ahead as individual submissions on the Informational track. (2) would obviously need to be modified slightly to keep out any protocol items that might be entailed. The reason (4) can't just go ahead on the individual track is that the assignment of an EDNS0 code point requires standards action, so the work would come back here anyway. We will plan to request a meeting session in Stockholm to discuss this issue (and possibly some other topics before us). If the WG can come to a clear consensus on-list before then (and we have no other business), then obviously we will be in a position to cancel the Stockholm session. If we have not come to a conclusion by 20 May, we will keep the session scheduled. In the absence of strong arguments in favour of action and at least an apparently broad constituency to do the work within the WG, the Chairs are inclined to take option (1), because the WG is supposed to be sleeping. This is by no means to say that we are prejudiced in favour of that option. It is rather to say that we are procedurally bound, by our charter, to a default of "No" for at least some of these documents. Adding a new standards-track item to the WG work requires rechartering, please note, and given one other request we have open we may therefore need to recharter anyway. Best regards, Olafur and Andrew -- Andrew Sullivan ajs@shinkuro.com Shinkuro, Inc. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Forgery resilience and meeting in Stockh… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… W.C.A. Wijngaards
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Ondřej Surý
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… Roy Arends
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Stefan Schmidt
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Matt Larson
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Mark Andrews
- Re: [dnsext] Forgery resilience and meeting in St… Bert
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Desperate plea for 0x20, was Re: [dnsext] Forgery… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Paul Vixie
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Jeffrey A. Williams
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- RE: Desperate plea for 0x20, was Re: [dnsext] For… Antoin Verschuren
- RE: [dnsext] Forgery resilience and meeting in St… Antoin Verschuren
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Federico Lucifredi
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Otmar Lendl
- Re: [dnsext] Forgery resilience and meeting in St… Ólafur Guðmundsson /DNSEXT chair
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Federico Lucifredi
- Re: [dnsext] Forgery resilience and meeting in St… Peter Koch
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Ted Lemon
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson