minutes

2025-08-22 02:09:16 +00:00 · 2019-11-24 14:17:42 -05:00 · 2019-11-24 14:17:42 -05:00 · 422040e75d
commit 422040e75d
parent f37fe62f7b
2 changed files with 241 additions and 1 deletions
--- a/dnsop-ietf106/dnsop-ietf106-agenda.txt
+++ b/dnsop-ietf106/dnsop-ietf106-agenda.txt
@ -80,7 +80,7 @@
    - 10 min
 *   Operational recommendations for management of DNSSEC Validator
-    - https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/
+    - https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/
    - Daniel Migault, mglt.biz@gmail.com
    - 15 min
--- a/dnsop-ietf106/dnsop-ietf106-minutes.txt
+++ b/dnsop-ietf106/dnsop-ietf106-minutes.txt
@ -0,0 +1,240 @@
 DNSOP WG
 IETF 106, Singapore
 Chairs: Suzanne Woolf, Tim Wicinski, Benno Overeinder
 Minutes taken by Paul Hoffman
 Text from slides not given here
 ### Day 1 ###
 Administrivia
 Hackathon Report
 Benno Overeinder
 	Overview of the many projects from this Hackathon
 Message Digest for DNS Zones
 draft-ietf-dnsop-dns-zone-digest
 Duane Wessels
 	(No slides)
 	Added multiple digests per zone
 	Two interoperable implementations
 	Ready for WG Last Call? Proposed standard or experimental?
 	Suzanne: Are people comfortable with deploying at scale, even with the experimental stuff in Section 5
 	John Levine: Doesn't understand what is hard to deploy with this
 		Duane: Large dynamic zones
 		John: Comfortable with static, and people will experiment later
 	Alex Mayrhofer: Which are the implementations?
 		Duane: LDNS in C, and Shane Kerr in Python
 		Alex: Experimental
 	Warren Kumari: If it experimental, we have to say what the experiment is
 		Suzanne: That leans towards standards
 		Benno: NLNetLabs plans to implement in next year
 Extended DNS Errors
 draft-ietf-dnsop-extended-error
 Wes Hardaker
 	People seem to really care!
 	Better than not caring
 	Discussion of EDE overflow options
 		Set TC bit, don't set TC bit, create new bit
 		Ray Bellis: A minimal error response only needs the Question section
 			Wes: Could still live in the wild
 		Mike StJohns: Need to say for UDP-specific
 			Likes create new bit
 		Ondrej Sury: Don't do anything special
 			Set TC bit
 		Ralf Weber:
 			Set TC bit
 		Eric Orth:
 			Create a new bit
 			Doesn't want to do another round trip
 		Petr Špaček: Don't set TC bit
 		Robert Story: Keep EDE but throw away glue records
 		Brian Dickson: Use TC bit and create new bit
 		Mike StJohns: Definition of TC bit says you will get the same thing back
 			Wes: No, it's a hint
 		Ondrej: You could hit a different server if you come back over TCP
 	Forwarding case
 		Brian: Locally-generated generated identity from ABCD group
 			Wants 4.1
 		Ray: Don't do anything
 		RalfW: Multiple boxes in the stream won't have been updated
 		Ben Schwartz: Doesn't like the idea
 			Efficiency issue
 			There is no signal in the query, so you have to do this all the time
 			Forward it, or set your own answer
 		Ondrej: Forwarding is not specified in this document, might be added when there is more experience
 			Wes: That's what we have now
 				The list wanted resolvers to pass to end uers
 		Vittorio Bertola: Without tracing, will be useful
 		Ray: EDNS doesn't work this way, it is really hop-by-hop
 		Brian: Forwarders that don't know EDE don't add any value
 			Finding the resolver's name is the big value
 	More on the list about both
 Service binding and parameter specification via the DNS (DNS SVCB and HTTPSSVC)
 draft-ietf-dnsop-svcb-httpssvc
 Ben Schwartz
 	Mark Andrews: Keep the zero
 	Ray: Using a SHOULD may make getting early allocation for code point
 	Eric: Wants shorter chain legths
 		Come up with a better name
 	Alex: Could the names be for the authoritative name server
 	Mark: SHOULD is fine, if it isn't MUST
 	(?) from Cloudflare: Is the alias form required?
 		Ben: No
 			Examples are the most complicated possible
 			Will add simpler examples
 	(?) from Jabber: Concerned about when no clients need ANAME record
 	Brian: Updates DNAME and CNAME
 	(?): ESNI has its own format
 		Helps make server that only does HTTP3 clearer
 	RalfW: With caching, the stub is rarely affected
 		Hints section text is now superflouous?
 		Ben: Requested from ESNI folks
 			Prevents the stub from doing chain-walking for address records
 		In 11.1, could not find key0 and key5
 	Tommy Pauly: Needs to work well with resolvers that don't know about it
 		What is the timeframe for the bikeshed?
 	Ralf Dolmans: How does alias chain spread out?
 		Ben: If resolver see an alias record, need to send out three queries
 	Ondrej: Likes the idea of IP hint
 	Dan York: Are there client implementers for this?
 		Eric: Yes
 	Mark: Wire formats need to be stable for early allocation
 	David Schinazi: Yes, we want this
 	Brian: Implementing at least the 0 case, maybe others
 ### Day 2 ###
 DNS Transport over TCP - Operational Requirements
 draft-ietf-dnsop-dns-tcp-requirements
 Duane Wessels
 	Latest draft -05
 		Mentions TLS
 		Dropped TFO to MAY
 		Other updates
 	Ready for WG LC?
 	Ondrej: Will use this document as a base for BIND updates
 	Brian: Will look over it for GoDaddy suthoritative implementation
 	Petr: We have feedback next year
 Interoperable Domain Name System (DNS) Server Cookies
 draft-ietf-dnsop-server-cookies
 Willem Toorop
 	PaulW: What privacy is gained?
 		Willem: Don't send out the address when the address changes
 	Wes: Agrees with PaulW, but why can't the client just change its secret all the time?
 		Willem: The server would send the same cookie
 		Wes: Client can decide how long its cookies live
 		Willem: Client should notice if the server doesn't support cookies
 	Jim: How often is often?
 		Willem: If your client IP does not change, you don't need to change it
 		Jim: Give guidance about "often"
 		Ondrej: Draft says one year
 	PaulH: Maybe bring this to the list
 	Suzanne: Next step is coding
 Related Domains By DNS
 draft-brotman-rdbd
 Stephen Farrell
 	Warren: Do you need both sides to point to each other for "related"?
 		Stephen: Yes
 	Warren: Likes the "unrelated" case
 	Petr: Looking for practical use cases, not theoretical
 		Stephen: Comcast has some
 	Daniel Migault: Impact on size of responses?
 		Stephen: Pretty small
 	John L: Not convinced about DNSSEC-like
 		Also: without the Mozilla PSL, this isn't useful
 		Would want to do the DBOUND problem
 		Stephen: Is there a small part of the problem that can be used?
 	Tim: Salesforce has a real use case
 		This is step 1
 		Would like to see something like this start to happen
 	John L: Useful to say "two subtrees are the same"
 	Benno: Will take to mailing list
 	PaulH: Define "this"
 	Stephen: Maybe ask the list about each doc
 Operational recommendations for management of DNSSEC Validator
 draft-mglt-dnsop-dnssec-validator-requirements
 Daniel Migault
 	Leif Johanson: Is it meaniful to expose this to the outside world? "Here is how I establish trust?"
 		Making trust auditable?
 		Daniel: Haven't thought about it
 		Leif: It's turtles all the way down
 		Daniel: Underspecified in the current version
 	Chris Box: Thank you for the document
 		Really useful
 		Daniel: Had issues for positioning correctly
 	Yoshiro Yoneya: Supports document
 		Impetus of MTA operation is to have more contact the customer support center
 		Add this to the draft
 		Daniel: Is in NTA document
 	Lots of people now interested in reading the document
 Avoid IP fragmentation in DNS
 draft-fujiwara-dnsop-avoid-fragmentation
 Kazunori Fujiwara
 	Ondrej: There is a draft in the Int Area saying that fragmentation is fragil
 		All this is UDP-specific
 		Let that draft finish first, then do DNS-specific things
 	Warren: It is in RFC Editor queue
 	John L: There is DNS-specific stuff that we can say
 		Should adopt
 	Brian: Might need embellishments, split out resolver-to-auth and stub-to-recursive
 		Give the recommendations up front
 	Geoff Huston: This is too prescriptive
 		Jumping to solutions based on edge case
 		Timeouts are most important
 		Probably the wrong approach
 		Davey Song's ATR
 		For UDP, run with high MTUs because TCP is the last resort
 		This is solving the 6-12% problem by making it a problem on everyone
 		There is no hurry
 		Not ready for adoption
 	Brian: Vulnerability to cache poisoning due to fragmentation
 	Suzanne: Shows a lot of effort, but we should wait and see the status on the Int Area work
 		Then see what of this work is DNS-specific and useful
 	Mark: Cookies are not perfect
 User Assigned ISO 3166-1 Alpha-2 Codes and the DNS Root Zone
 draft-arends-private-use-tld
 Roy Arends
 	Brian: Great, has a use case for it
 		Prefer delegated unsiged
 	Warren: Lots of thoughts
 		Agree that we need an interal namespace
 		Took it to ICANN
 		Roy: Wants it to be private space
 			Doesn't want it to semantic
 		Wants it to be semantic
 		Needs to be an insecure delegation
 		Wants it to go somewhere
 		Read Suzanne's expired document
 	Suzanne: IETF cannot decide what goes into the root zone
 	Stewart Cheshire: Inspired idea, wish we had thought of it 15 years ago
 		Discuss with ICANN to be sure there will not be conflict
 		Teminology suggestion: don't use "private", but instead "internal"
 		Different people have different views of who gets to choose the name
 		Industry can pick within the industry
 	Jim: Could become a rathole quickly
 		Simpler is to list the codes, say "pick one"
 	Terry Manderson: Loves this
 		Avoids a lot of political skirmishes
 	Wes: Do both signed and unsigned
 		Roy: this could be the undelegated, .internal could be delegated
 	Petr: Collisions will happen when organizations merge
 		Terrible things will happen the longer it goes on
 		Roy: Merging firms will have lots of problems
 	Klensin: No representative of history
 		TC 46 can do different things
 		Roy: Looks for engagement on WG list
 	(?) Gupta: Enterprise users don't read / don't care
 		Who would anyone use this?
 		Roy: There has never been a BCP, so we can point to it
 	Stewart: As things evolve in the DNS
 		The incentive increases for identifying internal names
 Chairs: Please read draft-pusateri-dnsop-update-timeout because we ran out of time