mirror of
https://github.com/ietf-wg-dnsop/wg-materials
synced 2025-08-22 10:17:20 +00:00
minutes
This commit is contained in:
parent
fd16e107cf
commit
a4c5f2893d
143
dnsop-ietf122/dnsop-ietf122-minutes.txt
Normal file
@ -0,0 +1,143 @@
DNSOP WG
Bangkok, Thailand
Session 1
Date: Monday, March 17, 2025
Time: 1530-1630 local
Chairs: Benno Overeinder, Suzanne Woolf, Tim Wicinski

Only discussion during the mic line are covered here, not the slides
You should definitely read the slides
Minutes by Paul Hoffman

Administrivia, Chairs
New AD for the WG: Mohamed Boucadair (Med)
Lots of clapping for Warren
Opening, Note Well
90ish people in Meetecho/Zulip
Lots of review of the past few months in the slides
Wes Hardaker: Three docs in front of the IESG will have small changes by next week
Geoff Huston: Reminds the chairs that the DNS Directorate exists for getting reviews

Hackathon results
See slides
Six documents had work done

Clarifications on CDS/CDNSKEY and CSYNC Consistency, Peter Thomassen
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
Maybe ready for WG Last Call

Domain Verification Techniques using DNS, Shumon Huque
https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
Ben Schwartz: Domain control validation vs. domain authorization
Latter is like MX records
The section on wildcards should go further down
Daniel Kahn Gilmore: Worried about the overlap beween the DNS and the other networks
Doesn't want users to be tricked into making claims they don't know
If a malicious operator can convince users to add records unde the wrong _label, big security issues

DNS Filtering Details for Applications, Mark Nottingham
https://datatracker.ietf.org/doc/draft-nottingham-public-resolver-errors/
Gautam Akiwate: DNS filtering is being discussed in ICANN's SSAC
Safari already displays messages based on DNS error codes
Need to figure out the trust model for the URLs
Ben: Doesn't agree with the role for IANA
Likes the care the draft shows
Norms from the IETF are paid attention to
Let's not charge down the wrong path
Wes: Extended DNS Error draft tried to deal with some of these issues, were told not to
Can end up displaying messages that are harmful
Read the WG discussion on EDE, maybe the WG will change
Mark: Browser vendors deal with this kind of thing all the time
Vittorio Bertola: This could be in a policy forum
This should be done
Should be for everyone, not just public resolvers
Ralf Weber: Message to be displayed to the users might be a subset of the registry?
Mark: Now is just a URL
Mark: Is DNSOP the right venue for this?
Benno: Need to discuss with the ADs, but for now DNSOP is fine

Clarifications to the DNS Ranking Data, Kazunori Fujiwara
https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-ranking-data/
Ondřej Surý: DELEG is more important than this
Willem: Legacy way to do delegations will be around for a while
Good to bring clarity for that
Jim Reid: Thinks we have to do both
Wants to clean up now, DELEG is long in the future
Ralf: DNS is currently working
Mixes different functions we have in the DNS
Might have to change the structure for the future
Don't change the guidance
Willem: Not trying to mix everything together
Collect guidance

Session 2
Date: Thursday, March 20, 2025
Time: 1300-1430 local

Collision Free Keytags for DNSSEC, Shumon Huque
https://datatracker.ietf.org/doc/draft-huque-dnsop-keytags/
Jim: Would rather a document that said "you should avoid collisions" instead of "you must not have collisions"
Suggestions are more moving parts around key generation and validation
Creating this complexity might cause more problems that it solves
Mark: BIND has been avoiding key collisions for 20 years
Now has code for partitioning
Jim: How often has this actually been seen in the wild
Shumon: Wants to make the validation process predictable
Christian Elmerot: Prefers a flag date
Easiest option does not involve coordination
Important draft to get adoption
Roy Arends: Prevents validators from being abused
Important to adopt
Collisions happen more often than you think
Petr Špaček: We need something like this because different implementations do different things
Causing operational issues today
Ralf: Supports this work
Overall problem space is low

Distributed DNSSEC Multi-Signer Bootstrap, Johan Stenstam
https://datatracker.ietf.org/doc/draft-leon-distributed-multi-signer/
Automating DNS Delegation Management via DDNS
https://datatracker.ietf.org/doc/draft-johani-dnsop-delegation-mgmt-via-ddns/
Signalling Key State Via DNS EDNS(0) OPT
https://datatracker.ietf.org/doc/draft-berra-dnsop-keystate/
No mic line
Does not have a strong feeling about whether they all need to go together

DNS Update with JSON, Paul Hoffman
https://datatracker.ietf.org/doc/draft-hoffman-duj/
Tobias Fiebig: Likes the draft, needs more work
Peter Tomasson: Question about having multiple additions or deletions, and whether a DNS host needs to block add-then-remove
Paul: Answered on the list earlier today
Paweł Kowalik: Caution about using DUJS instead of DUJ64 because quotation marks might be munged in the browser

Domain Name System (DNS) Public Key Based Request and Transaction Authentication ( SIG(0) ), Donald Eastlake
https://datatracker.ietf.org/doc/draft-eastlake-dnsop-rfc2931bis-sigzero/
Ted Lemon: Using SIG(0) heavily in SRP document, soon to be published
Likes a new RRTYPE as a first guess
Petr: How compatible is this with current SIG(0) deployment?
Donald: Not sure, but will research
Petr: Probably prefer new RRtype

dry-run DNSSEC, Yorgos Thessalonikefs
https://datatracker.ietf.org/doc/draft-yorgos-dnsop-dry-run-dnssec/
Petr: What is the interaction with aggressive caching?
Are resolvers supposed to act as if the zone is signed?
Yorgos: Need to think about it?
Peter: Instead of just signing a zone with dry-run, also test parents' checking
Would not help with a wildcard error
Should think about the checks that the parents should be doing
Jorgos: Likes this

A Top-level Domain for Private Use, Warren Kumari
https://datatracker.ietf.org/doc/draft-davies-internal-tld/
Ted: Should work on this
Tommy Jensen: Work on here
Consider that libraries MAY treat it as special to catch things from going upstream
Stuart Cheshire: Agree with logic, should be listed in registry
Jim: Not for IETF because ICANN told us what to do
Maybe figure out the process
Thanks for bearing with all the machinations
Mark: Locally served registry requires that the names have insecure delegations in the DNS
Bring-your-own-devices work because of this insecure validation
Suzanne: How much work is needed?
Warren: Almost no work
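Review bot: the new minutes file spells the same people inconsistently, which will hurt anyone grepping these minutes later: the CDS/CDNSKEY presenter is "Peter Thomassen" in Session 1 but the DUJ commenter is "Peter Tomasson" in Session 2, and the dry-run DNSSEC presenter appears as "Yorgos Thessalonikefs" and "Yorgos:" but closes the section as "Jorgos: Likes this". Suggest one spelling per person throughout, and checking "Daniel Kahn Gilmore" against the Meetecho attendee list while at it. The domain-verification paragraph has two typos ("the overlap beween the DNS" and "add records unde the wrong _label"), and the preamble "Only discussion during the mic line are covered here" should read "is covered here". Separately, bare first-name speakers are ambiguous across sessions: "Mark:" is Mark Nottingham when he answers on his own filtering draft, but "Mark: BIND has been avoiding key collisions for 20 years" and "Mark: Locally served registry requires ..." in Session 2 have no preceding full name, nor do "Willem:" in the ranking-data section and "Peter:" in the dry-run section; giving the full name on first use in each session would resolve this.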