mirror of https://github.com/ietf-wg-dnsop/wg-materials synced 2025-08-22 02:09:16 +00:00

added minutes

Tim Wicinski 2022-08-02 17:56:30 -04:00
parent 6de8c76f20
commit e5ce8d5ab0
2 changed files with 140 additions and 21 deletions

View File

@ -1,5 +1,5 @@
# DNSOP Chairs Status
### Updated: 6 June 2022
### Updated: 3 August 2022
Official document list: https://datatracker.ietf.org/wg/dnsop/documents/
@ -13,7 +13,6 @@ Questions, Concerns, etc: dnsop-chairs at ietf.org
* ["Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)" - draft-ietf-dnsop-svcb-https](https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/)
* ["Guidance for NSEC3 parameter settings" - draft-ietf-dnsop-nsec3-guidance](https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec3-guidance/)
## IESG Queue
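Review bot: draft-ietf-dnsop-nsec3-guidance is dropped from the list above "## IESG Queue" and does not reappear in any other hunk of this patch, so the status file no longer records where that document went; if it has moved to a later stage, add it under the section that tracks that stage in the same commit, so the list stays a complete picture of the WG's documents.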
@ -24,6 +23,9 @@ Questions, Concerns, etc: dnsop-chairs at ietf.org
## In WG Last Call
* draft-ietf-dnsop-avoid-fragmentation
* draft-ietf-dnsop-dnssec-bcp
## Upcoming WG Last Calls
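Review bot: draft-ietf-dnsop-avoid-fragmentation and draft-ietf-dnsop-dnssec-bcp are now listed under "## In WG Last Call", but the next hunk still carries per-draft status bullets for both ("Value or values" / "**Action**: Make progress" and "recently adopted"); since the rendered diff does not show +/- markers, please confirm those older bullets are the removed lines, or update them so each draft's state appears once and matches the WGLC listing.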
@ -33,33 +35,27 @@ Questions, Concerns, etc: dnsop-chairs at ietf.org
- Currently being Held
- **Action**: Chairs
* draft-ietf-dnsop-avoid-fragmentation
- Value or values
- **Action**: Make progress
* draft-ietf-dnsop-dns-catalog-zones
- **Action**:
- WGLC in September
* draft-ietf-dnsop-dns-error-reporting
- **Action**:
* draft-ietf-dnsop-dnssec-bcp
- recently adopted
* draft-ietf-dnsop-dnssec-bootstrapping
- Recently adopted
* draft-ietf-dnsop-dnssec-validator-requirements
- WGLC in September
* draft-ietf-dnsop-glue-is-not-optional
- **Action**:
- WGLC Real Soon Now
* draft-ietf-dnsop-ns-revalidation
- document has three TODO to address
- **Action**:
- **Action**: Shumon working on adding an author to help
* draft-ietf-dnsop-rfc8499bis
- **Action**:
- **Action**: Interim in September
* draft-ietf-dnsop-zoneversion
- Was named rrserial
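Review bot: several entries keep a bare "- **Action**:" bullet with no owner or action (draft-ietf-dnsop-dns-catalog-zones, draft-ietf-dnsop-dns-error-reporting, draft-ietf-dnsop-glue-is-not-optional, draft-ietf-dnsop-rfc8499bis); either fill them in the way ns-revalidation and rfc8499bis do ("**Action**: Shumon working on adding an author to help", "**Action**: Interim in September") or drop the empty bullet, otherwise a reader cannot tell an unassigned action from a stale one.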
@ -67,26 +63,27 @@ Questions, Concerns, etc: dnsop-chairs at ietf.org
* draft-ietf-dnsop-dnssec-automation
- Recently adopted
* draft-ietf-dnsop-domain-verification-techniques
- Recently adopted
* draft-ietf-dnsop-caching-resolution-failures
- Recently adopted
## Recently Expired Documents
## Active Calls for Adoption
* draft-rebs-dnsop-svcb-dane
- Needs a few more
## Candidates For Adoption
* draft-sahib-domain-verification-techniques
* draft-wing-dnsop-structured-dns-error-page
* draft-rebs-dnsop-svcb-dane
* draft-dwmtwc-dnsop-caching-resolution-failures
* draft-dulaunoy-dnsop-passive-dns-cof
* draft-klh-dnsop-rfc8109bis
* draft-wing-dnsop-structured-dns-error-page
## New Documents
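Review bot: draft-wing-dnsop-structured-dns-error-page appears twice under "## Candidates For Adoption", and draft-rebs-dnsop-svcb-dane is listed under both "## Active Calls for Adoption" and "## Candidates For Adoption"; with no +/- markers in the rendered diff it is not clear which copy is the removed line, so please confirm the resulting file lists each draft once. The same check applies to draft-sahib-domain-verification-techniques, still a candidate here while draft-ietf-dnsop-domain-verification-techniques is marked "Recently adopted" above. "## Recently Expired Documents" is also left with no entries directly followed by the next heading; either note that there are none or remove the heading.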

View File

@ -0,0 +1,122 @@
DNSOP WG
IETF 114
2022-07-28
Chairs: Benno Overeinder, Suzanne Woolf, Tim Wicinski
Notes here are only what happened at the mic, not on the slides
About 120 people attended
Administrivia
DNS Directorate: Warren Kumari
Please volunteer to review documents for the new directorate
IETF 114 Hackathon Results
Nils Wisiol talked about work on DNSSEC bootstrapping
Yorgos Thessalonikefs talked about DNS error reporting
DNS Security Extensions (DNSSEC): Paul Hoffman
draft-ietf-dnsop-dnssec-bcp
No questions at the mic
Recommendations for DNSSEC Resolvers Operators: Daniel Migault
draft-ietf-dnsop-dnssec-validator-requirements
No questions at the mic
Survey of Domain Verification Techniques using DNS: Shivan Kaul Sahib
draft-sahib-domain-verification-techniques
John O'Brien: Glad to see commentary on time-limited
Some service providers require that a domain being validated by a second-level domain
Some require that it be at a zone cut
John Levine: It should be a BCP
Shivan: Could be an RRtype, but dropped
Was meant as a survey, but could be a BCP
Brett Carr: Make it a BCP
Too many ways to do it
Anthony Somerset: Make it a BCP
Draw more attention to the TCP fallback problem
Ben Schwartz: Add a sentence about DNAME
Doesn't care what it says, but it should say something
Chairs: Asked if there were objections to BCP; none in the room
dry-run DNSSEC: Yorgos Thessalonikefs
draft-yorgos-dnsop-dry-run-dnssec
Wes Hardaker: Likes this
Must not get in the way of current validation
Thus: no DS hacks
Steve Crocker: Doesn't like going insecure
Yorgos: Only arises when you are testing, not when actually signed
Viktor Dukhovni: Concern that all resolvers will act correctly when presented with an unknown DS
Tested with DS 0, found failure
Would need many resolvers to adopt this before it would be useful
Paul Hoffman: Would like the variable-size DS for pre-testing post-quantum signing algorithms
Ben: Would like to know the error rate, not just the reporters
Yorgos: Can turn on "no error" report
Lars-Johan Liman: Likes this
In order to avoid having lingering things, would like to have timers to turn this off
Suggests that software pull them after a time
Wes: This supports doing algorithm roll
Lots of corner cases, including larger responses
Peter Thomassen: Keeping around longer is only harder on the registry
Should be their policy
Maybe not needed for PQC because the hash size won't change much
Resolver will choose the first DS type it knows, so naive resolver might not see this
Yorgos: Have an idea on how to implement for this
Sam Weiler: RFC 4955 says to use a reserved DNSKEY to do this
Nils: Would prefer EDNS0 in clients where clients have opted in
Viktor: Doesn't think client-side will work because of caching
Likes stealing a bit from the hash algorithm
Mark Andrews: Variable length digests for private OID types; don't be scared of them
Maybe want a dry-run as DNSKEY as well
Thinks this is safe to experiment
Initializing a DNS Resolver with Priming Queries: Paul Hoffman
draft-klh-dnsop-rfc8109bis
No questions at the mic
Structured Data for Filtered DNS: Dan Wing
draft-wing-dnsop-structured-dns-error-page
John O'Brien: Should look at how this interacts with RPZs
Petr Spaček: Have you heard from browser vendors?
More positive response
Brett: Supports adoption
Ben: This revision is an improvement
Should this be in DNSOP? This is a deeper question
Browsers already have their own private mechanisms
Tim: Chairs want to hear from folks who want to implement this
Johnathan Reed: Supports adoption
Akamai could implement this for some of its services
Viktor: This is for reporting RPZ names
Not in conflict with what browsers are doing
Chris Box: Would like to see this developed
John O'Brien: Useful for applications other than web browsers
Recent results on measuring the end-to-end success rate of DNSSEC and new record types: Eric Rescorla
Ray Bellis: Home gateway resolvers are much worse at passing DNSSEC records
Brian Dickson: Could you test this for particular routers
Eric: Probably yes
Hazel Smith: Had done some testing on DoT and DoH resolvers; do you have any called-out data?
Eric: No, started at the end of their study
Assume that they work
Viktor: Can this be done by geography?
Eric: Data will be in the paper
Mark: Could you do the EDNS0 query?
Eric: Can show the code
Daniel Kahn Gillmore: Wants to see by size of packets
Eric: In the report
Daniel: We need to think what we can do when we know there are parts of the network is garbage
Wes: RFC 8027 covered some of this
Table is missing RRSIG
Eric: Took out of the report
CDS/CDNSKEY Consistency Is Mandatory: Peter Thomassen
draft-thomassen-dnsop-cds-consistency
Mark: CDS records are no different than any others
One NS might be down, which would stop the
Peter: This is telling the parent how to act when faced with inconsistent information
Viktor: There might be hidden masters
Don't want to get stuck
Peter: Wording could be changed to allow servers down
Ben: There is a missing time constant
When do I recheck if I get an inconsistent set?
Peter: 7344 doesn't put any time limit
Ben: Should suggest some time to retry when there is an inconstancy
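Review bot: the line "One NS might be down, which would stop the" is cut off mid-sentence; finish it or mark it as an incomplete note. Two spellings to check: "Daniel Kahn Gillmore" should be "Daniel Kahn Gillmor", and "inconstancy" in the last line should read "inconsistency"; the agenda title "Recommendations for DNSSEC Resolvers Operators" should be "Recommendations for DNSSEC Resolver Operators". The new minutes file also has no headings, bullets or blank lines, unlike the status file in the first part of this commit, so agenda items, draft names and mic comments run together when rendered; using the same markdown conventions (a heading per agenda item, a bullet per speaker, indented bullets for follow-ups) would make the minutes readable without changing their content.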