WGs marked with an
Dnsop Status PagesDomain Name System Operations (Active WG) |
Ops Area: Ignas Bagdonas, Warren Kumari | 1999-Jun-03 —
Chairs:   |
IETF-103 dnsop minutes
Session 2018-11-05 1350-1550: Chitlada 1 - Audio stream - dnsop chatroom
Minutes
# DNS Operations (DNSOP) Working Group
## IETF 103
* Date: 5 November 2018
* Time: 13:50-15:50 ICT (0650-0850 UTC)
* Room: Chitlada 1
* Chairs: Tim Wicinski
* Chairs: Suzanne Woolf
* Chairs: Benno Overeinder
* Minutes: Thomas Peterson
* Secretary: Paul Hoffman
* IESG Overlord: Warren Kumari
* [Document
Status](https://github.com/DNSOP/wg-materials/blob/master/dnsop-document-status.txt)
* [DataTracker](https://datatracker.ietf.org/wg/dnsop/documents/) ---
## Agenda
### Administrivia
* Agenda Bashing, Blue Sheets, etc, 10 min
* Updates of Old Work, Chairs, 10 min
Next up for DNSOP WG adoption: draft-wessels-dns-zone-digest
Warren Kumari - ipv4.arpa draft
Paul Hoffman: KSK roll side meetings on Wednesday afternoon at 4pm and
Friday morning at 9am
### Current Working Group Business
* draft-ietf-dnsop-serve-stale, Lawrence, 15 min
Stuart Cheshire: I think this is a really good idea, we did something
similar at iOS 12. iOS behaviour is similar, and works inconjunction
with Happy Eyeballs. It would be nice if the client could signal to
the resolver that it could wait for correct answers. Could we discuss
cache-refresh before expiration?
David Lawrence: Draft now specifies refresh.
Ondrej Sury: Believe this is a good idea, but options should be dropped
due to security implications. Suggest to document existing implementations
like Unbound.
Wes Hardaker: Supports this document, and higher TTLs are
determental. What would you do with EDNS options? The values in timer
recommendations are less important that defining acceptable ranges.
Paul Wouters: Options are terrible idea, but serve-stale is great idea.
Mukund Sivaraman: RFC2181 should remain to treat it as 0 as it assumes
an error.
David Lawrence: Both options (cache for 68 years or constant refresh)
are terrible
Giovane Moura: Resolvers already deployed in the world already do this,
e.g. OpenDNS
Chris Lemmons: EDNS makes things more complex, other means should provide
access to debug information
John Ihren: Who is in the best position to serve stale? The zone owner. Go
with long TTL, but change update TTL behaviour.
Mark Andrews: We should add a second TTL, a serve stale TTL, and another
to signify how often things need refreshing. It would require using
EDNS1 to ensure server support.
David Lawrence: Do you see this as an eveolution?
Mark: We should bite the bullet. EDNS makes signalling a new field to
client easy. We should give authoritative ability to serve stale for
and update interval.
* draft-ietf-dnsop-aname, Chairs, 15 min
Ray Bellis (in discussing draft-bellis-dnsop-http-record-00): CNAME/DNAME
is a orthoganal problem, as it does not cover "CNAME at the apex". Point
of HTTP record is to get traction from browser vendors as they dislike
SRV, as well SRV no good for wildcards. Browsers also islike priority and
labels. Hopefully minimal changes to browsers. No changes to authoritive
infrastructure, RDATA identical structure as PTR. Recursors change small -
optional ability to fill in A/AAAA, and in being optional negates expert
review. HTTP is just a resource record.
Wes Hardaker: We need to ensure we are looking far ahead, this may bite
us again in future. This should be solved generically.
Ray Bellis: Then just get a new record type for it
Mark Andrews: SRV and Port 0 is same as HTTP. Types should not become
class independant. SRV is perfectly fine.
Tim: But HTTP people won't touch SRV.
Wes Hardaker: This would help in the secnario of multiple responses
Ray Bellis: Have a multiple query types draft in the works.
* draft-ietf-dnsop-rfc7816bis, Hofmann, 15 min
Ondrej Surry: BIND has sponsored work to implement QNAME, release being
prepared
Petr Spacek: Had QNAME on for ~2 years
Ralph Dolmans: We name QNAME minimisation by default
* draft-ietf-dnsop-7706bis, Hofmann, 15 min
Mukund Sivaraman: This draft is a fine idea, we want resolvers
closer. Questions about scaling, as every resolver will need a copy of
a root, which needs testing. Copy of root on a blackhole local network
resolver.
Wes Hardaker: Issue of running on localhost/1918 address space. Presented
that draft is more secure and better for privacy. Some roots have turned
on transfers.
Ondrej Surry: ICANNN have sponsored local copy of root into BIND, and
will send example configuration.
Paul: If there is language that precludes non-root zone, please call
it out.
John Levine: Are you providing copies of root with expiring signatures?
Ralf Weber: Why not move this directly into the resolver?
Paul: This answers resolves getting answers as if it were root, however
flags may differ
Ralf: Would you consider moving to the resolver doing this itself?
Paul: No opposition
Tony Finch (via Jabber): Do we need this when we have NSEC + Prefetch +
Serve Stale?
Paul: Aggressive prefetch could do that, which doens't yet exist.
Petr Spacek: We have explored this, zone is more efficient to get in bulk.
Dan York: At ICANNN this is called "hyper-local".
### New Working Group Business
* draft-mayrhofer-did-dns, Mayrhofer, 10 min
Jim Reid: In the past changes to EnumService, IANA refused to update
register despite valid use case. Please be careful how you articulate
to area managers.
* draft-hoffman-dns-special-labels, Hofmann, 15 min
Ondrej Surry: Thank you for doing this, but it's so boring
Petr Spacek: Also grateful but boring
* draft-lhotka-dnsop-iana-class-type-yang, lhotka, 10 min
Ondrej Surry: Who will be doing the updates?
Ladislav: The idea IANA maintains this model as per the IANA
considerations
Ian Farrer: Vote of support for the work
Wes Hardaker: The more we have structs and enums available, the
better. RFC 6168 is worth looking into.
* draft-hoffman-resolver-associated-doh, 15 min
Dan York: Requesting eyes on
draft-york-dnsop-deploying-dnssec-crypto-algs-01