* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Doh Status Pages

DNS Over HTTPS (Active WG)
Art Area: Barry Leiba, Adam Roach, Alexey Melnikov | 2017-Oct-10 —  
Chairs
 
 


IETF-104 doh minutes

Session 2019-03-26 1120-1220: Grand Ballroom - Audio stream - doh chatroom

Minutes

minutes-104-doh-00 minute



          notes-ietf-104-doh
          
          * {
            font-family: arial, sans-serif;
            font-size: 13px;
            line-height: 17px;
          }
          ul.indent {
            list-style-type: none;
          }
          ol {
            list-style-type: none;
            padding-left: 0;
          }
          body > ol {
            counter-reset: first second third fourth fifth sixth seventh eighth
            ninth tenth eleventh twelfth thirteenth fourteenth fifteenth sixteenth;
          }
          ol > li:before {
            content: counter(first) ". ";
            counter-increment: first;
          }
          ol > ol > li:before {
            content: counter(first) "." counter(second) ". ";
            counter-increment: second;
          }
          ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third) ". ";
            counter-increment: third;
          }
          ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) ". ";
            counter-increment: fourth;
          }
          ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) ". ";
            counter-increment: fifth;
          }
          ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth) ". ";
            counter-increment: sixth;
          }
          ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) ". ";
            counter-increment: seventh;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) ". ";
            counter-increment: eighth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth) ". ";
            counter-increment: ninth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) ". ";
            counter-increment: tenth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) ". ";
            counter-increment: eleventh;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) "." counter(twelfth) ". ";
            counter-increment: twelfth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol >
          li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) "." counter(twelfth)
            "." counter(thirteenth) ". ";
            counter-increment: thirteenth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol >
          li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) "." counter(twelfth)
            "." counter(thirteenth) "." counter(fourteenth) ". ";
            counter-increment: fourteenth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol >
          ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) "." counter(twelfth)
            "." counter(thirteenth) "." counter(fourteenth) "." counter(fifteenth)
            ". ";
            counter-increment: fifteenth;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol >
          ol > ol > li:before {
            content: counter(first) "." counter(second) "." counter(third)
            "." counter(fourth) "." counter(fifth) "." counter(sixth)
            "." counter(seventh) "." counter(eighth) "." counter(ninth)
            "." counter(tenth) "." counter(eleventh) "." counter(twelfth)
            "." counter(thirteenth) "." counter(fourteenth) "." counter(fifteenth)
            "." counter(sixteenth) ". ";
            counter-increment: sixteenth;
          }
          ol {
            text-indent: 0px;
          }
          ol > ol {
            text-indent: 10px;
          }
          ol > ol > ol {
            text-indent: 20px;
          }
          ol > ol > ol > ol {
            text-indent: 30px;
          }
          ol > ol > ol > ol > ol {
            text-indent: 40px;
          }
          ol > ol > ol > ol > ol > ol {
            text-indent: 50px;
          }
          ol > ol > ol > ol > ol > ol > ol {
            text-indent: 60px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 70px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 80px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 90px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 100px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 110px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 120px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 130px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
            text-indent: 140px;
          }
          ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol >
          ol > ol {
            text-indent: 150px;
          }
          
          DNS over HTTPS Working Group - IETF 104, Prague11:20
          - 12:20 AM, 26 March 2019Grand BallroomNote Well 
          https://www.ietf.org/about/note-well/  Charter:
          https://datatracker.ietf.org/group/doh/about/Working
          Group Chairs:Benjamin SchwartzDavid "Tale" LawrenceSession
          Chairs:Pete ResnickDavid "Tale" LawrenceAgendaResolving issues
          in draft-ietf-doh-resolver-associated-doh (30 min)  Paul Hoffman 
          https://datatracker.ietf.org/doc/draft-ietf-doh-resolver-associated-doh/Re-chartering
          or new working group (balance of time):Operational
          issues regard DoHJason Livingood and Jim ReidDiscussion of
          appropriate venue for this sort of work    Minutes11:20 Meeting
          Begins---------------------------------------------------------------------------------------------11:22
          Paul Hoffman discusses issues brought up by
          draft-ietf-doh-resolver-associated-dohhttps://datatracker.ietf.org/meeting/104/materials/slides-104-doh-draft-ietf-doh-resolver-associated-doh-00Ben
          Kaduk: This topic is off-topic based on IETF mailing list charter
          (rfc3005/bcp35). (Regarding discussion occuring on many different
          lists.)Martin Thompson: Suggestions were made on how to achieve the
          goals better.Eliot Lear: "Ickiness" is too abstract of a word. Hard to
          understand the conversation.Presentation endsBrian Dickson: One issue
          with the use of possibly DoH servers where there are existing chains of
          forwarders. Need to be able to disambiguate entities in the forward chain,
          who identify themselves separate from this.Paul Hoffman: Send to list.Eric
          Rescoria (ekr): Now we can talk about authentication Paul Hoffman:
          Well-known URI has authentication, others cannot.Eric Rescoria (ekr):
          High-probability 10.0.0.1. Even if not true, ordinary behavior is going to
          be try and assume no DoH if you can't connect, and fallback to unencrypted
          DNS. Attacker can cause fallback. Not enthused about this.Paul Hoffman:
          Are you against it?Eric Rescoria (ekr): Don't see any value. JavaScript
          apps probably know which server they want to use.Paul Hoffman: often
          people would know what they want populated there anyways eg: browser
          vendorRalf Weber: Don't want to run HTTP servers on my recursive
          resolvers. Always get special name and resolver can send you to HTTP
          server.    Martin Thompson: Objections are more fundamental. Agree
          not wanting HTTP server on resolver. But why are we talking to an HTTP
          server about a DNS server in the first place? Why can't we talk to the
          DNS server? In other protocols we have ways to talk to the other endpoint;
          in DNS we have no way to talk to the resolver itself. In HTTP we can put
          in header fields, and specify the connection is doing various things,
          and so on. If we could ask the resolver, "what is your configuration for
          DoH?" we would be in a better place.    Jon Reed: You have presented
          a set, is there room for discussion to consider it in order?Paul Hoffman:
          It's an open question.Jon Reed: Can we make a recommendation that saying
          "there is no DoH" should be explicit?Paul Hoffman: Not normally what
          we do...Jon Reed: Maybe we can also put IP addresses in there since
          TLS can often fail unintentionally.    Patrick McManus: Concern
          that people say "I am okay using local resolver since I trust my local
          network". They don't trust their network, they trust their network
          provider. Paul Hoffman: Short-term terminology changes were meant to
          touch on the issues you raise. Go ahead and talk on DNSOP.Patrick McManus:
          DoH server chosen through this mechanism is not authenticated more
          than your network is.Paul Hoffman: Send text.Ted Hardie: In the draft,
          instructions to IANA: "Names MUST NOT be delegated". Paul Hoffman:
          Send text.Ted Hardie: These are specific to DoH, but could imagine
          making these TLS-protected DNS servers return DoT and DoH. Would you be
          open to expanding scope?Paul Hoffman: I would be, but this is the DoH
          working group.Ted Hardie: Affects instructions to IANA.Warren Kumari:
          Sympathetic to doing from JavaScript, but ...?    Erik Nygren: Do we
          need all 3 mechanisms? Using DNS as a resolver is attractive compared to
          other mechanisms. Special-use domain name solves a lot of problems. Of
          these, the only one that you could use in JavaScript (bootstrapping
          needs to know what resolver is).Paul Hoffman: But JavaScript cannot
          use this. Valid question is "simplify down to one?".Erik Nygren: Even
          if not possible today, could we expect that in the future it would
          be?    Ben Schwartz: At least 2 different options in draft. 1: New
          problem - think of all possible solutions & list ones that are likely to
          work. But we should pick a single solution; go to implementers and see
          which solution they prefer. No input from people building local network
          clients. Not much input from browser vendors. 2: No web API for reading
          an IP address. Even if you can resolve a name you cannot find which
          IP address it resolves to.Paul Hoffman: Did not know that there was
          no way to resolve IP address. If that's wrong then the whole thing is
          wrong but nobody has pointed it out yet.Ben Schwartz: My understanding
          is that there is no such API. Otherwise we need a W3C liaison action to
          create such an API.Jared Mauch: Current trend to encapsulate protocols
          inside of other protocols. Concerned about how we continue to do that,
          and we should discuss solution spaces. Recursion involved in that is
          relatively hard. Vendors will say "now you need to implement all of these
          different stacks". Concerned about this level of complexity. Some benefit
          to users, but broader than  browsers. Interactions are complex. If we
          need to ask vendors to implement new things, standards like this concern
          me.Petr Špaček: For us as resolver vendors, no point in us implementing
          DoH if nobody can find it. This is way more important than it seems,
          otherwise we will be stuck with Google as an endpoint. DHCP
          workgroup has been trying to solve security in DHCP for
          at least 7 years. It's just a hard problem. We shouldn't
          wait for solving that problem in order to have a DoH option for the
          client. ---------------------------------------------------------------------------------------------12:00
          Jason Livingood and Jim Reid present Centralized
          DNS over HTTPS (DoH) Implementation Issues and Risks
          ~and~ DNS over HTTPS (DoH) Considerations for Operator NetworksSlides:
          https://datatracker.ietf.org/meeting/104/materials/slides-104-doh-doh-implementation-risks-and-operations-considerations-01Tale
          Lawrence: Unstated option of "not appropriate for the IETF".Pete
          Resnick: talk about where stuff should go and what are important things
          to go.Tale Lawrence: Was going to be a model of a "pop-up working
          group".Stéphane Bortzmeyer: No, not in charter for DoH working
          group. Not a DNS-specific topic. Bigger problem for the Internet:
          dominance of big players like Google. Is work on a draft about
          consolidation. Maybe DNSOP if DNS-specific, maybe IAB work if broader;
          not in favor of a new working grouop.Vittorio Bertola: All discussion
          should be in one place. Was related discussion at ICANN(?).Watson Ladd:
          Concerned that drafts are looking at DoH and operational issues at DoH,
          ignoring a long history of misbehavior by ISPs in DNS.Stephen Farrell:
          Analysis is not sufficiently baked. Has to be redone before I would have
          a clue to how the IETF should go forward. Asking for the impossible:
          do it objectively!    Suzanne Woolf: As DNSOP chair. This does not
          feel like DNSOP work to me. It is operational but more than DNS people
          could come to analysis and correct answers. Feels more like recharter or
          BoF + WG or some other way to get this done.Suzanne Woolf: As IAB member
          (but not speaking for the IAB). Discussion has gotten more challenging
          because it is difficult to separate layer 9+ issues from technical
          ones.Ben Schwartz: Not speaking as a chair. I would appreciate a clearer
          taxonomy of the issues. Browser-related components should be transfered to
          W3C.    Warren Kumari: Every time we say DoH, we could say DoT. Want a
          new mailing list: ADD (applications doing DNS).    Gurshabad Grover:
          Some issues are superficial. Are advantages.Kirsty P.: this is important
          work and I want to see it happen and I don't care where.    Elliot
          Lear: Work should continue in the IETF. Agree with Ben Schwartz that
          taxonomy needs work. Patrick McManus: Very similar to prior pervasive
          encryption work.    Brian Dickson: DNS stateful operations has
          applicability to DoT to signal privacy from one server to another. Don't
          know where work with that would be.    Ralf Weber: Some of the issues
          are DoH & DoT, in the same boat. Need to come up with operational ways
          to deal with these. One issue is provisioning and needs to be solved
          for both DoH and DoT.    Leslie Daigle: Push back on idea that this
          will get punted to W3C. Fundamentally this is a question about how do
          DoH and DoT break host assumptions about DNS.        Wendy
          Seltzer: From W3C. Third time W3C mentioned I was summoned. I don't
          see a reason for W3C to say it should happen in that group. And I
          haven't heard this conversation in W3C groups. I can poke at groups
          if you would like for them to be engaged.Pete Resnick: ADs & chairs will
          discuss.    ---------------------------------------------------------------------------------------------Thanks
          for all the help with the minutes everyone! - Shane
          
          



Generated from PyHt script /wg/doh/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -