
Minutes IETF100: doh
minutes-100-doh-00

Meeting Minutes DNS Over HTTPS (doh) WG
Date and time 2017-11-16 05:30
Title Minutes IETF100: doh
State Active
Last updated 2017-12-06

DNS over HTTPS (DOH)
IETF 100 Singapore
Raffles City Convention Center
Olivia room
Thursday Afternoon session I
13:30-15:30 Singapore Local Time (UTC +8)
05:30-07:30 UTC

13:30 - 13:40 (10 min) Chair slides - David Lawrence / Ben Schwartz

Eliot Lear (EL): What documents to address changes.

Patrick McManus (PM): Discussion on protocol, discussion on other topics.

https://datatracker.ietf.org/meeting/100/materials/slides-100-doh-chair-slides/

13:40 - 14:30 (50 min) Proposed protocol
 - (15 min): Slides on draft-ietf-doh-dns-over-https - Paul Hoffman / Patrick McManus
 - (35 min): Protocol-related discussion

https://datatracker.ietf.org/meeting/100/materials/slides-100-doh-draft-ietf-doh-dns-over-https/

Issue #11 discussion: Requirements; Silence; Endorse with Explanation

Martin Thomson (MT): Endorse w/explanation.
Paul Hoffman (PH): How to deal with out of order responses?
MT: You get HTTP (no pipelining)
PH: Parallel TCP connections
MT: Articulate advantages, SHOULD not MUST

Mark Nottingham (MN): Silence. Discussion about ordering, many reverse proxies
talk http/2 f/e and http/1 b/e

Ian Swett (IS): Any advantage to writing http/2 only?
PH: much harder to do http/2 only
IS: Strong support for SHOULD

Ted Hardie: Might want to say things about clients and servers.
Servers MUST support h2, clients SHOULD support h2

Andrew Sullivan (AJS): Many pushing back that this is a transport for DNS.

John Levine (JL): Refighting use case for proxy.

MN: SHOULD is not appropriate here.

**Action:  Will take away as Endorse with Explanation**

Issues 13/14/15: HTTP Caching

MN: Wordsmith Issue 13; Issue 15 2119 text?
PH: Stronger than 2119

MT: Q about how this worked in practice. HTTP cache swallowed by DNS cache.
PM: HTTP cache shared between clients.

Ben Schwartz (BS): Logic took a while to understand. Rewrite DNS TTL in HTTP
cache?
PH: Age header nuance.

Ray Bellis (RB): TTL treated as absolute maximum.
David Lawrence (DL): Unbound example of requerying based on shortest TTL in
answer set.

Warren Kumari (WK): When a server publishes a 10 minute TTL, they assume it will
stay around for 20 minutes.

Jim Reid (JR): DNSSEC
PH: No different than current state

MN: Collision with vultures. Spec could contain examples with deployment
scenarios.

Mark Andrews (MA): All records will expire at the same time.

JL: Strongly work out examples.

MT: send 7719bis links to list
PH: Done
MT: RRSet caching vs msg caching
PH: Not a good thing to discuss here

14:30 - 15:30 (60 min) Open discussion
 - (50 min) Beyond-protocol technical discussion
 - (10 min) Identify next drafts needed and solicit volunteers

RB: HTTP proxy, refer to xpf draft

EL: Split DNS, load balancer issues. Thinks there is a paragraph or two to add
to the document.

PH: as long as more than a paragraph

Steven: The security of DNS over HTTPS relies on PKI.
MT: OCSP stapling means not going to another server. May want to mandate
stapling. OCSP is good practice; OK to recommend.
Adam Roach (AR): Operational considerations may have proposed mitigations.

MN: One use case is manually configured somehow.
DL:  Browser vendors would love to bypass DNS timings.

MT: may be a little bit careful on this.

AJS: Slightly concerned about order. Two sets of people in the document who
speak two different languages. Work out concrete examples.

PH: Clients do different certificate checking. Not use h2 roots. Loops may show
up.

BS: Lot of people scared that other people will be confused.

Mike Bishop (MB): DNSSEC pushing around DNS resources. h2 relies less on DNS.

Erik Kline (EK): Implementation Q. DNS-TLS: what to do if DNS has too many
queries?
MT: h2 has mechanisms to protect against this class of attack.

EL: pull request of a paragraph.
BS: Pull Requests

BS:  Anyone want to write another draft?

Alex Mayhoff (AM): Could see some extensions on how we do things via DNSOP.

AJS: Premature to write additional drafts. Maybe more threads.