Minutes IETF115: dnsop
minutes-115-dnsop-00

DNSOP WG
IETF 115
2022-11-08
Chairs: Benno Overeinder, Suzanne Woolf, Tim Wicinski
Notes here are only what happened at the mic, not on the slides
Minutes taken by Paul Hoffman

Chairs' slides
    https://datatracker.ietf.org/meeting/115/materials/slides-115-dnsop-chairs-slides

The ALT Special Use Top Level Domain
    draft-ietf-dnsop-alt-tld, Paul Hoffman

    Wes Hardaker: Root Server Operator. Add should not forward statement.
    Preference is "Should"

    Anthony Somerset: Does not AS112.  Leakage from root operators?
    Do not need to do anything.

    Eliot Lear:  Many thanks, GNS relies on this

    Paul Wouters: AS112 wrong tool for this

    Ben Schwartz:  Queries to the root.  wants DNSSEC vaidated.
    "DNS Context" is confusuing

    Rob Wilton: Thanks for working on this, could this now focus on stub
    resolvers. Recommends Standards Track not Infomational. **Chairs Action:
    Time for WGLC**

Hackathon at IETF 115
    Willem Toorop presented on the Hackathon results
    Perl libraries for DNS error reporting
    Encrypted Client Hello was also implented by one implementer

DNS Error Reporting
    draft-ietf-dnsop-dns-error-reporting, Roy Arends
    Viktor Dukhovni: Should a resolver behind a forwarder do something
    different:
        Roy: Could cause cascading
            Will add language regarding forwarders, or clients who don't do
            error detecting

Negative Caching of DNS Resolution Failures
    draft-ietf-dnsop-caching-resolution-failures, Duane Wessels
    Peter Thomassen: Partitioning of the cache is up to the implementers, but
    the ECS breaks that
        Duane: If an implementation normally has different caches based on the
        ECS, the cache can blow up Peter: Could go into "protect yourself"
        section
    Peter Koch: Resolution is not DNSSEC protected; add this to Security
    Considerations Ralf Weber: It would be great to ignore ECS, but doing so
    would be hard
        Leave up to the implementation

Control Options For DNS Client Proxies
    draft-homburg-add-codcp, Philip Homburg
    Benno: Wants to know if the WG wants this
    Ralf: Is this local-only, or can you extend it?
        Only between two programs
        Why not do this as an API
        Philip: Wants to do this within the DNS protocol
            Outside the DNS community if we do an API
        Ralf: Prefers API for on-machine, DNS for off-machine
    Viktor: DANE/PKIX is either no mention or mandatory: this is fragile
        This ignores opportunistic DANE
        Philip: Set both bits to zero to get that operation
            Can clarify the language to use DANE
    Benjamin: Disagrees that we don't stanardize APIs
        This feels like an API
        Browsers have rapidly-evolving requirements for how they do DNS lookups
        This is a new protocol between two parties
        Philip: The client has a probing query is already there

Consistency for CDS/CDNSKEY and CSYNC is Mandatory
    draft-thomassen-dnsop-cds-consistency, Peter Thomassen
    Wes: Supports this
        Likes mandating checking everywhere
    Ralf: Supports this
        Can't ask "all" servers in anycast
        What if you don't get a response
        Peter: Ask each provider
            Is willing to add in wording about unresponses
        Paul Wouters: This wasn't in CSYNC, our bug
    Viktor: Concern was hidden masters and nameservers that are gone and are
    never going to come back **Chairs Action: CfA**

Multi-Signer Key-Exchange (MSKE)
    draft-thomassen-dnsop-mske, Peter Thomassen
    Viktor: What about ongoing ZSK rollovers, particularly timing
        Peter: If one provider does a ZSK rollover unilaterally: unsafe
            Needs to think more about it

Structured Data for Filtered DNS
    draft-wing-dnsop-structured-dns-error-page, Tirumal Reddy
    Lots of industry interest
    **Chairs Action: CfA**