Skip to main content

Minutes IETF116: dnsop

Meeting Minutes Domain Name System Operations (dnsop) WG
Title Minutes IETF116: dnsop
State Active
Other versions plain text
Last updated 2023-03-30

IETF 116, Yokohama
Thursday moringing, March 30, 2023
Chairs: Benno Overeinder, Suzanne Woolf, Tim Wicinski (remote)
Minutes taken by Paul Hoffman
Only stuff said that happened at the mic is reported here

Administrivia and updates of old work

GNU Name System (Very Short Update), Christian Grothoff
        Warren Kumari: Need to reply to authors
                Did the IETF conflict review
                        Close to DNSOP, but doesn't prevent publication
                        Has a limited number of possible responses in the
                        conflict review
        Wes Hardaker: Thank you for using .alt
                Lots of cool technology in the protocol
                Christian: Knew that they had publish a RFC
                Conflict with the RRtypes, prevents working with the DNS in the
        George Michaelson: Mostly philosophical comments
                Implement a registry function for .alt
                First occupant has some expectation of structure
                Who has control of the registry?
                        Christian: Will do first come, first served in their
                        own .alt
                Has an issue with "reservers"
                Should not be spinning an alternate registry
                        Christian: Didn't get an IANA, so they did their own
        Eliot Lear: Thanks to the WG, authors and ADs
                Has not made a publication decision yet
                Invites people to still commment to the ISE

Structured Error Data for Filtered DNS - Document Update, Tirumal Reddy
        Ben Schwartz: Would like to see the registries tightly controlled: IETF
                Wants to prevent the designated expert from being pressured for
                odd states
        Tommy Pauly: Agrees with Ben on reviews
                Wants the text to not be browser-specific
                Contact info marked as mandatory
                        There may be future cases which don't need contact info
                        Browser or OS may know better than the DNS about what
                        to do because it has more context Tiru: Agrees, didn't
                        put specific URIs in Should be a list of URIs, but may
                        be too narrow

Structured Error Data for Filtered DNS - Implementation, Gianpaolo Scalone
(remote) and Ralf Weber (local)
        Designed an extension for Chrome
        Wes: Super happy to see the deployment
                Ralf: No address redirection
                        Use NXDOMAIN with EDE
                What is the UI when the main page is fine but are requesting
                sub-resource like JS or CSS
        Tiru: Don't want a user to go to another page, so put it all on the
        main page Gianpaolo: Sees some text to explain this Tiru: Can address
        comments gotten here

Domain Verification Techniques using DNS, Shivan Kaul Sahib
        Yasuhiro Morishita: Wants information for external DNS providers
                Users cannot usually add underscore names
        John Levine: Draft has considerbly improved
                Wants more definition of what is machine-readable and what is
                human-readable Give plausible argument about why CNAME is not a
                good idea
        Wes: Encourage text that says if not using DNSSEC, must do other

Compact Denial of Existence in DNSSEC, Shumon Huque
        Lars-Johan Liman: Does the draft do things differently if the DO bit is
                Shumon: Not currently, but is considering
                But this has impact on resolver, please describe in document
        Viktor Dukhovni: A lot of complexity depending on resolver setting DO
                Someone might deliberately send known NXDOMAIN through resolvers
                        Shumon: Will document this
                May take a while for current implementations to go away
                        Shumon: Optimistic that the current implementers can
                        change quickly
        Jim Reid: Skeptical of this
                Rather ugly from protocol point of view
                A lot of work for just to make responses shorter
                Would want it to be informational
                        Shumon: Wants to implement what is already done
        Christian Elmerot: Thinks that this simplifies things quite a bit
                Already using in production, but are doing it differently
                Wants to have one way to suggested
                Jim: Happy to have this help coordination, not standard
        Ralf: Thanks for doing this, need to document it
                Should minimize impact on the rest of the ecosystem

Consistency for CDS/CDNSKEY and CSYNC is Mandatory, Peter Thomassen (remote)
        Viktor: Corner case: if someone is moving to a hoster that doesn't do
                Peter: Could add a way to turn off DNSSEC on transfer
        Johan Stenstram: Breaks the logic that "if it is signed, it is good"
                Doesn't like "if this is really important"
                Let's not go there
                Authoritative servers are proxies for the registrant
                Out of sync is reflection on the registrant: business issues
        Wes: CSYNC was for keeping DNS up and running
                CSYNC can't fix the business problems
        Peter: Agrees that one signature should be OK
                Other parts of the spec also suggest asking multiple places

Generalized DNS Notifications, Johan Stenstam
        Viktor: Once it is a service, is the transport UDP?

DNS Out Of Protocol Signalling, Willem Toorop
        Lars-Johan: Please do this