Minutes IETF120: add: Thu 22:00
minutes-120-add-202407252200-00
Meeting Minutes | Adaptive DNS Discovery (add) WG | |
---|---|---|
Date and time | 2024-07-25 22:00 | |
Title | Minutes IETF120: add: Thu 22:00 | |
State | Active | |
Other versions | markdown | |
Last updated | 2024-07-25 |
Agenda ADD@IETF120
Meeting Materials, Links
Materials, Charter, Documents
ADD WG General Info
ADD Chairs: David Lawrence, Glenn Deen
Area Director: Eric Vyncke
Session link, minutes, jabber, materials
Meetecho Link
Meeting Minutes
Meeting Chat
Materials
Session times
Time: Thursday 15:00-16:30 Local (PDT) time
Agenda
-
Administration [10 min]
- IETF NOTE WELL
- Scribe selection
- Agenda bash
- Welcome from chairs
- AD Comments
-
Announcements from Chairs
-
Document status
- IETF LCs
- ADD WG LCs
- ADD Adoption Calls
-
Docs
- WG Doc - Handling Encrypted DNS Server Redirection 15m (Tommy
Jensen)
EDSR Adopted
draft-ietf-add-encrypted-dns-server-redirection - needs comments
- WG Doc - Handling Encrypted DNS Server Redirection 15m (Tommy
Glenn: We have "Do Not Resuscitate", "Dance Dance Revolution" -- What
does EDSR stand for?
Tommy: "DNR" is your fault.
Ben: Check Chrome in the Interop Hackathon - it already implements a
variant of this behavior.
-
Architectural Directions Discussion
-
Related work in other WGs [10 min] (Tommy Jensen)
- Client Auth Recommendations for Encrypted DNS
- Updating RFC 7050 to include DNR + (DoT, DoH, DoQ) as the
preferred secure channel to DNS64 servers- These are being covered in DNSOP, not in this WG.
- Lorenzo Colitti: RFC 7050 doesn't say that the server
"SHOULD" be trusted. Doing 7050 with this seems pretty
silly so maybe we can leave it alone. It doesn't say
what constitutes trust. - Tommy: I'm not sure we can just leave it alone, given my
reading of the requirements.
-
Encrypted DNS & CPE Devices [20 min + open discussion] (Dan
Wing)- Tobias Fiebig: The ACME/CA way with a domain per CPE would
be the most technically sensible, but I understand the
problem. I wonder if TLSA would be an appropriate solution.
The ISP could handle TLSA registration for the devices, and
the problem would be solved in a local way. - Eric Vyncke: As responsible AD, it looks like we are talking
about a normal TLS server and not only a DNS
server/forwarder in ADD. This is out of charter. - Dan: We need to solve this problem for ADD.
- Eric: Let's at least keep focused just on the DNS
forwarders. Otherwise it's completely outside of the scope
of ADD. - Glenn: Question from the chairs: if we focus only on the DNS
function on the ADD, is that in scope? - Eric: We can maybe push it into ADD if we focus only on the
DNS forwarders, but otherwise it should go in a separate
working group or somewhere else and be more useful - Glenn: It seems like discovering TLS is necessary for the
DNS problem. - Eric: I would say "maybe" it's in the charter, but I would
like to explore that outside of this working group first.
Maybe in ACME. - Q Misell: I think you've correctly identified the problem
that TLS is tied to a CA. There is work to not tied to a CA,
but for now it is. ACME is probably the best way we
currently have to do this. I don't think we should come up
with a DNS-specific way. There is definitely a problem for
TLS certificates for devices on a private/home network, but
this is not the place for that. Maybe it's ACME. If the CPE
runs a CA, then maybe it can also run an ACME server for the
home network? We can take off the TLS bit and shove it off
to ACME, and ACME can figure it out. - Ben: To Tobias: use of TLSA here would be the DANISH
architecture. I think the right answer here requires deeper
thought, and possibly going to the W3C and finding a new URI
scheme instead of "https" to represent local network
devices. - Erik Nygren: I agree that this is a problem worth solving,
probably in a new working group. To what Ben says, it's not
clear that the CA model makes sense here. Martin Thomson's
model, using the hostname tied to the certificate, is a path
worth exploring, but that would need to be explored in the
context of a new working group that explored the
requirements for this. - Tobias Fiebig: If we scope this to DNS, that carries the
question of how relevant it actually is. Geoff Huston shows
heavy usage of 8.8.8.8, 9.9.9.9, 1.1.1.1, so does the ISP
really need local resolvers on the CPE? My ISP is sending
many users to large central IPv4 anycast resolvers. - Glenn: There are many variants of how people deploy this at
the ISP level. There probably are people, and there have
been people who came forward to say that they do need this. - Tommy Jensen: The home for this doesn't need to be here, but
we clearly all care a lot about this. I didn't see Delegated
Credentials in the list of options. If you care about a
service that only works when the box is online, why not use
DC instead of STAR? If this were a BoF I would definitely
help, attend, review, etc. - Dan: Our previous draft focused on delegated credentials,
but this one replaced that one based on feedback we got. - Syd Alam: I support this, thank you for bringing it up.
- Tobias Fiebig: The ACME/CA way with a domain per CPE would
-
-
AOB / Discussion (all)
- Planning & Wrap up
A cry of disbelief