IETF 123 DELEG

Base Protocol

Changes from -00 to -01

MUST NOT use NS records as fallback (downgrade protection)
Added ADT DNSKEY flag (also downgrade protection)
New EDE, "New Delegation Only" for DE=0 when no NS exists
-- debate between NXDOMAIN and SERVFAIL for RCODE
Now updates 6673 (Resolver algorithm) and 6840 (DELEG in type
bitmap)

Next updates planned

Renaming glue4/glue6 to just ip4/ip6 (they're not hints, and if
present, do not use NS records, use addresses instead)
Security Considerations
Proofreading, acknowledgements, etc.

Open Issues

80-row matrix of expected behavior for certain states... how do we
put into the draft?
Which parts of SVCB do we reuse?
Do we need to support cyclic siblings?
DE=0 for DELEG-only zone: SERVFAIL?
Priming root zone? Please defer to another draft

Nameless Addresses

Resolver implementors agree that there needs to either know the address
of or know there is no address for a nameserver. DELEG gives us a chance
to add new types of delegation, not to get rid of names, but to add
nameless servers as an option where only addresses are needed.

The current draft options for getting addresses:

DIRECT (always below delegated domain, either names + addresses, or
just names followed by A/AAAA queries
INCLUDE (always to outside delegation)

Proposed addition to delegation is the second option in DIRECT above.
There is no replacement or removal of existing DELEG mechanisms.

Note: names are not necessary when there's no secure transport or the
authentication for the secure transport does not rely on the name.

Pro arguments

If we don't add it now, we probably won't later
It may have low usage, but it is easy to add for those who want it
Hack of making up fake name for nameless addresses can lead to
errors

Con arguments

Not hard to make up unique random name for an address
This approach can't synthesize NS records from DELEG for backward
compat

WG discussion

Ben Schwartz: we should be consistent about whether nameservers are
"hosts" in the DNS sense: are their identities IP addresses or domain
names? It's confusing to have both concepts. I think we should embrace
that nameservers do not have names.

Wes Hardaker: there isn't a clearly understood need for nameless
servers, so does it matter if we cannot add it later if there's no need
for it at all?

Paul Hoffman: we don't technically need anything about DELEG. My
question is how flexible do we want to make this?

David Lawrence: Suggestion: for INCLUDE, don't use addresses until DELEG
check fails (have not spoken with coauthors yet)

Philip Homburg: If we add this, it will only work for DIRECT
(inconsistency).

Joe Abley: transition from NS to DELEG is already confusing enough, as
is glue. We will also be in this transitional state longer than DNSSEC
(room boos, lol). Let's keep it as simple as possible.

Dave Lawrence: I think adoption of DELEG will be faster (even if NS
records are forever) because it gives support for features people
want

Petr Špaček: Not having a name means there's no implication the child
can override anything (prefer this over inconsistency)

Dave Lawrence: independent of need for names for SNI of secure
transports (separate discussion), it seems to simplify DELEG to
make nameservers nameless

Joe Abley: SERVFAIL and name error are both problematic. REFUSED would
be matter (or even NOTIMPL).

Warren Kumari: prohibiting delegation to a nameless IP address will come
back and bite us.

Jim Reid: we need better triaging flow for deciding, per suggestion, if
they are useful for DELEG work. The recent list discussions don't seem
to be productive.

Paul Hoffman: which brings us to "are we sticking to SVCB format?"
which shapes what we can do and therefore what topics will actually
be productive based on what features are compatible with our chosen
format.

Philip Homburg: the intersting part of DELEG is the INCLUDE mode, DIRECT
doesn't give us anything new, but INCLUDE we need to work around SVCB
limitations.

Erik Nygren: it will be problematic in supporting both mdoes (DELEG and
NS) we need to be mindful of.

Ben Schwartz: if outsourcing nameserver operations, use INCLUDE (which
definitely supports names). If using DIRECT, you do not outsource to
avoid problems with pinned features of a zone the outsoruced provider
cannot dynamically change.

Warren Kumari: +1, this is what I was trying to say earlier

John Levine: stale glue will not be a problem with nameless servers
anymore, but on the other hand, synthesizes names make more
opportunities to screw things up. I agree with Ben, and I like nameless
addresses and consistency on that.

Q Misell: I prefer NOTIMPL as the error code for DE=0 but no DELEG

Florian: I'm fine with moving priming queries to a different draft, but
we need to at least say "we are punting this but it is allowed"

Roy Arends: agreed, we can remmove discussion of where the records
exists (parent v. child) and leave that for solving the priming
queries question, which will simplify the current discussions.

Philip: poitn of delegating to names is so there can be A/AAAA records.
INCLUDE approach means we are replacing role of A/AAAA records.

Petr: NXDOMAIN is the only option. Anything else will cause problems
because NXDOMAIN can be cached and the others cannot.

Mark: this will not work, NXDOMAIN is just as bad as REFUSED. We
need to use SERVFAIL. RFC 2308 let us cache NXDOMAIN, but that
requires an SOA record which we do not have in this case. Nameless
servers are just the wrong approach.
(chat discussion: why not use SOA from the parent?)

Mark: Nameless servers will remove the ability for operators to validate
zone data, which is something we haven't been doing as 1034 requires,
but still, nameless servers sets us up for failure.

(Note: the chat is very active on the topic of correct error type for
DE=0 but no DELEG with no clear consensus)

Peter: I don't think NOTIMPL makes sense when the problem really is that
part of the namespace is just not reachable. Separately, I think it's
fine to indicate a zone cut by faking NS records.

Not reachable makes sense, so why is a new EDE code with that
semantic not sufficient?

Karl Dyson: without names, we cannot synthesize NS records.

Petr: you can synthesize names and have records for them though.
Technically, you can do it.

Florian: I have a draft that uses RESINFO to advertise support for
DELEG, what do the authors think of incorporating this into the base
draft?

Dave: have not read it or discussed it, but open to looking at it

Auth delegation types

We are here because existing delegations have limited functionality, so
we are trying to provide more without breaking existing delegations. As
an RRtype reviewer, I foresee problems with this that aren't just "DELEG
is a new RRtype".

Suggested exension: Authoritative Delegation Type (ADT) records that
exist only at delegation points. This is because one RRtype (DELEG)
won't fit all. The SRV authors thought they solved advertising services,
yet we also have SVCB now. We can avoid DELEG3, and shoe horning
everything into TXT or DS records by assigning a range of types, of
which DELEG is the first.

Use DNSKEY flag and EDSN DE bit for signaling support for the range
Can use NSEC(3) for secure proof of absence for the whole range

Proposal: separate document that defines this range that the existing
base protocol then consumes one point from that range.

WG discussion

Éric Vyncke: I think this idea is nice, but I don't think (as AD) this
WG charter includes it. Let's talk.

Paul: it seems in charter given this WG is the one that needs it
Éric: I think the draft and idea makes sense, but dnsop should own
it (general change to DNS related allocations versus DELEG consumes
it)
Petr: seems very nit picky, it's DELEG work in spirit
Jim: there's a much wider remit for reserving these code points
beyond the DELEG WG, so I agree with DNSOP. Not to mention DELEG WG
already has enough problems to solve.

TODO: non-ASCII^^ for Éric done ;-) thank youuu!

Paul Hoffman: 4033-4035 breaks out changes to protocol versus new
features, so I think separate documents make sense for clarity for later
readers.

Joe Abley: I'm confused about why allocating new code points solves
problems...

Roy: current draft says NSEC(3) is not necessary, but what happens
when there's DELEG2, DELEG3? Example: secondary servers would not
need to know what delegation types are in use so long as they know
something from this new range is in use. Defining the predictable
code points for future DELEG work makes life easier.

Jim: this is an interesting idea, but (see discussion of proper home
above)

Petr: the value of this proposal is preventing the confusion around
DNSSEC again in the future by pre-communicating the semantics of future
defined collection of DELEG* types.

Viktor Dukhovni: resolvers will struggle with knowing which NSEC proof
to present when it si ambiguous whichs ide of parent/child split the
records live on. We do want that clarity. However, I don't think it
makes sense to have a large range of parent-side record types, maybe
five would be sufficient (because we can't just have one large bucket
for RRtypes that may live in different places).

Roy: we have 64k types available, which we still have basically 64k
available. Limiting ourselves seems silly (I'm thnking 16-256).

Philip: it seems reasonable, but it worries me because it might be
repeating the SRV v. SVCB mistake. We are assuming that DELEG2, DELEG3
will look similar to DELEG such that a resolver can use the predictable
range for anything meaningful.

Roy: it costs so little to allocate a range now, but a lot more to
do it later when DELEG2 is being created.
Philip: I disagree, because right now NSEC(3) is not required for
DELEG, but this proposal would introduce that (by DELEG being in the
range that itself requires NSEC(3)).

Ondřej Surý: it makes sense that this does not belong in DELEG WG as
this is more useful generally for "these are parent-side records" not
just "these are parent;side delegation records"

Roy: well, it's "these are records at the delegation point" not
parent

Ulrich Wisser: this doesn't sound at all about code points but defining
a set of records with a shared set of properties (and the code range is
irrelevant, why do we need consecutive type numbers?)

Petr: at first, most zones will have no DELEG and therefure need
NSEC(3), not sure this gets us much

Q Misell: I think this is a good idea to avoid having to redefine "oh,
and this type also needs all these same properties". Let's pick a
reasonably large number for the range.

Chairs questions for mailing list

1) Do we see a need for allocating such a range
2) 2) if so, how big should the range be. Those are questions for us to
discuss on the mailing list.

Link for context

https://github.com/PowerDNS/draft-dnsop-parent-side-auth-types/blob/master/draft-peetterr-dnsop-parent-side-auth-types.md

RRtype for DELEG INCLUDE records

The draft currently assumes SVCB semantics and that when a resolver sees
DELEG with INCLUDE type, it queries the target name with type SVCB.
However, some have objected to use of SVCB here.

SVCB has the benefit of sharing DELEG record format and being recognized
by DNS software. However:

this means the slight differences from SVCB to DELEG also apply here
does this prepend _dns. or not? SVCB requires that...
reusing key-value pairs from SVCB, but there's no Do53 ALPN so we
would need to define something else, drifting us further from SVCB

The alternative is a new RRtype that defines exactly what is needed that
SVCB doesn't cover. This gives flexibility to match the semantics of
DELEG whether DELEG remains sVCB-based or not. However:

This is yet one more RRtype for DNS software to recognize
bikeshedding the RRtype anme will be tedious (seriously, not being
flippant)

WG discussion

Viktor: SVCB has a key registry of 64k, why can't we just introduce new
keys with the needed semantics?

Paul: SVCB also has priorities which this WG has decided we do not
need, so this cannot be addressed by adding keys.

Ben: I disagree with every point in this analysis. I don't have a strong
opinion on what RRtype to use, but these arguments aren't the right ones
for making this decision. Priorities are useful and I think it's a
mistake to drop that here. Example: lower priority delegations to a
third party that enables "we prefer to handle in house except for when
they are overloaded or unreachable, shed to third party". Also, whenever
TLS or QUIC are used by the DNS, you want the properties of SVCB where
properties of TLS and QUIC are being defined.

(back and forth on this)

Erik: Agree with Ben, we should keep the registry and semantics the
same. But should the target of the INCLUDE be the same type? No, I think
a new type there makes sense to accommodate for variations. This will
also make synthesis easier.

Wes: this has a clear demonstration of need. Just because we are going
to change some things doesn't mean we can't reuse the rest. We should
maximize reuse.

Paul: agree the SVCB chasing is just fine to reuse, just a question
of what you're chasing to

Philip: the further DELEG wanders from SVCB,t he harder this is going to
get to manage, so I think a different type makes sense (keeping the two
types, DELEG and new type we chase, in sync as much as possible)

Viktor: posing question: are the semantics of SVCB appropriate?

Paul: if we get rid of priority on DELEG, I hope we also do for the
chased record type. Keep in mind these are RR sets, not just
individual records

Chair wrap up

Base protocol authors: you get the feedback you need? (yes from Dave)

Roy's draft will need discussion (range of RR types)

Reminder: Petr's point about determining needed mechanisms first, then
we can define semantics that support what we are trying to accomplish
(let's not get too buried in SVCB analysis until we know what we need
from the RR type)