DNS Operations (DNSOP) Working Group



IESG Overlord

Document Status




* Agenda Bashing, Blue Sheets, etc,  10 min
* Updates of Old Work, Chairs, 10 min

Current Working Group Business

Service binding and parameter specification via the DNS

- https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-httpssvc/
- Ben Schwartz, 15 min
- Chairs Action: ?


Stephen Farrell: Keep the ALPN port;

Paul Vixie: I proposed removing port number. add a warning that operators should avoid using non-default ports for general Internet use. Non-default ports may be firewalled in client networks, so may appear to work in testing but may not work for some clients/users.

Ben Schwartz: We can fix this with 1-2 sentences

Chairs Action: Want to encourage Interop testing, and WGLC before 108

DNS Query Name Minimisation to Improve Privacy (bis)

- https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7816bis/
- Ralph Dolmans, 15min
- Chairs Action: How close to WGLC?


Ralf Weber: don't minimize forwarding; don't recommend complex mechanisms

Jim Reid: query limiting - wording on labels

Stehane Bortzmeyer: number of queries - SHOULD is reasonable (also, see section 7.1 of RFC 1035)

Paul Vixie: 1) auth misconfig hard to detect, mixed-mode authority and the delegation has disappeared. with qtype=NS, answer in answer section. 2) rate limiting have ddos implications.

Joe Abley: not all qtypes are equal. choice of qtype - use 1 qtype and use SOA as an option.

Ralph Dolmans: maybe small set of qtypes

Joe Abley: any benefit to a small set?

Paul Vixie: Agree with Joe, SOA should be in the mix

Mark Andrews: Forwarders should be trusted, but can't trust beyong forwarder

Warren Kumari: Why are we not using the original qtype

Ralph Dolmans: Pick the most common qtype the upstream would use

Ralph Dolmans: Unbound switched from NS to A, NS queries are sometimes blocked, but A are not.

Erik Nygren: A vs AAAA query. A may stick out more.

Chairs Action: New Version, then working toward WGLC

New Working Group Business

Avoid IP fragmentation in DNS

- https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-avoid-fragmentation/
- Kazunori Fujiwara, 15 min


Joe Abley: this is useful

Ralf Weber: Useful

Paul Vixie: No intent to design Path MTU Discovery. Allow someone to do that.

Chairs Action: CfA sent

The Delegation_Only DNSKEY flag

- https://tools.ietf.org/html/draft-pwouters-powerbind-03
- Paul Wouters, 10 min


Ben Schwartz: Likes DNSSEC transparency, Why does it need to be machine readable?

Paul Wouters: How to put into resolvers? Send Q to list

Peter van Dijk: Authorative should check during loading; does not protect child apex delegation.

Ralf Weber: resolver has to do work. technical solution to political problem.

Joe Abley: adding complexity must have problem to solve

Paul Wouters: Large outside subset to never trust DNSSEC.

Wes Hardaker: DNSSEC transparency because don't trust DNSSEC properly

Joe Abley: World is not as clean as it seems

Warren Kumari: Not sure how this behaves

Paul Wouters: Log all DS changes once this is set

Wes Hardaker: currently have to log every signed record for DNSSEC transparency. with this bit, only log DS records

Matthijs Mekking:

Chairs Action: Will send out CfA

Parameterized Nameserver Delegation with NS2 and NS2T

- https://datatracker.ietf.org/doc/draft-tapril-ns2/
- Tim April, 15 min


Sam Weiler: Child/Parent/both no restrictions. new record type that only appears on the parent is a can of worms.

Matt Pounsett: if redesigning NS, remove the current ambiquity.

Joe Abley: Can allow clients to never use old policy

Peter van Dijk: Agree with Sam/Joe, as a resolver implementor, this is scary.

Alexander Dupuy: If done, present in parent, and in authority sections.

Paul Hoffman: Similiar to work done in ADD queue

Ralf Weber: Stub/resolver different than resolver/authorative

Ben Schwartz: Work like this is blocking current dprive work

Chairs Action: Need work and discussion with ADD/DPRIVE/DNSOP chairs

DNS Catalog Zones & A Data Model for Configuring DNS Zone Provisioning

- https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/
- https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-zone-provisioning-yang/
- Willem Toorop, 15 min


Wes Hardaker: would be good to suceed; should look at RFC6168

Paul Vixie: supports; Will drop metazone in favor of this

Chairs Action: Catalog Zones - CfA

Chairs Action: Yang - Needs work



Attendees are asked to visit and enter your Name+Affiliation in the Blue-Sheet section of the DNSOP Etherpad.

Mic Line Queue

The Mic Line will use the WebEx chat channel. To get in the queue type q+ to leave type q-. Please don't type questions or other things into the WebEx chat channel as that will make managing the queue very hard for the chairs. Please use the Jabber channel for side conversations.

When you connect into WebEx you should start off as auto-muted so you'll need to unmute yourself to speak when called.

Helpful Info & Prep

The IETF has prepared a couple of documents to help get everyone ready.



Attendee List

Warren Kumari, Google Stephen Farell, Trinity College Dublin Hugo Salgado, .CL Ralph Dolmans, NLnet Labs Donald Eastlake, Futurewei Paul Ebersman, Neustar Joe Abley, PIR Joao Damas, APNIC Willem Toorop, NLnet Labs John Border, Hughes Kazunori Fujiawra, JPRS Mike Bishop, Akamai Ted Hardie, Google Murray Kucherawy, Facebook Tim Wicinski, unaffialted Stéphane Bortzmeyer, AFNIC Sean Turner, sn3rd Shumon Huque, Salesforce Peter van Dijk, Open-Xchange PowerDNS Keith Mitchell, DNS-OARC Ben Schwartz, Google Yoshiro YONEYA, JPRS Sam Weiler, W3C/MIT John Dickinson Sinodun IT Vittorio Bertola, Open-Xchange David Kinzel, Shaw Communications Ralf Weber, Akamai Technologies Scott Hollenbeck, Verisign Michael Gibbs, Verisign Ash Wilson, Valimail Eric Orth, Google Michael Hausding, SWITCH Jerry Lundström, DNS-OARC Witold Kręcicki, ISC Puneet Sood, Google Paul Vixie, Farsight Jim Popovitch, DomainMail, LLC (just curious) Shinta Sato, JPRS Ladislav Lhotka, CZ.NIC Joey Salazar, ARTICLE19 Dick Franks, unaffiliated Zaid AlBanna, Verisign Tim April, Akamai Technologies Mallory Knodel, CDT Matthijs Mekking, ISC Roland van Rijswijk-Deij, NLnet Labs Fredereico Neves, Nic.br Cathy Aronson, ARIN Mark Andrews, ISC Pieter Lexis, Open-Xchange PowerDNS Jeff Osborn, ISC Duane Wessels, Verisign Shane Kerr, NS1 Erik Nygren, Akamai Matthew Pounsett, DNS-OARC Bernie Innocenti, Google Petr Špaček, CZ.NIC James Gould, Verisign Vladimir Cunat, cz.nic Denesh Bhabuta, DNS-OARC daniel migault Jim Reid, RTFM llp Alexander Dupuy, Google David Blacka, Verisign Robert Story, USC/ISI Chi-Jiun Su, Hughes Network Systems Mauricio Vergara Ereche, ICANN Claire Pershan, unaffiliated Michael Richardson, Sandelman Software Works Wes Hardaker, ISI Kaustubha Govind, Google Chrome Marc Groeneweg, SIDN Hugo Kobayashi, NIC.br Paul Wouters, Red Hat Paul Hoffman, ICANN Benno Overeinder, NLNet Labs Suzanne Woolf, PIR Dan McArdle, Google/Chrome