Minutes DNSEXT IETF 54, Yokohama, July 2002

- Agenda Bashing. No bashing.

----------------------------------------------------------------------

State of Documents (WG document discussion is minuted below)

- Number of documents in the RFC editor queue.
  + gss-tsig is halted to December to be fixed. It violates the TSIG spec.
  + message-size Talks about A6; needs to be redone for AAAA.

- IETF last call.
  + restrict-key-for-dnssec Obvious problems. Needs to be done.
  + delegation-signer-0.8 Still being worked on. Will be part of the total docset rewrite.

- Back to WG's lap
  + ad-is-secure-06.txt Number of issues raised by IESG.
  + dnssec-roadmap-05.txt No responses from the WG after comments from the AD.

- Ready for last call.
  + dnssec-records-01.txt Was waiting for OPT-IN but will be pushed.
  + unknown-rrs-03.txt Needs small clarification.
  + dnssec-intro-01.txt
  + rfc2536bis-dsa-01
  + rfc2539bis-dhk-01
  + mdns-10.txt Not clear if it is ready to go.

- Not ready to go
  + axfr-clarify Too BIND specific.
  + dnssec-opt-in Needs more work (discussed later).
  + obsolete-iquery-0.3.txt Few last call comments. Need a volunteer to cut-and-paste the comments; Robert Elz volunteered. The document needs revision; it went to last call. Elz and the original author will get in touch and go over the namedroppers archive.
  + dns-threats-02 More research is needed.
  + tkey-renewal-mode-0.2 Will be talked about.

- Blocked by other documents
  + ecc-key-01
  + dhcid-rr-05 dhcid untouched, work done in dhcp drafts.

- Other documents
  + kitamura-ipv6-name-auto-reg-01
  + opcode-discover-00.txt Experimental.

----------------------------------------------------------------------

Interoperability reports
------------------------

General remark: IETF interop tests do not name vendors (see list).

RFC1886 (Vladimir Ksinant)
Two implementations are interoperable.
Goals:
- Advance RFC1886
Non goals:
- no benchmark
- Two tests: definition of AAAA and IP6.INT
Features tested:
A. AAAA ....

Test results
- two servers were fully interoperable
- two resolvers have identical and correct behaviour
- one server partially conformed
Mailing list: rfc1886@nic.fr
www.ipv6.6wind.com/standard/testRFC1886.nic.fr
Comment: Erik Nordmark: Merge to one document.

DS interop test (Russ Mundy/Sam Weiler)
Incomplete tests of two implementations. Some of the results may be implementation problems, others may be specification problems. Need more research.
Sam Weiler: One issue: should the TTL be chained down to affect RRs lower in the
Derek Atkins: Do it within the zones.
Austein question answered by Mundy: DS seems to solve the issues it was designed for: reducing parent-child interactions.

DNSSEC@cafax.se 'meeting' (Ed Lewis): lots of people are restarting their experiments.

Chairs invite people to publish specific reports and write-ups of workshops and interop tests.

----------------------------------------------------------------------

WG documents discussion
-----------------------

Comments were invited for all documents. Relevant comments below.

draft-ietf-dnsext-ad-bit-is-secure-06.txt
Rob Austein: One of the reasons that this is staying is maybe that there is more information needed. Suggestion: if ad=on then additional info can be found in the OPT RR.
Steve Bellovin: If you trust the entity that sets the AD bit you have to set up a trusted/secure path between the resolver and the entity. The document must add that as a requirement.

on the mdns-10.txt
Audience: Why both mdns and discover?
Chairs: because they are different.

unknown-rrs-03.txt
Rob Austein: RFC 2535 down-cases names in rdata. unknown-rrs-03 forbids this. This can be dealt with in DNSSEC but it needs to be clarified.

draft-ietf-dnsext-opt-in-02.txt (Roy Arends)
Changes in opt-in:
OPT-IN now only on delegation points.
- All authoritative RR types must be signed.
- The parent is not authoritative for delegation NS RRs.
Changes in security model:
- 2535 NXT proves existence.
- OPT-IN: lack of NXT bit means no secure delegations.

OPT-IN corner cases. No document yet.
- OPT-IN vs AD bit
  + AD bit must be cleared on a negative OPT-IN response.
  + This needs clarification.

Caching responses
- NXT+SIG RRs are statements on the security of a response.
  + Do not cache them individually.
  + Cache them as properties of a response.
There are a number of caching problems. The issues are really implementation issues.
- OPT-IN NXT should really only be cached as a property of another RR.

Concerns raised:
DNSSEC is already complex. Does OPT-IN justify the added complexity?
Where is the resolver implementation? If DS turns out to be stable there is little time left for OPT-IN.
There is an opt-in resolver (and server) implementation. Expected to be in BIND soon.
There are implementations of opt-in: 2 servers and 1 resolver.

Nordmark: Is anybody working on the additional implementation complexity?
Conrad: OPT-IN is implemented according to 01. The caching behaviour has not been implemented.
Vixie: ISC has no policy on OPT-IN. Good code will be put in.
Austein: Treating the NXT RRs as properties of an RRset. There are issues with the TTL.
Bush: Current discussion is around corner cases. Both DS and OPT-IN need a flag date; DS signing testing will continue. By end of August there should be a document set for DS. Then estimate how long additional OPT-IN would take. So mid September an assessment will be made whether OPT-IN will be going into the document set.

dnsext-dns-threats-01
Threat model not finished yet.
Bellovin: There are a lot of '*' MX records. Typos can lead to email going to the wrong place. That is a problem that should be dealt with.
Conrad: Implementing the validation was too difficult with bit-string labels. The solution needs on-line signing. There is an implementation that does that now that bit-strings have gone.
Atkins:

tkey-renewal-01
Yuji Kamite presented the draft changes.
- renewal process a phase 2 process
- defined adoption message to begin using new key.
- Waiting for IANA considerations.
- Only DH; will not use GSS. DH will be mandatory.
No comments.

dnsext-dhcid-rr-05
Ted Lemon: DHCID language is correct, DHCPD will be modified; redundant text will be removed.

kitamura-ipv6-name-auto-reg-01
Kitamura San presented the abstract of the draft. There is an implementation. Keep discussing and revising. Goal is informational RFC. No comments.

draft-dnsext-opcode-discover-00.txt
Bill Manni
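Returning to the OPT-IN discussion above: the following simplified Python model, added here and not taken from the minutes or from any draft implementation, shows how a validating resolver would distinguish an RFC 2535 NXT span (the queried name is proven absent, AD may be set) from an OPT-IN NXT span whose type bitmap lacks the NXT bit (only the absence of a secure delegation is proven, so AD must be cleared on the negative response). The canonical_key helper, the NXT class and classify_negative are assumptions of this model, and the SIG over the NXT is assumed to have already validated.

```python
# Added illustrative model (not from the minutes or any draft implementation):
# how a validator reads an NXT span under RFC 2535 versus the OPT-IN draft.
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """Canonical DNS ordering key (RFC 2535 section 8.3): labels are compared
    from the root downward, case-insensitively, and a parent sorts before
    its children.  Python tuple ordering gives exactly that behaviour."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class NXT:
    """Owner, next name and the type mnemonics set in the NXT type bitmap."""
    owner: str
    next_name: str
    types: frozenset

    def covers(self, qname: str) -> bool:
        o, n = canonical_key(self.owner), canonical_key(self.next_name)
        q = canonical_key(qname)
        if o < n:
            return o < q < n
        return q > o or q < n  # last NXT of the zone wraps around to the apex

    def is_opt_in(self) -> bool:
        # As summarised in the minutes: an NXT whose bitmap lacks the NXT bit
        # is an OPT-IN span.  It only asserts that no *secure* (signed)
        # delegation lies in the span, not that the queried name is absent.
        return "NXT" not in self.types


def classify_negative(nxt: NXT, qname: str) -> dict:
    """Decide what a validated negative answer actually proves, and whether
    the AD bit may be set.  Assumes the SIG over the NXT already verified."""
    if not nxt.covers(qname):
        return {"proof": "none", "ad": False}  # this NXT says nothing about qname
    if nxt.is_opt_in():
        # Negative OPT-IN response: an unsigned delegation may still exist,
        # so the resolver must clear AD (minutes: "AD bit must be cleared").
        return {"proof": "no-secure-delegation", "ad": False}
    return {"proof": "name-does-not-exist", "ad": True}


if __name__ == "__main__":
    # Constructed sample spans, not real zone data.
    secure = NXT("a.example.", "d.example.", frozenset({"NS", "SIG", "NXT"}))
    opt_in = NXT("a.example.", "d.example.", frozenset({"NS", "SIG"}))
    print(classify_negative(secure, "b.example."))  # name-does-not-exist, ad True
    print(classify_negative(opt_in, "b.example."))  # no-secure-delegation, ad False
```

The same span with and without the NXT bit yields opposite AD decisions, which is the caching concern raised in the minutes: the NXT is meaningful only as a property of the particular negative response it accompanied.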