Subject: DNSIND/DNSSEC minutes for Oslo IETF Date: Sat, 07 Aug 1999 23:18:54 +1000 From: Robert Elz To: minutes@ietf.org Minutes for DNSIND / DNSSEC joint meeting, Monday July 12, 1999, Oslo Chaired by Randy Bush and Robert Elz. Minutes taken by Robert Elz with the assistance of M.T. Hollinger, Mark Gritter, and Ed Lewis. One agenda addition from previously published agenda: added a brief slot for Matt Crawford to talk about ipngwg's A6 record draft. The proposed charter for the proposed new merged dnsind/dnssec WG was shown, no comments received. "dnsext" received no objections as the new WG name. The charter will now have its milestones updated reflecting the outcomes of this meeting, will then be sent to the list for review, and then, assuming there are no problems, will be sent to the ADs for IESG approval. The list of dnsind & dnssec RFCs in PS status was reviewed, with brief comments on what their next steps might be, and when. RFC1982 is, and has been for some time, ready to advance. RFCs 1995 and 1996 still need some interoperability testing. RFC2136 must wait until there is a security mechanism ready to advance to DS along with it, which won't be RFC2137, which is obsolete already. RFC2181 will be a little difficult to deal with, because of its nature. No interoperability reports yet exist on RFC2308. None of the newer RFCs (2535-9, 2541) have been at PS long enough to advance yet. And there are three more approved by the IESG, but not yet published (edns0, binary-labels, and dname). All known current internet-drafts in dnsind and dnssec were then listed, and briefly discussed. The group suggested possible outcomes for the various documents, more detailed discussion of many of which was on the agenda anyway. Of the ones not on the agenda for this meeting, it was felt that draft-skwan-gss-tsig-*.txt should advance as PS, draft-ietf-dnsind-indirect-key-*.txt may proceed as either PS or Experimental, that to be determined later. Discussion of draft-ietf-dnsind-keyreferral-*.txt was merged into the agenda item on draft-ietf-dnsind-sec-rr-*.txt. It was felt that draft-skwan-utf8-dns-*.txt needed to be compared against UTF5 proposals (of which no draft was known at the meeting, though the name of one was subsequently sent to the list). Draft-ietf-dnssec-as-map-*.txt has been sent to the routing area so often over the years that no-one has kept count, it kept returning to dnssec when no-one from routing showed much interest. The group resolved, once again, that this draft is not work for this working group. No-one had any information on draft-ietf-dnssec-secfail-*.txt and it was consequently dropped (it is an old draft and should most probably have expired by now anyway). A draft just recently submitted with a dnssec label (draft-ietf-dnssec-externalkeys-*.txt) was also unknown to the group, and not considered to be a work item. One additional draft, draft-ietf-urn-naptr-rr-*.txt (from the URN group) was noted as being one that this group should keep an eye on, if not actually take over from that group. This is intended to become a standards track RFC. Finally, draft-ietf-dnsind-tsig-09.txt had completed its working group last call, and was considered ready to be sent to the ADs for review and IETF last call for PS. Being (apparently) completed no discussions of this draft were held. Matt Crawford spoke on the A6 record draft from the ipngwg group. That is draft-ietf-ipngwg-dns-lookups-*.txt. He was asked about the potential explosion of lookups that could possibly be required. The answer was that resolvers should limit the amount of work they're willing to do - anyone who makes an unreasonably complicated zone (too many indirect A6 records) will not have their names resolved. They will be the ones to suffer. This is much the same as that which limits chains of CNAME records, etc. There was discussion on the current status of draft-ietf-dnsind-rfc2052bis-*.txt, the planned replacement of the experimental RFC 2052. This draft completed its working group last call and IETF last calls early in the year, after which it was rejected by the IESG. Subsequent discussions, on the namedroppers list, and in private between the chairs, ADs, IESG, and IAB, have so far failed to arrive at a compromise position. The most recent list of 11 requested changes were discussed. Some of those were considered as trivial, some had been previously agreed by the working group, just have not yet appeared in a new draft while other open issues remain. Most discussion centered upon what protocols (or non-protocols) should be used as examples of the SRV RR that this draft defines. Using examples of well known protocols which do not in fact actually use SRV was objected to by the IESG. The group made no actual progress on resolving this issue during the limited time available in the meeting. Aside from some requested wording changes there were less objections to other proposed changes, except that some members of the group felt that prohibiting the use of SRV records in protocols other than where their use was specified by an RFC was going to far, and claimed to be already using them for applications like telnet. One wording change requested, and generally agreed with, was to replace the phrase "load balancing" anywhere it appears (an in one place in particular) by the phrase "server selection". It was felt that attempts to read the SRV record as a mechanism by which load could really be balanced in any meaningful interpretation of the term may be one of the causes of some of the difficulties this draft has experienced. The attendees felt that pressing ahead with attempting to get this published on the standards track was worth while - it was noted that it has already been implemented, and our attention was drawn to draft-ietf-cat-krb-dns-locate-00.txt. More discussions will be held on the mailing list. The milestone for the charter on finishing this document is still way out into next century however (and receding). There was a very brief mention of draft-ietf-dnsind-edns1-*.txt, and its aims. It was requested that discussion continue (start really) on the list. Donald Eastlake III spoke on draft-ietf-dnsind-tkey-*.txt. It has been waiting upon tsig to be finished before any real attempts to push it forward. This is a scheme for agreeing upon keys (to use for tsig). He was asked if this belonged in the DNS at all. The answer was that a mechanism is needed, and it needs to be one which does not rely upon the DNS being functional, he was loath to depend upon any other mechanisms necessarily being available. It was pointed out that this would mean there would be (could be) multiple different mechanisms to obtain essentially the same information. Don asked the group whether all of the options that currently exist in the tkey draft are required, and whether it should perhaps be simplified. More discussion on this draft is needed on the list. It is currently intended as a standards track document. Edward Lewis, as proxy for for Brian Wellington, spoke on draft-ietf-dnsind-simple-secure-update-*.txt. He went through the changes in the latest version of the document (which has moved from a dnssec doc). Authorisation for the dynamic update transaction has been separated from the security of the data being updated. That is (as your reporter understands it) the key needed to perform an update of data in a zone will not be the same key used to sign that data. Only the zone key is now permitted to sig, not user keys. Ed was asked why this change had been made - he didn't have the answer. This will be explained on the list. The new doc also now allows the use of SIG(0) as an alternative to TSIG as a signing mechanism. There are no current known implementations, though it was stated that one was planned for Bind version 9. Donald Eastlake spoke on draft-ietf-dnssec-update2-00.txt. RFC2137 should be considered obsolete, it is incompatible with RFC2535. This draft was the intended replacement for RFC2137. That is the public key secure update method, whereas simple-secure-update is the shared key secure update method. Other methods could also be defined. It was asked whether all these could be combined into one document. Don stated that he couldn't defend update2 as currently proposed, it is too complicated. It was also asked which method should people implement. The answer was that this depends, public key methods are more general, but have higher overhead. None of the methods have actually been implemented yet. Randy Bush said that for the global internet public key was the way to go, for small clouds, shared key, but that doesn't scale to the internet as a whole. It was suggested that the names should be changed, so instead of suggesting "simple" and "complex" updates, that names suggesting public, and shared, key updates be used, to avoid loading the names. This is to be discussed on the mailing list. Donald Eastlake also spoke on draft-ietf-dnsind-rollover-00.txt. This is a mechanism for zones to deal with parent/child zones needing to be resigned. He solicited comments on the list on this draft, which also deals with zones that split, or recombine. It was asked whether in some world where .com is shared among various administrators with different keys, might this get complex. The answer was yes. It was also asked whether the request for a key to be signed be manual? The answer was no, that is the point of this proposal. Does this cause a problem with zones where the key is not to be kept on line? There is no comment on how quickly things happen, just that they do. If latency might be days, servers might not want to retain state of the requests that had been made. Donald briefly described the method, but suggested that discussion of the issue be continued on the mailing list. Edward Lewis spoke on draft-ietf-dnsind-sec-rr-00.txt. This and draft-ietf-dnsind-keyreferral-00.txt are related drafts. Keyreferral came first, sec-rr is an addition to the earlier draft. The issues were that it could be difficult for a parent if it had to retain keys for all of its children, and that there was also some desire to progress away from NXT records. However, Ed is now convinced that the parent doesn't need to hold keys for all children. Don Eastlake remarked that only keys for insecure children that cannot be updated are needed. Also, there have been comments that the current specifications should not be delayed more, before some implementation experience has been gained. For example, on NXT records, they have not yet been implemented for anyone to really be able to say that they are unworkable. For now these drafts will be considered dormant. If, at some later stage, there appears to be a need for them, they can be revived. Donald Eastlake spoke on draft-ietf-dnsind-kitchen-sink-00.txt. This is a new proposed resource record (actually not all that new, drafts proposing it have even around for a while, and it has a type code assigned) to provide a mechanism for those who want to define new RR types to hold the known universe, but who don't, or can't obtain a specific RR type code, and otherwise tend to attempt to interpret the contents of TXT records. One problem with the Kitchen Sink RR (and TXT records) is that an application seeking to use it will get all the records returned, and then have to dig through those to find the relevant ones. It was asked why individual RR type codes couldn't simply be used. Rob Austein replied from the audience that this is for those who won't, or can't, do that. For example, the IANA is unlikely to register an RR code for an RR type whose contents cannot be divulged. If a proposed RR is worthy of standardising, it should get its own RR type code. This RR is for all of the other junk. A new draft is to be expected within about a month of the meeting, after which it should be pushed forward as an experimental RFC. Peter Koch spoke on draft-ietf-dnsind-apl-rr-02.txt. This new draft resolves the issues that had been raised since the last meeting. No new issues have been raised. Peter believes the draft is ready for a working group last call prior to requesting the draft be advanced as a proposed standard. Edward Lewis again acted as a proxy for Brian Wellington, and spoke on the draft-ietf-dnsind-dddd-01.txt draft. Ed went through the changes in the new version of the draft. It seems that there is a demand for a mechanism that can be used to (in particular) make old DCHP installed records go away after they are no longer relevant. However there was little support for this particular mechanism, it is too complex. Michael Patton proposed a method long ago, the reaction then was that the work required wasn't justified by the benefits. There is really little harm in leaving the obsolete records in the DNS. A simple way to arrange for records to be deleted is a desirable goal, but so far, no-one has been able to find a suitable method. Rob Austein pointed out that most of the mechanism proposed is for handling all of the possible failure cases, which are unlikely to occur, and in any case, do little harm. It was suggested that this draft be dropped. Robert Elz spoke very briefly on Mark Andrews' draft draft-ietf-dnsind-verify-00.txt, and explained its purpose. Peter Koch spoke on draft-ietf-dnsind-local-compression-05.txt which is, essentially, an alternative - both provide a mechanism to allow name compression in DNS packets for future RR types which contain domain names in their data. The new draft of local-compression avoids an ambiguity that was in the previous draft - it now makes compression mandatory, so every RR will have a canonical form for the compressed RR. Local compression should simply work if deployed at client & server for a new RR. On the other hand verify requires all the DNS servers on the net to be upgraded before it can safely be used. It was asked which, local-compression or verify, would work better for a new RR type that is to be deployed for only a short period. No-one was really in favour of proceeding with verify. Randy Bush asked whether anyone has any pressing need for any kind of compression inside the RR data fields of anything but the NS records of the root zone? No-one had any demand. Peter Koch suggested that there might be new RRs coming where compression might be useful. Matt Crawford suggested A6 records might, but probably no type of compression will really help. Donald Eastlake spoke on draft-ietf-dnsind-local-names-07.txt. This draft has been updated, but more updates are still needed. The draft deals with two issues, and perhaps should be split into two. The more controversial second part needs the TLD "local" added to the root zone files to work. It was asked what is the demand for this mechanism. Don couldn't really say, but did indicate that there do seem to be some people using it. As a suggestion for naming local resources, it seems OK. The local top level domain part is more controversial. The draft is to be revised one more time and then group will decide what we will do with it. Under any other business, Donald Eastlake suggested that an IANA considerations draft, for the DNS, was needed. Bill Manning indicated that he already had a task to create such a document. Don and Bill will work together to produce a draft of this. The group was asked whether any had examined the new proposal for another resource record giving location information. The group did not express what could be considered support for the proposal. Robert Elz suggested that for the Washington IETF, as a trial, dnsind (or whatever the group has turned into) drafts will be required to be submitted to the secretariat at least two weeks prior to the secretariat's cut off date. That is, dnsind has an earlier deadline. Drafts that do not make that earlier deadline will be considered at the meeting only if time permits (they will definitely be at the end of the agenda, and no attempt will be made to squeeze the agenda to make them fit). No dissent was expressed to this.