IETF-60 DNSEXT minutes




DNSEXT meeting August 2

Scribe: David Blacka
Jabber Scribe: George Michaelson

Olafur Gudmundsson presented an overview of the various
implementations of DNSSEC. There are a number of projects going on in
each of the major DNSSEC functional areas. The meeting was asked
whether standardization of the APIs is an item of interest to the
working group. The sense of the room was that this would be a good
thing to do.
The chairs are to find people to start work on a draft that documents
what information needs to be passed to applications; from that
specification an API can be formulated.



DNSSEC key management or trust anchor maintenance: There were three
presentations on approaches to maintaining DNSSEC trust anchors. Mike
St. Johns presented his scheme using a revoke bit and timers. Johan
Ihren presented his scheme using n-of-m keys. Paul Vixie presented the
DLV interim scheme available in bind-9.3. The sense of the room was
that this is an important item for the working group to work on. The
chairs are instructed to coordinate with related working groups
(DNSOP) and the security area ADs on how to approach this area. All
presenters and others are invited to submit drafts for consideration
as working group documents.

Zone enumeration discussion:
During the working group last call for DNSSEC this issue was raised as
a barrier to entry for a number of TLDs.
The working group commissioned two studies on this issue:
	Zone enumeration prevention requirements
	NSEC++ transition approaches and impact on protocol
Both of these reports were presented, reflecting the current status of
the work items.
In addition, two different proposals for NSEC replacement were presented.
There was extensive discussion on the different approaches and on
whether this issue needs to be addressed at all. At the meeting it was
pointed out that there are issues both for large delegation zones and
possibly for small enterprise zones, and these may differ both in
requirements and in solution space.

The sense of the room was that none of the proposals is fully baked
and we cannot do an engineering trade-off yet, as the requirements are
not known at this point. The working group will actively work on a
requirements document before any protocol work is done.

End of first meeting.

After discussing our new potential work item with the security area
directors, the working group has two security advisers available:
	Russ Housley on key management and
	Hilarie Orman on key strength issues and on-line signing.

Second meeting Thursday August 5.
Note taker: Peter Koch
Jabber Scribe: George Michaelson

Jakob Schlyter presented the results of his interoperability testing of
RFC3597 (unknown RR type support).
In his tests a few bugs were found in implementations but no issues
with the document. Jakob recommends advancement to Draft Standard
based on the results.
There are RR types with intra-RR versioning (e.g. LOC); those have not
been tested specifically.
At this stage Olafur urges the WG members to volunteer for additional
interop tests so that the WG is able to advance more documents to
Draft. Jakob is asked to give an estimate of the effort needed for a
test coordination: "most of the work was getting the implementors
to participate; the rest took 3 or 4 days".
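As an added illustration (not code from Jakob's tests or from the minutes), the generic representation RFC 3597 defines for unknown types: the TYPEnnnn mnemonic and the "\# <length> <hex>" RDATA form, including the length and hex-digit checks an implementation has to get right and the empty-RDATA case.

```python
import re

# Added example, not code from the minutes: encode and decode the RFC 3597
# generic representation that the interop tests exercised, i.e. the TYPEnnnn
# type mnemonic and the "\# <length> <hex>" RDATA text form.
TYPE_RE = re.compile(r"^TYPE(\d{1,5})$")

def parse_type(mnemonic: str) -> int:
    """'TYPE65280' -> 65280; rejects anything that is not a 16-bit type number."""
    m = TYPE_RE.match(mnemonic)
    if not m:
        raise ValueError(f"not a generic TYPEnnnn mnemonic: {mnemonic!r}")
    rtype = int(m.group(1))
    if rtype > 65535:
        raise ValueError(f"type number out of range: {rtype}")
    return rtype

def parse_generic_rdata(text: str) -> bytes:
    """Decode '\\# <length> <hex>' into RDATA wire bytes.

    The hex run may be split by whitespace; the declared length must equal the
    decoded byte count, and '\\# 0' with no hex data is the empty RDATA case.
    """
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != r"\#":
        raise ValueError("generic RDATA must start with \\# and a length")
    length = int(tokens[1])
    hexstr = "".join(tokens[2:])
    if len(hexstr) % 2:
        raise ValueError("hex string has an odd number of digits")
    data = bytes.fromhex(hexstr)          # ValueError on non-hex characters
    if len(data) != length:
        raise ValueError(f"declared length {length} != decoded length {len(data)}")
    return data

def format_generic_rdata(data: bytes) -> str:
    """RDATA wire bytes -> '\\# <length> <hex>'; empty RDATA gives just '\\# 0'."""
    return rf"\# {len(data)} {data.hex().upper()}".rstrip()

def generic_rr(owner: str, ttl: int, rtype: int, rdata: bytes) -> str:
    """Master-file line for an RR of a type this code does not know."""
    return f"{owner} {ttl} IN TYPE{rtype} {format_generic_rdata(rdata)}"

def roundtrip(rr_text: str) -> bytes:
    """Parse a generic-format RR line (owner ttl class type rdata) back to RDATA bytes."""
    _owner, _ttl, _cls, rtype, *rest = rr_text.split()
    parse_type(rtype)                     # validates the mnemonic
    return parse_generic_rdata(" ".join(rest))
```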

Donald Eastlake presented two documents for consideration for adoption
by the working group: TSIG-SHA1 and ECC-KEYs.
As there are lingering doubts about the long term viability of MD5, it
is prudent to consider adding a stronger hash such as SHA1.
ECC keys are shorter than RSA/DSA keys for the same strength; the basic
technology is unencumbered, but there are many patents and patent
claims regarding implementation techniques.
The working group will consider adopting both drafts as working group items.


Rob Austein presented a straw man proposal for identifying the
nameserver answering a query. There is a need for a mechanism for
identifying DNS servers in an anycast set; the current approach
(id.server, hostname.bind) has the problem that it needs a separate
query.

The draft proposes the use of EDNS to ask the server for an id to be
attached to the response. Since this is a (proposed) protocol
change, the document is discussed here, while the earlier documents
reside in DNSOP.
There was lively discussion about various aspects of this issue: what
to put in the identification string, and how fine-grained the
identifier should be (server, server+address, view, etc.).
The sense of the room was that this is of critical importance, but we
need requirements first. DNSOP is working on these; please follow and
contribute there.
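The exchange the draft describes, as an added example that is not code from the draft or the minutes: the client puts an empty identification option in the EDNS0 OPT pseudo-RR of its query, and the server's reply carries the identifier in the same option in its additional section. The option code 3 is an assumption (the NSID code later assigned in RFC 5001; the minutes only say EDNS is used), and the reply is a constructed sample, not captured traffic.

```python
import struct
# Added example, not code from the minutes: request a server identifier via an
# EDNS0 OPT pseudo-RR option and read it back from the reply. ASSUMPTION: option
# code 3 (NSID, assigned later in RFC 5001); the minutes only say "use EDNS".
NSID, OPT = 3, 41

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(options: bytes, udp_size: int = 4096) -> bytes:
    # root owner name, type OPT, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, len(options)) + options

def build_nsid_query(qname: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(struct.pack("!HH", NSID, 0))  # empty option = "identify yourself"

def skip_name(msg: bytes, i: int) -> int:
    while msg[i] and msg[i] & 0xC0 != 0xC0:   # walk labels until root or compression pointer
        i += 1 + msg[i]
    return i + (2 if msg[i] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label 1

def extract_nsid(msg: bytes):
    """Walk all sections of a response; return the NSID option payload or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    i = 12
    for _ in range(qd):
        i = skip_name(msg, i) + 4                  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        i = skip_name(msg, i)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        rdata, i = msg[i + 10:i + 10 + rdlen], i + 10 + rdlen
        j = 0
        while rtype == OPT and j + 4 <= len(rdata):  # options are TLVs: code, len, data
            code, olen = struct.unpack("!HH", rdata[j:j + 4])
            if code == NSID:
                return rdata[j + 4:j + 4 + olen]
            j += 4 + olen
    return None

def constructed_response(query: bytes, nsid: bytes) -> bytes:
    """Constructed sample reply (not captured traffic): echoed question, one A record
    via a compression pointer, and an OPT RR carrying the NSID option."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)   # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    nsid_opt = struct.pack("!HH", NSID, len(nsid)) + nsid
    return header + query[12:skip_name(query, 12) + 4] + answer + opt_rr(nsid_opt)
```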

The chairs then presented the status of each of the current working
group documents, the majority of which are at the IESG or in the last
stages before advancing there.

In the open mic session Roy Arends presented his and Jakob Schlyter's
work on fingerprinting implementations. Noteworthy observations
include a firewall product which answers queries with EDNS on with an
IN-ADDR.ARPA query, enabling external queriers to detect the presence
of this particular IDS system.
Another problem present in several implementations (the vendors have
been approached) is vulnerability to "DNS ping pong", i.e.
systems answering unsolicited responses with another response.
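The ping-pong failure mode beside the check that stops it, as an added example (not code from the presentation or from any of the implementations mentioned): a server must never answer a datagram that already has the QR bit set, otherwise two such servers sent one stray response keep replying to each other. Messages are constructed header-only packets.

```python
import struct

# Added example, not code from the minutes: the "DNS ping pong" flaw, where a
# server answers an unsolicited response with yet another response, beside the
# check that prevents it (never reply to a datagram whose QR bit is set).
FLAG_QR = 0x8000

def make_message(msg_id: int, is_response: bool) -> bytes:
    """Constructed 12-byte DNS header with no sections (enough for the demo)."""
    return struct.pack("!HHHHHH", msg_id, FLAG_QR if is_response else 0, 0, 0, 0, 0)

def naive_handler(packet: bytes):
    """Faulty server: replies to anything with a response carrying the same ID."""
    msg_id = struct.unpack("!H", packet[:2])[0]
    return make_message(msg_id, True)

def guarded_handler(packet: bytes):
    """Fixed server: drop runt datagrams and anything that is already a response."""
    if len(packet) < 12:
        return None
    flags = struct.unpack("!H", packet[2:4])[0]
    if flags & FLAG_QR:
        return None                       # a response is never answered
    return naive_handler(packet)

def simulate(handler_a, handler_b, first: bytes, max_rounds: int = 50) -> int:
    """Deliver `first` to A, A's reply to B, B's reply to A, ... and count the
    datagrams delivered until one side stays silent or max_rounds is hit."""
    handlers, turn, packet, delivered = (handler_a, handler_b), 0, first, 0
    while packet is not None and delivered < max_rounds:
        delivered += 1
        packet = handlers[turn](packet)
        turn ^= 1
    return delivered
```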

Miek Gieben gave input to the recent zone enumeration discussion.
He performed a dictionary attack (using John the Ripper) on the
NL zone. After 18 hours he was able to find 10% (135.000) of the
1.x million domain names.

The meeting concluded; the chairs thank the note takers
for their excellent notes.

Olafur + Olaf.


