Thursday, July 28, 2022
Benno Overeinder has set the subject to: DNSOP interim-2021-dnsop-03

[16:56:36] Yoshiro Yoneya joins the room
[17:30:07] <zulipbot> (Anthony Somerset) are we expecting enough controversial content that the questions mic has been taken away :D
[17:31:44] <zulipbot> (Éric Vyncke) ;-)
[17:32:10] <zulipbot> (Anthony Somerset) warren has magiced it back into existence
[17:32:23] <zulipbot> (Brett Carr) Hello Everyone :)
[17:33:02] <zulipbot> (Eric Rescorla) Can someone transcribe when presentations are starting in this channel? I have a conflict so I have to jump in at the end for my presentation
[17:33:48] <zulipbot> (Shivan Sahib) Hi all!
[17:33:49] <zulipbot> (Barry Leiba) Chair slides starting
[17:34:15] <zulipbot> (Andrew Campling) Hi Brett
[17:34:28] <zulipbot> (Eric Rescorla) @**Barry Leiba** thanks!
[17:36:27] <zulipbot> (Andrew Campling) The agenda is pretty content rich!  :-)
[17:37:34] <zulipbot> (Barry Leiba) Warren talks about DNS directorate
[17:39:38] dkg joins the room
[17:42:09] <zulipbot> (Barry Leiba) Tim W talks about doc status
[17:47:25] <zulipbot> (Warren Kumari) Erm. Should I turn down the in-room speakers? I think that the other mics are not quite as hot, so don't want to futz with it  unless needed...
[17:47:51] <zulipbot> (Warren Kumari) Actually, I will ask the technical ppl instead of me twiddling the knobs...
[17:48:17] <zulipbot> (Éric Vyncke) Possibly safer ;-)
[17:49:14] <zulipbot> (Anthony Somerset) i think we should be fine now
[17:49:42] <zulipbot> (Barry Leiba) Nils talks about the hackathon
[17:51:45] <zulipbot> (Barry Leiba) Yorgos, more hackathon
[17:53:23] <zulipbot> (Barry Leiba) Paul H, DNSSEC as a BCP
[17:55:33] <zulipbot> (Barry Leiba) Moving to WGLC now…
[17:56:12] <zulipbot> (Benno Overeinder) We will keep you informed ekr.
[17:56:29] <zulipbot> (Barry Leiba) Daniel M, Recommendations for DNSSEC Resolvers
[17:57:57] <zulipbot> (Petr Špaček) It sounds there might be an overlap between the Paul's document and this document...
[17:58:23] <zulipbot> (Anthony Somerset) i agree - i was going to ask the same question
[17:59:03] <zulipbot> (Eric Rescorla) @**Benno Overeinder** thank you!
[18:00:47] <zulipbot> (Barry Leiba) Shivan, Domain Verification Techniques
[18:01:36] <zulipbot> (Tim Wicinski) @**Andrew Campling**  DNSOP is always a good time - don't like one document, there will be another one coming round the bend !
[18:02:53] <zulipbot> (Tim Wicinski) I did an editorial dive on Daniel's doc and will shepherd Paul's DNSSEC BCP, so I'll make a note to review both and compare.
[18:08:54] <zulipbot> (Petr Špaček) Excellent, thank you!
[18:09:20] <zulipbot> (Tim Wicinski) of course, The chairs are to serve.
[18:09:59] <zulipbot> (Tim Wicinski) (y'all can stop laughing now)
[18:11:45] <zulipbot> (Hazel Smith) Do people use DNAME for domain verification? (I haven't seen it used like that personally, but I haven't been surveying the matter either.)
[18:12:00] <zulipbot> (Petr Špaček) FWIW BCP makes more sense to me as well.
[18:12:13] <zulipbot> (Brett Carr) Happy to help as a reviewer when this moves towards being a BCP
[18:12:13] <zulipbot> (Barry Leiba) Yorgos, Dry-Run DNSSEC
[18:13:44] <zulipbot> (Shumon Huque) re: BCP for domain verification techniques, I agree also. We initially set a low bar for ourselves to feel out the working group, so it was primarily a survey. But we would like to provide solid recommendations about good ways to do this.
[18:14:58] <zulipbot> (Brian Dickson) I'm not aware of usage of DNAME, but an anti-caveat is that DNAME can exist at zone apex, with no impact/pollution on the apex itself, it's actually an elegant method.
foo.domain.example hits domain.example DNAME bar.example, rewrite to, QED
[18:16:20] <zulipbot> (Brian Dickson) (But must not be a persistent record since only one DNAME can exist.)
[18:17:44] <zulipbot> (Petr Špaček) I would be more worried about unintended interaction of DNAME vs. other techniques - when a provider requires you to verify using _subdomain but you have DNAME in place, what does it mean? IMHO that's what should be described in the BCP.
[18:17:57] <zulipbot> (Brian Dickson) Note to meeting folks, not seeing presentation on meetecho feed?
[18:18:10] <zulipbot> (Petr Špaček) I do see it on MeetEcho.
[18:18:10] <zulipbot> (Shumon Huque) I agree that we should clarify what happens when a DNAME is present at the domain name where a verification record exists. We should probably clarify that the domain name being verified is the owner of the record, rather than the DNAME target.
[18:18:23] <zulipbot> (Brett Carr) I can see it here brian
[18:18:49] <zulipbot> (Brian Dickson) Thanks, Brett
[18:19:39] <zulipbot> (Éric Vyncke) @Brian be sure to click on the right most icon on the top right
[18:19:56] <zulipbot> (John O'Brien) re: DDS RR type -- An idle thought: Shouldn't it be PDS?
[18:20:24] <zulipbot> (Shumon Huque) Yeah, that's a good point Petr - the subdomains of the DNAME owner will essentially be occluded so no domain verif record can exist there.
[18:20:37] <zulipbot> (John Levine) also that dname at foo and won't work
[18:21:03] <zulipbot> (Yoshitaka Aharen) maybe I misunderstand something, but looking at the example in slide 9, can it be used to validate with "[ldh-challenge-label] DNAME [challenge-domain-name]"?
[18:22:13] <zulipbot> (Suzanne Woolf) <no hats> I like this draft
[18:22:54] <zulipbot> (Tim Wicinski) i like this draft, and I wear the hat of an operator to state this.
[18:23:07] <zulipbot> (Brett Carr) +1 for a separate record
[18:23:37] <zulipbot> (Shumon Huque) Part of the work on the domain verification draft should also involve us reaching out to app folks (including outside IETF). If they do not buy into and adopt our recommendations, we might be wasting our time.
[18:24:16] <zulipbot> (Hazel Smith) Presumably the alternative is to not "go secure" either in the first place? i.e. never set the AD bit when validating dry-run DS?
[18:26:06] <zulipbot> (Antoin Verschuren) If we can't convince people to implement DNSSEC, then how can we convince people to try dry-run DNSSEC?
[18:27:05] <zulipbot> (David Lawrence) Am I the only one not digging it?  I'm not really sure why this is superior to pre-delegation testing that we can already do, and I'm not even one that normally complains about the Camel.   We can achieve what is needed without protocol modifications, so why pursue this?
[18:27:06] <zulipbot> (Samuel Weiler) We have an RFC on DNSSEC Experiments, 4955, that suggests using algorithm numbers to signal experiments, not the DS alg identifiers.  I'm thinking we should follow its guidance....
[18:27:34] <zulipbot> (David Lawrence) I'm currently against adoption, for whatever that's worth.
[18:27:47] <zulipbot> (Jim Reid) Good point Antoin.
[18:28:13] <zulipbot> (Antoin Verschuren) +1 David. This is a DNS Camel proposal, because we can and it's fancy to do something DNS
[18:28:26] <zulipbot> (Peter Koch) Maybe the IETF could use the re-instantiated DNS Directorate to discuss  a moratorium on methods that "ease" DNSSEC deployment, so the poor folk out there have something remotely stable to understand and roll out?
[18:28:26] <zulipbot> (Petr Špaček) Antoin, Jim. I think it's the opposite. Why would people risk breaking their domain... could tell stories.
[18:29:18] <zulipbot> (David Lawrence) The Slack story would not have improved with this.
[18:29:31] <zulipbot> (Éric Vyncke) For what it is worth, the DNS directorate is not a gating point, but will have a very useful role in reviewing and pointing issues.
[18:29:44] <zulipbot> (Éric Vyncke) (for @Peter)
[18:30:05] <zulipbot> (Hazel Smith) Yeah, there are no "success reports"
[18:30:18] <zulipbot> (Antoin Verschuren) Adoption is not about breakage. Adoption is about cost and initiative. Look at the .nl adoption.
[18:30:18] <zulipbot> (Petr Špaček) @Dave It could. The error was detectable because the NSEC was rubbish, and it might have been reported to operator instead of breaking stuff.
[18:30:34] <zulipbot> (John Klensin) Antoin, David: As a would-be camel herder, I would certainly agree that the bar to this should be rather high.
[18:30:34] <zulipbot> (Petr Špaček) Yes, error reporting does allow sampling.
[18:31:10] <zulipbot> (Jim Reid) This ID adds a lot of complexity for marginal benefit IMO. I'm not sure it's a good idea to tweak a protocol to enable configuration testing.
[18:31:37] <zulipbot> (Randy Bush) @jim: we're gonna stop now?
[18:31:51] <zulipbot> (Petr Špaček) I agree with the complexity objection, certainly. Having said that, I still think it is a useful feature.
[18:32:11] <zulipbot> (Jim Reid) Sure Randy. We have to stop somewhere. :-)
[18:32:37] <zulipbot> (Shumon Huque) @**David Lawrence** - I agree. More complete pre-delegation testing would have caught the issue that took Slack down.
[18:33:10] <zulipbot> (John Klensin) @Randy, if not now, when ? (translated from the camel)
[18:34:28] <zulipbot> (Antoin Verschuren) In my opinion, implementing real DNSSEC is just as hard, or even simpler than doing dry-run DNSSEC.
[18:34:28] <zulipbot> (Hazel Smith) I wonder if it would be useful to have an (Informational?) document on suggested approaches for testing DNSSEC with a parallel domain? (e.g. -> or whatever test domain you want to buy)
(E.g. suggestions of tooling to use to compare the zones or something?)
[18:35:36] <zulipbot> (Hazel Smith) i.e. curate a collection of "What we tried, what went well, what went poorly, what we learned" type observations from large DNS domains that did a migration to DNSSEC
[18:36:08] <zulipbot> (Petr Špaček) Hazel, I like that idea - that might be an excellent BCP.
[18:36:21] <zulipbot> (Tim Wicinski) The Slack writeup was really well done
[18:36:34] <zulipbot> (Tim Wicinski) (Agreeing with Hazel)
[18:36:34] <zulipbot> (Jim Reid) Using dry-run DNSSEC with a pretendy key before using the actual key seems clumsy: more moving parts, more ways to complicate or break things. What does this ID do that can't be done already?
[18:36:47] <zulipbot> (Brian Dickson) Antoin, when you say "DNSSEC implementation", do you actually mean "DNSSEC deployment" instead? E.g. enabling/configuring DNSSEC, rather than actual code development? Are there any significant DNS implementations (auth, resolver, client) that haven't done DNSSEC yet? I'm not convinced those are blockers, e.g. that there are enough implementations that operators can switch to, on auth/resolver at least.
[18:37:15] <zulipbot> (Hazel Smith) @**Jim Reid** Yeah, that would be my concern, that there's plenty of scope to still shoot yourself in the foot when mangling the dry-run DS record to make it a real one... (tooling would likely help here ofc)
[18:39:29] <zulipbot> (David Lawrence) I'm not so much a stubborn old goat, but I'm not yet seeing anything that convinces me that a protocol changing approach is superior to the perennial request for better tooling.   Even the protocol change would still need tooling anyway, so it's not like that somehow saves that part of the problem.
[18:39:42] <zulipbot> (Jim Reid) Yes Hazel. More tooling would help of course. IMO that effort should focus on the real DS records and keys - not diversions.
[18:39:42] <zulipbot> (Petr Špaček) Well, testing from one spot is not an issue. The hard part is validating it all over the world where you don't have control over clients.
[18:40:15] <zulipbot> (David Lawrence) I do my dry runs with dnsviz command line.  A spiffy web front end with dancing bananas could make it more accessible.
[18:41:59] <zulipbot> (Antoin Verschuren) @Brian Dickson, yes, I meant deployment. Experience in DNSSEC deployment tells me that the protocol is not the issue, but the operational process and maintenance is where it can go wrong. People that don't think about maintainability..
[18:42:12] <zulipbot> (Hazel Smith) @**Petr Špaček** Quite.
Some of the sort of things I was thinking of for how to test this where you care (e.g. in the browser for web operators, but other scenarios should be covered too!) was experiments with client-side javascript (or embedded 1x1 pixel jpgs, or...) on webpages to test if "" and "" both succeed or both fail or only one succeeds etc?
[18:43:31] <zulipbot> (Barry Leiba) Paul H, Initializing a DNS Resolver with Priming Queries
[18:43:31] <zulipbot> (Petr Špaček) Generally what Geoff Huston does, in many variations possible. If you control the page it's even easier.
[18:46:41] <zulipbot> (Benno Overeinder) @ekr, heads up in about 15 minutes.
[18:46:54] <zulipbot> (Eric Rescorla) @**Benno Overeinder** thank you. I am outside the room
[18:47:07] <zulipbot> (John Klensin) Please ask Paul to try to stop moving back and forth... in some positions, he becomes nearly inaudible.
[18:47:42] <zulipbot> (Tim Wicinski) Done John
[18:48:08] <zulipbot> (John Klensin) Thanks.  Immediate improvement noted.
[18:48:34] <zulipbot> (Tim Wicinski) Also, Shout Out to @**Barry Leiba**  for the chat  transcribing.
[18:49:26] <zulipbot> (Tim Wicinski) Chairs have interest in this work.
[18:49:53] <zulipbot> (Warren Kumari) As do I (with no hats)
[18:49:53] <zulipbot> (Brian Dickson) ObHumor/Pun: Optimus Priming
[18:50:46] <zulipbot> (Eric Rescorla) Thank you. I am in the back of the room now and ready to go whenever
[18:53:38] <zulipbot> (Brett Carr) I support the adoption of this document, we would welcome this in our RPZ based DNS Resolver.
[18:54:18] <zulipbot> (Tim Wicinski) Chairs are interested in hearing about folks willing to implement
[18:54:31] <zulipbot> (Petr Špaček) Excellent, thank you for feedback!
[18:55:10] <zulipbot> (Andrew Campling) Providing greater transparency on why content is filtered is a really positive step
[18:55:49] <zulipbot> (John O'Brien) Re: structured DNS error with RPZ -- I'm specifically thinking about whether it is possible and advisable to include EDE with NOERROR responses; those in which a known-naughty response has been rewritten to a captive portal address, for instance.
[18:57:38] <zulipbot> (Hazel Smith) Re: "should we" (shove this into the DNS)... surely some non-trivial proportion of operators have already shoved this functionality into their DNS recursive services, and I guess the question is whether we want to support/obstruct/encourage/discourage/have no opinion on that
[18:58:17] <zulipbot> (Petr Špaček) @Ben I think the question is not if DNS is the right place. This thing is happening in the wild. The question is if we want to allow better UX for what is happening right now.
[18:58:17] <zulipbot> (Hazel Smith) "this functionality" as in "malware filtering etc being done by DNS operators at query time"
[18:58:31] <zulipbot> (Tim Wicinski) agree Hazel - as an operator I see so many variations on this that maybe some consistency would be useful?
[18:58:58] <zulipbot> (Petr Špaček) Ah, I forgot to scroll down to see what other people already said.
[18:59:11] <zulipbot> (Andrew Campling) +1 to Petr
[19:00:17] <zulipbot> (Warren Kumari) Philosophically, people shouldn't futz with answers... but, if they are going to, it would be nice if they could tell you that they did, and why..
[19:00:17] <zulipbot> (Andrew Campling) A great point about non-browser client s/w
[19:00:30] <zulipbot> (Brian Dickson) E.g. REST APIs, so +1 and echoing Viktor
[19:06:32] <zulipbot> (John O'Brien) Did somebody set the session on 2x speed?
[19:07:31] <zulipbot> (Antoin Verschuren) ;-) It's Eric. It's very hard for him to talk even slower :-)
[19:07:58] <zulipbot> (Hazel Smith) (Speed is fine for me, but I see your point - I thought you meant the whole WG)
[19:12:48] <zulipbot> (Petr Špaček) We cannot hear the room.
[19:13:01] <zulipbot> (Petr Špaček) Or is it just me?
[19:13:14] <zulipbot> (Antoin Verschuren) I hear the room...
[19:13:15] <zulipbot> (Yoshitaka Aharen) I can hear EKR speaking
[19:13:27] <zulipbot> (Randy Bush) audio ok for me except when ekr turns away from mic
[19:13:28] <zulipbot> (Tim Wicinski) not the remote speaker?
[19:13:41] <zulipbot> (Petr Špaček) Okay, local problem. Sorry for the noise.
[19:13:41] <zulipbot> (Antoin Verschuren) I can hear everybody
[19:14:20] <zulipbot> (Warren Kumari) I'll just type instead: EKR, you've made me sad....
[19:16:07] <zulipbot> (Randy Bush) @warren: as ekr said, ImperialViolet told us this a decade ago.  but these are finer grained measurements, which is cool
[19:16:47] <zulipbot> (Petr Špaček) Well, next time ISPs start to weep about DoH and DoT I know the slides to show them.
[19:16:47] <zulipbot> (Warren Kumari) Yup. Also, I was hoping that things had gotten much better over time...
[19:17:09] <zulipbot> (Brian Dickson) @ekr or whoever else, could you make anonymized raw data available for other slicing/dicing/aggregation of it, to provide back to you for your benefit too?
[19:17:22] <zulipbot> (Randy Bush) i wish i lived in that universe
[19:17:48] <zulipbot> (Warren Kumari) @Randy: You mean the one where things get better over time? Yeah, me too...
[19:18:14] <zulipbot> (Warren Kumari) But hope springs eternal...
[19:19:34] <zulipbot> (Hazel Smith) One person's comment in the room that it's "interesting and depressing" is a fair summary I think
[19:19:47] <zulipbot> (Hazel Smith) Thanks, ekr for doing this and sharing the results!
[19:20:00] <zulipbot> (Barry Leiba) Peter T, consistency is mandatory
[19:20:16] <zulipbot> (Petr Špaček) @ekr Excellent data, thank you very much. By any chance, is a preprint version of the paper available somewhere?
[19:26:11] <zulipbot> (Hugo Salgado) I support the demand for consistency between NS, it's the mechanism that we have implemented in our TLD for scanning, and I understand that zonemaster also performs checks in all NS. It is the right and necessary thing to do.
[19:26:58] <zulipbot> (Hugo Salgado) Bootstrapping from unsigned to signed has more demanding requirements than a simple rollover.
[19:28:49] <dkg> Ben: the draft doesn't say anything about querying cadence at all -- why add querying cadence for this part?
[19:29:31] <dkg> it seems to me that the most relevant missing time constant has to do with whether the responses are consistent, given that the responses don't all come in perfectly simultaneously
[19:29:42] <zulipbot> (Benjamin Schwartz) dkg: I think the correct cadence is not obvious, so some guidance would be useful
[19:29:46] <dkg> i'd assume that the answer to that is "within the slop allowed by the TTLs"
[19:29:55] <zulipbot> (Hazel Smith) Thanks everyone!
[19:30:04] Yoshiro Yoneya leaves the room
[19:30:04] <dkg> but the text that was on the slide at least didn't explicitly say that
[19:30:08] <zulipbot> (Tim Wicinski) Yes Thanks ALL
[19:30:29] <dkg> ben, i think the correct cadence is non-obvious for *all* of the CDS/CDNSKEY polling
[19:44:21] dkg leaves the room
[20:03:27] dkg joins the room
[20:28:55] FXTIA leaves the room
[20:42:48] FXTIA joins the room
[22:12:54] dkg leaves the room