Internet Engineering Task Force 112, 11 Nov 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF112-DNSOP-20211111-1600

Description

DNSOP meeting session at IETF112
2021/11/11 1600

https://datatracker.ietf.org/meeting/112/proceedings/

A

But anybody else.

B

Sounds good to me also.

A

C

B

D

All right looks like it's one after the hour, so we'll um so we'll kick this off. My name is tim um benno. You can kick off the next slide. Benno is running. The slides suzanne is going to keep us all on track timewise. I hope um she does a great job on that. So we're the chairs warren is our overlord. So now that he's here we can start um and paul hoffman's taking minutes.

D

um I did put the agenda in the ether pad, even though he doesn't use it, but if folks want to actually drop comments in there about things, they said to make sure it's captured correctly. Please you know you're free to do so and we can integrate all that. That's what that's the fancy stuff we do so next slide, sir.

D

um This is the note well about paying attention to ift, ietf policies, etc, etc. You by this point in the week most people are pretty familiar with it. um So please you know, but if you're not, please take a read on it and next slide. We also have a new slide. This um thanks to wes on the code of conduct guidelines, some 7154.

D

We feel these are pretty straightforward um and please reach out to the chairs. If you you know, feel you know, things aren't being addressed in the way you feel it's pro up, you know should be or or warren right we're here for you, um so don't don't feel afraid to like reach out and sort of. You know express opinions about this um thanks. um We can go to the next slide now, so so some notes from the chairs uh just a quick heads up about the nom con feedback is still open.

D

So please go in there and make your opinions known. um They will welcome it. We will welcome it. um It's a good thing, there's some folks in dns pretty regularly that are running for a few positions. So you know we always like that um on another note, kim davies has a document about moving some stuff in in int to historic and um he's.

D

I think this has been socialized in dns, but also through the orc list and warren's offered to ad sponsor it, um and um if, if you all want to take a read at it- and you know it's pretty straightforward- it's simple clean straightforward.

D

We should be in good shape, but thanks kim for working on that, um he also promised to publish the zone after he's got all this cleaned up. So um I like that, I don't know why, but I like that. um You know that we haven't actually adopted work in a while, um and we've talked about this and warren's talked about this with us and we're. You know we had some ideas, but then it was like.

D

Maybe we should just have a poll and have the working group sort of chime in on this, because you know everybody loves a good poll right, so we're putting something together, probably in the next week or so, and we've had we've had good success with our focus in terms um you know feedback from the authors as well as as other folks, and so we're going to continue doing that on. You know just one or two documents and then you know do an hour. One or two documents really get people sort of thinking about that.

D

So, um if you've got adopt a doc, a document that's adopted and you'd like to sort of sign up for one just drop us a note.

D

We will reach out to folks, but if you want to sort of push yourself to the head of the list, you know a good, a good email to us kind of move us along. I think so. Thanks next slide, um which- and this is just some- you know- um warren's like let's put the pretty picture back in there. um So we put the pretty picture from last time about the active working group documents and what people feel is important or not important.

D

um So there you go, we've got you a pretty picture and we think it's pretty good. So um next slide.

D

And just, and also as a follow-up from some of the working group poll from you know july.

D

Two of the documents that were really suggested um by the folks were the unisex bootstrapping and the united states, automation, which are both going to be discussed, and we both think are very you know we would love to see the working group sort of coalesce around some of that, and also on the some of the new group beings. New work being suggested suggested is the 8109 biz, which we I believe we felt like. We wanted to adopt at one point and we sort of um lost it in the shuffle, so we're guilty.

D

The chairs are guilty of that or I'm guilty of that, um and I think what will happen is if, once we start adopting work, the biz documents will probably will filter up to the top first, um it's probably the correct way to say that um and warren can sort of speak on that if he wants to any way shape or form um so a next slide.

D

What else are we talking about here? So some document updates um we've got two documents um in the rfc status. 7816 biz is it's in the editor thing, but they've assigned a number. I consider it done um so that's really great and thanks to the authors for sort of getting all the work involved on that, thanks and and on the next slide.

D

We've got three other documents that one in the editor queue my consideration um and then two that are going through the ihd evaluation and they both are getting lots of good comments and feedback and um we're those are being moved along as well. In a very you know, process sort of way, so those those things are happening and that's great thanks for the authors on sort of following up on a lot of those and also almost done. We feel when we were sort of discussing this this week. Blue is not optional.

D

um I think there's one or two outstanding, there's like one outstanding item and once we sort of clear some of that up, I think we're ready for that one as well as avoid fragmentation. Some of I think, there's some editorial work. um We want to help on sort of clearing some of the fragmentation, bits up and also catalog zones, which um will and we'll talk about tomorrow. um Due to his timing, um phil's feels is basically done as well. um They've had some good hackathon results as well.

D

um Also the feedback from the interim on dns error, reporting rory's, got some great feedback and he's working to integrate all that and um we've our our view of it is it's it's in really good shape and ready to go. So that was really great. So I know people thought that was kind of a strange interim item, but we got a lot of operational stuff right in there and that was pretty great, um the rr serial document. I I know hugo is working on some implementation stuff. I and I see him in the audience.

D

um Maybe we should do that as an interim topic, um that's been one, that's sort of been you know, sitting on my like. We owe we owe that the drafts and works or some effort sort of thing um so and then the as because I in a consideration, is basically in the editor queue and considered done.

D

5933 33 biz um was on hold, we chatted it out and um what we we came up with and we'll see what happens during the working group is changing it to informational and then we'll proceed with a working group last call probably starting this weekend, and you know we expect all you know. We expect everything from that. So, um but thanks to the authors for being patient- and I do think you know- paul's work on sort of cleaning up some of the the ionos stuff actually is really super helpful in this case.

D

um So thank you paul next slide and, of course our stuff is in the data tracker, um we're shortening our list um and we feel that, as we sort of get get the list down a little bit more, that um we'll start adopting stuff and we'll work, you know we've been discussing numbers. You know like how you know how many exact drafts can we do, but I think we're taking it on a you know, we'll we'll take guidance from the working group and from warren on the best way to do that.

D

So um so thanks and we keep it all on github as well, and I think okay, so, let's cruise over to the agenda, let's I think that's the next one yep one more, um the recurrent business is the nsac3 parameter setting wes.

D

You know, I think, there's a great email thread about what number to use- and I love whenever he kept saying- let's just make it zero, um but wes is going to give us a great uh little overview on that. So next slide and don't take this, as quote unquote new business um and you can bash this.

D

As you see it's more updates or documents that people have sort of wanted to sort of talk about um whether or not we adopt it is sort of you know, that's always a bigger discussion right, but we call it new business because it's it's not sort of adopted work. So I apologize. I think the wording is probably bad. There.

D

um We've got dnsec automation, um siobhan and schumann's document on domain verification techniques, the structured error page bit and brian dixon, who did the talk in deprived we've chatted with him he's revised his slide, so he's got a different slide.

D

Deck and um we're hope you know, we believe and he's going to provide better motivation, upfront about what he's trying to solve here, and I think you know hopefully a sort of streamlined discussion, so we so there can be comments because we know we were even with 20 minutes or so we kind of ran out of time and deprived, so we're hoping to sort of help brian along by you know, moving that shortening that up um thanks and I think what what else is going on. um I think that's it.

D

So that's that's tomorrow's business, so that's kind of ours. If anybody has sort of agenda bashing they like or don't like what we're doing. um Please speak up, you know or adopting new work, not adopting new work. What we're not focusing on! We really would like to hear that. um I know you know when we talked yesterday, the four of us. We were all in agreement that we'd like to hear from the working group. You know what what can be more efficient, it's a good way to put it.

B

Tim, I just I'm monitoring the the chat room. Okay and hugo just sent a message that about our serial. I planned some minor updates before expiration hope to have implementations running too.

D

So that's a great, I appreciate we appreciate that and we can chat about the you know. Internal.

E

D

Things of that nature, so we just didn't want to feel that you were being ignored. Hugo.

D

um So yeah, okay, then I I think I'm done unless people want to raise their voice, which I welcome them to do. Otherwise we can move along to mr hartiger.

B

Yes, I will stop sharing.

D

Thank you, wes.

B

Wes, do you want to run your slides yourself or shall I.

F

uh Yeah, that's okay. I can do them um yeah either way, but just make sure it's the most recent set yep. They did send a sharing request.

B

Yeah uh grand screen, so there you go.

F

Okay, uh so I hope everybody else doesn't have a headache like I do um so, if I feel a little, if I sound weird, that's probably why um this is the dns atf dnsop uh insect three iterations draft by myself and victor duke company. um I pulled it out of the oven I put the toothpick in it.

F

It is so close to to being ready to uh to serve um so really we're down to like one point, which is what we'll discuss today, but just as a reminder, sort of the current you know, the point of the draft is to say things like use. Nsec. If you can, you should. You know ideally use zero as a iterations count, and you know use assault only if you're going to change it- and this is the current draft table of you- know what validators and stuff should do.

F

I'm not going to go over it because we're going to change today, victor in his massive scanning of over 12 million domains that are have insect deployed, insect three deployed, um uh actually, that's an increase from from the last time he measured, which was the last time I reported in july.

F

So now there's 12 000 and you can see the fractions of the number of zones that are at various different values of iteration counts. On the left-hand side, um I did put you know the five nines in bold. So I mean the good news is for 500 we're we're at five nines under that. um But but even then you can see that there is a decent fall off and and even ninety nine percent of enzo iii zones in the world today are under 20 or under or equal to 20..

F

uh There is a break at zero and one- and I think zero and one is, is one of the most confusing points I didn't put one on the slide, but there's a decent jump from zero to one, um and you know, like most people, think oh well, I want one iteration. um Well, no, it's for one iteration. You actually have to set a value of zero and I think that's confused people.

F

um So the remaining outstanding question is: what should we set as the lower limit for for validators and zone owners to actually use um the previous draft had 150? The current draft has a hundred and then, as a mail message I put on the on the dinosaurs. The other day was trying to see discussion around okay. Well, what could we do? uh Recently? Four implementations, uh you know have said they've in their announcement text, have said that you know they're capping it at 150..

F

Since the discussion the other day, two more have promised to go down to a hundred, and then you might want to mute your mic. You have a little bit of background feeding.

F

Excuse me yep no problem, so this is the final slide, and so this is what I think if I summarize the conversation in the past week for uh for dns up on the mailing list, where we ended up. So the important thing to note is one most dns participants really want zero. It's just a question of whether we can state that or not um so I think you know I was out walking around the other day, and I said you know the right way to handle.

F

This was with should mace musts and that type of stuff, and then multiple people actually started saying the same thing on the on the mailing list, so that actually works well. So I think this is what we we might want to say, and so what I really want to hear from today is people that disagree with anything on this slide. So to read it out, you know you should use uh validators should treat iterations greater than zero as insecure, and that is a bold change from where we are right.

F

um You sh, you may treat you know iterations of one as uh you actually may that's. That second line is wrong. It should be. You may treat iterations of one and you may want to validate it and and don't treat it as insecure, because because of that, one number that is out and so prevalent that only seven percent of the the existing zones out there are using zero.

F

You must treat iterations greater than 100 as insecure, and you may treat iterations greater than 500 is serve fail and remember. That was something that we decided as an optional thing. People don't have to do it; uh they can just continue treating things as insecure and some implementations you know may want to return serve fail if they want to be a little more aggressive and really yelling at people that don't do that and then you know for the zone owner side of things.

F

You know whether, whether you're an operator that's managing a zone on behalf of somebody else or whether you're actually controlling the iterations yourself. You should use an iterations count of 0 and you must use an iterations count of less than or equal to 100. You know which again matches the must up here, so these two values should always stay in lock step.

F

So what I am done talking and we may get 15 minutes back. If nobody has. You know issues with this particular proposal, but of course we have people with issues with this particular proposal. So we'll start with victor.

F

Victor you can unmute and go.

F

While we're waiting for victor ted, do you want to try.

G

Ted lemon ted.

G

um So uh thanks for doing this, it's really great work and I totally support it. I do have one question, which is uh the choice of insecure versus.

G

uh Well, so the the text actually says insecure, but but I'm wondering, if there's a difference in behavior that might be appropriate for validating stub resolver, as opposed to a validating caching resolver- um and I I don't actually know the answer to this, but but like my instinct, is that the stub resolver should treat um an iteration of greater than 100, essentially is an attack and punish it by failing to resolve the result.

G

In other words, it should treat it as bogus rather than as insecure, because insecure isn't really accurate. But that's just my sort of my instinctual reaction. I don't know that. That's the correct reaction, I'm just curious what you think of that.

F

Well, I I hit I that that's a good question, so I mean I should we should hear from other people my my gut reaction on splitting. What type of uh resolver it is you know, leads to problems, and you know camels and things like that of we should just have everything. Do the same. um The reason for doing insecure versus uh you know serve fail essentially or failing to to resolve it all. Is it actually matches what insect three does today?

F

um So the insect three draft says: if you're, using something greater than 4096, I mean the values are just huge. You know just treat it as insecure, so there's precedence for, for that is really what it came down to and you're still trying to do the end goal of of helping actually do a resolution, even if you can't prove that I remember this is for proof of non-existence right, so uh it it's, uh it's you'd still return an nx domain. uh You just wouldn't you know, be able to verify it right.

F

Thanks uh victor, do you want to try again.

E

Figured out where the mute is all right, so a couple of things one I don't know if everybody realizes, but when we treat high duration counts as insecure, the entire zone essentially becomes insecure. It's not just the negative answers. It's that one, because one can then forge delegations.

E

Every answer in the zone can is then subject to man in the middle uh attack. If you get an answer with a valid signature, sure you can trust it, but you might have gotten an unsigned answer and trusted that instead, so it's a very marginally secure zone at that point, essentially no answer is secure. If a tld were to go, you know above the iteration limit, then all of its child zones become completely insecure, so this is pretty drastic.

E

The other comment is in terms of the gap between uh insecure and sir fail. Surfmail does have the advantage that it preserves the security of the zone right. You know they. uh They don't ever go insecure all right. If they screw up, they get to find out about it and then ideally fix it.

E

So it would be ideally nice to keep that range small, maybe even not have insecure fall back, but of course, in practice, uh if you know on the ground, not enough domains get the message and some people you know are happy enough to operate in this gray zone where they think they're secure but they're not uh rather than serve fail. We can you know, let them be that way. So I don't know what the answer is, but just for clarity, uh insecure is very insecure. uh You, you have no security once you're over the limits.

F

Thanks for the clarification victor uh jim uh chairs, you might want to cut the key or decide when you want to do that based on time, I'm not watching time. Jim.

H

Thanks hope you can hear me now. I was having problems earlier today, great stuff. um I pretty much agree with what ted was saying before. I think we probably need to look at the validation side is not having this flag is insecure middle ground.

H

In my view, either a zone is secure or it's not secure and I think it's better to return surf fail if the number of iterations is too high and also the point that victor was just making about the potential for denial of the service attacks of spoofing attacks. If the zone is accidentally mapped as insecure and it's not quite there. So I I would prefer not to do this insecure middle ground and just take a very big view of it. Either the zone is secure or it's not there's nothing in between.

F

Okay, so you essentially want a serve fail for greater than zero or one correct. Yes, okay, um okay, uh we'll go on.

I

Ralph, having a kind of middle ground can cause problems, so I would also prefer one one signal and I think in early discussions we we thought about uh um doing the surface at 100, 150.

I

So that as a starting point, because the problem now, if you have a resolver that wants to do the kind of hard cut, it cannot comply to this graph because the current uh graph, the must is at 100 so between 100 and 150 bears or 500. In that case, there is a behavior that is currently not possible if you want to just have really hard cut.

F

Thanks, you actually bring up another point that I meant to mention which I haven't, which is that there was discussion on the list that we should produce this rfc with the goal, uh with the goal being zero. um I think there's general consensus around that um and allow validators to slowly achieve that based on measurements by you know, victor or others in terms of what actually happens in the world. So you know functionally be non-compliant to the rfc when it comes out.

F

You know and wait for for a time a fall-off time uh and then get to serve fail or something like that.

F

J

K

Hi, can you hear.

F

K

Yes, okay, good, uh I was the one who was proposing to specify the goal and you know let people slowly approach that goal and I think that for the zone owners, the the rfc should be just must less than one or zero or one or something like that, because that's the only interoperable value in the long term- and I don't think it's useful to update the rfc in you know in a year or two.

K

So I think that we should be very strict for zoners and we can be much more relaxed in the specification for the validators, because we don't even specify the value for validators. It can be just you know, think about the value before you release your software and do your measurements, because for validators it's basically impossible to prescribe the value, because it's changing all the time, but for zone owners we can specify what they has to do to be interoperable in the long term. In my view, we don't need to like refine details.

K

F

Make any sense yeah it does. uh Thanks. Do you have an opinion on the serve fail aspect of whether it should be a low value or something like it is now with whether insecure or not is.

K

Yeah, I'm afraid it's. It is same same story because right now we cannot do say, fell above certain point, but it will change over time. So again, I would just describe for validators what needs to be considered when the validator vendor is setting the thresholds, but we, I don't think we have to specify the values in the draft actually because we describe the logic they well. If you you know the current prevalence of iteration values, you will see distribution and then you know make up your mind, and these are the consequences of your decisions.

K

I mean, if you describe that insecure means actually not just for the nx domain and the desire file has better security properties. Then I think it's enough in the draft for the data vendors to decide. Okay,.

F

All right, thank you all right chairs. I will uh take all that input and do something with it. I think we uh there will certainly be more commas on the list.

B

Okay, thank you. Thank you, wes um yeah, so uh indeed yeah, no uh speaking now as a as an implementer, I uh I agree with better, uh also for for uh well and and also I want to know that the surveil behavior is new. The other are caps caps on iterations the serve file is new and I think yeah we will follow the drafts and the rfc, and also, of course, thank you victor for measuring the current state of the number of insect iterations being used by operators.

B

um Okay, I want to go to the next presentation. Let's see where are we here? That's.

B

There, you are, um what do you want? You want to run the slides. You can ask uh to run the slides, there's a new option here there we are yeah granted.

L

Can you hear me actually, yes good, I I have intermittent failure, so I have actually uh okay.

L

Okay, this seems to work good, hello, I'm always from the swiss internet foundation, and this is work that we actually had a whole group of doing, but schumann started this with his multi-signer document a few years back, and so um we have presented this work at its before and we have be continuing working on it, and so I was going to do doing an up status, update uh where we are in the work, and so we have um the algorithms are for leaving for joining and leaving a multi-silo group is defined.

L

uh We have algorithms defined for keyword, overs of a whole group of signers.

L

We are working on a controller software that can orchestrate the whole multisigner setup, joining leaving algorithm, rollo or key rollovers, and uh one of the um missing pieces for this to be really automated is that the parent zone would have to uh support season, and this is actually what we have been doing in the swedish internet foundation. We are implementing season scanning.

L

uh We started with cds cdns key scanning last month, and we will start with ceasing scanning, hopefully next month before christmas, and let's see.

L

We can with this yes, okay, so what do we have left to do?

L

um Obviously, we this we have written up, the all the algorithms, but we have not made real world verification, and we try will do this with our software implementation and we hope to do this between this itf and the next one, and then we will have to make more stringent timing, definitions and there's a lot of dependencies on ttls and timeouts, and I think we need to be a little bit more yeah stringent on what these timing definitions are, and I think that is my part.

L

Let's see yes, okay, um yes, and so this was added by schumann, but I think I can speak to this uh too. Okay, we, if you're following the the icam process, we there is a dns day, basically at the the ik meetings, and there is a small on the dns day. There is a dns automation panel that steve crocker has been running together with schumann and there's a lot of work around the dnsec automation.

L

There was an uh workshop of the rsec, the committee of icann, about the nsa automation, so there's a lot of movement around this and I think yeah. So this work that is really looked at other than in other places.

M

L

Yes, before I come to this, uh uh what I do wanted to say that there that we have been working on a way to so one of the the special use cases of this multisigner is to take a domain and move it from one signing. Dns provide a dns provider to another signing dns provider and one of the requirements is that bose have the same algorithm and but- and this is of course doable for large organizations because then you can pay for it, and you can, you know, make requirements to your service providers.

L

But if you are your person, but it's your personal domain, you probably can't do that and uh registrars or other you know. Hosting providers are not very uh open to making changes to their environment for just your domain. So what we in practice would like to do is to make to be able to move a domain from one signer to another sinai, but they have different algorithms for signing, and this will need some additional work and we will have to go back to how dns egg is validated actually and see.

L

What we can do there to. You know make this work, and um so this will be future work after we have this, the first one finished, and um yes so, and we would like to ask the working group for adoption for this work so that we um yes get this documented and defined how to move your domains around and how to run them in this more resilient setup of multisign.

L

L

B

You're, muted, schumann,.

B

I can't hear you.

N

Can you hear me now.

B

N

Okay, great sorry, I had to click an extra button, uh so I just wanted to say that working on this draft has helped us to talk with implementers and manage dns providers alike to implement the key management interfaces that allow multi-signer operation to work smoothly, and that, in turn, helps us solve the inter-provider handoff uh smoothly as well. So I think we think there's good benefit to the operational dns community generally, so we would encourage the working group to consider adopting this drug.

B

Thank you. uh Thank you, schumann, um yeah, as tim already presented at the start.

B

You are on the shortlist for for working group adoption uh and we will start uh start the process after uh well next week, but again we uh we discussed the sponsor with the dinosaur chairs and the ad.

B

But we idly, we, we see about four or five active drafts in the working group and active not being in the isgq or editor queue or on hold we're.

O

B

To that with the current state of the document, so we're open for adopting new work and, as tim presented on this slide, your draft is also on this list.

N

B

Yeah paul please go ahead. Greetings.

P

So this follows up on schumann's question: um does this have to be in dns op? And the reason I ask is this: we?

P

Yes, it obviously relates to operations, but it really relates to horrors and how operators hand things off and such I could completely see this being in a different working group that is much more operator oriented than protocol oriented um from what uri said.

P

I think the issues that are open that are are, you know, will be dealable with, but I think need to be discussed are really not ones that we are necessarily experts at in dns op, and so I could see a purpose-specific group um that is about how do operators work with each other when doing handoffs and have this be part of that not saying it shouldn't be in dns off, but I'm not sure that it needs to be in the same queue with lots of other things that we are doing, that are much more protocol focused than operator focused just a thought.

B

Thank you noted um so uric. Do you want to run the queue yourself or shall I uh call for the next.

L

Oh please: we continue with peter yep.

M

Okay, um paul just said that most of the proposal concerns dns operators only and not the protocol, and I wanted to point out. I don't know if it's in the draft that there may be a protocol implication in case of key rollovers or key algorithm rollovers.

M

um I don't remember exactly what the circumstance was, maybe schumann or if you know, but wasn't there some requirement that you have to have signatures. um Oh yeah, I remember. If you have two providers, um they have to sign the dnsk record, set on each side with their respective keys, and if one provider decides to to change the algorithm, then the the other doesn't use the new algorithm and can't sign the dns key records appropriately, and I think that requirement um comes from some dns rfc.

M

I don't have the section in my head and um I remember there was some kind of complication like that. So maybe there is a protocol implement um a protocol implication just putting it out there.

L

Okay, thank you peter.

I

Golf weber, would you okay? So there was a time um when there was dns x that cared for protocol and dns up that cared for operations and then dns up started to do well. We would do it all together, but I think that this is exactly the work that belongs in dns up, and I very much would encourage to work to take that work up and adopt the crowd.

L

Thank you ron and victor.

E

I also think that sorry, I also think that implementers of of name servers, not necessarily operators, probably need to make software changes to support this work and so exposure in this working group, where the right people pay attention, I think, is appropriate.

L

Thank you yes um to this point. I can say that, yes, we are doing this. We implementing this controller software right now and um there is actually a quite complicated state machine in it to make this work, and what I can say is that it would be much easier to implement like a peer-to-peer version of it in a name server, because the name server already ha the signer already had the state of all the keys, um but I mean that is obviously in a future development that we could talk after.

L

We actually have verified that this is working in the first place.

B

Okay, I think, okay, that was the queue any other questions. We still have time for one, no okay, thank you! Thank you, ulrich and schumann. um So yeah concluding, I think, you're well on your way in writing the document um and and for your own timeline. What do you think so? uh Well, they're both operational you're implementing stuff, but also for the draft? How much work do you expect.

L

Well, we expect that we would have the implementation ready in the next months and then we would run the experiments before the next itf so that we could, you know they update the document with the remaining to-do's and um then depending on feedback from the working.

O

L

We hope that we're good to go, but you know what I.

O

L

There's always so it always details.

B

Thank you, okay. Thank you. Uluri.

L

B

Thank you we're doing well with time next presentation is by shivan and or chief on this in the room. Hi steven. um Do you want to present your slides yourself, so I uploaded them already in meat echo. So if you oh yeah yeah, you ask there. You go.

Q

Right, perfect excellent sure should I start.

B

Yeah, yes, please.

Q

Sounds good um hi.

N

Q

uh I'll be talking about domain verification techniques using dns, which is a draft that schumann and I have been working on. We also presented this at the last itf and we've gotten some good feedback before and after that I mean we wanted to ask for adoption.

Q

So just very briefly, um what is domain verification? uh What is your verification? So essentially, as folks probably know, many providers on the internet need users to prove that they have some kind of kind of control over a domain and service providers ask users to put a dns record in their zone. That proves that they're, the ones who control their domain and a good example.

Q

It is let's encrypt with the dns-01 challenge and um you put the you put the challenge text record and then, once it's verified by, let's encrypt, you get issued a cert and I won't go into the whole draft because we talked about it last time, but just as a refresher, the draft is fairly simple. It gives an overview of existing techniques, talks about text records and cname, which are the two ways in which we saw that service providers right now are doing dns based domain verification and also we give recommendations.

Q

um Some of them are targeted domain verification so that there isn't bloat um at the at the label and also time bound checking, because um we notice that some service providers ask people to just keep the verifying records around for a very long time, which is again not great for bloat uh and also we recommend the use of.

Q

um We suggest the use of dnsec to prevent spoofing, and I put in a link to the 111 presentation over here and we've gotten a bunch of feedback uh on the mailing list and the mic, and there were some security issues that were talked about at the mic, especially last time and we've been using github to capture all of that and I think yeah. We know that detailed security analysis is needed, but I think that would really like benefit from the involvement of the working group and um that's basically it so yeah.

Q

I think shimon, and I would both want to ask for adoption.

B

Thank you. Thank you, shifan um yeah. um So, first of all, let's see if there are any hands erased. No there's! No one in queue.

B

Going once going twice, yeah paul, please go ahead.

B

Oh sorry, paul we can't hear you.

R

Test, oh sorry, okay. um I just wanted to reiterate again, uh as I did on the last meeting, that this is super important. This is a huge problem and- and we should not stall this and really move this forward fast.

B

Okay, thank you is the more support in the room. I've, I've just went over the mailing list and there was quite some. There was a good discussion on the mailing list. After the last presentation, schumann, schuman, please go ahead. Yeah.

N

Sure uh so yeah so uh benno and chairs. The other thing I would uh recommend that you do is look at the minutes and the uh recording of the last um presentation that we did there were a lot of.

N

There was quite a lot of vocal support for this draft right being adopted and the fact that a lot of these domain verification techniques are kind of they've grown up organically in ad hoc right and no one sat down and done any like serious security analysis of these schemes and that's kind of like a a big gap that the dns community can uh can can jump in and make sure that these things are being done in a in a secure and maintainable fashion.

B

Thank you, shulman um joey,.

O

Thank you. um I wonder, I'm just wondering other than working more on that security analysis. uh What would be the next? Yes and um I I see it hasn't, been updated since the previous yeah, so I was just wondering like uh what are the reasons um how to phrase this um um like what has changed in order like to uh support adoption better this time, if that makes sense,.

Q

Yeah, I think we've just been gathering feedback in the github issues. I guess um and that's where all of them are right now in terms of work to do. I think, um there's like a few sections to be filled out, uh especially like recommending like when to use text versus cname, um but yeah.

O

Q

The point of view of the authors, I think we also thought that it was ready for adoption last time um so, but we all you know, we also figured that would be good to give a just a refresher. um This itf and yeah again ask good option.

O

Should we do a count of hands, then I mean show of hands or something.

B

Q

That up to the chairs, but.

B

Yeah, thank you. Thank you, shiva, so joey. So indeed in in the indiana shop, we we go to the mic indeed, so it's it's it's support in the working group. Then we take it uh the call for adoption to the mailing list um uh and in the on the mailing list, uh there's there's the formal call of dot call for adoption.

B

um But again, uh as we are working on our backlog and are we going a good uh we did well, we did a good job in the past month, so we have to be cautious not to accept too many new drafts, because then we're in the same situation that are too many active drafts and there's less focus.

B

This is also a result of the well previous discussions of the working group and not about not only the dinosaur chairs and the ad, but also the working group participants that we need to focus our work. um So it's not uh it's. It's not a qualitative statement not to adopt or postpone it's really a managing workload, and we we did hear you. We did hear uh the different participants about the importance of this work, and um maybe I should give the word to tim, maybe and brett. You are still in queue so uh but.

D

I was waiting for brett first, so unless he's done.

B

Yeah, okay, no, so uh definitely um the the chairs will be in contact with uh steven and schumann also making an indication how much work there is to be done on the document, but also for the working group and plan the work and yeah okay, red.

S

B

D

B

R

B

Hear you brad.

B

No, no, I do the mic is showing up, but it's so you maybe some another button.

D

I'll I'll speak quickly, brett and then, if you can figure that out in the short term, how's that so.

B

D

Cool um speaking as an operator, I think this is like way important and I you know, as I've sort of have sort of hammered on schumann siobhan. They should just keep hammering on this because there's this is good stuff so um and we'll figure out the whole chair, we'll figure out the whole adoption thing right. So don't stop.

D

As I keep telling you you too. I work so I always feel like I'm just cracking the whip on the stream on, and I feel sorry about that. So I apologize you won.

B

No definitely it's good work yeah, but it's uh yeah. We have also managed to work loud and but I think we're in good shape. Now as a working group and adopting new work um brett. Can you try it again.

B

No, no sorry, I don't hear you, maybe you can type your question. I will relate yeah thanks, uh schumann,.

N

um Yeah, so just answering tim, uh I think that's fine. We can keep plugging it uh plugging away at the draft shivan and I but we're hoping if it was adopted early we we would. We could recruit more collaborators to help us with the you know, security, analysis and more extensive analysis of these schemes, so that was, in our opinion, one of the benefits of earlier adoption.

N

But yeah I mean point tech and I realize you have to manage the queue of work, so we can uh plug away edit by ourselves in the meantime and if anyone wants to collaborate with us, just uh yes.

D

Let's speak out, yes, let's you know collaborators, please. You know step up um yeah.

A

D

A

Paul volunteering in the chat and anybody else that wants to help get this draft.

D

Ready for adoption.

A

D

Thank you, yep didn't know that schumann, so you know we'll find you people how's, that.

N

Yep thanks all right and thanks we've recruited paul, that's good! That's.

B

Good okay. Thank you um question uh from brad and relaying from the jobber room. I was just going to a add my support and b question the title of the draft. It says survey, but you talk about recommendations.

B

The title may confuse people into thinking. It's just informational.

Q

Yeah from our point of view, it is informational because we're trying to capture as much um like as much like. First of all, the survey of like what people are doing in the field right now and then also the different like trade-offs that people might want to make. So.

O

Q

Not be a normative document, this would more capture the guidance and um what people think that we should do. You know um like when you should use like a cname record versus a text record um for verification, so so yeah. So this would be more. um This would be more like guidance than prescriptive.

B

Okay, thanks uh peter, so I also asked my coach here suzanne. How are we doing uh with respect to time.

B

Okay, so peter go. Please go ahead. Yeah.

M

Yeah, I don't know exactly: who is um um what kind of parties are involved in the bms apps group? I mean obviously name server, implemented, resolver operators and art operators and all these people, and regarding this draft I wonder who the address he is because, for example, in the case of certificate issuance, I guess that would be something that um cas would have to expect from the customers. So, for example, that's encrypt would have to say um you should put this in that record into the dns.

M

So cis have to be convinced, but I don't think cis are part of the dns apps group, then for github verification or domain verification for office 365 or something. Then these companies have to be convinced and um I'm not sure if, if they consider themselves involved with dns operations also.

M

um So while I think these recommendations are good, I just wonder if um they will get heard when you put them in dns, ops, so who's the addressee of the draft.

Q

Yeah, I think um it is definitely like service providers for sure, um and I think the idea is that a lot of folks have um have come up with like ways of doing um domain verification that they kind of just. um We talked about this in the draft a little bit like some of them extremely well formatted, and some of them are just you know just here here, put a string and they don't really talk about any requirements around that so, and we think this happened because of the lack of guidance.

Q

And um so yes, I think the hope is that, given like an ietf document, um that'll help. So people can like point towards that and kind of use that, when designing domain verification techniques or domain notification methods for their own services,.

N

Again, so just to follow up uh siobhan, I think uh peter to your point yeah. So I I I think our expectation is once we develop this draft a little bit more. We will have to do outreach to application and service provider communities right to kind of clue them in uh to uh you know what, uh if any recommendations come out of this draft to see if we can persuade them to adopt those recommendations, so I think that's. We expected that to be part of the process.

B

Thank you. Thank you both um any final words. No, so uh thank you. Thank you, shivan and schumann for uh pushing this work, and uh definitely the chairs will have a follow-up with you there and well paul routers and also brett brett carr volunteered to help that's good, and we will definitely make progress uh in the next month. Yeah.

Q

Perfect thanks better thanks, sirs.

B

Yeah, thank you.

B

Next, we have let's look at the agenda. Structured data for dns error, access, denied error pages. Then yeah there you are and then how do you want? Do you want to run the slides? I can do that for you. We uploaded them already in mid echo.

B

Oh sorry, I see the request yeah there you go.

B

I can't hear you yet.

T

B

Yeah, thank you.

T

um So my name is dan wang. I'm talking about uh structured, dns, error, page.

T

um So our purpose for this document is to provide some parsable data. We decided on json for the user and it to troubleshoot why a dns query was filtered by something upstream and then this information can be displayed in logs and nothing. You know done with it interactively.

T

You know at the time it occurs or it can be displayed on the user interface of the operating system, the browser or whatever and the adjustments we made here better handle headless devices that don't have a web browser and don't need to use a web browser to go, get the information.

T

That was one of the deficiencies of the draft that we're superseding. With this that's mentioned at the bottom draft, ready dns, hop error. Page we've received a bunch of comments. I saw a bunch came in late yesterday, my time from peter, which was was pretty cool and I'll talk about a couple of those things as we go through, so the design handles a commercial filter and an it or parental operated, or you know, whoever is operating another layer of filtering to filter whatever that they additionally want to do so.

T

The commercial dns filter might filter malware, might be a government mandated filter to filter child porn sites and then the it operated or parental operated. Dns filter might do some other stuff all eventually going to the client. So the protocol allows these these filters and these blocks to be propagated down.

T

Should the one the the filter in the middle decide that it wants to propagate that down in a lot of situations with parental filtering and with it filtering the the intermediary needs to be involved to resolve problems with filtering done by the upstream, uh because they own the contract. They have the uh the phone number to call uh to resolve those issues um so, but that it turns into something the protocol handles either way, but there's operational concerns and issues there.

T

The packet format is the usual, um and then this slide I'll update for the meeting materials. I noticed this morning that there's a couple things missing in it, but the json that comes down is is purposefully as tight as I could figure out how to make it. um So the the c colon is uh intended to have anything that the filter service wants to include to help it identify this filtered event. So this could be a time stamp like shown here.

T

It could be any unique value, a sequence number that it wants to keep track of for each time it does a filter could be anything that it likes doesn't matter. The protocol itself doesn't care. This is something that is generated and a responsibility of the the dns filter uh itself. The d colon uh is the domain of the doh dot server that the user is connected to this is to detect if the uh doh dot server is just blindly proxying and forwarding this traffic or is actually aware of this extension.

T

There's some stuff talked about in the draft on why that's valuable the j colon is some free form text.

T

We have a discussion point later to talk about what language that's in, which is a thing that causes me a little bit of grief. Only the d and the j are mandatory, as specified currently in the draft. Peter had some comments on that o is a free form organization that is doing the filtering and r points off to a justification for why this filtering happens so might be an employee contract for why a job site or a guns and ammo site or whatever, was being filtered or point to a country specification.

T

A country requirement that child porn be filtered. If that was the reason that it was filtered so then, on the client, it constructs the url by prefixing https to the d colon value and appending the query parameters for c what I missed here on this slide, and I will update in the meeting material. Is it also appends the don't the the domain queried from the dns query and the uh the record type that was queried like a or quad a or whatever um there's some security considerations? um The um one is.

T

We want no clickable links uh in the o and the j fields, uh because they then need to be uh sanitized on where they're going and what you know what they're. For.

T

So that's something that needs to be probably cleaned up in the client. um How to do that? We don't specify. Quite yet, we need to socialize that a little bit more see how we want to handle that encrypted and authenticated dns on that. First bullet is mandatory because we don't want arbitrary justification text to be inserted into a dns query.

T

Response pair would be bad and then, if the url is being visited for the c and the r uh pages that are formed uh is uh that that url should be in a constrained environment similar to what captive portals are doing today, but keep in mind that processing those two things, the c and the r fields is optional, because again we're expecting and hoping that the j field, the justification free form, contains enough information to understand why this was filtered. That's why we're not using uh predefined? You know error code number.

T

One error code, number two error code, number three, which etsy is taking a path of defining for filtering, but rather freeform text, so that anything that the operator wants to put in here for why they filtered can actually be put in here- uh and this is my last slide. So a couple of discussion points that that I'd like to get feedback on on the list or right now are how to handle the language in the j and perhaps also the organization field, but really the justification field is the one that is most.

T

Concerning that you know, if it comes back in german, you don't speak german, it is not helpful.

T

Some consideration is, if that comes back, a web browser could itself with its built-in translate capability, just translate it for the user um not terribly appealing, but some discussion on that would be kind of nice and then also the isolated browser environment and how folks feel about that. There is a increase in security posture for the client for that situation, but it also means the user doesn't get autofill for and and also doesn't get cookies to open a ticket with their service provider.

T

You know they're or whoever is doing that filtering, because it's in this constrained environment, that's not going to autofill and they have to type everything manually, which is a real pain, and I don't know if this is interesting enough for the working group to consider adopting it. Quite yet, or if we'd like to go another cycle but most interested in those first, two discussion points. So that's my presentation.

B

Thank you, dan uh yeah there's a queue. Then you want to run the queue yourself.

T

C

C

But thanks excellent ben: please go ahead.

U

Hi, so uh we've been talking about this topic for a long time, and so I've been saying my my thought about this for a long time, which is, I am very, very cautious about about anything here that gives the gives the dns operator the ability to jump into a connection that wasn't for them and present the user, with with any information, especially information that the user can't verify, especially information that would potentially take the user to, for example, a different web property.

U

So, in my view, there's no safe use case here that involves presenting this to the user, at least not in a web context, and that's okay. I think there's actually value nonetheless in this in this draft, uh but what I would really like is a a shift to emphasis on on technical use cases and debugging, where the risk of user harm is minimal and- uh and I think a generalization here.

U

In my view, access denied is not is not the only interesting use case here, and this exact format or technology could apply equally well to diagnosing other dns failures in general. I think this could be a useful, essentially a useful addendum to the extended error codes draft to provide debugging at the client with more general structured information.

U

But I don't think there should be any expectation that this information is surfaced to an ordinary user where it could be used as part of an attack where it could be used to lie to the user about the rate reason for certain kinds of filtering or attempt to scare the user present the user with scary information about something to try to interfere with their perception of what they're accessing.

U

T

Cool. Thank you.

B

Okay, next jonathan jennifer, reed.

J

um I I so I I take ben's points like I said: we've been talking about this for a while. I have my views on it. I think there is a real use case here for debugging. I think there's a use case here for enterprises, particularly enterprise products, uh malware filtering uh all of this stuff, and I think in you know a world in which I simply get an nx domain.

J

I don't know whose problem that is, if I get an x domain along with some indicator that that next domain was intentional, you know or or that or was fabricated or whatever. um I think, there's something in between dnsr codes, and here we're gonna go automatically load this url for you, and I think this draft can talk about what that is, uh and I think that's you know the direction to go in. I think it can provide guidance to uh iot device creators and and browsers- and things like that.

J

um I take the point about attacks. I have a hard time, envisioning an attack uh that says I see what you're asking for and something is telling you you're not allowed to have it. It doesn't give you phone number, it doesn't give a url doesn't give anything just a it's, not just you right. That is the signal that this could lose and there's value in that. In my opinion,.

C

B

Thank you um andrew andrew kepling,.

V

uh Hi um two points ready uh one just to echo something that uh peter said um in the chat uh which uh I'll read it out loud, because it summed up what I was thinking but more succinctly than I would have phrased it, which is uh uh bad senses, uh sort of do just fine without support for this draft already, um whereas the the draw supports good senses who want to be transparent about what they block um and why they block it uh to their users, and I think that that's really the key here um to actually yeah for the well-behaved I mean census is a pejorative term but whatever, um and so notwithstanding that uh there are valid reasons to block access to content.

V

This actually gives visibility to that um and then second point, the current user experience is crap, yeah, let's be honest, nx domain or some or a blank screen is pretty hopeless. um You know, I often remind people about rfc8890. You know the internet is meant to be friend users this this this document. It gives us an opportunity to actually make it a much better um end user experience in enterprises um now with malware etc, and I really think uh the the problems have been exaggerated and there's a really positive reason for going with this.

V

B

B

Thank you. um Next, eric eric oath.

U

B

U

Audible, just yes, okay great, so I think my opinion of this is it's as far as ever, showing such information ui. I think ben gave a pretty good description of why it's, I think, scary, for pretty much any client to be able to show such information from the ui. If some user types in hps example.com and we stick something in the the content- pane, that's not from example.com or from the browser itself, which is controlled. That's just a very scary security situation.

U

I can't do anything anywhere touching that, without talking a huge number of security consultants on our side and figuring out, if there's any safe way, we can do that and at least in the old, in the old version. That's our pure ui. It never rose to the priority level where I could even drive that and get enough opinions to even approach it.

U

But as far as a pure debugging scenario, yeah sure it sounds very similar to ede, which is something we could just stick in our debug logs and have available there for either us to debug stuff or for users to debug stuff.

U

The question, then, is if this is just filling a similar role to ede of just making the information known that this is oh, this was blocked for this common reason.

U

Are we getting enough value out of this compared to edu? It would be worth pursuing to be worth resolvers sending this information. If it's not, then I don't know if this is enough to do so. In the very least, I think we need more information on just how this ideally goes alongside ede before anyone can really consider adopting much less consider implementing anything. A lot of these lines.

M

B

uh Thank you um paul.

P

So um I'm busily typing minutes, and I found myself flinching um at two people who spoke before me, which is why, I'm speaking the idea that you could use this protocol or any freaking protocol just in the enterprise space, but not over the whole internet, is I mean it's even scarier to me than I think this is scary for uh folks, like ben.

P

um I fully agree with the the idea that you don't want to show users information that they could mistake as coming from a website if they ask to go to website and they're getting information from an intermediary intermediary.

P

Dns server you've got to make it super super clear that this did not come from them, but I am even more frightened by the idea that people think oh we'll just use this in enterprise and dan. I know you've been on both sides of it's the whole internet or it's just enterprise, and I think you know, with stuff you're doing at citrix, now you're more on the just enterprise side.

P

Do you feel that this could be safely scoped to just enterprise.

T

No, I don't see a reason to scope it to just enterprise myself, because I think it's easy to show that this text that you're seeing did not come from the site. You're visiting we're doing that today, the industry's doing that today, with nx domain, um it shows I couldn't get there. I couldn't find the server right and it shows a message and and.

P

I I I live with a use case where that doesn't work where the person will say the website says this, when it's very clearly what you just said, which was it was in fact safari saying this so yeah. I I have some fears as well, particularly if you're not feeling that it should be limited to the enterprise, so just wanted to throw that in there.

T

With bring your own device and and taking my work computer to starbucks, um you know which, which is an enterprise scenario and which isn't um you know and starbucks may want to do filtering locally themselves. You know for for their, you know. Whatever their reasons are, you know to use their network for free, um you know, buy a coffee and don't view porn because it upsets everyone else in the coffee shop, reasonable. uh It's their network, um don't know, but yeah. I don't see a way to restrict anything to just enterprise.

T

I mean you know in theory: imap was that way back in the day, but it certainly isn't now right.

P

Okay, very good thanks.

B

Thanks um yeah, finally, uh brian please go ahead.

W

I've been following it too closely, but I'm thinking from the perspective of having looked at and even done stuff with rpc in the past.

W

uh One of the things about rpz changing response codes is that it's incompatible with dnsec, for example, but if you, for example, had an rpc response that is signed by the rpc operator or whatever the source is, that creates a kind of a providence on providence on the response, that's something that might be a way of proving who actually did that and you can then, as either the enterprise or the end user, decide whether you want to trust that or not, and it can be a comparison against do I do I treat this as a server fail, because I don't trust that source or do I do trust that source and I'm just going to happily acknowledge the the blockage anyway, yeah.

T

M

T

The authors um we had a discussion on that for probably 45 minutes um and decided to not go down that path um partially, because you know if the requirement to start to block it starts off with you have to do dns sec.

T

It's gets scary fast.

T

But yes, that would be a much more authoritative way of identifying who who modified that record and you know or who, who created, that record very much like how tls fake certificates are done for tls proxy.

B

Okay, thank you dan. um I think you get. You've got enough feedback from the room.

T

That was great feedback. I appreciate it thanks for everyone's time and uh reading the draft, and all that that was great thanks.

B

Okay, thank you.

B

Then. The final presentation is by brian dixon.

B

We reserved about 30 minutes for the presentation, they're, both it's presentation of four documents and the same well, not the same presentation, but a similar presentation has been given by brian at deprive earlier just earlier today, and we decided to also allocate 30 minutes for brian in dynasop, because it both discusses dina's, op drafts and deprived drafts, and to give context, brian asked to present all the documents at once for the different venues for both dpriv and dinosaur.

B

Good brian, are you ready? How do you want to run? Do you want to run the slides yourself from.

W

B

Or I can do it.

W

That'd be great yeah, okay, okay, and uh I know it's probably a little bit unusual, but uh could I invite uh paul hoffman to the mic first, to give me some immediate feedback on the clarity of of what the uh the goals are or what the use cases are. um I'm not sure that I've, I've done a good job of that and uh if he, if he can give a little bit of feedback as I go through, this that'd be great thanks.

W

uh So what this is talking about is a mostly a um derivative from uh an initial draft on authenticated dns over tls to authoritative that I put together- and there are pieces of it that um I pulled out that belonged, maybe more appropriately in dns off or as little standalone elements in deprive.

W

The goal is to provide a complete package of implementation, guidance or specifications uh to allow um a resolver to talk to an authoritative get um have the ability to establish a authenticated connection to the authoritative server, with respect to a specific domain name that it wants to send queries about um and the all the stuff is about how to do the discovery and signaling. Do it securely? Do it in a way that's downgrade resistant, uh so next slide.

W

So it's privacy protection is the the main thing, but that's pretty common across all of the a lot of competing um suggestions or drafts, or proposals in deprive. um I was taking this as a as a complete set of things, and some of these are involving different solutions to some of the same underlying problems.

W

um One common thing for any of these is the authoritative server's. Identity must be authenticated uh if you want to do authenticated a dot um for that to be viable. I'm I've come to the conclusion.

W

You need to have a secure delegation to the name, server's name um the zone, containing that uh it has to be deployable uh in a reasonably short time, so I'm assuming the use of stuff, that's only in dns, with as few new protocol elements as possible and without requiring any major changes, or even anything above the most minor on the registry. Registrar mechanisms for for transmitting stuff upstream within the dns system, uh explicit signaling, of support and being downgrade resistant next slide.

W

So the main adot ends up calling out a couple of new small drafts. One is a thing I'm calling nsv that was the dns or ds hacks draft.

W

uh This is a new dns key algorithm that is used to protect delegation, uh ns records via dns sec signature over a ds record, which contains a hash of the name, server name, it's the only. You need to have some way of of uh validating the target of an ns record in the parent, the delegation, in order to be able to trust the name- that's being used in that, since all the rest of it, including the the actual name used in the certificate for tls, as well as any signaling.

W

Those are all dependent on that name. So that's one of the drafts is just about um how to accomplish that in using a dns key algorithm.

W

The second draft is a thing called the dnst, it's a new rr type and it's simply explicit support for transport tied to the domain name of the name server um and the name server domain has to be dnsx signed. So this becomes a protected signaling things. So it's downgrade resistant and glue glue guidance is kind of optional, but it it's useful potentially to compare the glueless guidance against what ds glue has it, but I don't think that's necessary to discuss in this.

W

This form right now. Next slide.

W

And I'm using a tls for adot, sorry tls, a for adot, I should have said tlsa, not tls um and I've. I've started with the assumption that I'm going to need a new rr type, which is an alias for tlsa. That might not be the case.

W

The validation of the tls certificate that eventually gets presented to the resolver is an important part of this, and I can see, there's only really two good ways of doing that: validation on a certificate, web, pki or tlsa and since tlsa is part of the dns standard and we're already I've already said for the transport flag validation.

W

That zone has to be signed anyway. So there's not a lot of additional uh incremental overhead in saying, let's use a tlsa record, if you can validate the tlsa record, um you're good to go, you don't actually technically need web ppi doesn't mean you can't use web web pki issued certs. It just says that you don't actually have to use the web pki validation.

W

You can still do that. You can still choose to do that. You don't have to.

W

And then there's a question of new rr type or just use an unprefixed tls say the name server name.

W

Next slide and feel free to tell me if I'm going too fast, anyone just raise your hand.

W

So the the novel thing here- uh nsv it's just uh the sv- is just the the uh mnemonic for a new dns key algorithm, uh which is being used to validate ns records.

W

The it's used to create a special ds record, it's possible to use a ds record, even if this child zone is not signed. If you look at the last line in this slide, it says unknown. Dns, key algorithms are treated as insecure, rather than bonus, so nsv unaware resolvers, don't have problems with this proposed edition.

W

So the idea is you take the name server name, you uh put it into a structure which is technically a dns key structure. You don't actually publish the dns key in the child zone and that avoids making the child's own seem as if it's actually dns excited because it doesn't have to be. You then take the hash of that.

W

New record type- and that becomes your ds record validating that is using the parent nsr data so where you've got an ns record, the target name, which is the right hand side of the ns record, is the name server name. You follow the same construction method, take the name server name, you hash it as as a as if it was a dns key and compare that against the ds. If it matches um you're good- and you can be reasonably assured that the ns record in the parent for the delegation has not been tampered with.

W

That's all this is it's protecting the nameserver record from an on path attacker by using ds record and the fact that the ds record is going to be signed in the parent zone.

W

W

uh Dnst for signaling uh ad adot support: this is just a new record type that would be in the child zone at the name, server's name.

W

uh The record would simply consist of three flags that are either set or not set and indicating support for each of the three different transport protocols that I put in the draft udp, which is obviously vanilla, dns, tcp, vanilla, dns and dot, which is dns over tls to authority um it's using the same owner name. But what I'll point out is that nameservers can have more than one name. So if you want to differentiate.

W

A nameserver usage case of having some of the zones that it serves being dot, supported and some other ones, not you give them different names and put in different dnst records and they all resolve to the same address. And then it's a question of based on the delegation.

W

What the zone name is, do you try to, or do you want to use, uh dlt or not, uh or rather has that that's been explicitly signaled by the nameserver operator? It's not required to do this. I'm saying it's available as a mechanism, so an authority server operator can do dlt to everybody dod to nobody or potentially do it on a zone by zone basis um without actually having anything other than the name server name being a differentiator.

W

um And then for dot to be usable, the client has to validate that the zone assigned the record is present and the dot flag is set. um That covers that. Oh- and I I point out that you can.

W

You can do some odd things that are not really going to be useful outside of the enterprise, but within an enterprise you can actually set up zones that require dot and don't support, vanilla uh queries and answers so that, for instance, the dns root um authority server could actually be doing um client cert validation to allow it to restrict who's allowed to actually do queries.

W

It's kind of an odd edge case, but it's interesting next slide.

W

uh All of this is about downgrade resistance. um That's why the nsv, algorithm ds, hashes, are ds. Hashes in the parent zone. They're signed, um restrict the usage of ns uh to cases where, if there's a, if there's a corresponding ds that the ds and the ns are in agreement um and the children uh child um records in the name server names zone, um those are also this dns sign zone so they're signed, and that gives you discovery is downgrade resistant and certificate.

W

Validation is protected by um dnsec, so the worst that an on-path adversary can do is interfere with the connection but not force downgrade next slide.

W

Yeah there's some interesting things. I was looking at to try and improve the efficiency in terms of the number of round trips once a cache is partly warm not completely hot.

W

For instance, a name server named zone having some of the records have already been resolved, but other ones are not.

W

Is there a way to minimize the number of queries you need to do for a new name server in that zone, and these are just sort of semantic tricks using a couple of different label types and an opt rr for allowing uh aggressive insect to be used.

W

Probably worth not discussing it in depth here, it's probably worth reading in the draft next slide.

W

And this is just uh explaining why I'm going down the road of it has to be dna? Second tlsa. It's so that the clients have the ability to validate using only dns elements. If you don't require tlsa to be used, then clients can't validate using dane and they're forced to use web pki. So I don't want that. To be the case. That's why I'm saying it's got to be uh tlsa, and that means it has to be dnsx signed. That's for minimum operability.

W

The resolvers have the option of not doing nsx validation and of doing web pki validation if they wish. This isn't forcing the clients to do anything. It's making sure that if the clients want to do dane validation that they can and the only things that actually have to be signed are the name server zones. Then the zones that contain the names of the name servers themselves.

W

It's usable for privacy on unsigned zones, I'm not saying don't, encourage dnsec, I'm saying is optional next slide.

W

It's a work in progress hasn't had very much review because I didn't aggressively push it out earlier and taking this on as one of many projects and I'm trying to find good ways that are easy to implement and easy to deploy the minimum amount of additional work um for the specific things like dnst.

W

It's such a small draft. I think it doesn't require much review. It could probably even go straight to a working group. Last call with like only a few reviews and getting an early code point assigned so that implementations can be done. It's trivial, it's three flags. uh The nsv is probably a little bit more controversial.

W

That, I think, is if I'm not mistaken, that's sitting in deep private uh rather than dns off, um and that's probably where the bulk of the discussion was going to happen, plus a dot itself yeah. That's all. I got.

B

Hi, uh thank you. Thank you. Thank you. Brian. uh There are two people in the queue um three. It's still we do have uh sufficient time to discuss uh benjamin bin. Please go ahead.

U

Hello, so so brian, I I think it's fair to say that you and I are thinking along pretty similar lines. uh Yes, for a lot of these topics,.

W

And I'm happy to have any pieces of these incorporated merged as uh people seated.

U

So you know, obviously we we've had a lot of debate about exactly how the fine details of all of this should work, but um but I think it's actually a good thing that we're that we're we've got uh lots of interest in trying to find a solution here and and similar ideas about what the solution should look like.

U

So in the details, um I have two thoughts so well. First, I don't think that we are ready to to jump in and move forward with with any of any of these proposals. I think um these are there's a bunch of deep questions here that we're not we're not just going to plow ahead.

W

Oh, the parent proposals talk about, I think yeah yeah.

U

All of them yeah, um but for dnst specifically, um so my view is as you as I'm sure most people here know, but maybe not all um there is an adopted draft uh called service bindings for dns in the add working group that specifies a way to signal the supported um the supported set of secure transports for for a dns server.

U

That draft, uh so that draft is, is essentially, in my view very similar to dnst. I would strongly prefer not to have two solutions there. um You know the the the service bindings for dns draft is not in last call if you feel that there are changes you'd like to see in it, uh please take those to add and, and we can discuss whatever changes you want, if you think it should be a different rr type, I think add, and that draft is the place to have that discussion.

W

Okay, I haven't been.

U

W

Edd, for a long time so I've uh I wasn't aware of that. um So that's the yeah. I actually did originally start with trying to do this using an sbcb binding, but I found that I was using literally none of the the the value proposition of of that other than basically the flag signaling.

W

So I I basically did this as a shortcut to avoid having to make my draft long or to reference other things, and I wanted to minimize the amount needed to deploy if somebody isn't already doing, uh for instance, https uh and hasn't already done any kind of service binding work.

W

I I the reason I went with uh this simple flag mechanism. Is it's so lightweight to actually implement? I agree. We shouldn't have two things. It's simply a question of um which is more expedient. Is there anything in the service binding things that actually add value that can't be done other ways in better ways? I I think it's it's an offline discussion, but yeah okay,.

U

The other thing I'll mention is that the glue list delegations we're kind of in the wrong working group for this, but the glueless delegations raise a bunch of very tricky privacy questions because, as I understand it, to get the to hit the performance targets that you're talking about, we essentially disable the adot mechanisms when we're chasing these glueless delegations and those. So it's assumed that the queries involved in the glueless delegation process are no longer sensitive.

U

I think that's only true if the child zone, if the ns in the child zone is not only out of bailiwick, the original ns record is not only out of bailiwick but also itself non-sensitive. So if I have you know, companyone.com and I have- uh and I put my name servers under company1.net they're out of bailiwick, but they're still disclosing the same piece of information, potentially so correct. uh Yes, I so I I would like to see a little more discussion of that. I I think it's.

U

It makes the system easier to reason about if we don't have to restrict ourselves to particular architectures like that.

W

Yeah and again, I would point out that, after having thought about it, a bit more, uh the blueness is a recommendation, not a requirement. The only thing I think actually ends up being a requirement is uh the well the the bailey wick issue, I think, is, is core of the whole thing.

B

Okay, thank you victor you're. Next.

W

Okay, uh do you want me to give a quick answer now? Do we have time uh the first one? Oh sorry,.

B

Yes, please we, we do have uh okay about seven minutes.

W

On the the first question uh in my presentation, I think I skipped over.

W

This is a detail but um or maybe I removed it, it was in the other presentation, uh I'm not assuming that um uh that, even if you have transport security that you can rely on that for data integrity, so it and I I know this is probably a little bit controversial because I haven't actually shown my work, but it is possible to poison tlds and you could become a man in the middle for a tld, at which point you can't necessarily become a tld for the tls situation, but you can for the non-tls situation, which means that you can serve up bad data, even if you weren't originally on path.

W

You make yourself on path with uh with poisoning a resolver um anyway, the the gist of it is with nsp. You remove that as being even a remote possibility.

W

um I can't remember the other part of the question about nsv um I'll answer. The second question, then, if, if I didn't answer adequately on the first question, we can go back to that um for the motivation for getting rid of the prefixes.

W

It's mostly about the ability to uh get the signal in and um uh actually that's the tlsa part. It's it's only the dnst that matters for the signaling, the tlsa part, could still be um underneath the individual. I guess it's just to allow a more scalable uh population of a zone if you have the ability to do some kind of wild card and the only way to discover that you're able to use that wild card is if the owner name.

W

That happens to be the same, and you can see that in an insect, um an nsec record that shows that there is no tlsa record uh at that order name, but that's that's mostly for optimizing. The number of round trips on a warm cache, not hot, but warm yeah. I I think it's probably a thing to discuss on the building this morning.

S

Okay, there I just had a question for you about uh the nsv algorithm type for ds, same question that I actually asked ben in the uh deprived meeting, um which is have you had any? uh Have you attempted to deploy this nsv algorithm to any um parent zones that are significant? I mean, obviously you can run your own parents own. Have you attempted to deploy it to any active ones and what was the results of that.

W

I tried a few, um but I was limited mostly to whatever the uis were, supporting um the uis differ, but generally will have drop downs as opposed to free form uh for the algorithm values, but I'm gonna work with my co-worker to try and do a more direct um api as opposed to ui since we're registered.

W

We can actually do that and send the results up to different plds, so I haven't succeeded, but I haven't done the the more in-depth trials on that my suspicion is that, as long as an algorithm has had a pull point assigned to it, it's much easier to convince a registrar to update their ui to allow the code point to be used. The fact.

W

The main issue I think is going to be on the the parental side and whether or not a registry is going to be willing to accept a plain text rather than a hashed ds value. um By sticking with an existing ds hash, um I see very little the likelihood of there even being any contentiousness to this. It's still doing uh comparisons of hashes and the only purpose of that is to validate existing parental records, I.e the ns records.

W

So I I don't think there's going to be any pushback from registry operators, which is where I think the the biggest part of friction is going to be for getting the optimization under the uh the dsp kind of mechanisms.

S

So report back about what you found would be great to the mailing list. Thank you.

W

Absolutely for sure.

B

Thank you uh victor. Please go ahead.

E

Specific specifically on the question of registries, uh if I remember correctly.de, will not accept the the nsv dsr set, because at the time at which you upload your ds record, they actually do live queries against the child to make sure it has matching dns keys at the zone. Apex during epp and they'll reject the uh the update. So some registries will change their practice yeah. This.

W

Would require me going to peter and twisting his arms substantially or other people at d, but um modulo then actually saying yeah. Okay, um that's going to be a problem for de, and I think uh there may also be an issue with ca. Canada. I think they require both of them to be presented.

W

I don't know what they do with the dns key other than just validating that it matches the what ends up in the ds that may or may not be a problem. It remains to be seen.

B

Okay, thank you. Thank you, brian thank you working group. um You have enough directions and feedback brian. I think.

W

You know overall, I I think yeah yeah, I'm happy uh happy enough and look forward to continuing discussions on the list on the mailing list.

B

Okay, thank you. um Then we come to an end of the agenda for today, so tomorrow we have another session of an hour.

B

During this session, there was a continued discussion on the insect 3 iteration guidance on on jabber, so we asked wes if whether he was available tomorrow to continue this, this discussion in the working group, so we will reserve another 10-15 min minutes for tomorrow to continue the discussion on ancestry and finally nail some numbers or well um suzanne. You want to say something to that.

A

Sure, just um thanks everybody for your time. We are still- and I think I said this in the chat.

A

We are still working on the ideal way to do agendas for the big ietf meetings and interims and the rate that we accept new work, but people should always feel free to work on things, comment on drafts that are of interest and in fact the more work has been done on a draft by the time it's out, the adoption is requested, the more likely it is to be in in some kind of shape to to really get into and solve remaining problems and and move on.

A

So um thanks everybody for your time, and we will see you tomorrow.

B

A

Thanks, ah oh one, one other thing: there have been a couple of drafts that were discussed today, where it sounds like cross area review would be a really good idea, um and it's not completely obvious immediately where to go for that review, but that's something we can work on with warren and the iasj.

A

So thanks everybody and we'll see you tomorrow.

B

Okay, thank you see you tomorrow.

B

B

B