Internet Engineering Task Force IETF 116, 30 Mar 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF116-DNSOP-20230330-0030

Description

DNSOP meeting session at IETF116
2023/03/30 0030

https://datatracker.ietf.org/meeting/116/proceedings/

A

A

A

A

A

B

Okay, everybody two minute warning: I figure we'll give people a couple more minutes to get that last cup of coffee, but we'll be starting in a couple of minutes.

B

A

I was surprised.

A

A

B

B

I think we're as ready as we're gonna be welcome to DNS operations. If you don't mean to be in DNS operations, you might prefer to go back to sleep.

B

But here we are at ietf 116.

B

So we'll go through the chair, slides first and then we'll get into our regular agenda. Tim is not with us in person, but is out in The, Ether and Beno and I get to be here in real life and see all you lovely people, so we're good I found out Tim and Suzanne Warren, who is not who's, also not in the room, but it's recovering from being ill and we look forward to hearing from him um the usual things about chat rooms. Minutes thanks, Paul Hoffman for taking care of that. For us.

B

The note well, everybody has seen this by Thursday. Everybody has seen it multiple times, I hope, you've read it at least once because it does govern how your activities in the ietf are part of the process.

B

Code of conduct, this again should be very familiar and not a big challenge for folks at this, especially at this point in the week. Thank you for observing it.

B

A couple more meeting tips that the chairs were asked to make sure the room had heard this session is being recorded um for in-person participants, make sure to sign into the session using mediaco from the data tracker agenda, use medeco to join the mic. Cube It's, especially appreciative if you can do that, because that helps us manage between the virtual, the virtual and physical cues, keep your audio and video off, if not using the on-site version, and please wear masks unless actively speaking on a microphone.

B

Remote participants. We're glad you're here make sure your audio and video are off unless you're chairing or presenting during a session. Use of a headset is strongly recommended.

C

B

So our agenda blue sheets agenda, Etc, we have a virtual blue sheet. If you signed into miracle it should be on it, but everybody should be signed into meet Echo if only to be on the blue sheet.

B

We've got updates of ongoing work. We've got a brief guest presentation on the gnu name system, current working group business for consideration for possible future adoption and time permitting next.

B

um Structured error, data for filtered DNS, that's a that's one of our documents that we need an update on it. Implementation, update domain verification techniques.

B

Additionally, for consideration compact denial of existence, Indiana sec and consistency for CDs, cdns, key and c-sync as mandatory next.

B

Generalized DNS notifications and DNS out of protocol signaling again for consideration for possible future adoption and time permitting dnsack extension using Peak certificates and Tim is going to do the slightly more detailed update you ready, Tim.

D

B

Am okay, terrific? You sound fine.

D

So um thanks Susan and thanks Beno um thanks all so we have a bunch of document updates and, as you can see since our last meeting, the dnsc BCP is now um published and thanks for Paul, for putting the effort into that. We appreciate that sitting in the editors too, is the catalog zones document just sort of waiting for the editors to get to it, it's all in good shape. So that's pretty good.

D

um The next page Suzanne we do have several things sort of in a state.

D

D

Did you do to the next page? Sorry, there we go, I see it now. um The service B document, as you all remember, was sort of stuck in the editor's queue uh waiting for the ensi document, and this was sort of holding up a bunch of stuff. So Warren did his super magic, stuff process magic and he brought it back to the working group. The authors removed those sections and we it's back in the process and it'll. It's an ietf last call already, and it will end next week.

D

It looks like um so thanks for everybody moving them along really quickly.

D

um The much shorter ens eye portion will most likely end up in the TLs working group, because it's it's a very small document and it's probably more relevant there um and they can sort of have fun with that. So thanks all um of course, the all TLD document, which is kept Morgan, Paul sort of busy. That's an ietf last call as well. That goes another week until the 10th looks like things are good, but with that wrapping up Christian um is hoping.

D

This will help unstick his the DNS draft, the DNS document that is in the iesc iseq and he's gonna, give a little a little short update about about that right after this um and we think it ciao.

D

um The 5933 Biz is still in a holding pattern and that's fine Warren. If you need us to help you with anything. Just let me know or let us know- and we can you know put some time aside to do that. So we know it's sort of a weird State.

D

um We do have several documents in this post working group last call State um and we I finally realized today, like hey I, can put these I can put notes in the data tracker, um so it shows up in a weird spot, and so that's that's kind of strange, um but it's it's at least a start, so the first one is to avoid fragmentation. Thank you, Suzanne.

D

um There are some comments from the implementers on deployment guidance that was sent to the mailing list. So we attempted to summarize those comments in an organized fashion into an implementation appendix and the author's published version 12 today, and there was some communication mix up on our part. um It'd be good to get some reviews and good to get feedback from the working group, because there is, there seem to be some strong opinions on what they will and will not do, and and I'd like to hear what people sort of think about that.

D

um So that would be sort of super useful.

D

um The of course the 84.99 biz has finished up and the shepherd write-up will happen next week that was promised to us um Mr benno. um So thank you for that. The glue is not optional. Draft also finished up and the shepherd write-up is currently underway.

D

um I, don't think we sent a note to the list, but please see the author's note to the mailing list regarding the sibling blue part um that is really relevant and um Schumann and um Dwayne both made very good comments about that so and I think both of those are in pretty good shape. So then we sort of come up to the domain verification techniques which actually Siobhan's sort of talking about here.

D

um In a bit and I, we felt that the working group last call had hit consensus, but there was a little bit of stickiness around a few around the token top concept that seemed to be resolved, but there are some editorial clarifications: I see them in the GitHub repo um that the authors want to sort of put together and Siobhan's gonna do a little sort of update on what's going on there I think, because it went from an informational to a BCP. A few people felt things had sort of changed along the way.

D

um So please, if people have comments during his talk, please speak up um now in the case of the DNS Tech validator requirements.

D

um We have some editorial comments that came in most of them, helping to clarify the language and we're working with the authors and reviewers to get those addressed and I. Think one of the authors who we have signed up to help work on that is in the room, um and so we will work with you Ed to make sure those things get sort of sorted out um and mostly it's more clarification and sort of cleaning up the language.

D

It's does not seem to be normative type changes, but it will probably go back to the working group as it's been a little bit of time.

D

um So and yes, we have several documents that are ready for working group. Last call based on our discussions with the authors and stuff um Zone version, DNS, error, reporting and caching resolution failures.

D

um We really um I want. We want to get a couple of these um documents and working that's called moving along, not all of them, but just a couple before we start moving these, but we want to make sure we get good working group feedback to help us on these working group class called documents. So and next page we do have some more documents that are kind of being worked on.

D

Oh, did we miss a page yep um the DNS Peter's DNS, like bootstrapping, there's I've, seen we've seen a bunch of nice sort of comments and edits from Peter. um We want to sort of double check with him. We we think it's pretty close and we failed to sort of track him down. That was our fault um and as revalidation the authors seem to have resolved all their outstanding to Do's, I think uh mostly removing text that seem to be helpful.

D

um So thanks Schumann uh data set automation. We we think we kept thinking. It needs another author, because it's sort of um stuck but we're waiting to sort of figure out. What's going on there, um surface, B Dane has been quiet and then on the agenda today is structured, DNS, error, page it's on there twice, so it seems to be a Hot Topic.

D

um People are pretty psyched to do stuff. There's a protocol update and then um actually implementation stuff, which is always good times. So that's where things are. We do have a couple things that I know are on our adoption list and we're gonna.

D

We need to sort of sit down and sort of sort that out, but we wanted to sort of clear up this Log Jam a little bit so folks have comments. Throw them at us.

D

um I was hoping the notes I put in the data track where people could see but they're kind of hard to find so I apologize for that.

D

I think that's where we are on that and then um I Believe Christian. If you're there.

B

D

Thanks so thanks all.

D

E

Okay, good, that's good! Thank you! Thank you, yeah, so um I'm here to talk about the green name system. That's a document! That's not part of this working group officially, but uh somewhat related, uh since it's the new name system, not the domain name system. Next, um so, as you all know, DNS censorship is widespread. Dns is part of the mass surveillance apparatus and we also have injection attacks.

E

The working group has, in the last decade spent a lot of work on things like DNS over tlsd and s-sec, and so on, as we as you all know, to defend against some of these attacks. um But the new name system is another attempt to doing is a more radical redesign. Next.

E

um The name system is decentralized, with secure memorable names uh just like DNS. You can use delegation to delegate resolution to another Zone.

E

um For example, if you have you know, www.example.dns.alt looks like a DNS name um and you could have the whatever gns.alt there's a Zone example in there, and then that could delegate to Sub Zone ww or to a record um in our configuration. You would then typically put for any Zone, the respective public key of the authority that would sign the records in that zone and that's kind of how you start.

E

The resolution process is by configuring for any kind of domain, name that you want what the public key is supposed to be next, so the key features of DNS is first of all, it's compatible gns is compatible with DNS, so you could use it as a drop in replacement and resolve DNS names using gns. The key feature is that you get a query and response privacy. So if somebody asks a question in gns near the Zone public key nor the label become public knowledge.

E

The server's answering those queries do not know what the question was and I do not know what the answer was. So the record can remain a secret between the Zone publisher and the person performing the name resolution, of course, under the assumption that the zone or the label remains secret as well, because of course, if you can ask the same question, you should get the same answer.

E

We also have a globally instant and reliable key revocation implemented in the system and we can support Dane records. So basically, you can also serve as a pki. Next.

E

So current status we have a draft. What's on the independent stream editor track, we have passed there, we're now in the IST conflict review for a while, not well in part, because it was a difficult one I hear, but in part also, because we've been waiting for the dot alt draft to progress.

E

We have two different implementations in C and go we've done a usability study that basically shows the users wouldn't even know that they're using gns over DNS, and we have a way to migrate, DNS zones into gns automatically and we've run this on large zones like dot, FR dot, SE that we have public access to. You can install the software and run it if you have a appropriate free software distribution. Next.

E

Okay so as we can resolve DNS names in gns, you know there's, of course, this possibility of having a conflict. The dot outdraft tries to address this challenge. um It doesn't specify a registry for DOT alt, which I personally think is a mistake. uh The new net project runs the Ghana registry, where we are putting in a registry for DOT out, so you're welcome to come to us.

E

If you want to have your own protocol under dot alt, and we will be happy to run such a registry I think it would be good to put that into dot alt draft, but okay.

E

um Now, of course, it's free software users don't have to stick to gns.alt, they could put any domain in there and resolve names in that domain over the new name system and that's actually, okay, for example, if you had somebody who was publishing dot, LI or dot Nu under the new name system as an alternative way to access those zones, you might want to say: okay, I deliberately want to overwrite DNS here for this Zone I do not want to use DNS I want to use DNS and that's okay, but in cases where you don't want the conflict, then dot alt is useful for a user to use and of course, then we recommend that next, okay, so to conclude, the name system proposes a radical alternative for the absolute DNS protocol.

E

We have specifications and implementations and migration Logic. The dot outdraft will help address conflicts where they would be a problem for the users um and we have a draft for the DHT, that's used below if you're interested in further developments on that specification.

E

Thank you thank.

F

You, if I do it formally after Banner yeah, yeah I'll, wait and it's George.

G

Warren you're a first: please go ahead.

H

Hi so um two things first off I just realized that I still owe the JNS authors or actually I, guess the ISE, a email reply, I just found a thread that had been looking at me, so I will hook to reply and hopefully, by the end of the day and then also for the working group. As you all probably know, I got tasked with doing the conflict review thing.

H

um We've been a lot of discussion with the ISE and I have most of the text. Written up. I can't remember if it's in the tool, but my position is going to be that this work is closely related to work done in the ietf in the DNS up working group, but that it doesn't prevent publication of the document.

H

um So you know related, but the ISE can go ahead. I did want to remind people that there's a very limited number of conflict review positions that can be put in. There are largely you know. This isn't related to anything whatever.

H

This is conflicts directly with work in the ietf and should not be published um and those are sort of the main overview of the positions. There is some Nuance, so just so everyone knows, my position is because you know: we've worked with the authors and the ISE to make it so that this won't conflict directly because of the suggestion to use um all um the position is going to be. You know, related to work, does not prevent publication.

H

Hopefully that was coherent. um I will try to clarify if there wasn't.

B

Thanks Warren and I think I think Wes is next or George.

F

No I'm late I think Wes is next: okay, fair.

I

Enough uh West herricker, USC isi, I'm on the a b and also on the ican board I have a couple of uh thank yous to start off with uh you know, first off, uh thank you for uh encouraging the use of dot alt and actually doing that separation. The IB, as you know, has a a document that is quite old saying you know. A unified namespace is beneficial to end users because it gets confusing if it's not so greatly appreciate yoga's willingness to adapt to that uh Second.

I

Thank you for all the cool technology that is in you know. This I've said this before you know: I've read the the um the new DNS specification before and there's a lot of cool math that you know, I think is pretty novel and you know will help, even even if it's not used in the future, which I hope it is. But even if it's not, it will still drive new technology, and so thank you for.

E

That we're fun. We thought it had to be documented as an RFC.

I

uh One one final point, though, is that everybody's been concentrating on the naming conflicts at this point you know, especially with respect to tlds and things like that. There's other conflicts in the document that I have marked up written of the document that conflicts with the DNS protocol in other ways, for example, you're reusing, RR types, but you have a larger field, so you've essentially co-opted the rest of the numeric values beyond the existing ietf specifications.

I

So I'm not saying it's good or bad right, but if the ietf was ever going to try to expand and then you were using those numeric Fields beyond the IHS current range, rather than sticking to the uh for your own use, section you're you're, using a significant expanded set of fields, so that could be a conflict that people want to explore as well.

E

Yeah I mean we deliberately said: okay. The current DNS protocol only allows the 16 bits and they seem to be enough for the foreseeable future. So we didn't see a reason why DNS would expand it, and so we used a 32-bit address space to avoid record type conflicts and said the lower ones are the ones of DNS and we're going to stick to that, and we only want to use those above 2 to the 16., in the hope that this would not generate conflicts.

E

Now we have the Ghana registry, where our types will be registered and, of course, if the ITF in the future were to decide that they need for some. For me, incomprehensible reason more than two to the 16 record types, we might just combine the two Registries to avoid conflicts on that level as well. I think.

F

George Michaelson, IP, Nick, so I I think I probably have more philosophical observations than Technical and they may not be helpful. So perhaps this is pointless. Could you re-roll to slide six, please back to.

F

No, so you use this word on slide six about by implication. The registry function that you're going to implement the registry function, to resolve differences between parties and to refine, who has delegation under dot, Alt and I I struggle a little with that concept set against the idea that dot alt is effectively structure, free and I. Understand. First occupant has some expectation of behavior, but this becomes a process question which is not really a technical question. It's a process question who is adjudicating these delegation questions well.

E

I went to this working group about 10 years ago, and we said we have a bunch of special use, top level domains like dot onion, which was effectively passed, Dot, i2p and so on. That were not um and the goal was to avoid conflicts with the DNS namespace because, as we just heard, a unified namespace is beneficial for users, highly beneficial.

F

Highly beneficial.

E

Probably beneficial um beneficial, and if that is our goal, that we avoid these kinds of conflicts right then the best way of doing you know this allocation is to basically say: okay. This is actually a real implementation effort on actual protocol design that deserves to have a a unique suffix so to speak, and that's the only education we're going to do is you know.

E

First, come first serve on somebody who implements a new name system um and I think that's again beneficial to users that want to have this conflict avoidance, which, for me, is the main motivation behind dot, alt yeah um and not this. We need something completely unstructured wild west, where users will not have this common expectation of uh names not having conflicts.

F

No I think I think by motivation. You are in a very similar headspace to many people, the problem being that we have structural behaviors around the creation of these entities and they come with legalisms and requirements for behavior that are.

J

F

An outside scope of this room, but I was intrigued. You put them on the slide, so the word reserves kind of took me there. The second part is the Collision of protocol. Are our types that is a registry function right, so I mean if you front up and say, hey we're starting to consume these. You shouldn't be spinning an alternate registry of use. You should be lodging them in the same register.

E

We tried and we were refused in our access. So therefore we started our own.

B

Thanks George, um it sounds like there's a lot more to discuss here and I hope you'll be available for folks. I want to discuss further, but we do have to keep moving on our agenda here. Elliot is still in the queue um Elliot. You get a brief last word.

J

uh Good evening, good afternoon, I um good morning and first of all, I just would like to add my thanks to the working group and um the authors and the ads um as the internet as the independent submissions editor I wanted to make one clarification and one request, and by the way, it's a pleasure to see the authors in person or on video because we haven't actually met um the independent submissions. Editor has not yet made a publication decision that happens pretty much at the end of the process.

J

Furthermore, um I'd like to just also um invite people in the room, virtually speaking um if they have comments on the draft. Of course, please send them to the independent submissions. Editor and I would happily entertain those and I'm sure the authors would benefit from those. So thank you very much and have a great rest of your meeting.

B

Okay, thanks and.

B

Next up uh too many windows thermal on structured error, data.

K

L

K

Everyone I'm thiru um I'll, be talking about the updates to the draft, uh mainly addressing the comments that we received during the working group. Adoption call next slide. Please.

K

I think so far we have addressed all the comments that we have received, and we have few discussion points um next slide. Please yeah so I mean, as we all know, this craft defines a sub error codes. What we did was added citations for each of the server codes, so it makes quite easy for uh to have an ambiguous definition of each of these error codes and added a registry for feature uh supper codes to be added as well, uh next slide yeah.

K

So what we have done is we have mapped these sub error codes to uh the uh error codes that are already defined in RFC 8914. So, basically, all these error codes uh map back to either block censored or filtered, and we uh had a had a good discussion internally on. Why is there a need to use forced uh answer and we thought it was not required next slide, please that should give an explanation.

K

So what we thought was uh the fourth answer basically is forging the response and uh the client is losing the uh DNS error response, which is block censored or filter which gives additional meaning to these sub error codes. So uh in this specific case, where it is edgy supporting client which is using this extended uh error codes, we felt there was no need to use the forged answer for the clients which support Ade next slide.

K

So we did bunch of changes to address uh to explain uh the changes, how it aligns with RFC 8914, uh and we also added information to say that the information in fields, especially the contact uh justification for blocking or filtering a domain and the organization Fields, will be only displayed if the resolver has sufficient repetition uh to address the comment with regard to utf-8, we extended it to allow utf-8 as well, but we couldn't address the user preferred language. We have the same issue as RFC 8914 and the other challenge that we saw was.

K

If that negotiation were to happen, it would probably have an impact on the client privacy. So that was the only issue that we were not sure how to address with limitations that we saw next slide.

K

Yeah so since we have already defined several Json attributes, we were thinking what is the best way for a feature: specifications to add new attributes to the sign or registry, whether we want to go with the designated experts or a more restrictive policy by requiring IDF review. uh We would like to hear your comments from the working group on that.

K

K

Yeah, the current version for the sub error codes requires an expert review for registering new sub errors. We can use the same uh policy for even the Json attributes and uh we would like to hear comments on any other additional items that we need to record in the guidelines for uh adding new sub errors. Certain Json attributes next slide.

K

I think that's about it and we would welcome more review and uh discussion on this draft. Hey Ben.

B

We can't hear you Ben.

M

K

Then we can't hear you.

K

Ben, we can't hear you thank you.

N

O

B

O

B

O

You sorry I'd like to see these Registries be pretty tightly controlled, um with ietf review.

G

O

Think there are a lot of places in the world where a return type code to indicate why something is blocked. uh You know a where the the legal system would love to have a return type code of blasphemy to explain why something is blocked. I think that these are there's high level of policy sensitivity here and I would not want to put that on. A designated expert I think that, ultimately, the the iitf needs to have the Change Control there.

K

Sure that makes sense to me I mean we can add IDF review with specification required yeah. That shouldn't be an issue at all.

B

B

Go ahead, Tommy.

P

Hello, Tommy, Polly, Apple, um yeah, I think for the review. I agree with Ben I. Don't have a particularly strong opinion. There I think either works. um The two things I wanted to say. One I just filed the issue as I was reading. This um I noticed that the document cites some like specific browser strings about what happens. If you see certain errors, I'd love to see that be a bit more generalized, because that's one snapshot, and also like assumes that browsers, aren't looking at extended DNS errors at all.

P

So I think you know something that we probably don't want in the RFC, because it's going to get out of date soon.

K

Yeah, that was added to in the initial stages to yeah.

P

K

But yeah I totally agree.

P

We've accomplished that goal: yes, yes, um then, the other question I had and I I can final issue, but I just wanted to hear the author's opinion um there are certain Fields, like the contact info that are marked as mandatory.

P

Yes, so I I think I understand the rationale for that of you know, don't block it and give a reason and not tell me how to follow up, um but you know in that case this field is kind of expecting it to be some specific contact. Uri types um I think there are cases where there may be other context or let's say we add more Fields here- that um potentially could supersede needing contact in that format.

P

So I'm just a little bit concerned about being mandatory that you have to come up with some telephone number or email address. um You know, for example, there are cases today where we allow a DNS configuration to be installed by an application that can say I want to configure this encrypted DNS service from my whole device. That does this filtering.

P

In that case, there may be um like we may know better uh remediation or contact info of like switch to the app on your phone that provided this and that's where you do it and we don't necessarily need a telephone number or an email address there.

P

So I just want to make sure that we don't paint ourselves into a corner with making certain things mandatory. That may not be relevant in all scenarios or may get superseded by Future entries in our registries.

C

P

I I, no, no I I meant we don't paint ourselves into a corner as this group- oh sorry, yeah um uh some client operating system or browser or application. Yet whoever is processing the error um if yeah, if it is just getting the error from a DNS server that comes from you, know, DHCP on your local network yeah. Absolutely it's going to be useful to get contact info, but there may already be other contexts in how that DNS resolver was provisioned. That will not be necessary to include here as a telephone or email address.

K

Yeah that makes sense to me. In fact, if you see that field that we have defined, we don't in fact define what what should be there in that. But we give suggestions like it could be sips, URI or a telephone format or something else, because we were not sure what are all the contact mechanisms that could be there. So we just give examples on how it would look like, uh so we are not mandating on whether it should be adjusted telephone number or receipts URI, so they're just just examples that were quoted there.

K

If my memory serves right, my.

P

Impression is that it that I, you do need to include some value for this c contact entry, and it does need to be a list of Uris Okay. So I'm just worried that that may be a little bit too narrow. If, like we may, have people end up putting just like placeholder Uris in there, because it's the thing that they want actually isn't a URI. It's some other context. They have sure.

G

A

You thank you. Thank you.

G

For the feedback up next, um it will be a remote presentation.

G

Yeah I will head over the.

Q

I'm standing so that he can throw tomatoes at me.

L

Hi good morning, all right, can you hear me I.

G

Do hear you I it's interesting, it's still showing my slides no moments. Let me shoot. Stop sharing yep, that's better! Oh.

L

G

There you go yeah you're in control, so I think you can run the show now.

L

Can I can I show the slides.

G

I grow the screen.

G

G

You can share your screen now: okay,.

L

Thank you. Thank you. Can you see the slides, yeah excellent thanks? Okay, okay, perfect good morning Japan from Vodafone I'm presenting an implementation of uh extended DNS errors to improve the browser user experience with the network base at the malware protection.

L

So this is for customers that are subscribing network based security products, for example the Vodafone Secure net. The traffic flow in this case is in in case of a clean request operator. Dns respond with the proper IP address in case of a malicious content. The the operator DNS respond with a blocking page.

L

It was all fine before the encryption era, so in case of HTTP request, it was possible for the customer to see a blocking page, so good user experience, but high risks of I mean the middle attacks. The customer understood the reason of blocking and was aware of it of the protection. After the rise of encryption, there are much lower risk of men in the middle, but the user experience is bad, so we are still able to protect customers, but we are not able to show the reason of blocking customers is angry.

L

He doesn't know if it is a network error, an error of the application, and so he doesn't know why he can not reach the destination, but with the Doh and the DNS extended errors, there are the basis to implement a better user experience.

L

Now we are able to block and reach the DNS response. We did extended DNS server code in this case, 17 block at the end, with the reason and the provider.

L

This is how it looks under the cover, so I dig. We see that we have a 17 field thread, the Yuri of The, Blocking, page reason malware and the provider of The Blocking.

L

In this case, thanks to this RFC and the structure there are data for filter DNS is possible to enrich DNS servers with the reason of blocking.

L

We have designed the plugin for Chrome to show the benefit from the user experience perspective, and this plugin can intercept the DNS request and in case of blocking read the extended DNS error and show the block proper blocking page I can go to a demo just a second. If I can change.

L

Q

L

Q

R

L

So, in this case, I enabled the extension. This is a fake malware page and in case the plugin enabled I see the blocking page with the the log of the security product and the reason there is an explanation so that the customer can be aware we can have a several level of blocking. In this case, a block also for parental control is reason. So this is a fake idle site and the while it is blocked. I can see the blockade for parental controls reasons.

L

So going back to the slides.

G

You have to request access.

L

Yes, sorry, yes,.

G

Yeah, okay: there you go okay,.

L

L

Foreign, so we see that instead of seeing a page without meaning, so that the customer is not aware of the reason of blocking, we can see a proper blocking page.

L

This is just a plugin, so this is used as an example, but better approach will be the inter aggression in browsers to improve the user experience from the perspective of the customer, so that the customer is aware of the reason of blocking.

L

G

Okay, thank you. Wes you're, in the queue.

I

Thank you, uh West hardiker isi and one of the authors of the ede RFC. So this makes me super happy to actually see this type of deployment.

I

um A couple of questions you know one I think the obvious one is the web is not the only environment, so you're not combining this with like address redirection or things like that, where you're spoofing responses that don't exist, you're only returning ede codes for real data that would exist.

Q

So the actual return code is, as you saw, on each domain, so we want to when we want to block stuff. We don't want people to go there, so it's I mean in the old days as during composite. We would have returned an IP address of a web server. These days we only do NX domain and then the actual web page that presents the blog page is in the Ed error. Okay,.

I

And what happens with supplemental content like images or JavaScript or css.

Q

Well, these are all kind of different DNS requests, right that it depends on the list that you have that for for blocking.

I

But you could have a main page: that's okay, with content from another name that you are blocking, and so what does the UI do? In that case, where the main page you know domain is fine and you're requesting CSS from malicious.com the the then you can no longer use because it's being blocked. You can't show the error code as well right.

Q

You, probably you have to show it in the small window that you get for that yeah I guess.

K

Yeah when we were discussing the draft, one of the major comments was not to display any new pages right beyond the error codes so that the browser would render them or an app would render them. So the idea was you: don't want the end user to go to some other page which would probably mislead the user into something else.

K

So that's the reason, if you see most of their codes are pretty much standard one so that the application itself would display the appropriate message back to the user without any images or or any JavaScript, or anything like that plain old, simple messaging, to know why it got blocked to avoid any misuse by any of the DNS resolvers to point the user back to some some other web page, asking advertising something or asking the user to do something else.

L

K

L

A good approach, yes, also to have only the text that explain the reason.

G

Okay, thank you very much so question to the to the author to to you. So what do you think the status of the document is? We have you have comments from Paulie the presentation here.

K

Yeah I think we should be able to address both the comments from Ben and Paul and we we will publish it in couple of weeks. Okay, excellent.

G

Thank you, then. Thank you, Joe Palo for.

L

Your presentation.

G

G

Next up is Shivan the presentation.

G

L

G

Can pass access yeah uh right there we go.

G

Okay, one moment.

J

S

So many presentations.

G

S

Cool thanks um here, um Paul and I have been working on domain verification techniques, um sure.

S

G

S

Oh perfect, cool um yeah, so we've been working on a on a draft for a while. um It was an informational draft, but then folks said that it just makes sense to make it a BCP, so we've been kind of um plugging away at it for a while and yeah, as I mentioned, we did a last call recently and we had some. We had some comments, so I'll go through some of the changes. We're planning to do and folks can opine about what they think about that, but just as a refresher.

S

um What is domain verification? The idea is that many providers on the internet need people to prove that they control a particular domain before granting them some kind of privilege. So, for example, the you know, a great great example is Acme, which has a dns-based challenge um for a user to prove that they control a particular domain and hence they should be issued a certificate for it so um and yeah, and previously we had just a survey where we talked about text and cname um and then with the BCP we said.

S

Okay, so it's it seemed like text was just the right way to do. It um and CNA might lead to issues, uh but then we did get some feedback that um maybe we should still keep seeing him, but not recommended, and just say that this is an option that folks can do, but we still recommend using text um so and not be too prescriptive about the fact that people cannot use cname, because it's definitely a thing that people do right now um and is you know, is fine.

S

um Yeah, so this is kind of like what a remained by verifying record looks like and we're saying that.

S

um Well, one of the one of the things that the BCP talks about or draft talks about is that you should have this underscore Foo to the left of the record, the name so that you can identify um what your trying to verify and then Paul said like there's a use case for having the expiry built in to the record, so that just looking at the record, you can see that okay, this is a record that I'm no longer using and I should get rid of it um and just to I guess remind folks.

S

The the idea behind this draft is that in in Practical deployments right now, um the it's often like tons and there's often tons and tons of records that really bloats up the you know DNS response, and then um you kind of kind of you kind of have to fall back to DCP, and that leads through issues. So um so that's the suggestion was to make it very clear in the record itself when the record can be removed.

S

So this makes sense, even though this is not something that, for example, Acme does right now, but be offer this as an option that um if you're you know, if you really care about just putting everything and being extremely clear, then you should do this um or you could also say that it should never expire um which is, and but if you're doing that, then you should say that and not just kind of hope, that no one's going to remove the record and then stuff breaks.

S

uh And yeah, and then you can also have, if you have multiple features that you're trying to do, then you can just kind of keep prepending uh to the left. So you have like underscore feature one as an example, and we're also think that you must provide clear instructions on when the record can be removed either through putting that in the record or through, like some help, text and yeah, and then we also say that you should have detailed help pages.

S

um There was one question about denisec and we currently in the draft. We say that clients should have dnsic signing and service providers must use it. If clients have it, um but perhaps they should just be. It should be less strong and just be recommend um happy to hear what folks think.

S

And that's about it, I think everything else was just clarify like clarifying text stuff, so um yeah so I guess happy to hear about what folks think about those things and um yeah. If generally like what people think about publication thanks.

G

Thank you, Siobhan. Any questions.

G

John at first I'm.

M

G

Okay, well, please, please go ahead! Yeah, sorry, yeah.

C

So my name is jprs and so so yeah uh so uh we demonstrate outside. So we dream about ourselves. Technical information is that our first day uh a host equipment Demos in in using the Euro draft, so so the so yeah I want to discuss in this draft as after a vs sessions and- and so I want to add so uh recommendation for external DNA service providers and uh ensure that underscore sub zones of existing zones cannot be configured by other customers on the same authoritative DNA service. So yeah uh underscore name underscore level.

C

So at the leaf is a so must be. Does uh that's the same owner.

S

C

Underscot after Leaf underscore level is the same owners of the apparent Zone apparent uh domain. Okay,.

S

um Maybe we should like talk offline because I'm not sure and uh answer like exactly how this will work, but maybe you should talk offline about this because I'm not sure I understood exactly the whole thing you said in the beginning, so.

G

S

N

B

On um before we go on to the next speaker, two reminders: we are being asked to wear masks in this room and also please get in the queue from the app so that we can manage the virtual queue along with the physical queue. Thanks go ahead, John yeah.

S

I find you afterwards and you can talk yeah.

A

Yeah John Levine, um You, probably noticed I had some fairly testy exchanges with Paul about this draft. Yeah I think it's actually considerably improved and I have sort of one one and a half suggestions. One is I, think it could you could you could make it clearer what parts are intended to be mechanically interpreted and what, by but by humans, but particularly the thing like the the expiration date? It's like right, yeah like it would be.

A

If you, if you could recommend you, know, put the expiration date in this format, so you can have something that scans your Zone file and takes out the junk. That would be that's actually that would be nice, okay and and I. Think you could also make it clearer why, even though everybody uses I mean the reality is C names are very popular right and in the discussion there were some things about like why?

A

Why some of the naming issues, maybe beyond what you say, what what the C name is colliding with other stuff um like putting long complicated names and is, is harder than putting on complicated contents, which I'm, not sure I believe, but at least it's a plausible argument, so I think you're, pretty close. It's just like so, given that people have been doing it ways, you do not recommend for a long time. It would be nice to make it clearer why you're recommending doing it this way, rather than that way, yeah I.

S

Think, especially for the cname part, um yeah I, think I think right. I think we should just give more clarification around like why we're yeah we're suggesting that yeah. Thank you.

I

With her eyesight um to answer, one of your questions about you know, should DNS SEC, be you.

O

Know mandatory.

I

For uh verifiers for service providers, excuse me um the dnsi proponent in me says it should be a must, but I recognize that that's uh not likely the right solution, so I recommend seems good. What I would encourage you to do is put in additional text. However, that says there. You must use some mechanism to reduce the you know the chances of a client, spoofing or cash poisoning, or something like that, which may be something like what Acme does is. You know query from all or let's encryptos.

T

I

Know querying from all over the world trying to prevent that, but make them do something. But do you know SEC being.

S

So yeah I should I should have mentioned that we actually do say that right now, um but uh it's okay, that's perfect! That's exactly the feedback we wanted thanks thanks.

G

Thank you, okay, thank you very much, chiffon uh yeah good discussion and we could can make good progress with the job thanks thanks a lot next up, uh Schumann yeah.

G

You want to run the slice.

U

G

Will run the slides.

U

G

U

U

Can everyone hear me okay,.

U

All right, great, uh so I'm uh Schumann, my uh collaborator on this draft is Christian elmirod and he's not here in person, but I believe he's online, so I'm hoping he'll chime in uh with comments as necessary.

U

um Next slide, please!

U

So today, I'm talking about a new draft but which describes a method to do authenticated. Denial in DNS SEC, which has been around for a while. It was originally devised by cloudflare and described in a now expired internet draft from 2016..

U

At that time it was called black lies, so we've since renamed it to just compact denial of existence or compact answers. If you prefer something more pithy, uh it is widely deployed amongst a set of commercial online signers today in the industry, uh notably cloudflare ns1 and Amazon, Route 53 and one of its uh distinguishing and controversial features is that it eliminates NX domain responses completely so or at least the traditional conception of NX domain, and that, as you might expect, has some operational implications next slide, please all right.

U

So what this does is for names that don't exist it. These implementations pretend that it does exist. It just doesn't have any resource records for the type you queried for so. In other words, it returns a rather than an NX domain response and no data answer, and crucially in that answer, is a dynamically generated and signed nsac record with proof of the no data and the stated rationale stated benefit for this scheme. Is that we get more compact answers so assigned no data response requires just one nsec record in this corresponding RR Sig.

U

You get higher performance because since there's only one, you only have to do one online cryptographic operation to generate the signature.

U

By contrast, a an actual Annex domain responses requires two nsac records or, if you're using insect three three up to three insect records to prove not only one that the name didn't explicitly exist in the zone, but also that it could not have been synthesized by a wild card.

U

So there's more computation and increase in the size of the response.

U

um So there's another reason which I sometimes forget, but Christian reminded me of recently that a lot of these implementations, for whatever reason you can debate whether this is a good idea or not, but they have challenges, understanding the tree structure of the DNS Zone. So for an MX domain response. What you need to do is you need to find the ancestor of the name that didn't exist to compute the closest closer, so that you can generate the uh the proof that a wildcard couldn't have generated the answer right. So that's a concern.

U

We can have a debate about whether that's the correct way to implement a DNS Zone, but I. Don't think this is the right way to do the right place to do that. There are lots of these implementations out there in the industry by many companies. So next slide, please all right. So what are the operational implications of this scheme for typical end user applications? Probably nothing. In most cases a no data response is treated almost identically to an Annex domain.

U

There are, however, um a no data result can result in additional follow-on queries for additional types of the same name, and this actually has been observed, and it does happen because, if you think of the very common case of a dual stack host, a common DNS query pattern is a quad a followed by an A. So if the quantity didn't exist, an Annex domain would have immediately suppressed the following query, whereas in this case it will generate those additional queries.

U

um But apart from that, there are a variety of diagnostic troubleshooting and traffic characterization tools that may be impacted and have to deal with this new protocol, especially tools that commonly rely on the correctness of the DNS Response Code. Now, arguably, we could say that in the age of dnsc you, you can't trust the Response Code, because it is unauthenticated and can be spoofed right. But if that's the case, then what we have to do is infer the exist.

U

The non-existence of a name by looking deeper into the packet at sine data record, specifically the nsac records and the question is: can we reliably infer the exist non-existence of a name from that? So next slide? Please, and the quick answer is there's a problem because uh it turns out as the spec is currently written. There is no way to distinguish an X domain from empty non-terminal names because they share the exact same type bitmap.

U

um There are some implementations out there that kind of hack around this with a workaround. By for empty non-terminal responses, they basically display a wide type bitmap which, which is composed of every record, that they support, except the name that you queried for. But this has other implications because then you've lost distinguishability of emptying on terminals, you've potentially bloated the size of the type bitmap, and you could potentially confuse tools that do type inference from the type bitmap. So this is essentially a hack and we want a cleaner solution, not a hack. So next slide.

U

U

All right, so what can we do to fix the situation? So essentially, what we need to do is we need to introduce a um distinguisher protocol element in the response either for NX domain or for empty non-terminals I. Suppose you could do it for both of them and I. Think somebody suggested that in the on the mailing list, but really you only have to do it for one of them uh in another.

U

Expired draft I previously have proposed an empty non-terminal distinguisher and that has actually been implemented and deployed in the field by ns1 and is successfully used by US, and there were some specific technical reasons. I chose to the ENT distinguisher and you can read about those reasons here: bro, let's just skip on to the next slide, um so here's an example of that in the field. I think this is a real example. You'll see the Ian.

U

This is a query for an empty non-terminal, ent1 dot, blah blah blah and you'll, see, there's a synthetic type, stuffed into the Anzac type maps at the bottom right of the screen right now, using a private type code. Next slide, please, and now, uh we'll move on to the new proposal in the current draft is that we are instead proposing to do the pseudotype distinguisher for NX domain.

U

Instead, the mnemonic we're proposing for this is NX name, which stands for non-existent name, and we deliberately chose not to use NX domain just to avoid any confusion with the Response Code mnemonic of the same name. Our plan is to use the lowest available, RR type in The, Meta type range and last I checked.

U

128 is still available and very recently cloudflare I think maybe a week or two weeks ago, but um Christian can probably tell you exactly, but cloudflare has recently done a preliminary implementation of the scheme for now using a private RR type code. Although I sh I should say that our plan is to ask for Ayanna for an early allocation of the real time so that we can, you know, get the stuff deployed.

V

In in the field.

U

As soon as possible, next slide, please and here's an example of the final form of what an NX domain response would look like after this. So the response code is still no error. However, the nsac type bitmap has this special synthetic orotype NX name stuffed into it. Next slide, yeah all right.

U

So what about the question of restoring NX domain in the r code field itself, which a lot of people really want to happen, and that's a little bit more challenging for various reasons, but it turns out, we may have to try to do this or at least make our best effort, because, as I mentioned previously, there are tons of tools that only know how to examine the r code and they are currently broken in the face of these mechanisms.

U

In theory, you could work with the developers of those tools to enhance them to, instead of looking at the r code to look and recognize the annexonomy and Annex name signal in the response. But the question is: will that ever happen? How much work is involved in doing that? On the resolver side, uh we could for non-validating queries at least a resolver that recognizes NX domain could substitute uh the annex domain back into the r code in responses. It relates backs to those queries, but I think we really need to have a solution for.

L

U

Queriors as well things that send do equals one, and the related question is: is there a way to put the NX domain R code back into the response that is generated from the authoritative server itself? That's more challenging and I think the only way I know at least to do that is by implementing new edns signaling with its complexity, costs I. Think I received some pushback about it, but at least we should think through that option. Next slide, please all right! So here's a link to the latest draft.

U

It tries to describe completely the current compact answer scheme. It also describes the new NX name, distinguisher RR type, and there is at least some preliminary discussion about our code substitution schemes next slide.

U

And uh finally, my question to the working group and to the chairs is: are we ready to adopt this draft? uh To reiterate? Compact answers is widely deployed in the industry today, and yet it has no formal, published specification and I do not think that is a good State of Affairs and we should do something to fix that and also to make it work better by.

U

You know precisely specifying an NX domain signal, which is what we're trying to do. My assessment is, there seems to be a lot of interest in the draft. Already there's been a lot of uh email on the list.

U

I pointed to some threads here and finally, I will mention that additionally, I have also spoken to ns1 and Amazon Route 53 and those discussions have been positive, they're both amenable to adjusting their implementations to um to incorporate the new NX domain signal and with that I will stop for discussion and advice from the chairs about next next steps.

G

Yeah. Thank you very much. Sorry.

G

Thank you very much. Schumann Leman. Please go ahead.

W

Hi uh larselyman from net node, uh just a very quick question: uh does your uh that's your draft uh recommended to handle this situation differently depending on whether the dobit is set or not.

U

Oh yeah, that's a good question, so I think uh that uh suggestion has been made on the list. Currently it does not, but I think we will mention something. So if, for uh uh you know, do equals zero queriors, we don't have to deal with the dnseg proof, so we can just return a traditional NX domain response.

U

This is what cloud4 in fact does today, but some of the other providers don't so we can recommend that so the question I have, though, is uh you know you could ask? Is it worth doing it if most resolvers today by default, send do equals one query, regardless of what the downstream querier does right. So that's an open question. I have but um I'm, at least in principle, open to documenting that if it helps no.

W

Thank you. Yes, please do uh and a small comment uh that it may actually have uh an impact on the resolver, because the resolver may say say: do one and do the validation arrive at something, and maybe it's actually better to substitute and send the the NX domain going down to the end client yeah. So that's something that I would like to have at least described. That process described in the document. Sure.

U

Okay, yeah all right, yeah I get it so there's some nuances in the in that discussion and then yeah, we'll I'll make a point to discuss it right. Thank you. Yep.

G

Okay, thicker: please go ahead.

X

uh Okay, my mic is on now I hope. uh I was also going to mention. uh Do equals one versus do equals zero as an issue at the resolver response, not the authority server response so that that's important to consider and specify, and that's where much of the complexity arises. You know if the cost of supporting this is having the resolver, you know transform the response, depending on how the client asked gets complicated.

X

uh The uh the other thing that should be specified clearly is the behavior of actual queries you know made, you know to me to probe misbehavior perhaps, but somebody might deliberately send queries for an ex name to. You know, give the resolvers a hard time uh of the world and perhaps authoritative servers. How should either of those respond need some consideration uh uh you know.

X

Do you actually then pretend that there's data at the MX name- and you know mollify the existing unaware validating resolvers, that we'll happily see some sort of empty-ish but record for NX name or or what do we do?

X

So those I think are the the key things to flesh it out fully and there was I guess on the list or DNS operations, perhaps uh a point that it may take a while for the current implementation to go away and in the meanwhile we have confusion and that's why there was a demand for uh making both and and NX domain be Sentinels I, don't know. If that's a compelling argument or not.

U

uh Yeah thanks Victor so on your I'll I'll work backwards. So so your third suggestion, yeah I, mean in principle I'm. Okay with that, especially if it takes a long time for implementations to change to adopt the late. The the current recommendation in the draft I'm a little bit more optimistic, I've I've, spoken to all these vendors and I, think my impression is: they can quickly change their implementations.

U

I could be wrong, uh but if they can quickly do it, it's probably simpler to just have one distinguisher but I I think it's not the end of the world. If there are, there are distinguishers for both NX domain and empty non-terminals.

U

um On your middle point, I'm trying to remember what that was.

U

Oh right, yeah, okay, yeah I, agree that, yes, the draft should mention what should happen if a resolver deliberately sends a query for the NX name pseudotype, even though we don't expect normal software to do that. So I was thinking about that and I think the default Behavior might be okay, it might just just work if you send a nxname query for a name that doesn't exist. You'll, probably just get a no data answer back right, but we could specify that and for something that doesn't exist, then um from.

X

Yeah right content, no data, the bitmap disproves it.

U

Correct correct that this map disproves it yeah and the uh the non-existent name thing is a little bit more complicated. It depends on the whether the authority understands the scheme is using the scheme or not right, but either way, I think we can. We can write up a succinct description of what we expect to happen if we accidentally get these queries from whoever or attackers Etc and uh on your first point, yeah I think I agree we will describe uh the do equals one behavior on both sides at the authoritative server and the resolver.

U

Thank you thanks.

R

Okay, so next Jim Reed Shimon thanks very much for our very clear presentation. I've got much more skeptical view of all this stuff um that this seems to me rather ugly from a protocol point of view and I. Don't think that's the way to solve the problem. We're talking about here and I also think this is a hell of a lot of work just to shave, a couple bits or a couple of bit bytes offer a response, I'm, not sure. If that's the right course benefit, calculation has been done here.

R

It seems to have a lot of protocol work or a hacker in the protocol, just to save a little bit of data and also about the problem here now, with the servers generating sign data on the Fly, the servers might not have access to the keys to be able to do that.

V

R

I, don't think this is I, don't think this is really a good idea. I'm skeptical about it. um If it does go forward, I would think it would need to be an informational, not a proposed standard. Rfc.

U

Okay, so uh Jim, let me ask a clarifying question I. It sounded to me like from your description, you're skeptical, of the compact answer scheme in general. Not the additional tweaks we're putting into yeah.

R

Recover the annex domain section, correct I, don't think I've got the hassle for the.

U

Savings yeah I, agree, I mean when I first encountered this game. That was my same thought and I. Think a lot of other people in the community share that opinion. uh But the truth is, these implementations are already out there and they're being used at a fairly large scale and I, don't see it likely that the situation is going to change. So what we can do is try to improve these protocols.

R

Well, yeah I could accept, have a document that says this is a spec for this stuff, without just so, we've got the uh degree of interoperability between these implementations, but I. Don't think this is something we should be trying to encourage generally because it's an ugly hack in the protocol and that stats us on a very slippery. So if we keep tweaking things in this way and adding unnecessary complexity, in my view,.

U

Yeah fair enough, so let me I I, don't know if Christian is on on the line from uh cloudflare and if he wants to yeah.

B

U

Make a response: okay, yeah, great okay,.

Q

Electricity go first thing: he wants to respond to.

U

Yeah, okay, Christian you're on I think.

V

Yeah um so rightly from a complexity, uh question I would actually say that this simplifies uh things quite a bit, but, more importantly, we are already using this in in production and so are other implementers as well. So, and the issue is that these current implementations are not um they're, not the same, as already mentioned, and as one uses the end Sentinel and we have just recently last week, started to implement the NX name signal.

V

So the idea here is that we can get together on us and and implement the standard for all of us, which then can be interpreted in the very same way by resolvers and clients.

R

Yeah, okay, thanks question: um we kind of agree and disagree. um I still, don't think this idea is is as simple as you're claiming it is you're, adding we're going to have to add more code to them server implementations. So, in my view, that's an incomplexity. You're gonna have to write code to cope with this stuff, so that has complexity in my opinion, as far as documenting something so there's an interruptible. We are doing this thing even though I think it's a bad idea. I'm quite happy with that.

R

V

There is no, let me just respond to that. You have you already have to deal with this today and if you don't add any code to deal with this today, you don't have to add any code to deal with this tomorrow. To be honest, if you wanna upgrade these answers to to sort of actually see that this is a NX domain, just responded in a different way. Then, of course you will need to add code, but you don't have to do that.

V

But then again you don't get the benefits of this, and- and we know this is it this is this- isn't something new situation. We have always had this anytime, you add something: either you implement it or you don't.

R

Okay, I just said: I wouldn't like to see this in a reference implementation of the DNS. That's all: okay, okay,.

G

Great, thank you so uh yeah, we'll really sorry a little bit short of time. So, if you can ask you can ask the question, of course, but keep the time a little bit. Yeah.

Q

It's uh actually a very short remark, so thanks a lot for doing this, I think that we need to document this, but uh in my opinion, we should make the impact to other players in the DNS ecosystem as uh kind of minimal as possible, so not have resolvers do anything special when returning an extra main or something but just really document it have the NX name and the rest. The rest of the ecosystem kind of deal with it.

U

Yeah, fair enough: that's that's a reasonable position. I think some other folks May disagree and they would want uh our code substitution and things that make it easier for other tools, but yeah I mean well thanks.

B

Yeah there's plenty of room for additional discussion. What we are hearing is, we need to take a formal call for adoption to the list and further discussion there. So thanks everybody. Thank you. Thank.

C

G

So next presenter will be Peter Thomason, remote.

M

Yes, hi I hope you can hear me well.

M

G

You yeah I, can hear you, but not very loud.

M

Well, let me just try to ramp up my mic one. Second, okay, um okay, I, don't know yeah.

G

The slides are up or.

M

You want to run himself yep, uh you can do it, it's just a few, so it's not worth changing.

M

um I've um written this draft on consistency, requirements for CDs, cdnet, PNC, sync, processing, I, think I've talked about it. The last two meetings as well, and there has been some feedback um so I'll um talk about updates and also about a new motivation that appeared next slide.

T

M

um So very quick intro um when you do CDs or cdns key scanning uh spec actually doesn't say anything about how the parent should poll. So the most likely thing for parents to do is to use standard DNS resolution which um ends up clearing one name server and um yeah.

M

um The CVS stuff is used for automatic DS management for key rollovers dynastic bootstrapping stuff like that, and if things go wrong, it has a potential security impact. So we should think about whether that's standard resolution is the correct way. Then the c-sync specification um a little bit different. It actually Advocates limiting queries to just one authoritative server, so it does save it explicitly under the CDs spec.

M

But there's also suggestion in this book for using that says that you can ask all of the name servers if you want and then do some serial comparisons, not because of consistency, but because of recency and um yeah. So similar um thought Supply right.

M

It's used for delegation updates, name, server and Google updates and it might have potential security impacts and then especially, if you consider situations where serial is computed, um I I don't know one of several providers like each does their own, then the freshness thing even doesn't make sense until May up, um you may end up with uh incorrect result.

M

So um if you ask a simple, a single name Circle only then obviously you don't ensure consistency across authoritative name servers and um apart from the back and forth slapping you can get when there is two different um record sets the two offs and the parent scans one and then next to the other. For example, um they are quite serious failure, modes um and multi-homing scenarios with multis, Nano, stuff and provider change. Stuff I've talked about this last time, um so I moved to the backup.

M

If you want to take a look at that, but the main takeaway was that each namesp operator is a single point of failure and can break delegations accidentally or militially or maliciously, and that is not what um registrants probably would expect next slide. There's also um a new failure.

M

Mode I mean it's not new, but it occurred to me um um so a paper by Casey claaffy, um that is about an Epp Quirk that sometimes prevents the removal of expired name server names, and then you can hijack at least part of the name of the DNS traffic. If you manage to register that expired name and click on traffic, the query traffic that you can send whatever responses you like, and you would think, okay cool dnsic- does offer Integrity protection against that, um so um that Rogan himself I wouldn't have any say.

M

But, as you know, about 90 of domain names that actually use dnsx and as long as that isn't employed more, let's see what could be an attack Vector here um so assume you have a main with an expired name server. And then there are some other legitimate name servers still in operation and now I'm, the hijacker um I'll just stage one so to speak and they publish their own Keys via series or CDs key records.

M

And if the parent happens to process that, then um their the attacker's keys will end up in the DS record set and will prevent the legitimate responses of the remaining authoritative name servers um to be accepted by validating with solvers, and they will become bogus. So this um breaks the availability of the legitimate name service, even though they are still in the delegation and then even worse.

M

Once you have that um the hijacker can publish an update it in astrocket set on their um server, which is the only one um whose answers will be validatable and also published csync, and then that way, throw out from the delegation name.

M

Server record set the legitimate remaining authoritative name service, which finally breaks Integrity um of the whole thing, and that is exactly the opposite of what you would want, um because um the legitimate names of us have no presence anymore at all, and the attacker is in position where they seem to be the only legitimate party providing service for that domain.

M

um So you could say that's kind of a constructed problem, but it is a way that could be followed and in the 10 years, where the study was done or sorry for the for the Big Data sample period.

M

um In that paper, where it was investigated, how frequent that kind of risk is it turned out that a few hundred thousand domains are exposed to the risk in about one-third were taken over, which doesn't mean that each of them was targeted. Maybe it was just a few name servers and they were hosting many domains, but it's not negligible I would think um and yeah, so the draft essentially proposes. All of that couldn't happen.

M

If you would um check that the CVS records are consistent across name servers when you do the processing as a parent, and the only thing it requires is that you just ask each of them individually next slide.

M

um So this is actually the last slide. um So the update since the last ITF meeting are very minor, um so um the basics essentially are the same. When you process record types that start with a c as a parent, then you must ensure that they are consistent across authoritative name servers and if one doesn't respond, that's fine and you just skip over it, but it can't be that you get responses whose contents are inconsistent.

M

I think Victor um proposed to add an optional retry mechanism with exponential back off for resolving inconsistencies, so um I added that and there's also minor editorial changes, plus the added motivation that I just um talked about with the lame delegation hijacking now. One thing that occurred to me is that the CDs specification says that when you process that stuff, you must ensure that then UTS record set would not break validation.

M

Now that could also happen if you um process a csync record set and, for example, replace the name service in the delegation that it could be that, for example, they don't have the proper DNS keys in their zone or whatever, like the the wrong Arc algorithms and there's currently no um provision that you have to ensure that c-sync updates don't break validation, although c-sync does require dnsic um so um yeah.

M

It just occurred to me that that could be a thing that perhaps can be added to that consistency, requirements document if the working group feels that makes sense, and that um actually is the next question. What would be reasonable next steps? I think some people provided feedback already and um last year, sometime at followers some discussion on the list about it. So there seems to be some interest.

M

I haven't heard much negative feedback so far, in fact, not in public at all and I just wondered if the working group thinks that should be something that should be gen really recommended, in other words, perhaps adopted and then published at some point.

M

That's all I got.

G

Thank you, Peter.

G

Are there any comments from the room? It's a little cute, yeah. Okay, let's see Victor is cute. Please go ahead. Victor.

X

I wanted to mention a corner case for uh for seasync. If somebody is willingly giving up a domain, transferring it to another party uh and the other party doesn't want to do dnsic the target name servers uh will be, you know, I will have an unsigned, Zone uh and so validating the validity of the zone at the Target uh won't be possible. Right a transfer from assigned to unsigned via seesync can't work. No, we don't necessarily need to make that possible, but it's one corner case to at least consider whether it's in scope or not.

M

Yeah um I think one way to address this is um that when processing CDs um we could consider ignoring. So your opinion would be interesting. Actually, we could consider ignoring any um um insecure responses. We get and treat them like an unresponsive name server, and that would allow even when, um for some reason, the new provider that doesn't have um DNA SEC is in the name server record set already.

M

It would allow the old one to publish another CVS record to turn off DNA sex, so that could be done, um but I don't know if that's the best way. Okay,.

G

T

Yes, this is Juan standstone I am so I. I have two objections.

T

Objection number one is that we've spent perhaps 15 years explaining to the world that if you have something that is signed by dnsic and it validates, then it's good and this sort of breaks that logic by saying, except when it's really important, if it's really important, suddenly we have to talk to all the authoritative name servers just to verify whether they are actually agreeing or not, and I I.

T

Think that could have bad implications over time saying if it's really important, don't trust the dnsic signature talk to all the authoritative servers, because someone else will come up at some point in the future saying well, my stuff is really really important: I'd, better check, all the authoritative name, servers and I. Don't think we want to go there.

T

The other reason why I don't like this is because the authoritative servers are really proxies for The Zone owner there are proxies for the registrant.

T

They are assumed to publish information that already strong wants published if they don't as if they disagree or if it's out of sync or whatever. This is more of a reflection on a potential business issue, a potential choice of a bad provider, a potential disagreement between multiple providers or whatever. All of these are non-dns protocol issues. They are business issues and I, don't think we should add complexity to DNS to deal with what is essentially not protocol issues, but rather business issues.

T

Everybody thank.

G

You I'm going directly to West, so um we can take these points also to the mailing list for further discussion.

I

Thank you, uh West herdicker Asin, author of the c-sync document. um It was 10 years ago and and I think I originally wanted to query all the name servers not because of getting you know different answers, but rather to make sure that we always had the most recent version of something from an SOA perspective, but I lost that battle. I think at the time and I. Don't remember why. But the important thing is that the the decisions that were made were about the robustness of keeping the DNS up and running right.

I

So if dnsc was required to do validation of csync and all of the records that csync was going to be updating, then you have to assume that the cryptographic validation with the chain of trust is valid. There's no other as Johan just put it sort of a business relationship beyond that. The the seasync and CDs documents can't fix that fundamental. You know misconception of of the upward hierarchy.

X

L

I

Dealing with things appropriately, I look forward to the discussion about this in the future, though I'm not sure where we should take it.

G

Thank you guys.

I

M

G

Before closing, you have uh well, you can conclude this this, your presentation.

M

Okay, um so in principle, I fully agree that it's a goal of DNA SEC that you only have to ask one- and you know verify one chain of trust, but I- think precisely to to guarantee that that property is a dnastic property. You have to make sure that the chain of trust doesn't break for accidental reasons.

M

Like one provider messing up a provider, change and I do recommend to look at the two backup slides when you have time and see how things can go wrong really easily um in a way that exactly goes the opposite direction. That um I think people should expect um to happen and then very quickly.

M

The second thing there's already precedence for that, um not specifically for what I'm proposing, but for cases where you don't just um as one question validated as I said before the csync RFC says you may ask all of them, so that is already something that hasn't sent. A very bad signal, as Johan is afraid of um that people will be doing it all the time and second, the CD aspect, for example, says you have to assign and check that the CCS record is signed with a ksk and not with the zsk, for example.

M

So there's also a deviation from treating everything the same. It also hasn't caused any side. Issues of people wanting more ksk signing so I think those those fears are unsubstantiated, I'm very happy to take it to the list. Okay,.

G

Thank you, okay, we're running short time. As I already said, next presentation, Johan and well. We have reserved 25 minutes and we have less than 25 minutes, but yeah, okay,.

B

And don't forget we can discuss, we can take all of these to the mailing list.

T

Next slide, please, so this is about work that Peter and I did following the the last iitf, the one in London and the the starting point for this is the the problem statement. So to speak is that scanning is costly and we have a growing number of scanning things in DNS. Now we have CDs scanning and we have seizing scanning and we have things that are slowing down convergence of the DNS hierarchy at a rather high cost um or in some cases, extremely high cost.

T

um Then we also have because both Peter and I work on on uh the multi-signer things uh we we have another case where this is a bit of a problem with scanning, because we have, in the multi-signer case a need to keep signal, keep keys in sync across multiple signers and if they are not in sync, we open up for well for broken signage chain which will cause problems. So that's another point where scanning comes into play, and perhaps we really need very, very frequent scanning, which is obviously not a good design.

T

Choice next slide, please.

T

So then we got to think. Are there any? Is there any priority or anything we could look for for guidance, and obviously there is we have notifies. We have RFC 1996, which says that instead of having secondaries basically scan as in repeatedly poll, the primary four Zone updates.

T

Instead, the primary sends a notification to the secondary and saying now is a good time to actually check for updates, because I happen to know that there have been updates, and we all know that we, we actually use nodeify for basically every every shown on the internet today and it works fine. So then we thought okay. Do. We need to actually update RFC 1996 for this uh to make it work.

T

Also, in our case next slide, please, and it turns out that we don't because RFC 1996 already allows for other RR types and SOA to be sent.

T

I didn't know that before I learned that um so we don't have to update 1996 it's fine as it is it's just that today we only use it for notify with an SOA in it, because we haven't found a use case for any other thing, but now we do have those use cases. So what we are suggesting is notify CDs to inform the parent that the child has published a new CDs and notify csync to inform the parent that the child has published a new seasick next slide. Please.

T

But where should we send them well in the in? Because this is sort of vertical notification rather than the traditional notify, which is sort of Sideways from the primary to the secondary? We need to figure out where to send it, and we obviously know where the parent is. So, let's ask the parent, so our proposal is to send the notification to a destination announced by the parent uh I'm suggesting we started working with this with with other Alternatives.

T

We we're trying to fit this into an SRV record Etc, but we couldn't really get a clean fit. So the the current proposal is to use a new R type for the history uh proposed. We call notify and the notify RR type would be the publication point of where we want to have the notification sent. As you can see in the in the example there we also add a scheme parameter.

T

The reason why we add a scheme parameter is because of concerns that perhaps there may be other needs for how to locate where to send the notification, in spite of us, only defining one such mechanism next slide. Please and and then we get to the slightly more complicated case, which is what we need for multisigner. In the multi-signer case, we have more than one signer and when you have more than one signer that it generates its own Keys, we need to basically cross feed the keys between designers, the public keys.

T

That is so that each signer signs a complete RR set with all the keys so that, regardless of where from you got the keys, they will be signed by the chain that you're following but signers today as in authoritative names or other types of signers, they roll their keys automatically, and they basically don't inform anyone because, for instance, rolling your Zone signing Keys is considered to be a completely internal operation.

T

No need to inform anyone in advance and that's sort of true, if you're, the only designer, but it immediately breaks down if you're, not and in the multi-signer case. You're not so we need to have information about Keys rolling so that we can make sure that they are immediately synchronized across to multiple signers. So we have a similar situation as we have with the CDs and the c-sync scanning. We need to track these changes of the DNS key RSS in each signer and that's costly. So we need some sort of notification next slide.

T

And in because we're short of time, let's basically just skip some of the multi-signer complexity. Here we we have. The multi-signer thing uh talk to all the signers synchronizing stuff, next slide, synchronizing more stuff next slide done next slide.

T

Nice pictures- you can look at them afterwards um and if we don't keep this in saying bad things happen next slide next slide.

T

So here we have the proposal to add a third new type of notification, which is to notify DNS key, and the problem with the notified. Dns key is obviously that well, we need it, but it shouldn't be sent to the parent, because the parent basically doesn't care it should be sent so that it's available to other signers or to the infrastructure that is keeping signing in sync in in a multi-signer context. Next slide, please.

T

And here we have the result with the Red Arrows being the notifications, so assuming that the sign is actually send notifications to a multi-signer controller. That's the music thing at the bottom, so that music controller is aware.

T

When these happen it can do the blue things, which is updating the DNS QR sets in both signers, so they are kept in sync, which is actually what we want to achieve, and it can also take care of sending uh CDs and c-sync notifications to the parent in case the signers are not able to do that themselves because they haven't sprouted that capability yet, and all of this works really really nicely next slide, and then we get to the hairy question of where should we send the DNS key notifications and we cannot send them to the parent because the parent doesn't care?

T

It's obviously the child of cares, and our proposal here is to use the same mechanism as we use in the CDs and CNC case and look it up in the child Zone. Instead, the same new RR type to notify R type and again look for where to send the notification.

T

We have the same format: the same scheme parameter. We only use. This first scheme equals one here in what we Define as most simple mechanism, but we leave it open for the future to Define possible other mechanisms. Should such mechanisms become needed next slide, please yeah. So what about the Triple R model? Well in the Triple R model?

T

In most cases there is no issue I mean, for instance, many cctlds and and other tlds. They already do this type of scanning and they do update the parent Zone based on what they find as they find a CDs for instance, and then they inform the registrar through Epp notifications, somehow on the registrars keeps in track. Should that not be possible in some context? I don't know. But of course that's that's theoretically possible. We could have some sort of notification forwarding either through DNS or directly in app or whatever I.

T

Basically, don't care I'm just making the observation that it could be done somehow.

T

um So to me, the most important thing is to not consider the Triple R model as a showstopper, because if it was a showstopper, then well, we would have lots of problems with also with the CDs and csync scanning like this.

T

So what about the security model? Well, I think one of the best things or RFC 1996 is that it doesn't impact security because it doesn't say anything of whether to trust the hint that the notification is. It only says it could be a good thing doing whatever verifications we intend to do regardless about now, so we keep the security model of whatever the scanner is doing, we're just telling the scanner do it now rather than tomorrow, and thereby we improve service to the client and we improve coherency in this in the system.

T

So the security model is really not a difficult issue here. The last point I want to make is that it's important to be aware that a difference between RFC 1996 notifications, what I call notify SOA is that notify SOA is something that is sent in the DNS protocol between name servers.

T

This is still DNS protocol, but it's not sent between name servers. It's sent to a service. The recipient of these notifications is typically some sort of scanner service or similar or in the multi-designer case. It's a multi-signer controller thing. It's not a name server, just to point that out next slide. Please.

T

And that's it. We propose a bunch of new notifications, we're not changing the protocol, because RFC 1996 already allows this. We suggest that for the location mechanism of how to find where to send the notifications, we add a new RR type, there could be other Alternatives, but this is our proposal, and that would mean that would mean clearly a protocol change, while the added types of notifications by itself is not a protocol change, and we would very much like to see this adopted questions. Victor.

G

So yeah we only have 10 minutes really apologies. So if it's a very very short remark, fine, but I rather have the follow-up discussions on the mailing list, because otherwise the last presenter will be will have no time.

X

uh Once it's a service, we should consider whether the transport is still UDP or something else.

G

G

Thank you. Thank you very much and I'll put again apologies for a limited time. Thank you for being a very competent short excellent thanks. uh Last presenter is remote.

G

N

Okay, can you hear me okay,.

G

Yes, excellent thanks so.

N

This is about a methods for name Surfers, to Signal programs outside of the name service software and which are not necessarily involved with the DNS protocol about conditions that can arise within the name server, and these signals can be used to invoke actions in areas that help provide a DNS service such as routing next slide.

N

Please- and this initiative emerged from a real world use case, so sidn serves the dot and l zone and a few other zones, and they do this in a any cost at fashion and they manage their anycast Network in a highly Dynamic and automated way, which has been presented at the DNS org 39 in Belgrade.

N

They can add and remove any cards any cause nodes dynamically and when any girls node is added, it behaves as follows. So the prefix in which the IP address resides that serves the zones isn't announced yet from that new location. But first is the the name: server loads, all the zones and when it has other zones loaded, it signals outside of the name service software and that triggers the the route or the prefix announcement to be made next slide.

N

Please, and for this they rely on a feature in not DNS, which is called the Perce events, and debus is a technique for Enterprise as communication, it has also a published, subscribe mechanism, sort of not name server can signal, it is started and all zones are ready to serve on a deeper channel to which scripts can subscribe and take action.

N

So dbis is not an IDF standard. It is specified in the free desk desktop.org, which is a collaborative zone for standards and specifications and not formal standards organization.

N

Because of sidms relying on this feature, they now run on naughtiness only in a network and so for business. They would rather than a more diversity of software on their notes, because you know we all have different bugs next slide, please foreign.

N

So for this we would like to standardize this mechanism properly and hence this draft, but to do it correctly, we like to inventory the requirements first.

N

So what other conditions are interesting to Signal out of the name, server and what's associated action? Could I have and what's published subscribe mechanisms would suit that best, so some conditions that we thought of already is, of course the first one are all zones loaded already for which you can start bgp announcements or is a Zone perhaps about to expire, because then you want to remove the prefix announcements same for dnf sex signatures if they expire.

N

We could also imagine that if the query rate is exceeding a certain thresholds, you would like to or one could want to demotify it demotivate, the reachability of the innercast node by lengthening the bgp parts or the other way around shorten it. So it will absorb a denial surface attack and may also be actions which are not related to routing such as, if a zone is loaded, updated uh trigger a external validator to validate them next slide. Please.

N

Next slide, thank you. So there are some existing signaling mechanisms notify, but that stays within the DNS is not fairly suitable. For this use case, sending queries to Extended, DNS errors, monitoring agents, that's very new, not yet RC I, don't think it has a lot of implementation yet because the drunk name server that does it. Of course, it's also more focused towards logging of signals and yeah to be fair. Debus may not be a bad option right.

N

So so far, all the actions that we have inventorized have been local deepest has local or local to the system, security and authentication mechanisms which are standardized within the ITF. It's a very good support on Linux and it's supported on BC and it's easy to use and for reference. I quoted python script, which listens to debash and performs actions from the not DNS repository next slide. Please.

N

So this we discussed this in November after the DNS org per station of sidns any cost Network, and they would like to have a standardized shirt. You can use more software in the same fashion and I informed the different open source, name, server, vendors and some recognize the operator interest for this and I also think it's worth standardizing.

N

So next to Mark hoonberg and Stefan Urban from sidn to represent operator, he managed to recruit a representation from the name server software.

N

Let's go artists, Cassie almonds for IC, who has a lot of exposure to operators, Peter Van Dyke for power, DNS and Daniel Saltzman for not DNS, who was the one who came up with the deepest idea for not DNS in first place and yeah. By presenting this here, I would like to get feedback from you to to get statements of interest. If you are interested in this, in particular, from ncast operators and also I, think it will be good for the to complete the requirements to also inventorize more conditions and actions Associated actions.

N

So this is the presentation and there's one more minute left I. Think.

B

One more minute and then we'll have to wrap up things. Yeah.

W

Hi Willem, this is Limon. Please do this very good. Thank you.

B

B

Okay, that's our agenda for the day right on time, um thanks everybody for being here and for the folks that got up way early or way late out there in radio land to join us remotely.

B

Please keep in mind that all of the drafts we discussed and if we can continue discussions on the mailing list- and it sounds like the chairs- have a couple of calls for adoption to do so uh thanks everyone did. You have anything to add.

G

Thank you all and I hope to see you with the next ITF in San Francisco thanks bye,.

B

We are adjourned.

I

A