To: minutes@ietf.org, dnsop@cafax.se, plzak@nic.mil
From: Lars-Johan Liman <liman@sunet.se>
Date: Wed, 21 Jul 1999 21:19:02 +0200
Sender: owner-dnsop@cafax.se
Subject: DNSOP WG minutes.
Here are the minutes from the DNSOP meeting in Oslo last week. Thank you,
Ray, for taking the notes and generating these minutes quickly.

Best regards,
/Liman

#-------------------------------------------------------------------------
# Lars-Johan Liman                       ! Internet: liman@sunet.se
# Ebone/NORDUnet/SUNET Operations Centre ! BITNET : LIMAN@SEARN
# Royal Institute of Technology, Sweden  ! HTTP : //www.sunet.se/~liman
#                                        ! Voice : Int +46 8 - 790 65 60
#-------------------------------------------------------------------------

#----------------------------------------------------------------------
DNSOP WG
15 July 1999
Minutes

Reported by: Ray Plzak

1. Agenda Bashing.

No agenda changes.

2. Short Announcements

a. DNSSEC Workshop in Sweden - Lars-Johan Liman

A DNSSEC workshop was conducted in Sweden in late May. Attendees were primarily Swedish ISPs, with others including people from Norway and the US. There is a report of the proceedings at http://www.isoc-se.a.se/dns-ws.html. The report is not technically detailed.

Highlights of the workshop:

* Bugs were found in the BIND software.
* There is an inconsistency in operations pertaining to NXT records which is related to queries of different servers.
* There is a scaling factor that is introduced by signed records.

There was a discussion of signed NS records for the root zone. The authoritative response to a query based upon the hints file was not tested. It is speculated that the signed root NS records probably will not fit in a UDP packet, thus causing a TCP failover. This could cause a lot of open TCP connections by the root servers.

Bottom Line: DNSSEC software is far from being ready.

b. DNS Chapter in Book - Evi Nemeth

Evi Nemeth reported that she was writing the 3rd version of her book on UNIX system administration and that, at her request, the publisher has released the DNS chapter from the copyright. This will permit the chapter to be used in an RFC. She will confer with Scott Bradner and will get this permission in writing.
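The UDP-size speculation under 2a above can be put into numbers. The following is an added example, not part of the minutes or of any WG draft: a minimal DNS wire encoder with RFC 1035 name compression that builds the answer to the hints-file query (". IN NS") and measures it with and without RFC 2535 SIG records. The 13 root server names are the real ones; the addresses, TTLs, SIG field contents and the 128-byte signature length (an RSA-1024 key is assumed) are constructed for the size arithmetic only.

```python
import struct

UDP_MAX = 512            # RFC 1035 limit for DNS over UDP before EDNS0 existed
TYPE_A, TYPE_NS, TYPE_SIG = 1, 2, 24
CLASS_IN = 1
# The 13 root server names; the addresses used below are constructed and do not affect sizes.
ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]


class DNSMessageBuilder:
    """Minimal DNS response encoder with RFC 1035 section 4.1.4 name compression."""

    def __init__(self, msg_id=0x1234):
        self.buf = bytearray(struct.pack("!HHHHHH", msg_id, 0x8400, 0, 0, 0, 0))  # QR=1, AA=1
        self.offsets = {}              # suffix already on the wire -> its offset
        self.counts = [0, 0, 0, 0]     # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

    def name(self, fqdn):
        """Emit a domain name, replacing any suffix seen before with a 2-byte pointer."""
        labels = [l for l in fqdn.lower().split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:  # pointers can only address the first 16 KiB
                self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"            # root label ends the name ("." alone is this one byte)

    def question(self, qname, qtype):
        self.name(qname)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)
        self.counts[0] += 1

    def rr(self, section, owner, rtype, ttl, write_rdata):
        """Append one RR; write_rdata(self) emits RDATA so it can use compression too."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"        # RDLENGTH placeholder, patched below
        write_rdata(self)
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - rdlen_at - 2)
        self.counts[section] += 1

    def finish(self):
        struct.pack_into("!HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def ns_rdata(target):
    return lambda b: b.name(target)


def a_rdata(octets):
    return lambda b: b.buf.extend(bytes(octets))


def sig_rdata(type_covered, signer, sig_len):
    """RFC 2535 section 4.1 SIG RDATA: 18 fixed bytes, signer name, then the raw signature."""
    def write(b):
        # type covered, algorithm 1 (RSA/MD5), labels, original TTL, expiration, inception, key tag
        b.buf += struct.pack("!HBBIIIH", type_covered, 1, 0, 518400, 0, 0, 0)
        b.name(signer)
        b.buf += bytes(sig_len)        # zero-filled stand-in of the right length, not a real signature
    return write


def build_priming_response(sign_ns=False, glue=True, sign_glue=False, sig_len=128):
    """Answer to the hints-file query '. IN NS', optionally with SIG RRs (sig_len assumes RSA-1024)."""
    b = DNSMessageBuilder()
    b.question(".", TYPE_NS)
    for ns in ROOT_SERVERS:
        b.rr(1, ".", TYPE_NS, 518400, ns_rdata(ns))
    if sign_ns:
        b.rr(1, ".", TYPE_SIG, 518400, sig_rdata(TYPE_NS, ".", sig_len))
    if glue:
        for i, ns in enumerate(ROOT_SERVERS):
            b.rr(3, ns, TYPE_A, 3600000, a_rdata([192, 0, 2, i + 1]))   # constructed addresses
        if sign_glue:
            for ns in ROOT_SERVERS:
                b.rr(3, ns, TYPE_SIG, 3600000, sig_rdata(TYPE_A, "root-servers.net", sig_len))
    return b.finish()


def fits_in_udp(message):
    return len(message) <= UDP_MAX


if __name__ == "__main__":
    for label, kw in [("unsigned, with glue", {}),
                      ("NS RRset signed, with glue", {"sign_ns": True}),
                      ("NS RRset signed, no glue", {"sign_ns": True, "glue": False}),
                      ("NS and glue signed", {"sign_ns": True, "sign_glue": True})]:
        msg = build_priming_response(**kw)
        print(f"{label:30s} {len(msg):5d} bytes  fits in UDP: {fits_in_udp(msg)}")
```

The unsigned priming response with all 13 glue records comes to 436 bytes. A single SIG over the NS RRset adds 158 bytes and pushes the whole response to 594, past the 512-byte limit, so a server that insists on the glue must set TC and the resolver retries over TCP. The same signed answer without the additional section is 386 bytes, which is the trade-off the minutes hint at: dropping glue keeps UDP working but costs the resolver extra lookups, while signing the glue as well takes the message into the kilobytes.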
3. draft-ietf-dnsop-opreq-root-01.txt - Randy Bush

Presented changes reflected in the current draft from the previous draft:

* Power requirement statement changed so that the requirement for reliable power reflects that the available power source would be "as good as" what was a MUST in the previous draft.
* One item of contention remaining: ought root servers to allow AXFR? The current draft says that a root server MUST NOT allow AXFR. Discussion on the list suggested that this ought to be changed to SHOULD NOT.

Discussion

There was a general discussion about the requirement for the availability of the information contained in the root zone. Comments:

* Information is needed for setting up stealth root zones or for debugging DNS problems.
* Source of the content information in the zone should come from ICANN.
* An FTP source for the information would be sufficient.
* AXFR should be permitted but would be shed when the root is overloaded with TCP requests.
* Goal should be to limit where possible the TCP requests to the root servers.

Next Step - Get comments from the list, produce a new version of the draft, and go for a WG last call for the ID to become a BCP.

4. draft-ietf-dnsop-keyhand-00.txt - Ed Lewis

An overview of the current draft was presented. This draft had been written earlier as part of an earlier DNSSEC effort. The draft needs to be reorganized and it needs operations/operator experience. The secure dynamic update that this draft discusses is being worked on in the DNSIND WG. The NXT and .PARENT should be dropped from the draft. Key transfer mechanisms are discussed in the DNSIND rollover draft. Other issues are self-signing and key management within zone administration.

Discussion

There was a general discussion about the possession of keys, in particular the possession of child keys by the parent. It was decided that operational experience would determine whether or not there was an effect on UDP overflow.
Ed requested that anyone with operational experience document it and send it to the list. The point was raised, without discussion, that if the DNSSEC RFC says that the parent MAY have the key of the child, then the Root Ops RFC should say that the root MUST NOT have the key of the child.

Masataka Ohta led a discussion about keeping the authoritative source for the key on a private server. A general discussion did not arrive at a consensus as to whether or not this was a requirement or an option. Consensus was that operational experience would be needed before a determination could be made. It was also noted that an RFC may be needed to document this process.

Ed closed with another solicitation for experience and stated that there may be a DNSSEC workshop in the US within the next few months, in which case the topic of key handling would probably be discussed.

4. Lars-Johan Liman gave a short overview of the relationship between the registrant, the DNS operator, the registry, and the registrar. He stated that Mark Kosters was working on a draft about this topic. The general discussion was in regard to clarification of the terms and the relationship between the four parties. The consequences of changing registrars were briefly discussed. This would require a change in the administration of the zone and would affect NXT records. That this would probably require some legal mechanism to be a part of the process would probably strengthen the reason to change the concept and implementation of the NXT record.

5. draft-hardie-dnsop-shared-root-server-00.txt - Ted Hardie

Ted presented his draft. The discussion raised the following points:

* Synchronization of servers
* Service confusion caused by the existence of different SOA records
* The use of NTP would be a requirement.

The next version of this draft will be named: draft-ietf-dnsop-hardie-shared-root-server-00.txt

6. draft-ietf-dnsop-shared-root-server-00.txt - Masataka Ohta

Ohta-san presented his draft. The discussion of the draft raised the following issues:

* There could be some routing difficulties because all of the servers would have the same IP address and AS number, but the AS would not be contiguous.
* AXFR will be hard between the servers sharing an IP address, as the routing announcement would contain the same AS and thus would be dropped.
* There could be routing problems when using TCP.
* It would be difficult to prevent leakage of incorrect routing information.

The next version of this draft will be named: draft-ietf-dnsops-ohta-shared-root-server-00.txt

7. The two drafts were compared. Consensus was that they were about 80% the same. Administration requirements for the Hardie version appeared to be less complex, as there would only be one AS administrator to deal with. There was general discussion about conducting a test using a sub-domain of the .TEST top level domain. Both authors are to make presentations at the next IETF meeting. At that time the group will decide which, if either, version to pursue.

8. There was no other WG business.

9. draft-koch-dns-soa-values-01.txt - Peter Koch

Peter presented his draft, which provides recommendations for fixed SOA values to be used by domain administrators. Peter asked for comments. The only discussion concerned whether the WG should take this draft as work of the WG. Consensus was for this document to proceed to become a RIPE document.

#----------------------------------------------------------------------
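The minutes do not reproduce the values recommended in draft-koch-dns-soa-values (item 9), so the following added example, which is neither the draft's nor the WG's, shows the kind of check an operator would run over a zone's SOA before publishing it: it parses one SOA RR in master-file syntax (RFC 1035 section 5, including parenthesised continuation lines, comments and BIND time suffixes) and applies consistency rules to the timers. The rules and thresholds (retry shorter than refresh, expire covering at least one failed refresh cycle and at least a week, a negative-caching TTL of at most a day per RFC 2308, and the YYYYMMDDnn serial convention from RFC 1912) are this example's own assumptions, and both sample records are constructed.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """Parse a master-file time value: plain seconds (3600) or BIND suffix form (2h, 1w2d)."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    total = sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))
    if total == 0 or re.sub(r"\d+[smhdw]", "", token):
        raise ValueError(f"bad time value: {token!r}")
    return total


def parse_soa(text):
    """Parse one SOA RR written in RFC 1035 master-file syntax, possibly spanning several lines."""
    lines = [re.sub(r";.*", "", line) for line in text.splitlines()]     # drop comments
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()  # flatten parentheses
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    i = tokens.index("SOA")
    serial, refresh, retry, expire, minimum = tokens[i + 3:i + 8]
    return {
        "owner": tokens[0], "mname": tokens[i + 1], "rname": tokens[i + 2],
        "serial": int(serial), "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
        "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
    }


def check_soa(soa):
    """Return a list of findings; an empty list means the timers pass this example's rules."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        findings.append("expire is shorter than one refresh plus one retry")
    if soa["expire"] < 7 * 86400:
        findings.append("expire under one week leaves little margin for a long master outage")
    if soa["minimum"] > 86400:
        findings.append("minimum (negative-caching TTL, RFC 2308) is above one day")
    if not re.fullmatch(r"(19|20)\d{8}", str(soa["serial"])):
        findings.append("serial is not in YYYYMMDDnn form")
    if "@" in soa["rname"]:
        findings.append("rname must encode the mailbox with a dot, not '@'")
    return findings


# Constructed sample records (example.com/example.net are reserved documentation names).
SAMPLE_GOOD = """\
example.com.  IN SOA  ns1.example.com. hostmaster.example.com. (
                  1999071501 ; serial, YYYYMMDDnn
                  86400      ; refresh, one day
                  7200       ; retry, two hours
                  3600000    ; expire, about six weeks
                  3600 )     ; minimum, one hour
"""
SAMPLE_BAD = "example.net. IN SOA ns1.example.net. hostmaster@example.net. ( 42 1h 2h 2h 1w )\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        soa = parse_soa(sample)
        print(soa["owner"], check_soa(soa) or "ok")
```

Run on the two samples, the first passes and the second produces six findings: retry longer than refresh, an expire value shorter than one refresh cycle and than a week, a one-week negative-caching TTL, a serial that does not follow the date convention, and an rname with a literal "@".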