IETF-751 Olafur Gudmundsson Andrew Sullivan
IETF-752 Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to: The IETF plenary session The IESG, or any member thereof on behalf of the IESG Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices Any IETF working group or portion thereof The IAB or any member thereof on behalf of the IAB The RFC Editor or the Internet-Drafts function All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879). Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice. Please consult RFC 5378 and RFC 3979 for details. A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements. A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public.
IETF-753 Forgery Resilience #2.5: Path forward Olafur Gudmundsson Andrew Sullivan
IETF-754 History RFC5452 –Adopted early 2007 –Issued Jan 2009 –Addresses how to add entropy to queries via “standards-compliant” means Mid 2008 word of Kaminsky attack causes lots of mailing list traffic and panic. –DNSEXT starts process to figure out if/what to do for more FR measures –Good uptake in new “hardened” resolver versions. Fall 2008 IETF-73 design team meets and suggests path forward –Nothing happens.
IETF-755 Topic: Additional Entropy Additional Entropy: –DNS Ping: ”just do it” helps when available, does not hurt in any case Withdrawn –0x20: helps in the case when DNS Ping is not available, “Mostly harmless” the only standards actions: specify that server MUST copy QName unchanged into answer and resolver MUST strip 0x20 from answer. –“RTT Banding” or “Name server scatter”: Requires much more work before we can recommend on how to do this, at least a document on how to measure and maintain measures off Round Trip times should be written. i.e. a RTT BCP Discourage for now
IETF-756 Topic: Data Acceptance Cache overwrite recommend against –At same credibility: –Extend TTL’s: CNAME and DNAME chains: – Recommend recursive resolvers perform the full chain processing, i.e. only accept first [CD]NAME from each answer. Fetch better data: –Some attacks rely on caches to overwrite existing data with newer data at same criticality, this can be prevented by explicitly asking authority for the data that is included in referrals. –Implications: more queries, may cause outages due to errors that are currently masked Needs more study before recommendation
IETF-757 Topic: Query Fallback TCP – Should be avoided as much as possible –Study if current OS’s can be tuned to handle the load ORG survives with 15% of queries via TCP
IETF-758 Documents draft-barwood-dnsext-fr-resolver- mitigations-08 draft-wijngaards-dnsext-resolver-side- mitigation-01 Pick one or none ?
IETF-759 Next steps: Open Microphone
IETF-7510 EDNS0 at IETF-75 EDNS0bis-02 –New editor: Michael Graff –Big changes read and comment –Document Goals error handling Size fall back Close bit label registry Mandate ENDS0 support Clarify language Change allocation process for new options ? –Finish this year
IETF-7511 ENDS0 size and DO New version 01 yesterday Main change: If size < 1220 && DO == 1 –clear DO bit in answer and treat as no DO –OR RCODE=FORMERR & OPT RR included –Reason simplify processing and tell requestor that ENDS0 is understood but query is inconsistent.
IETF-7512 EDNS0 size discovery
IETF-7513 Behave DNS64
IETF-7514 IXFR-ONLY
IETF-7515 Charter What to add ? –IXFR-ONLY ? –DNS RFC GUIDE ? –RFC1034/5 rewrite ? –DNSKEY support option ? Will ask mailing list for quick feedback
IETF-7516 IPv4 + IPv6 query
IETF-7517 DNSSEC key algorithms Dr. Crocker: – DNSSEC Algorithm signal David Conrad on RSA/SHA256 in root
IETF-7518 DNSSEC algorithm maintenance policies