I’ve been quite lucky with the timetable, so like Wednesday I could have a relaxed morning on Thursday. Friday is a half day (so that attendees can head home before the weekend) but I popped into London for the last session and to say goodbye to anyone who was still around.
Before lunch on Thursday I had a chat with various people including Tim Griffin (who I have not previously met despite working in the building hext door to him!) and Geoff Huston. Geoff thanked me for my suggestion about avoiding a potential interop gotcha in his kskroll-sentinel draft that I covered on Tuesday, and I thanked him for his measurement work on fragmentation. He told me to not to forget Davey Song’s clever “additional truncated response” idea, so I posted a followup to yesterday’s notes on fragmentation to the dnsop list.
Over lunch there was a talk by David Conrad about replacing the root DNSSEC key. I have been paying attention to this process so there were no big surprises. It’s difficult to get good data on how DNSSEC is configured or misconfigured, hence the kskroll-sentinel draft, and it’s difficult to get feedback from operators about their approaches to the rollover. An awkward situation, but hopefully the rollover won’t have to be postponed again.
After lunch was the DNS-over-HTTPS working group meeting.
This started with some feedback from the hackathon, and then a discussion of the current state of the draft spec. It is close to being ready, so the authors hope to push it to last call within a few weeks. (The DoH WG has been remarkably speedy - it helps to have a simple protocol!)
After that, there was some discussion about what comes next. The WG chairs plan to close the working group after the spec is published, unless there is consensus to pusrsue some follow-up work. There was also a presentation from dkg about using HTTP/2 push to send unsolicited DoH responses: in what situations can browsers use these responses safely? are they useful for avoiding DNS lookup latency?
I still don’t know if DoH is a massive distraction from the bad idea fairy. It feels to me like it might be one of those friction-reducing technologies that changes the balance of trade-offs in ways that have unexpected consequences.
In the next session I missed the jmap meeting and instead spent some time in the code lounge with Evan Hunt (ISC BIND), Peter van Dijk (PowerDNS), and Matthijs Mekking (Dyn), hammering out some details of ANAME (at least for authoritative servers).
PowerDNS and Dyn have existing (non-standard, differing) implementations of this functionality, so we were partly trying to work out how a standardized version could cover existing use cases. One thing that slightly surprised me was that PowerDNS does ALIAS expansion during an outgoing zone transfer - I had not previously considered that mechanism, but PowerDNS is designed around dynamic zone contents, so I guess their zone transfer code has to quite a lot more work than BIND.
We ended up with a few almost-orthogonal considerations: Is the server a primary or a secondary for the zone? Is the zone signed or not? Does the server have the private keys for the zone? Does the server actively expand ANAME when answering queries, or passively serve pre-expanded addresses from the zone? Does the server expand ANAME on outgoing zone transfers, or transfer the zone verbatim?
There are a few combinations that don’t make sense, and a few that end up being equivalent, but it’s quite a large and confusing space to navigate.
I think we managed to resolve several questions (as it were) and had a useful meeting of minds, so I’m looking forward to more progress with this draft.
Shumon Huque has a nice operations draft explaining how to manage DNSSEC keys for zones served by multiple DNS providers which I reviewed on the mailing list.
Ray Bellis presented catalog zones which I quite like, though it isn’t quite the right shape for simplifying the tricky parts of my configuration, though it does simplify our stealth secondary config a lot. But a lot of others in the room do not like abusing the DNS for server configuration
Matthijs Mekking presented his idea for less verbose zone transfers. This is something we discussed in the mfld track at the previous London IETF and although it is quite a fun idea, Matthijs now thinks that if we are going to revise the zone transfer protocol, it would probably be better to move it out of band so that there’s the flexibility to do even more clever things without overloading Bert’s camel.
We ran out of time before we got to Petr Špaček’s camel-diet draft. This is related to the agreement between the big 4 open source DNS servers that next year they will stop working around broken EDNS implementations
For the final session I went to the working group on limited additional mechanisms for PKIX and SMIME. Paul Hoffman clued me in that there would be some discussion of CAA (X.509 certificate authority authorization) DNS records. There’s a revision of the spec in the works, which includes more operational advice that I should review wrt the problems we had back in September preventing some certificates from being issued.
On Thursday evening I went to a Thai restaurant with some friendly Dutch DNS folks. I foolishly chose the “most adventurous” menu item, which was nice and stinky although a bit too spicy. I think I still smell of fish sauce…
The end of my IETF was lunch with John Levine chatting about ISOC and our shared tribulations of the small-scale DNS operator.
And now I am on my way home at the end of a long busy week, hopefully in time to pick up my new specs from the optician.