# DNS Privacy Exchange (DPRIVE) WG
## Interim
* Date: 10 December 2018
* Time: 16:00 - 18:00 UTC
* Room:
* Chair: Tim Wicinski <[email protected]>
* Chair: Brian Haberman <[email protected]>
* IESG Overlord: Terry Manderson <[email protected]>
* [DataTracker](https://datatracker.ietf.org/group/dprive/documents/)
---
## Agenda
### Meeting logistics (scribes, jabber, etc.)
Tim Wicinski - minutes
### Interim objectives
### Discussion of requirements/goals for DNS privacy between recursive resolvers and authoritative servers
Benno discusses https://trac.ietf.org/trac/dprive/wiki/DPriveStage2
Paul Wouters: Anonymous DNS vs Authenticated Queries?
Paul Hoffman: Edited wording on connection/connectionless text submitted by Erik Nygren.
Mukund: Cost of TLS connections. Resolver makes several requests in sequence in HTTPS.
Cost of TLS over UDP will significantly hamper end user experience.
Stephen Farrell: Zone Owners/Registrant have a perspective.
PW: How far to go to prevent it not being blocked?
Jon Reed: Discussion with pros/cons on where to draw the line on these.
Karl Henderson: No TLS between of recursive /auth unless stub/recursive
DKG: Cut these use cases functionally.
SF: Why should stub/recursive TLS be required for recursive/authoritative?
BH:
SF: Should not be a protocol requirement
DKG: Do you have to treat your cache differently if receive over private vs non-private link
JR: Discuss out-of-bailiwick authorities
Wes Hardaker:
Mukund: Security and Privacy
DKS: recursive resolver just been stood up. being observed.
PH: Two Caches with different privacy. Don't propose to do this work
MS: Two different caches, data resolvers learned over the different transport.
### Large Root/TLD Operator observations, Henderson
Recursive vs Authoritative: users can't avoid a workaround.
Should focus on availability
look at:
- DNS-over-TLS
- performance, attack vectors
- authoritative profile
DKG: Focus on DoT is reasonable.
TW: Similar to DNSSEC?
KH: New attack vectors, etc.
DKS: What new attacks
KH: DDoS
DKS: Give clear guidance on balancing availability over privacy
PH: Use case then becomes opportunistic.
DKG: Don't Agree
PH: I said opportunistic not none
DKG:
WH: Explicitly named secondary
DKS: Functional Split to signal availability
How do we signal availability?
- not at all, opportunistic try
- per zone,
- per nameserver,
- per IP Address
SF: Inheritance for subdomains
KH: Capability signaling that Tony Finch is working on
DKG: specifically formed domain names.
WH: Clarifying question - only used to put in the name to get speed
DKG: Name propagated already (glue, etc.)
PH: 63 character library limits for
Russ:
### Next steps
Tim Wicinski
Brian Haberman
Alex Mayrhofer
Benno Overeinder
Brett Carr
Dan York
Daniel Kahn Gillmor
Duane Wessels
John Dickinson
Jon Reed (Akamai)
Karl Henderson
Kazunori Fujiwara
Logan?
Manu Bretelle
Mukund Sivaraman
Nabarun Biswas
Paul Hoffman
Paul Wouters
Peter Koch
Petr Spacek
Richard Wilhelm
Russ Housley
Sean Turner
Shumon Huque
Stephen Farrell
Theresa Enghardt
Wes Hardaker
Warren Kumari
Austin Hounsel