RIPE 47

RIPE Meeting: 47
Working Group: DNS
Status: Final
Revision Number: 2

RIPE 47 Meeting

DNS Working Group and DNR Forum Agenda
Date: Tuesday 27 January 2004
Time: 16.00 - 17.30
Location: Grand Ballroom

A. Administrative matters:
- Scribe: Arno Meulenkamp
- Blue sheets
- Agenda bashing
Jaap: (1) The talk about WSIS will be dropped, because it is also on
the agenda of the 0; will be replaced by a report over
the "Last Call Workshop at Ripe NCC" about DNSSEC

(2) The talk about the SSAC DNSS document will not be a
separate agenda item, but will be covered during the
"News from ICANN" item

(3) Jakob Schlyter couldn't come.

- Minutes Ripe 46 (http://www.ripe.net/ripe/wg/dns/r46-minutes.html)


B. To merge or not to merge

Heads up for discussion at end of Agenda (Chairs).

Not a lot of discussion on the mailing list, so no decision can be made
currently, discussion needs to be continued.

C. Status reports

CENTR Activity (Kim Davies) [5-10 minutes]

Kim Davies presented the report.

Daniel Karrenberg: Freedom of information?
Kim: Perhaps I should have said data protection laws

provreg (Jaap [1 min])

Jaap Akkerhuis: We were waiting on the IANA XML registry. This is
just recently established, the XML RFC is published. So now the
rfc-editor can continue

IETF WG Update: DNSOP DNSEXT (Suzanne Woolf)

Suzanne Woolf presented an overview of what happened recently in the WGs

enum Patrick Faltstrom

Patrick Faltstrom: the RFC has been approved, the RFC editor will look at it,
it is in the queue right now
Jaap: 3 documents?
Patrick Faltstrom: Yes, 3 documents
Jim Reid: what's the estimate before the RFC editor will look at it?
Patrick Faltstrom: hard to say, we are #5 on the list. Could be up to
3 months from now.

sshfp Jakob Schlyter

Jakob couldn't make it

Update on the IETF CRISP Working Group (Andrew Newton, Leslie Daigle) [By proxy, 5 min, Jaap]

They also couldn't make it, but they did send slides, which Jaap presented.

ICANN/IANA news [10 min]

presented by Doug Barton

No slides.

DNS Infrastructure Recommendation Of the Security and Stability
Advisory Committee.

ICANN report, which can be found here:
http://icann.org/committees/security/dns-recommendation-01nov03.htm

AAAA records in the root, Daniel Karrenberg

There was some research to see what happens with more glue in the
root, this to accommodate IPv6 addresses in the zone file. There
might be a technical problem.

Doug: There are concerns over changing the root zone. We're trying
to work with all parties involved.

Jim Reid: is there a look into what might happen when AAAA records
are added, because IPv6 traffic might cause other operational things?

Doug: this is looked at.

Iljitsch van Beinum: This is looked at for tld's and root zone?

Daniel: yes

Daniel: what is the time line?

Doug: the RSAC recommendation (see link) needs to be formally
presented to the ICANN board. And it also needs to be published
publicly and we need to see what the feedback is.

Suzanne Woolf: is the IANA looking at how the technical recommendation
would be operationally implemented?

Doug: yes, when we present the plan officially, we also want to add
a recommendation.


D. Registrar/Registry News

News from RIPE NCC

Update on dnsmon: Going beta [5 min], Daniel Karrenberg

It is now Beta, still on development machines, documentation is
much improved, soon completely ready.

Reverse DNS project; Update & Proposals Olaf Kolkman (or replacement)

Olaf presented the project.

Andre: does the mnt-domains in inetnum override the mnt-by in the
domain object? Olaf: no, it only controls the creation of the
object, the mnt-by in the domain object then takes care of protecting
the object.

Peter Koch: you said this will not solve the lameness problem, why
not, what are you going to do?

Olaf: it is quite a different thing, we're not trying to solve too
many problems at the same time. We check when delegations are
created, that will not change. Lameness might come later.

Peter: Old domain objects could be fed through the system, do you
have any number of lame delegations or other DNS problems?

Olaf: not currently

Jim Reid: with regard to lameness, the working group should look
at this and maybe make a definition of lameness after which we can
map the situation (with the help of the RIPE NCC, perhaps)

Jim Reid: as chair: does this working group approve of this project,
do we think we need to say something about this (as it is internal
housekeeping to some extent)?

Jaap Akkerhuis: time flies. Let's postpone the other registry points
to the other slots.

Date: Thursday 29 January 2004
Time: 09.00 - 12.30
Location: St. Johns II

Chair: Jaap Akkerhuis, Jim Reid
Scribe: Timur Bakeyev, RIPE NCC

Thanks to our scribe.

Introduction. Short description of the Tuesday session.

Scribe is presented to the public.


News from cz.nic - tld.cz, Ing Tomas Marsalek [15 min]
covers: new registry model
enum
idn

A nice story about a cybersquatter who claimed 10.000$ for the domain from
one of the bank groups but was sued and charged for half of this sum :>

No questions were asked.

News from PL, Andrzej Bartosiewicz [20 min]
covers: idn
monitoring internal systems
ISO 9001 certification
archiving blessed by Polish Certification Office

file: http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-nask.pdf

Due to the shortage of time the introduction slides were skipped.

Andrzej described the process of deployment of IDN for .pl domain.

The policy is: First come - first served.

In the first few days a peak of interest in IDN was noticed (1600
registrations); now the average number of new domain registrations is
around 20 per week.

EPP for ENUM part of the presentation was skipped; it was already
presented during the enum BOF.

The overview of the process of monitoring DNS servers and services was
done by Slawomir Gruca.

In the past they had several conflicts when a customer claimed that
a given domain wasn't accessible at a certain date/time. Since then they
have used a zone signing service via SigNet.pl as proof that the domain
zone did exist at a particular time in a particular state.

Q: In the slides it's mentioned, that the 'crucial domain list' is used
to monitor the possible harmful changes to the DNS. Who did compile this
list?
A: This is the list of the most popular domains, which was provided by
a third party. It's assumed that domains from that list are the best
target for fraud. The changes in the nameserver layout of these domains
are also verified by a human.

Q: Do you provide monitoring from the end user point?
A: That's in the plans of the company.

Q(Bruce): What is actually tracked for the domains from the 'crucial
list'?
A: The list is monitored by a script, which checks changes in the name
server structure and delegation information.


E. Other news

ISC update, Joao Damas [20 min]
covers: Bind road map
OARC

file:DNS/dns-wg-ripe47.ppt

ISC is dead! Long live ISC! ISC has changed its name from Internet
Software Consortium to Internet Systems Consortium.

A new incident response group has been created - Operations, Analysis and
Research Center (OARC). http://oarc.isc.org.

F-root server in Paris, Moscow, Dubai, Beijing, Taipei, Singapore.

New Bind forum (and DHCP in future). Bind will remain free!

Two parallel versions were released - Bind 8.4.4 and Bind 9.2.3. Bind8
is in a maintenance phase - only security fixes. Focus is on Bind9 and
improving its performance and support of DNSSEC.


Q: It is said, that F-root server in Paris is IPv6 enabled. Is this
information publicly available and how to get it?
A: You need to ask sysadmins of their provider.

Q: Is this some kind of a secret then?
A: No, it just means that this setup is still considered under trial
and still in development.

Q: Whom should I contact then?
A: Tiscali.fr.

Q(humorous): Can you, please, stop releasing Bind8? Version 9 is so cool
and existence of the persistently updating Bind8 keeps people from
switching to version 9.
A: For Bind8 only bug fixes are done. All new features are added to the
Bind9.
Comment (Daniel): Bind8 is buggy, that's the reason for such frequent
releases. Also, it still outperforms Bind9.
Comment (Joao): One nice feature Bind9 has - an automated update of the
hints file (with the list of root servers). With the upcoming change of
the IP of the B-root server tomorrow (30 Jan 2003) it makes it a very neat
feature (Bind8 users eventually need to download a new version of the hints
file by themselves).

Q: Regarding IPv6 support. http://www.root-servers.org/ lists the IPv6
addresses of some of the root servers. Would it be possible to ship
hints file which will include IPv6 addresses of these servers as well?

A: Speaking about web page - it's a good idea. Hints file... Well, we'll
see :)
Comment: B-root would be available on the old address for quite a
reasonable amount of time (2 years).

Q: For Bind8 users - the change of the B-root IP address isn't an
emergency?
A: Completely not, but eventually this file should be replaced.

DNSSEC LC Workshop, Joao Damas [20 min]


The workshop was done in cooperation with NLnet Labs and RIPE NCC.

The goal was to check interoperability of two implementations of
DNSSEC - one in the beta version of Bind9.4 and another in NSD2.0.

The results of the workshop proved that these two versions can
interoperate, but a lot of updates and remarks were also made to the
DNSSEC draft and sent back to the IETF.

Q: How long will it take before there is a standard?
A: Workshop helped a lot to spot the issues in the current draft
of the standard. It will take a while, before all of them will be
fixed in the document. At minimum, 2 more months...


F. Tools

Fingerprinting DNS, Roy Arends [20 min]

The goal of the survey was troubleshooting and statistical information on
the distribution of different versions of DNS software.

Different versions of different name servers were run in the test
environment to collect an authentic fingerprint of them. Still looking
for pre BSD4.3-tahoe bind implementation.

Comment (Daniel): We have contacts with people who still own the
necessary hardware and software.

Still, no available CISCO DNS implementation(?)

Olaf's DNS calculator was mentioned as one of the amazing examples of
Perl based DNS servers.

The survey also helped in spotting a bug in the QR bit handling of one of the
DNS server implementations, which could lead to a DoS attack. Fixed!

Software is available at: http://www.rfc.se/fpdns/

Note from the audience: PowerDNS is mentioned twice on the slide!

Q (Jim Reid): What is the distribution of the DNS software according to
the survey?
A: Out of 50.000 queried servers nearly half run Bind9, a quarter -
Bind8 and most of the rest are Windows DNS. But if you count by number of
zones supported by the server, then Bind8 is the winner :()

Modifying NSD for DNSSEC, NLnetlabs, Erik Rozendaal [5 min]

Short introduction to NSD - a simple, high performing name server for
authoritative zones.

Q (Joao): What kind of traffic is shown on the graphs? Does it reflect
a real life scenario, when unreplied (dropped) queries actually create
additional queries, coming from the client side, artificially increasing
load?
A: Have no idea...

PowerDNS & General Thoughts on the (Ir)relevance of DNS (Bert Hubert)

Written in C++, multithreaded DNS server. Multiple backends.

No DJB-isms :)) Had a 0x1FFFFFFF bug in the code :)

Q: Is TSIG supported?
A: I have it in my plans.

G. Experiences

Q: What does the phrase in the slides 'automated key compromise' actually
mean :)?
A: The zone dropped immediately.


Internationalised Domain Names in Europe (Kim Davies) [40 minutes]

Q: End user problem: How can I type in Chinese, let's say domain name?
A: Have no idea, the main application for IDN is local usage within
this language speaking country/community.

Q: Any plans for having IDN for TLDs?
A: Not yet.

Q: What browsers already support IDN out of the box?
A: Two are known at the moment - Mozilla and Opera.

H. To merge or not to merge (continued)

5 minutes past the lunch break.

Jim shouts: Shall we merge or not?

Audience screams: YES!

Everyone runs for lunch :)

Action Item: Charter for the new group.