
DNSEXT IETF-55



Presentation Transcript


  1. DNSEXT IETF-55
     Ólafur Guðmundsson ogud@ogud.com
     Randy Bush randy@psg.com

  2. Agenda
     • Agenda Bashing
     • Working group document status
     • GSSAPI and TSIG conflict
     • AAAAbis
     • DNSSEC Documents
     • DNSSECbis
     • OPT-in
     • DS
     • Wildcard Opt
     • KEY Signing Flag
     • Domain name Auto-Registration for IPv6

  3. DNSEXT documents status
     • WG last called pending updates
     • Opcode DISCOVER
     • WG Last call
     • RFC1886bis
     • DNSSEC OPT-in
     • TKEY Renewal
     • RFC editor queue
     • Restrict KEY
     • Obsolete IQUERY (auth48)
     • DNSSEC Roadmap
     • IESG
     • AD secure
     • AXFR-clarify
     • Unknown types
     • DS

  4. RFCs Conflict background
     • DNSEXT WG generated TSIG RFC
     • DNSEXT WG processed GSSAPI TSIG
     • IESG processed ID as well
     • Just before RFC editor started auth48 period
     • We got a report that there was a conflict between these two documents.
     • GSSAPI TSIG is on hold while we resolve.

  5. TSIG vs GSSAPI issue
     • TSIG specifies that TSIG can only be used if the original query contains TSIG.
     • GSSAPI specifies that the LAST message in the TKEY exchange has TSIG.
     • The last message is empty, and this proves the negotiated key is working.
     • From a security point of view this is a good thing.
     • TSIG needs minor updates before advancing to Draft Standard: is this extension one of them?

  6. DNSEXT DS status
     • Implementations
     • 1 resolver (or 2)
     • 2 server implementations
     • 3 different management tools in development
     • 3 workshops on DS since Yokohama

  7. What have we learned at workshops
     • 3 new underspecified corner cases found.
     • Need to specify what the child server returns for a DS query at the apex. (Done in 10, updated in 11)
     • Parent not found if the child is served by the same server as an ancestor other than the parent.
     • RFC2535-capable caches have a problem with DS
     • Are there more undiscovered?

  8. DS status
     • One more update:
     • Deal with ancestor problem
     • Solution: resolver detects this from authority section and asks for delegation information on parent
     • DS aware resolver indicator in query?
     • ???
     • TIME TO DECIDE if DS goes forward, is close.
