[07:28:47] --- ripple has joined
[08:09:39] --- lixia has joined
[08:47:45] --- lixia has left
[08:49:42] --- rip-l has joined
[08:49:55] <rip-l> Test.
[08:54:28] --- suz has joined
[08:54:55] --- suz has left
[08:55:09] --- lixia has joined
[08:55:11] --- suz has joined
[08:55:44] --- dblacka has joined
[08:56:05] --- weiler has joined
[08:56:12] <weiler> good morning
[08:56:37] --- marka-isc has joined
[08:58:36] <marka-isc> wildcard first up. design meeting the other day
[08:59:17] <marka-isc> identify choices that can be made. No decisions were made.
[09:00:03] --- narten has joined
[09:00:19] <marka-isc> going through published agenda
[09:00:48] <weiler> it sounds like LLMNR may be pushed to even later in session, since Bernard is available then.
[09:01:06] <marka-isc> wcard-clarify
[09:01:19] <marka-isc> Ed speaking
[09:01:51] <marka-isc> -05 current
[09:01:58] --- robertml has joined
[09:02:08] <robertml> (registered an account elsewhere)
[09:02:47] --- olaf-laptop has joined
[09:02:53] <marka-isc> has title change, added dnssec considerations, more special types to handle
[09:03:14] <marka-isc> clears up definition of "wildcard"
[09:03:45] --- ggm has joined
[09:03:47] <marka-isc> defines "asterisk label", "wildcard domain name"
[09:04:16] <marka-isc> , "closest encloser" and "source of synthesis"
[09:04:40] <marka-isc> cleans up 1034 text
[09:04:46] <marka-isc> changes to "* CNAME"
[09:05:42] <marka-isc> New rules for NS and DNAME in 06. Don't synthesize.
[09:05:43] --- weiler has left
[09:06:07] --- anewton has joined
[09:06:08] <marka-isc> If not synth don't do wild card signing.
[09:06:36] <marka-isc> in these cases
[09:06:38] --- weiler has joined
[09:06:48] --- dblacka has left: Disconnected
[09:06:58] <marka-isc> * NS is treated as a normal delegation.
[09:07:46] <marka-isc> Synthesis is cancelled at the zone boundary
[09:07:53] --- dblacka has joined
[09:08:21] --- anewton has left
[09:09:00] <marka-isc> rsa asked how signed failed
[09:09:28] <suz> that was sra :) asks what's the problem with signing
[09:09:48] --- johani has joined
[09:10:25] --- johani has left: Logged out
[09:11:39] --- Hollenbeck has joined
[09:11:43] <marka-isc> queries for a.example/ns didn't return delegation
[09:12:10] <marka-isc> and dnssec proofs were wrong
[09:13:04] <narten> which ID is being discussed?
[09:13:14] <suz> wcard-clarify
[09:13:39] <marka-isc> discussions from monday
[09:13:39] --- Margaret has joined
[09:13:46] <suz> SRA and Liman have asked clarifying questions about parsing arguably pathological input
[09:15:08] --- johani has joined
[09:16:44] <marka-isc> text to describe this coming
[09:17:55] --- nevil has joined
[09:18:52] <marka-isc> add "AND NOT A NS NOR A DNAME" to the 1034 text
[09:18:52] <marka-isc> Discussion about "* DNAME"
[09:19:29] --- mattlarson has joined
[09:19:49] <marka-isc> "* DNAME" causes inconsistant answers form the cache and auth servers
[09:19:59] --- ben has joined
[09:20:01] <marka-isc> Signing
[09:20:24] --- mattlarson has left: Replaced by new connection
[09:20:55] --- matt has joined
[09:21:50] <matt> please use the mics
[09:22:12] <marka-isc> Wildcard label fields don't normally count wildcards. Explicitly state that the label count will match when wildcard expansion is disabled
[09:22:12] <marka-isc> (dnssec editors want to kill ed)
[09:22:12] <marka-isc> Discussion on SRV
[09:22:17] <ggm> I'll hurl abuse/heckle if people don't do so.
[09:22:24] <matt> thanks
[09:23:01] <ggm> abuse hurled
[09:23:24] <marka-isc> Mixes use and protocol
[09:26:11] --- olaf-laptop has left
[09:26:39] <marka-isc> sra: bunch of garbage handling here
[09:26:59] <marka-isc> nameservers should raise a warning
[09:27:14] --- ripple has left: Lost connection
[09:28:26] <marka-isc> david conrad
[09:28:26] <marka-isc> treat "* NS" as garbage input
[09:28:26] <marka-isc> marka says "me too"
[09:28:50] --- sra has joined
[09:29:28] <marka-isc> marka: option not to serve zone w/ * NS
[09:30:08] <suz> Steve Crocker asks if there's a guideline document anywhere of what constitutes a well-formed zone
[09:30:11] <marka-isc> Steve Crocker: is there a spec to define a good zone. Can it be tightened.
[09:31:44] --- robertml has left: Disconnected
[09:32:30] <suz> discussion (Ed, SRA, Peter Koch): no, not really. Somewhat implementation dependent
[09:33:47] <marka-isc> Wes: If we allow something to be used w/o a failure it will be used
[09:34:09] --- Narten has joined
[09:34:29] <marka-isc> * NS will have unintended consequences when used
[09:34:51] <suz> Ed: this is not necessarily bad, even if weird/unusual
[09:35:25] --- sleinen has joined
[09:35:41] --- fenton has joined
[09:36:16] <suz> Bill Manning: I used to use * NS, and then a particular implementor stopped supporting it. I want it back. I also want it defined somehow-- bad or OK?
[09:36:25] --- mguod has joined
[09:36:31] --- ms has joined
[09:38:11] <marka-isc> Steve Crocker: Conservative zone checkers
[09:39:34] <suz> discussion of this as suggested work item for DNSEXT? : define a basic, conservative, non-implementation-specific zone-- interoperability issue therefore may be unwise to leave entirely to implementors
[09:40:41] --- RussMundy has joined
[09:40:43] <sra> um, we already have interoperability issues with different implementations having different rules for "this zone is too broken to load", and i don't really see how to avoid it. not specific to this wildcard wackiness.
[09:40:43] <sra> (wireless hnorked again)
[09:40:56] <marka-isc> to mailing list
[09:41:12] <sra> ed gets gold asterisk
[09:41:42] <ben> only matches gold QNAMES
[09:41:47] <marka-isc> SHA1 and DNS
[09:42:27] <marka-isc> Attack on SHA1 + Hysteria
[09:42:54] <marka-isc> SHA1 designed to have a work factor of 2^80
[09:43:37] <marka-isc> attack -> 2^69
[09:43:37] <marka-isc> Unknown if it works on structured data?
[09:43:41] --- johani has left: Logged out
[09:43:42] <marka-isc> HMAC is resistant to attack
[09:44:10] <matt> is the speaker using the microphone?
[09:44:16] <marka-isc> Used in two places: RRSIG, DS and soon TSIG
[09:44:18] <ben> yes
[09:44:28] <matt> audio quality has gone to hell
[09:44:29] <ben> that's three places, mark
[09:44:29] <matt> bummer
[09:44:31] <sra> lapel mike
[09:44:36] <sra> having trouble hearing i take it?
[09:44:41] <matt> yes, barely audible
[09:44:46] <matt> but has been great up until now
[09:44:56] <sra> any better?
[09:44:58] <matt> no
[09:45:08] <ggm> the IETF selected too high a compression btw.
[09:45:11] <rip-l> Yep...remote audio now requires volume set to 11...
[09:45:14] <sra> might work better if microphone turned on
[09:45:14] <weiler> his mike was off
[09:45:18] <marka-isc> RRSIG has a simple sha1 digest. Digest covers some random data
[09:45:18] <ggm> ears boil off
[09:45:23] <weiler> :)
[09:45:33] <matt> I take it it's loud in there?
[09:45:39] <marka-isc> Limited lifetime for coverage.
[09:45:40] <sra> now it is
[09:45:41] <rip-l> There's the mike.
[09:45:49] --- suresh has joined
[09:45:53] <sra> olafur is loud enough that one does not really need mike to hear him in room :)
[09:45:53] <ggm> -some guys in bne who did the APNIC stuff said it was about 2x too much compressed. too much noise.
[09:45:59] <matt> now it's better--thanks
[09:46:00] <marka-isc> rate risk low
[09:46:30] <marka-isc> TSIG is similar extremely low risk
[09:46:39] --- liman has joined
[09:47:30] <marka-isc> DS
[09:47:30] <marka-isc> Long lived. no hmac. some structure.
[09:47:30] <marka-isc> Attacker has to generate keys
[09:47:52] <marka-isc> risk low - medium
[09:48:02] --- mstjohns has joined
[09:48:15] <marka-isc> proposal
[09:49:06] <marka-isc> DS plan to add a new digest
[09:49:43] <marka-isc> RRSIG wait and see
[09:50:12] --- lixia has left
[09:50:15] <marka-isc> TSIG proceed with plans
[09:51:00] <marka-isc> DNSSEC Key rollover IPR
[09:51:23] <marka-isc> Claim filed 2005/Feb/6
[09:51:57] <suz> Sam Weiler: (re: SHA-1 discussion) draft to mailing list earlier this week on hash algorithm rollover issues, please read
[09:53:04] <weiler> thank you. http://www.ietf.org/internet-drafts/draft-weiler-dnsext-dnssec-bis-updates-00.txt Also let me know what else should be there, what's unclear, what's wrong, how to better structure the doc, etc.
[09:53:44] --- Hollenbeck has left
[09:54:19] --- robertml has joined
[09:54:28] <marka-isc> Mike St Johns worried about publicity requirement w/ licence
[09:54:34] --- matt has left: Replaced by new connection
[09:54:35] <weiler> MSJ: this differs from other licenses offered in most IPR disclosures -- last sentence is unusual (re: publicity)
[09:54:51] <weiler> msj thinks many implementers will have issues with that.
[09:55:30] --- matt has joined
[09:56:33] <ben> it is pointed out that the licence says "using" not "implementing", so end-users would be referenceable in publicity
[09:57:31] <weiler> Hummmm. Many of our vendors don't track users.
[09:57:39] --- lixia has joined
[09:57:56] <ben> its an unreasonable requirement, IMO
[09:58:25] <suz> certainly a potential problem for open source :)
[09:58:47] <ben> heh, also a good point
[09:59:30] --- ms has left: Lost connection
[09:59:30] --- mguod has left: Lost connection
[09:59:30] --- fenton has left: Lost connection
[09:59:30] --- sleinen has left: Lost connection
[09:59:30] --- RussMundy has left: Lost connection
[09:59:30] --- mstjohns has left: Lost connection
[09:59:30] --- suresh has left: Lost connection
[10:00:28] <marka-isc> moving on to DNSSEC denial of existence
[10:00:47] <marka-isc> requirements to be rolled
[10:01:31] <rip-l> Ben or anyone...I do have an I-D draft that has the slideware in it...if anyone wants to look at it. http://www.flagon.com/dnssec/
[10:02:07] <ben> dang it - a bit late, but thanks
[10:03:28] <marka-isc> Sam: what sub set exists in the real world.
[10:03:42] <marka-isc> Ben: next rev covers
[10:04:12] <marka-isc> dns-name-p-s
[10:04:41] <marka-isc> discusses how to find predecessor / successor
[10:05:38] --- mstjohns has joined
[10:05:42] <marka-isc> With same assumptions about zone content much simpler
[10:06:20] --- RussMundy has joined
[10:06:33] <marka-isc> plan to be treated as informational wg doc
[10:06:58] <marka-isc> epsilon draft
[10:07:20] <marka-isc> Use nsec record that cover less of the zone.
[10:07:37] <marka-isc> minor relaxation of requirements
[10:09:00] <marka-isc> negative answer generated on the fly
[10:09:44] --- ogud has joined
[10:09:45] <sra> what i yelled (without mike): sam's talking about the case where one needs to send an nsec asserting that no rrsets exist at a particular qname
[10:09:55] <marka-isc> note don't need perfect epsilon function
[10:11:42] <marka-isc> explicitly relax to allow NSEC w/ only NSEC and RRSIG at validation time.
[10:11:51] --- jishac has joined
[10:12:01] --- sleinen has joined
[10:12:12] --- jaap has joined
[10:13:02] <marka-isc> WG last call w/ minor changes as wg doc (-00)
[10:13:32] <sra> explicit relaxation: the non-issue that refuses to die, or, more precisely, that is still wandering the night in ghostly torment
[10:14:24] --- mstjohns has left
[10:15:22] --- ms has joined
[10:15:31] <marka-isc> NSEC3
[10:16:54] <marka-isc> NSEC2 and NSEC3 merged into new NSEC3
[10:17:08] <sra> exist rr => nsec3 rrs was a definite improvement (imo)
[10:17:25] <marka-isc> Empty NSEC3 record for exist
[10:17:27] --- mstjohns has joined
[10:19:24] --- ogud has left: Replaced by new connection
[10:19:26] --- ogud has joined
[10:19:26] --- ogud has left
[10:19:35] <marka-isc> HASH can't be rolled easily
[10:20:27] --- ogud has joined
[10:21:58] <sra> in unlikely event that hash collides, one has an expensive re-signing operation after changing salt
[10:22:08] --- ogud has left: Replaced by new connection
[10:22:11] --- yone has joined
[10:22:11] --- ogud has joined
[10:22:13] --- ogud has left
[10:22:28] --- ogud has joined
[10:22:48] <weiler> Mark: are you sure you intended to write "HASH can't be rolled easily"?
[10:23:25] <sra> although i guess if one really worries about this one can incrementally sign hash with multiple salts in advance to facilitate fast "salt roll"
[10:24:35] <weiler> good point. excellent point. It means keeping both chains (both sets of RRSIGs) up to date, but that's just a x2 increase in steady-state load.
[10:24:45] --- sleinen has left: Disconnected
[10:25:39] <weiler> crocker: "Hash tables of yore"?
[10:25:44] <ggm> George heckles: DNS people are not cryptographers. please stop pretending you understand the math. Ben Laurie is excused this heckle
[10:25:54] <sra> constant factor n where n is how many alternate salts, yeah
[10:25:57] <ggm> (and maybe one or two others I don't know)
[10:26:14] <suz> Ben isn't the only one, but it's a short list AFAIK
[10:26:39] <weiler> Crocker understands the math behind the collisions. He can even explain it.
[10:26:56] <weiler> And derive the functions. On the fly. Without prep time.
[10:26:57] --- raj has joined
[10:27:10] --- Margaret has left
[10:27:28] <ggm> right. thats the point: crocker is frustrated at how silly this discussion is.
[10:27:30] --- raj has left: Disconnected
[10:27:50] <ggm> russ also I suspect
[10:28:21] --- dblacka has left: Disconnected
[10:28:27] --- raj has joined
[10:28:59] --- dblacka has joined
[10:29:00] --- matt has left: Replaced by new connection
[10:29:06] --- raj has left: Disconnected
[10:30:40] --- eludom has joined
[10:31:07] --- lixia has left
[10:31:18] --- robertml has left: Disconnected
[10:31:45] <weiler> Although I initially raised the hash collision point in San Diego, I'd like to point out that I've quit beating that non-existing horse. I've beaten on some of the wording in the doc that I find unclear, but I'm willing to let the doc go without dealing w/ collisions.
[10:33:11] <ben> we need to mention collisions because of truncation, I suspect, but apart from that, yes
[10:33:35] <weiler> yes, indeed.
[10:33:50] <sra> mark is now talking about using only hash as owner name (ie, hash looks like pseudo-tld) with zone name in rdata. chairs calling this "nsec4" to have something to call it.
[10:34:20] * sra personal opinion this will never fly at layer 9 even if this wg thinks this proposal is greatest thing since sliced bread
[10:34:21] <ben> (i.e. this is the same as NSEC3, apart from ownername)
[10:34:28] <weiler> And it's really twisted.
[10:34:52] <sra> we are so many layers deep in kludges upon kludges at this point that i don't even notice "really twisted" anymore
[10:36:11] --- fenton has joined
[10:36:17] <ggm> its only the DNS. don't worry
[10:36:41] --- matt has joined
[10:36:43] <sra> publish as "worst current practice" series document
[10:36:46] <matt> let's see a draft
[10:36:48] --- raj has joined
[10:36:51] <suz> it's not really in the root zone so it's OK? I don't think so.
[10:36:54] <mstjohns> isn't "hash" defined as "really twisted"?
[10:36:58] --- sleinen has joined
[10:37:00] --- raj has left: Disconnected
[10:37:03] <ben> suz: ye of little faith
[10:37:07] <weiler> Does that mean I should document the DS name hack, too? http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01663.html
[10:37:16] <suz> oh no....not again.....
[10:37:36] <RussMundy> Bert finally has his own draft
[10:37:46] <suz> and his own RR I think.
[10:37:47] --- eludom has left: Logged out
[10:37:47] --- eludom has joined
[10:37:47] --- eludom has left: Logged out
[10:38:03] --- johani has joined
[10:38:18] --- raj has joined
[10:38:28] <weiler> or, more correctly, http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01901.html
[10:38:35] --- mstjohns has left: Replaced by new connection
[10:38:35] --- mstjohns has joined
[10:38:35] --- mstjohns has left
[10:38:44] --- mstjohns has joined
[10:39:05] --- eludom has joined
[10:39:29] <sra> this is really a pseudo-rr, right?
[10:39:42] <weiler> what's the difference?
[10:39:42] --- suresh has joined
[10:39:49] <sra> doesn't appear in zones
[10:39:56] <weiler> My cache thinks it's an RR...
[10:39:56] <suz> cf OPT
[10:40:04] <sra> or zone transfers
[10:40:16] <sra> oh goodie a new hybrid
[10:40:33] <mstjohns> only until we fix your cache...
[10:40:41] --- ogud has left: Replaced by new connection
[10:40:41] --- ogud has joined
[10:40:42] --- ogud has left
[10:40:44] <sra> no wait your cache probably thinks it's a wrapper for ncache data
[10:40:47] --- ogud has joined
[10:40:50] <sra> which has always been weird
[10:40:52] <suz> all your caches are belong to us....or BERT
[10:40:59] <sra> and this actually cleans it up a bit doesn't it?
[10:41:09] <mstjohns> Rob - have you had your morning caffeine yet?
[10:41:20] <sra> yes but perhaps it didn't work
[10:41:26] <mstjohns> or has worn off
[10:41:32] <sra> aye
[10:41:49] <mstjohns> me hearties
[10:41:51] <weiler> Ed wants a workshop to do denial of existence.
[10:42:22] <weiler> he wants multiple implementations before proposed standard.
[10:42:46] <ben> isn't that a requirement anyway?
[10:42:58] <weiler> or perhaps it wasn't straight coffee: Cafe Correcto.
[10:43:23] <weiler> It is for Draft Std. (2nd level), not PS (1st level)
[10:43:29] --- lixia has joined
[10:43:37] <suz> I think the req is for draft standard: to advance it has to have multiple interoperable implementations
[10:44:05] --- ogud has left: Replaced by new connection
[10:44:06] --- ogud has joined
[10:44:06] --- ogud has left
[10:44:24] <ben> ah, my mistake
[10:45:10] <suz> David Blacka: defining a sandbox for non-backwards-compatible DNSSEC experiments in public.
[10:45:43] <suz> agenda says draft is http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-experiments-00.txt
[10:47:40] --- Narten has left
[10:47:52] <sra> "coffee does not make you nervous. your own inadaquacies make you nervous. coffee just makes you more aware of your own inadaquacies."
[10:48:20] <suz> essential idea: uses algorithm field to force experiment-specific evaluation, can be ignored by non-participating servers/resolvers
[10:49:09] --- eludom has left: Disconnected
[10:49:54] --- weiler has left
[10:50:38] --- weiler has joined
[10:51:31] --- fenton has left: Replaced by new connection
[10:51:32] --- fenton has joined
[10:51:32] --- fenton has left
[10:51:52] --- amarine has joined
[10:56:25] --- ogud has joined
[10:57:50] --- liman has left
[11:00:56] --- dblacka has left: Replaced by new connection
[11:03:41] --- matt has left: Replaced by new connection
[11:04:11] --- matt has joined
[11:09:46] --- jishac has left: Disconnected
[11:11:49] --- yone has left
[11:11:50] --- weiler has left
[11:11:53] --- mstjohns has left
[11:12:00] --- suresh has left
[11:12:35] --- matt has left: Logged out
[11:13:13] --- nevil has left
[11:13:22] --- suz has left
[11:13:55] --- sra has left
[11:14:20] --- johani has left: Logged out
[11:15:28] --- marka-isc has left
[11:18:21] --- jaap has left
[11:20:09] --- ogud has left: Disconnected
[11:21:55] --- ben has left: Disconnected
[11:23:23] --- lixia has left
[11:30:00] --- amarine has left
[11:34:03] --- ggm has left
[11:34:15] --- ms has left: Lost connection
[11:34:15] --- RussMundy has left: Lost connection
[11:48:46] --- ogud has joined
[12:23:04] --- LOGGING STARTED
[12:39:26] --- Hollenbeck has joined
[12:39:29] --- Hollenbeck has left
[13:06:33] --- ogud has joined
[13:13:06] --- robertml has joined
[13:13:22] --- robertml has left
[13:57:43] --- ms has joined
[14:05:14] --- geoff has joined
[14:05:27] --- geoff has left
[16:40:20] --- ogud has left: Disconnected
[16:40:20] --- ms has left: Lost connection
[19:32:48] --- ogud has joined
[19:38:10] --- ogud has left
[20:52:02] --- suresh has joined
[20:52:10] --- suresh has left
[20:53:41] --- suresh has joined
[20:53:47] --- suresh has left