[08:56:12] <weiler> good morning
[08:58:36] <marka-isc> wildcard first up. design meeting the other day
[08:59:17] <marka-isc> identify choices that can be made. No decisions were made.
[09:00:19] <marka-isc> going through published agenda
[09:00:48] <weiler> it sounds like LLMNR may be pushed to even later in session, since Bernard is available then.
[09:01:06] <marka-isc> wcard-clarify
[09:01:19] <marka-isc> Ed speaking
[09:01:51] <marka-isc> -05 current
[09:02:53] <marka-isc> has title change, added dnssec considerations, more special types to handle
[09:03:14] <marka-isc> clears up definition of "wildcard"
[09:03:47] <marka-isc> defines "asterisk label", "wildcard domain name",
[09:04:16] <marka-isc> "closest encloser" and "source of synthesis"
[09:04:40] <marka-isc> cleans up 1034 text
[09:04:46] <marka-isc> changes to "* CNAME"
[09:05:42] <marka-isc> New rules for NS and DNAME in 06. Don't synthesize.
[09:06:08] <marka-isc> If not synth, don't do wildcard signing.
[09:06:36] <marka-isc> in these cases
[09:06:58] <marka-isc> * NS is treated as a normal delegation.
[09:07:46] <marka-isc> Synthesis is cancelled at the zone boundary
[09:09:00] <marka-isc> rsa asked how signed failed
[09:09:28] <suz> that was sra :) asks what's the problem with signing
[09:11:43] <marka-isc> queries for a.example/ns didn't return delegation
[09:12:10] <marka-isc> and dnssec proofs were wrong
[09:13:04] <narten> which ID is being discussed?
[09:13:14] <suz> wcard-clarify
[09:13:39] <marka-isc> discussions from monday
[09:13:46] <suz> SRA and Liman have asked clarifying questions about parsing arguably pathological input
[09:16:44] <marka-isc> text to describe this coming
[09:18:52] <marka-isc> add "AND NOT A NS NOR A DNAME" to be added to 1034 text
[09:18:52] <marka-isc> Discussion about "* DNAME"
[09:19:49] <marka-isc> "* DNAME" causes inconsistent answers from the cache and auth servers
[09:20:01] <marka-isc> Signing
[09:22:12] <marka-isc> Wildcard labels field doesn't normally count wildcard. Explicitly state that the label count will match when wildcard expansion is disabled
[09:22:12] <marka-isc> (dnssec editors want to kill ed)
[09:22:12] <marka-isc> Discussion on SRV
[09:23:24] <marka-isc> Mixes use and protocol
[09:26:39] <marka-isc> sra: bunch of garbage handling here
[09:26:59] <marka-isc> nameservers should raise a warning
[09:28:26] <marka-isc> david conrad
[09:28:26] <marka-isc> treat "* NS" as garbage input
[09:28:26] <marka-isc> marka says "me too"
[09:29:28] <marka-isc> marka: option not to serve zone w/ * NS
[09:30:08] <suz> Steve Crocker asks if there's a guideline document anywhere of what constitutes a well-formed zone
[09:30:11] <marka-isc> Steve Crocker: is there a spec to define a good zone? Can it be tightened?
[09:32:30] <suz> discussion (Ed, SRA, Peter Koch): no, not really. Somewhat implementation dependent
[09:33:47] <marka-isc> Wes: If we allow something to be used w/o a failure it will be used
[09:34:29] <marka-isc> * NS will have unintended consequences when used
[09:34:51] <suz> Ed: this is not necessarily bad, even if weird/unusual
[09:36:16] <suz> Bill Manning: I used to use * NS, and then a particular implementor stopped supporting it. I want it back. I also want it defined somehow-- bad or OK?
[09:38:11] <marka-isc> Steve Crocker: Conservative zone checkers
[09:39:34] <suz> discussion of this as suggested work item for DNSEXT? : define a basic, conservative, non-implementation-specific zone-- interoperability issue therefore may be unwise to leave entirely to implementors
[09:40:43] <sra> um, we already have interoperability issues with different implementations having different rules for "this zone is too broken to load", and i don't really see how to avoid it. not specific to this wildcard wackiness.
[09:40:43] <sra> (wireless hnorked again)
[09:40:56] <marka-isc> to mailing list
[09:41:12] <sra> ed gets gold asterisk
[09:41:47] <marka-isc> SHA1 and DNS
[09:42:27] <marka-isc> Attack on SHA1 + hysteria
[09:42:54] <marka-isc> SHA1 designed to have a work factor of 2^80
[09:43:37] <marka-isc> attack -> 2^69
[09:43:37] <marka-isc> Unknown if it works on structured data?
[09:43:42] <marka-isc> HMAC is resistant to attack
[09:44:16] <marka-isc> Used in two places: RRSIG, DS and soon TSIG
[09:45:18] <marka-isc> RRSIG has a simple sha1 digest. Digest covers some random data
[09:45:18] <ggm> ears boil off
[09:45:53] <sra> olafur is loud enough that one does not really need mike to hear him in room :)
[09:45:53] <ggm> -some guys in bne who did the APNIC stuff said it was about 2x too much compressed. too much noise.
[09:46:00] <marka-isc> rate risk low
[09:46:30] <marka-isc> TSIG is similar extremely low risk
[09:47:30] <marka-isc> DS
[09:47:30] <marka-isc> Long lived. no hmac. some structure.
[09:47:30] <marka-isc> Attacker has to generate keys
[09:47:52] <marka-isc> risk low - medium
[09:48:15] <marka-isc> proposal
[09:49:06] <marka-isc> DS plan to add a new digest
[09:49:43] <marka-isc> RRSIG wait and see
[09:50:15] <marka-isc> TSIG proceed with plans
[09:51:00] <marka-isc> DNSSEC Key rollover IPR
[09:51:23] <marka-isc> Claim filed 2005/Feb/6
[09:51:57] <suz> Sam Weiler: (re: SHA-1 discussion) draft to mailing list earlier this week on hash algorithm rollover issues, please read
[09:53:04] <weiler> thank you. http://www.ietf.org/internet-drafts/draft-weiler-dnsext-dnssec-bis-updates-00.txt Also let me know what else should be there, what's unclear, what's wrong, how to better structure the doc, etc.
[09:54:28] <marka-isc> Mike St Johns worried about publicity requirement w/ licence
[09:54:35] <weiler> MSJ: this differs from other licenses offered in most IPR disclosures -- last sentence is unusual (re: publicity)
[09:54:51] <weiler> msj thinks many implementers will have issues with that.
[09:56:33] <ben> it is pointed out that the licence says "using" not "implementing", so end-users would be referenceable in publicity
[09:57:31] <weiler> Hummmm. Many of our vendors don't track users.
[09:57:56] <ben> it's an unreasonable requirement, IMO
[09:58:25] <suz> certainly a potential problem for open source :)
[09:58:47] <ben> heh, also a good point
[10:00:28] <marka-isc> moving on to DNSSEC denial of existence
[10:00:47] <marka-isc> requirements to be rolled
[10:01:31] <rip-l> Ben or anyone...I do have an I-D draft that has the slideware in it...if anyone wants to look at it. http://www.flagon.com/dnssec/
[10:02:07] <ben> dang it - a bit late, but thanks
[10:03:28] <marka-isc> Sam: what sub set exists in the real world.
[10:03:42] <marka-isc> Ben: next rev covers
[10:04:12] <marka-isc> dns-name-p-s
[10:04:41] <marka-isc> discusses how to find predecessor / successor
[10:05:42] <marka-isc> With same assumptions about zone content much simpler
[10:06:33] <marka-isc> plan to be treated as informational wg doc
[10:06:58] <marka-isc> epsilon draft
[10:07:20] <marka-isc> Use nsec record that cover less of the zone.
[10:07:37] <marka-isc> minor relaxation of requirements
[10:09:00] <marka-isc> negative answer generated on the fly
[10:09:44] --- ogud has joined
[10:09:45] <sra> what i yelled (without mike): sam's talking about the case where one needs to send an nsec asserting that no rrsets exist at a particular qname
[10:09:55] <marka-isc> note don't need perfect epsilon funct
[10:11:42] <marka-isc> explicitly relax to allow NSEC w/ only NSEC and RRSIG at validation time.
[10:12:01] --- sleinen has joined
[10:13:02] <marka-isc> WG last call w/ minor changes as wg doc (-00)
[10:13:32] <sra> explicit relaxation: the non-issue that refuses to die, or, more precisely, that is still wandering the night in ghostly torment
[10:15:22] --- ms has joined
[10:15:31] <marka-isc> NSEC3
[10:16:54] <marka-isc> NSEC2 and NSEC3 merged into new NSEC3
[10:17:08] <sra> exist rr => nsec3 rrs was a definite improvement (imo)
[10:17:25] <marka-isc> Empty NSEC3 record for exist
[10:19:35] <marka-isc> HASH can't be rolled easily
[10:21:58] <sra> in unlikely event that hash collides, one has an expensive re-signing operation after changing salt
[10:22:48] <weiler> Mark: are you sure you intended to write "HASH can't be rolled easily"?
[10:23:25] <sra> although i guess if one really worries about this one can incrementally sign hash with multiple salts in advance to facilitate fast "salt roll"
[10:24:35] <weiler> good point. excellent point. It means keeping both chains (both sets of RRSIGs) up to date, but that's just a x2 increase in steady-state load.
[10:25:39] <weiler> crocker: "Hash tables of yore"?
[10:25:44] <ggm> George heckles: DNS people are not cryptographers. please stop pretending you understand the math. Ben Laurie is excused this heckle
[10:25:54] <sra> constant factor n where n is how many alternate salts, yeah
[10:25:57] <ggm> (and maybe one or two others I don't know)
[10:26:14] <suz> Ben isn't the only one, but it's a short list AFAIK
[10:26:39] <weiler> Crocker understands the math behind the collisions. He can even explain it.
[10:26:56] <weiler> And derive the functions. On the fly. Without prep time.
[10:27:28] <ggm> right. that's the point: crocker is frustrated at how silly this discussion is.
[10:27:50] <ggm> russ also I suspect
[10:31:07] --- lixia has left
[10:31:45] <weiler> Although I initially raised the hash collision point in San Diego, I'd like to point out that I've quit beating that non-existing horse. I've beaten on some of the wording in the doc that I find unclear, but I'm willing to let the doc go without dealing w/ collisions.
[10:33:11] <ben> we need to mention collisions because of truncation, I suspect, but apart from that, yes
[10:33:35] <weiler> yes, indeed.
[10:33:50] <sra> mark is now talking about using only hash as owner name (ie, hash looks like pseudo-tld) with zone name in rdata. chairs calling this "nsec4" to have something to call it.
[10:34:20] * sra personal opinion this will never fly at layer 9 even if this wg thinks this proposal is greatest thing since sliced bread
[10:34:21] <ben> (i.e. this is the same as NSEC3, apart from ownername)
[10:34:28] <weiler> And it's really twisted.
[10:34:52] <sra> we are so many layers deep in kludges upon kludges at this point that i don't even notice "really twisted" anymore
[10:36:17] <ggm> it's only the DNS. don't worry
[10:36:43] <sra> publish as "worst current practice" series document
[10:36:46] <matt> let's see a draft
[10:36:51] <suz> it's not really in the root zone so it's OK? I don't think so.
[10:36:54] <mstjohns> isn't "hash" defined as "really twisted"?
[10:37:03] <ben> suz: ye of little faith
[10:37:07] <weiler> Does that mean I should document the DS name hack, too? http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01663.html
[10:37:16] <suz> oh no....not again.....
[10:37:36] <RussMundy> Bert finally has his own draft
[10:37:46] <suz> and his own RR I think.
[10:38:18] --- raj has joined
[10:38:28] <weiler> or, more correctly, http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01901.html
[10:39:29] <sra> this is really a pseudo-rr, right?
[10:39:42] <weiler> what's the difference?
[10:39:49] <sra> doesn't appear in zones
[10:39:56] <weiler> My cache thinks it's an RR...
[10:39:56] <suz> cf OPT
[10:40:04] <sra> or zone transfers
[10:40:16] <sra> oh goodie a new hybrid
[10:40:33] <mstjohns> only until we fix your cache...
[10:40:47] --- ogud has joined
[10:40:50] <sra> which has always been weird
[10:40:59] <sra> and this actually cleans it up a bit doesn't it?
[10:41:09] <mstjohns> Rob - have you had your morning caffeine yet?
[10:41:20] <sra> yes but perhaps it didn't work
[10:41:26] <mstjohns> or has worn off
[10:41:32] <sra> aye
[10:41:51] <weiler> Ed wants a workshop to do denial of existence.
[10:42:22] <weiler> he wants multiple implementations before proposed standard.
[10:42:46] <ben> isn't that a requirement anyway?
[10:43:23] <weiler> It is for Draft Std. (2nd level), not PS (1st level)
[10:43:37] <suz> I think the req is for draft standard: to advance it has to have multiple interoperable implementations
[10:45:10] <suz> David Blacka: defining a sandbox for non-backwards-compatible DNSSEC experiments in public.
[10:45:43] <suz> agenda says draft is http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-experiments-00.txt
[10:48:20] <suz> essential idea: uses algorithm field to force experiment-specific evaluation, can be ignored by non-participating servers/resolvers
[10:49:54] --- weiler has left
[10:50:38] --- weiler has joined
[11:03:41] --- matt has left: Replaced by new connection
[11:04:11] --- matt has joined
