[12:53:36] <ogud> All slides and agenda slides have been posted to website https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66
[12:53:47] <shigeya> Great! thanks
[12:54:57] <Olaf (co-chair)> Anybody on the audio channel?
[12:55:04] <sk> yep
[12:56:03] <shigeya> yes, I'm on.
[12:56:07] <wouter> yep. Nothing to hear I think?
[12:56:08] <Olaf (co-chair)> The audio is audible?
[12:56:12] <shigeya> yes.
[12:56:17] <shigeya> some music
[12:56:53] <wouter> Soun is very faint...
[12:57:05] <Jelte> Hi
[12:57:33] <robertml> olaf: do a voice sound check ?
[12:57:49] <shigeya> good.. very good.
[12:57:55] <wouter> That is very good.
[12:58:31] <shigeya> Actually easier to listen to be on audiocast than at the room, I believe..
[12:58:46] <robertml> as long as it works.
[12:58:52] <shigeya> ;)
[12:59:04] <robertml> 1200 engineers and high tech solutions still doesnt work.
[12:59:29] <marcos.sanz> That is because of the psychological pressure
[12:59:38] <marcos.sanz> that everything has to work perfectly
[12:59:57] <wouter> well the DNS is working perfectly for the audio.
[13:00:04] <robertml> marcos: I bet you could set it all up, single man, and run it for a week with no problems.
[13:02:18] <robertml> Jabber room is here.
[13:02:28] <robertml> How many here are remote participants?
[13:02:50] <shigeya> I'm remote..
[13:03:06] <robertml> comments on previous minutes?
[13:03:32] <robertml> Agenda says: Document status
[13:03:35] <robertml> NSEC3 status
[13:03:43] <robertml> Automated Trust Anchor mgmt
[13:03:47] <robertml> Other Topics.
[13:03:51] <robertml> Milestones.
[13:04:14] <robertml> Marcos Sanz does the minutes, Robert Martin-Legene (me) is jabber scribe.
[13:04:24] <robertml> DNAME will be discussed during Other Topics.
[13:04:33] <robertml> Documents Advanced:
[13:04:53] <robertml> Got 4 documents published
[13:04:58] <robertml> CERT RR bus : rfc4389
[13:05:05] <robertml> epsilon: rfc4470
[13:05:09] <robertml> DS SHA-256 RFC4509
[13:05:33] <robertml> hmm and more.. will pop up from the rfc-ed during the next month.
[13:05:38] <robertml> NSID at last call.
[13:05:51] <robertml> LLMNR discussed at IESG.
[13:06:34] <robertml> DNSSEC Experiments and opt-in is advanced and maybe (or not) ready for LC
[13:07:10] <Olaf (co-chair)> (NSID is at IETF WGLC, to be precise)
[13:07:13] <robertml> Last call completed waiting for chair: DSA Keying and Signature information in the DNS - Needs more reviewers to say they read it.
[13:07:24] <robertml> ok, slides go fast here.
[13:07:41] <robertml> Suggest you get your own copy at https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 also
[13:07:58] <robertml> dnssec-trans-04 almost in LC
[13:08:32] <robertml> We need reviewers for documents.
[13:08:49] <robertml> DNSSEC implementers ned to look at dnssec-bis-update-03
[13:09:20] <robertml> 2929bis-03 is pretty much done.
[13:09:42] <robertml> nsec3-06 is ongoing. Interest in having the work completed this year.
[13:10:00] <robertml> Holding state: rsasha256, ecc-key-09
[13:10:43] <robertml> for ecc it needs to be a little bit simplified.
[13:10:49] <Peter Koch> trans-04 _is_ in WGLC
[13:10:54] <robertml> NSEC3 status and issues.
[13:11:11] <robertml> David Blacka.
[13:11:35] <robertml> Explains what nsec3 does.
[13:11:41] <robertml> (hinders enumeration)
[13:11:47] <robertml> (opt-in)
[13:11:58] <robertml> What's going on?
[13:12:04] <robertml> Workshop in Frankfurt in May.
[13:12:10] <robertml> Draft now at v -06
[13:12:21] <robertml> Side meeting this Monday.
[13:12:31] <robertml> Upcoming workshop. Date undetermined.
[13:12:36] <robertml> In Frankfurt:
[13:12:45] <robertml> Interoperability testing, discussion
[13:12:51] <robertml> Testing, signing, serving, validation
[13:12:56] <robertml> No major issues found.
[13:13:01] <robertml> But didn't test everything.
[13:13:10] <robertml> Created a semi-perminent test environment.
[13:13:13] <geoff> http://www.nsec3.org/
[13:13:19] <robertml> Notes from the workshop is at www.nsec3.org
[13:14:13] <robertml> Tests still needs to be done: nsec to nsec3 rollover and vice versa signaling mechanisms traversing down various combinations of nsec, nsec3 with and without optin/out
[13:14:24] <robertml> Recent doc changes:
[13:14:32] <robertml> mostly editorial
[13:14:41] <robertml> Added hash length field to RDATA
[13:14:48] <robertml> new sections on signaling and dynupdates
[13:15:05] <robertml> new text on how to handle unknown nsec3 hash algos
[13:16:03] <Olaf (co-chair)> (For slideware see: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 )
[13:16:26] <robertml> in -06 all nsec3 responses must use the same parameters.
[13:17:00] <robertml> validators are complicated to do if they need to handle various parameters.
[13:17:12] <wouter> The NSEC3 in one response must use the same params. (not: all responses the same nsec3 parsm, nsec3 rollovers?)
[13:17:19] <robertml> still needs text on how to move from nsec to nsec3
[13:17:49] <robertml> wouter: Is that a question for the mike?
[13:17:59] <wouter> Hmm. Not now :-)
[13:18:09] <robertml> k, say when, prepend with "mike: "
[13:18:14] <wouter> k
[13:18:14] <robertml> please
[13:18:26] <ben> wouter: the answer is they must be the same in a single response
[13:18:29] <ben> not all responses
[13:18:29] <robertml> signaling issue:
[13:18:47] <ben> the I-D is clear on this, I hope :-)
[13:19:06] <robertml> Legacy DNSSEC aware resolvers (nsec3 unaware) should treat a nsec3 signed zone as insecure.
[13:19:07] <Jelte> wasnt that in a single chain?
[13:20:00] <ben> all NSEC3s in a response must come from the same chain
[13:20:03] <robertml> Iterations upper bound issue:
[13:20:17] <wouter> ben: yes that was what I had understood from the document as well.
[13:20:27] <robertml> a high iteration count can look like a DOS
[13:21:32] <robertml> and I dont' know what he's saying now.. :-P
[13:21:57] <Jelte> choosing an upper bound was based on the time it takes to sign
[13:22:00] <ben> he said that we made the time taken to do the max iterations roughly equal to the time to sign
[13:22:01] <robertml> Must learn klingon.
[13:22:32] <robertml> issue: queries for nsec3 ownernames.
[13:22:59] <robertml> it's not determined what to return if someone asks for an NSEC3 RR on a name.
[13:23:38] <robertml> http://www.nsec3.org/cgi-bin/trac.cgi/ticket/22
[13:24:01] <robertml> Issue: Signaling complete nsec3 chains.
[13:24:05] <ben> for information, the current I-D says treat NSEC3s as if they don't exist
[13:24:23] <robertml> How does an auth zone know what are the parameters?
[13:24:25] <robertml> http://www.nsec3.org/cgi-bin/trac.cgi/ticket/38
[13:24:49] <robertml> it'll be much better with a way to signal this.
[13:25:13] <geoff> Note: inefficiency especially apparent when using large zone with RDBMS back end.
[13:25:17] <robertml> inzone seems to make sense.
[13:25:47] <robertml> Most people prefer a solution of signaling somehow with an RR at the zone apex.
[13:26:10] <robertml> Issue: Seperating nsec3 algos from DS algos.
[13:26:32] <robertml> Maybe you don't want the same algos.
[13:27:00] <robertml> Some algorithms might need tweaking to fit into nsec3.
[13:27:09] <robertml> (because of lengths of hash)
[13:27:19] <robertml> Questions?
[13:27:34] <robertml> Paul Angus?
[13:27:43] <ben> Paul Wouters
[13:27:49] <robertml> haha, ok,sorry
[13:28:55] <robertml> A question on if nsec3 can verify nonexistence.
[13:29:01] <robertml> and if that response can be abused.
[13:29:34] <robertml> (yes, no)
[13:29:43] <Jelte> that would be something, if it could not verify nonexistence :)
[13:30:30] <robertml> If there are no input on documents, editors will make decissions where things are unclear.
[13:30:38] <robertml> (obviously input is always welcome)
[13:31:14] <robertml> The workshop is not related to IETF directly.
[13:31:31] <robertml> So information about it is done via nsec3.org
[13:31:46] <robertml> -
[13:32:05] <robertml> Olaf: Want progress.
[13:32:14] <robertml> (in general) :)
[13:32:19] <SuzanneW> topic: key rollover
[13:32:24] <SuzanneW> slide with list of draft names
[13:32:33] <wouter> And anchors.
[13:32:45] <robertml> rollover-requirements-02 almost done.
[13:32:46] <SuzanneW> sorry, "automated DNSSEC trust anchor management"
[13:33:05] <robertml> A list of proposals:
[13:33:17] <robertml> trustupdate-treshold, trustupdate-timers
[13:33:24] <robertml> laurie-dnssec-key-distribution
[13:33:35] <robertml> moreau-dnsext-takrem-dns
[13:33:41] <robertml> weiler-dnssec-dlv
[13:33:56] <liman> Are these slides on the net anywhere?
[13:34:02] <robertml> old-signs-new (proposal by Paul Vixie)
[13:34:13] <marcos.sanz> (For slideware see: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 )
[13:34:18] <robertml> (13:16:04) Olaf (co-chair): (For slideware see: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66 )
[13:34:23] <wouter> http://www3.ietf.org/proceedings/06jul/slides/dnsext-4.ppt
[13:34:38] <robertml> Key rollover scope.
[13:35:19] <robertml> This is about replacing trust anhors based on existing trust.
[13:36:40] <robertml> Reviews: the reviews have been very few.
[13:37:05] <robertml> reviews converges towards threshold, timer or threshold-with-modifucations.
[13:37:08] <SuzanneW> many more people are claiming to have read drafts than have sent reviews (guilty)
[13:37:15] <robertml> ;)
[13:38:02] <robertml> Q: if timers seems ready, what are the benefits of refining threwshold further?
[13:39:50] <robertml> Johan Ihren: What is the document(??) status.
[13:39:58] <robertml> IPR status.
[13:40:58] <robertml> Implementors need to make that decission themselves.
[13:41:11] <robertml> (but olafur says there probably is none)
[13:41:41] <SuzanneW> opinion: existing IPR claim is only about SSL
[13:42:25] <robertml> bill manning: diversinet has a iPR claim on timers and threshold.
[13:42:35] <robertml> Patent app was extended to Canada.
[13:42:43] <robertml> EU application was withdrawn.
[13:42:55] <robertml> Also withdrawn in Canada.
[13:43:12] <robertml> Now only applies to Israel.
[13:43:32] <robertml> Bill believes timers is sufficient.
[13:43:53] <robertml> But has operational characteristics which reviewers seems to not have noticed.
[13:45:13] <robertml> Hum upcoming..
[13:45:20] <wouter> many nots, but it may be clear.
[13:45:23] <robertml> "Do we consider DLV?"
[13:45:24] <SuzanneW> as soon as the chair figures out what we're humming about :)
[13:45:27] <sk> is DLV out of scope
[13:45:33] <robertml> Hum for no DLV.
[13:45:48] <SuzanneW> hum for no DLV in this discussion, explicit limitation of scope of hum
[13:45:56] <wouter> audio hums on the no.
[13:46:06] <robertml> sorry for being very imprecise.
[13:46:30] <geoff> I'm not clear whether the hum was against DLV or DLV within the scope of key rollover?
[13:46:51] <robertml> DLV within the scope of key rollovcer
[13:47:00] <geoff> Tx
[13:47:17] <robertml> Rob, ISC: DLV just consolidates a lot of trust anchors
[13:47:33] <wouter> who is this/
[13:47:34] <geoff> (That's what was said but it also was restated several different ways . . .)
[13:47:43] <robertml> Johan Ihren is talking
[13:47:43] <geoff> Joahann
[13:48:46] <robertml> Mike StJohn: DLV has a trust anchor at it's top. The DLV draft doesn't mention how to roll over the DLV trust anchor itself.
[13:49:16] <robertml> (but it can probably use another proposal)
[13:49:23] <robertml> (for rolling)
[13:49:36] <liman> Johan (not two n).
[13:49:50] <robertml> Hum for considering Lauries proposal.
[13:49:58] <robertml> inconclusive
[13:50:14] <robertml> Too few seem to have read it.
[13:51:31] <robertml> Regarding "timers", Mike says trust anchor deletion needs comments.
[13:52:03] <robertml> possibly not possible in either timers or threshold
[13:52:46] <robertml> Mike does a monologue on what "timers" does.
[13:52:54] <robertml> (by request from Olaf)
[13:53:25] <robertml> [i am tired]
[13:55:47] <robertml> Bill dances.
[13:56:07] <robertml> Bill has no problems reaching the mike.
[13:56:53] <robertml> Bill speaks very slow.
[13:57:12] <robertml> [I dont know what he's saying anymore]
[13:58:23] <ben> he's saying if you are offline for long enough, then you lose the ability to update
[13:58:27] <ben> using threshold or timers
[13:58:37] <SuzanneW> comparing timers and threshold, "dependence on time"
[13:58:48] <robertml> Both have the property that both can make a resolver become out of sync.
[13:58:49] <SuzanneW> MSJ notes timing models are not explicit
[13:58:59] <SuzanneW> (in either draft or just threshold?)
[13:59:07] <Olaf (co-chair)> Aug 18 notes ...
[13:59:08] <ben> should I note that mine is (less) vulnerable to this?
[13:59:11] <ben> :-P
[13:59:37] <robertml> ben: at the mike, maybe?
[14:00:06] <robertml> suzanne: in threshold
[14:00:58] <robertml> Rob ISC: prefers timers but both are fine.
[14:01:19] <robertml> (Who's this?)
[14:01:43] <robertml> ??: Thinks timers look best, by gut feeling.
[14:01:53] <sk> wes hardaker
[14:01:59] <robertml> matt larson: read all drafts
[14:02:01] <robertml> sk: thanks
[14:02:23] <robertml> matt: concerned about changing wire protocol if we go for timers ("for the bit")
[14:03:09] <robertml> the bit is a revoke bit.
[14:03:26] <robertml> Olafur thinks its ok with the bit.
[14:03:37] <robertml> Rob: think the bit is a feature.
[14:04:13] <robertml> henry sullivan: timers seem better. threshold seems easy for everyone to understand.
[14:04:45] <robertml> people will get confused by timers.
[14:05:11] <robertml> wes: like timers because of the revoke bit
[14:05:45] <robertml> and explains why.
[14:06:07] <marcos.sanz> wes: Because it is a self-contained solution
[14:06:41] <robertml> weiler: prefers threshold, not timers which makes him uncomfortable.
[14:06:59] <SuzanneW> no passionate opposition to either
[14:07:00] <robertml> olaf doesnt like hunches
[14:07:25] <robertml> Hum for continuing with timers.
[14:07:37] <robertml> Will work on delete feature.
[14:07:39] <robertml> and then LC
[14:08:04] <robertml> comments to mike soon
[14:08:16] <robertml> so it can get into the new draft
[14:09:15] <robertml> mike: will resubmit the document at end of week
[14:09:21] <robertml> need input within 48 hours.
[14:09:36] <robertml> 47
[14:09:47] <Peter Koch> Olaf is happy with the outcome :-)
[14:09:56] <robertml> Olaf dances.
[14:10:01] <SuzanneW> next up: DNAME (Matt Larson)
[14:10:10] <robertml> DNAME by Matt Larson (new topic)
[14:10:14] <robertml> not that new
[14:10:29] <robertml> 2672 bis: rewrite for clarity
[14:10:58] <robertml> has shortcomings and omissions, needs to be clearer
[14:11:07] <robertml> a goal is not dname2
[14:11:22] <robertml> goal is to clarify without chaning proto
[14:12:12] <Peter Koch> Olafur: DNAME has been on charter since 2002
[14:12:17] <robertml> changing*
[14:12:41] <robertml> Create an ID with issues.
[14:12:46] <SuzanneW> clarification, not revision/"DNAME2"
[14:12:49] <robertml> instead of just publishing new doc
[14:13:22] <robertml> issues with 2672 so far:
[14:13:37] <robertml> defer signaling (never discussed)
[14:14:05] <robertml> says edns-aware servers will NOT understand dname
[14:14:26] <robertml> with signalling response to dname capab querier could omit syntesis
[14:14:36] <robertml> (and omit something)
[14:14:57] <SuzanneW> compress rdata and omit CNAME synthesis
[14:15:06] <robertml> compression of RDATA "in future" must be outlawed
[14:15:22] <robertml> suz: thxx
[14:16:22] <robertml> wont copy slides onto jabber.
[14:16:39] <robertml> (see prev link) :)
[14:17:16] <SuzanneW> possible conflict: DNAME RFC and wildcard-clarify. Dismabiguate.
[14:17:26] <SuzanneW> or, failing that, disambiguate.
[14:18:24] <robertml> Rob: the existing RFC doesn't mention resolvers and non-capable caches, just "the server"
[14:18:54] <robertml> rob: bis must mention dnssec
[14:19:10] <robertml> marka: [speaks with aussie accent]
[14:19:14] <robertml> someone?
[14:19:42] <SuzanneW> Mark was endorsing TTL !=0 to permit caching, I think
[14:20:11] <robertml> next topic
[14:20:12] <robertml> 2929bus
[14:20:16] <wouter> I thought he said that caches can synthesize CNAMEs from DNAMEs.
[14:20:18] <robertml> bis
[14:20:30] <robertml> eastlake
[14:21:07] <SuzanneW> 2929bis
[14:21:13] <SuzanneW> IANA Considerations
[14:22:04] <robertml> 2929bis updates with a more liberal doc
[14:22:21] <robertml> appendix of the draft mentions the updates
[14:22:58] <robertml> http://www3.ietf.org/proceedings/06jul/slides/dnsext-0.ppt
[14:24:42] <robertml> eastlake: can we go to LC with -03?
[14:25:00] <robertml> olafur: if we don't receive negative comments, will soon go to LC
[14:25:15] <robertml> rob: small problem
[14:25:24] <robertml> dont think we need the doc
[14:25:24] <SuzanneW> do we need this doc?
[14:25:56] <robertml> olafur: needed to udate 2929, and to liberalize policies.
[14:25:59] <robertml> liberalise
[14:26:47] <robertml> thomas: ok with LC
[14:29:11] <robertml> thomas: draft is not enough, wants rfc
[14:29:21] <robertml> weiler: wants template system
[14:30:26] <robertml> ???: wants the document because it asks for expert review.
[14:30:43] <robertml> IANA is not qualified(????) for evaluating
[14:30:54] <robertml> new document
[14:31:04] <robertml> draft-eastlake-dnsext-cookies-00
[14:31:22] <robertml> http://www3.ietf.org/proceedings/06jul/slides/dnsext-1.ppt
[14:31:30] <SuzanneW> confusion seems to be on whether template/expert review is higher bar than "specification required," and whether it should be
[14:31:58] <robertml> suz: thx
[14:36:26] <marcos.sanz> robertml: I like it, but shouldn't we fix UDP?
[14:37:06] <robertml> peter koch: like it, should we fix dns or stop spoofing elsewhere?
[14:37:12] <robertml> BCP38
[14:37:28] <SuzanneW> (tentative, spontaneous hum)
[14:37:32] <marcos.sanz> Why not solving at the transport level and providing authentication with DTLS?
[14:38:05] <marcos.sanz> (RFc 4347)
[14:38:48] <robertml> rob: install base is too big, you can never stop answering queries without cookies.
[14:39:21] <robertml> eastlake: people also liked it for it's non-cache-poisoning abilities.
[14:39:35] <robertml> peter koch: dnssec does that too.
[14:40:22] <robertml> mosen: it's ok if it's light weight for the wg to do
[14:40:31] <robertml> because it solves a current problem
[14:40:41] <robertml> thomas: any doc takes time from the wg
[14:40:47] <robertml> what are you really trying to solve?
[14:41:07] <robertml> eastlake: 3 problems are being targeted
[14:41:18] <robertml> mentioned in presentation
[14:41:50] <robertml> marka: make it an edns option if it must be done at all.
[14:42:20] <robertml> eastlake: possibly to make it an edns option
[14:43:50] <robertml> next
[14:43:51] <ultrajtk> from my perspective, the goals are great, but i'm not yet convinced that this can be deployed as designed, the point made earlier and on the list, that you have to allow non-cookie queries being the problem
[14:44:47] <robertml> ultra: are you in the meeting room or do you want me to relay this to eastlake later?
[14:45:05] <robertml> peter koch from dnsop talking
[14:45:24] <robertml> topic?
[14:45:24] <ultrajtk> not in meeting room (i'm john kristoff), i made the point on the list so i don't think there is a need to relay unless you want to
[14:45:40] <robertml> Identifyin and responding to unsolicited queries.
[14:45:51] <robertml> draft-koch-dns-unsolicited-queries
[14:46:06] <SuzanneW> PK talked about the "reflectors considered evil" draft too
[14:46:18] <robertml> jtk: no, we are at another topic now, so I'd prefer if you could reiterate your concern on the list.
[14:47:05] <robertml> please read and send comments.
[14:47:07] <ultrajtk> k - just trying to get in another viewpoint, sorry for arriving late
[14:47:08] <wouter> unsolicited: previously, there had been queries for queries. :)
[14:47:31] <robertml> jtk: I think it wasn't very well received in general.. needs more work
[14:47:44] <Peter Koch> wouter: that was responses fo responses
[14:47:44] <robertml> next topic
[14:47:49] <robertml> marka
[14:48:11] <robertml> draft-andrews-dnsext-soa-discovery
[14:48:37] <robertml> marka: ready for LC
[14:49:33] <robertml> koch: doc encourages strange ideas
[14:49:56] <robertml> marka: (and ready for adoption)
[14:50:47] <robertml> rob: this was good for dynamic updates
[14:51:12] <robertml> topic done
[14:51:23] <robertml> olaf
[14:51:25] <robertml> milestones
[14:52:23] <robertml> looks like http://www.ietf.org/html.charters/dnsext-charter.html doesnt match the slide
[14:52:30] <robertml> at all
[14:52:38] <Peter Koch> these are 2B updated milestones
[14:53:17] <Peter Koch> so, what is this november 2006 item?
[14:53:42] <robertml> draft-fleming-007-21... I could tell you, but then..
[14:55:04] <robertml> see posting to mailing list for suggested milestones.
[14:55:07] <robertml> meeting is over.
[14:55:10] <robertml> comments? ;)
[14:55:26] <shigeya> no, thank you very much for transcript..
[14:55:58] <robertml> welcome
[14:56:11] <robertml> and thanks for people who helped when I was mentally absent.
[15:21:58] --- Peter Koch has left: Computer went to sleep
