[03:09:08] <iljitsch> ping
[03:09:26] <ripple> !gnip
[03:13:58] <ripple> sra - IDN is not a DNS issue.
[03:14:26] <ripple> paf - I'm working with the IDN issue. People who want to know more can contact me after lunch on Weds (or later...)
[03:15:01] <ripple> dmm - (something, performance?) is not on the agenda but Patrick asked me for time if time permits
[03:15:19] <ripple> [Wasn't there a jabber scribe?]
[03:15:20] <ggm> dnsop, monday 1st Aug 10:30 doc review. dns config doc. AD has comments DavidK after this meeting, should be done & sent to RFC-ED. doc is approved RobA document is done
[03:15:39] <ggm> (sorry, lost connex for a bit)
[03:15:47] <ggm> review of work items status
[03:16:26] <ggm> RobA. issue with truncation, trying to get feedback from dnsext. no responses.
[03:16:41] <ggm> if care, see pekka. failing comments, set timeout and go with what you have.
[03:17:06] <ggm> Susan, on server ID draft.
[03:18:24] <ggm> want to see chair comments, doc is failing to get comments in last call.
[03:19:15] <ggm> roba: go cleanup. one major issue, orig. author (drc) asked for rollback to 2-3 year ago state. my view is: its moved on. rough consensus is like that. if disagree, please tell us (will do on ML)
[03:19:43] <suz> not quite ggm....did get some comments but I think they're about improving the doc (clarifying scope and aplicability
[03:20:05] <ggm> sorry suze.. misheard.
[03:20:17] <suz> my fault. I did not make friends with the mke
[03:21:12] <ggm> Olaf: comments on draft (dnssec operational practices) substantial. real issues.
[03:21:34] <ggm> discussed open issues on ML. worked text, solutions. set timeouts. didn't get pushback. so can close.
[03:21:49] <ggm> another thing we got feedback on, table of suggested keysizes, operational circumstances.
[03:22:02] <ggm> one of the authors of keystrength RFC 3766 gave pushback there.
[03:22:11] <ggm> haven't addressed yet. will do this week, post issues to list.
[03:23:24] <ggm> bad dns res draft, larson/barber.
[03:23:34] <ggm> new version out, read and comment.
[03:23:46] <ggm> iaddr-required, (senie)
[03:24:19] <ggm> Dave: did talk to daniel about this. new version is out. had controversy on this, considered changing name. will have out on list after meeting.
[03:24:37] <ggm> key rollover requirements (guette et al)
[03:24:56] <ggm> WG accepted quite some time ago, years ago. haven't seen a lot of support except from authors.
[03:25:16] <ggm> had requests to remove as WG item. never get opinions, few care. whatever.
[03:25:22] <ggm> [chair calls for who-reads. small number]
[03:25:30] <ggm> [chair calls for poll of readers: should we keep]
[03:25:46] <ggm> [smallish vote to drop]
[03:26:41] <ggm> dont publish unreachables/durand.
[03:26:52] <ggm> missed a view deadlines. will be published revised copy soon
[03:27:36] <ggm> respsize/vix/kato no authors here, take to list.
[03:27:48] <ggm> bill can't be put off.
[03:28:23] <ggm> billm. back to WG, get IETF recognition, move to RFC, its in ICONN (sorry ICANN) formal procedures. difficult to reference document which isn't formally alive. need RFC normative
[03:28:42] <ggm> RobA. last time WG considered, author said 'not ready'
[03:29:41] <ggm> Kato:
[03:30:10] <ggm> modification, rewritten part. comment from pekka at last minute. misunderstandings. modify before last call.
[03:30:15] <jlcjohn> (can't hear him)
[03:30:25] <ggm> no, he really said <mumble>
[03:30:40] <ggm> dave: want another revision before WGLC? ok.
[03:30:48] <ggm> expired drafts, guaging interest.
[03:31:01] <ggm> 2 kinda hanging around. local zones draft, expired (vix/kato)
[03:31:41] <ggm> also huston 6to4 reverse.
[03:32:42] <ggm> first draft read and kjeeo> few
[03:32:48] <ggm> how many kill> ,apathy>
[03:34:03] <ggm> minor comment from me on 6to4 deployed testbed.
[03:34:17] <ggm> hads to bring back to life (expired)
the floorshow is fantastic. we just had 'les girls' off-camera. and now its charles aznavour.,
[03:35:36] <ggm> sam weiler, local zones doc.
[03:35:50] <ggm> looks interesting. no advocate. default should be to drop, but we have author in room..
[03:36:21] <suz> does anyone remember the content of the local zones draft? even the general line of argument?
[03:36:37] <ggm> mrk andrews. localzones should be split into 2. one to do namespace. similar to what we've got in v6 local assigned addrs draft
[03:36:39] <weiler> serve .local and 918 reverse zones locally:
[03:36:40] <weiler> http://www.potaroo.net/ietf/idref/draft-kato-dnsop-local-zones/
[03:36:44] <weiler> 1918, rather.
[03:36:48] <suz> thx
thx
[03:38:25] <ggm> ok. now on SRV/DNS-SD.
[03:38:40] <mstjohns> slides are unreadable..
[03:39:11] <ggm> the peasants are revolting over the slide view. thats being fixed.
[03:39:39] <ggm> this is jeroen massar on dnsop service.
[03:40:53] <ggm> proposing standard labels _<service> to be set to local service providers for apps.
[03:41:18] <ggm> needs anycast DNS to resolve.
[03:41:48] <ggm> also ipv6 tunnel discover.
[03:41:59] <ggm> durand. comments. how do relate to draft on service discovery?
[03:42:10] <ggm> jeroen: some relation.
[03:43:10] <ggm> roba, not as chair, "just another bozo"
[03:43:30] <ggm> believe read in draft, looks like propose varaiations be pseudo TLD. has layer-9 issues. don't go there.
[03:43:47] <ggm> second. history behind use of anycast DNS. review the years of argument. (but he said it more nicely)
[03:44:06] <ggm> thirdly. discuss service names over beer. appears to subst one column for another.
[03:44:34] <ggm> Keith. lots of topics to discuss. reaction is, have lot of bad service discovery mechs, don't fit problem space. this is another. or apple stuff.
[03:44:56] <ggm> anytime talk about DNS, 'below IP'
[03:45:09] <ggm> (sorry, scribe hurls abuse "the DNS is not a directory")
[03:45:13] <weiler> "local net knows what's good for you -- isn't true in general"
[03:45:28] <ggm> agree about TLD/Anycast issues. service name issues. too many to rattle.
[03:45:54] <ggm> Durand. looked at in BoF, MN. followup with another BoF. attend, discuss another time.
[03:46:22] <ggm> Michael Sans have service to discover by different proto, can use combination of NAPTR etc in 3958 to solve problem.
[03:46:36] <maxwell> (Marcos Sanz)
[03:46:58] <ggm> sorry. people mumble. and I'm deaf. I shouldna volunteered.
[03:47:09] <ggm> Dave on potential WG items.
[03:47:21] <ggm> is this candidate for WG item? no interest.
[03:47:40] <ggm> the krishnaswamy dnssec split view. doc. no author present.
[03:48:07] <ggm> RobA. need to read, may decide not to make item but have to understand. split DNS is not going away. dnssec is coming. need to know how to do it.
Kurtis, in a pink clown suit is now doing mime to classical french accordian music.
can't beleive i am missing that!
wondering if I have any accordian MP3's...
I have a LOT of accordion MP3 if you want em...
play one?
[03:49:40] <ggm> Kurtis on draft TLD OPS
[03:50:20] <ggm> doc history: not my idea. got stuck with it. ICANN q came down, IAB passed the buck to DNSOP. but want it done.
[03:50:56] <weiler> not his idea, but he wasn't paying attention when it was allocated to him.
ah yes. the volunteer by missing the meeting method..
ggm, stop telling people about the clown suit. There is no physical clown suit. There may well be a metaphorical one.
[03:51:39] <ggm> two docs came out of discussions.
[03:52:06] <ggm> feedback taking it in two directions
[03:52:16] <ggm> submit dns server op guidelines, and TLD ops
[03:53:01] <ggm> not docs with MUST DO lists. checklists. document trade-offs.
[03:53:08] <ggm> want minimal list
[03:54:07] <ggm> both will aim for BCP, server ops is better understood right now than the TLD part
[03:54:25] <ggm> TLD one will include refs to things like EPP
[03:54:35] <ggm> how to be a slave for TLD, applies for any server setup
[03:54:55] <ggm> RobA, chair hat off.
[03:55:07] <ggm> doc makes sense, split makes sense. good to document considerations to run servers is excellent.
[03:55:17] <ggm> hesitent to say no normative lang. some may be appropriate
[03:55:45] <ggm> second doc, TLD ops, agree we don't know where to write. start here and move. probably is going to make the first a normative ref.
[03:56:41] <ggm> liman: requirements vary between TLD. between contexts.
[03:56:49] <ggm> kurtis, requirements word never appeared for a reason
[03:57:10] <ggm> liman but want to see document about whats good and bad
[03:57:49] <ggm> jaap. want to talk on second TLD doc. ISOC has courses for starting TLD
[03:58:08] <ggm> recently documented. nice to catch up with these folks.
[03:58:11] <ggm> kurtis pointers welcome
[03:58:40] <ggm> BillM having walked this road, co-authors of 2010 and contributed to 2780. 2780 is more targetted to TLD than roots
[03:58:52] <ggm> need to be very clear and consise about running TLD registry or DNS side?
[03:59:14] <ggm> wide range of things for auth server
[03:59:58] <ggm> ggm at Q so not jabbering
[04:00:02] --- olaf has left
[04:00:58] <ripple> (...not sure who's speaking at the mike...) I think other registrars would be affected by changes in registries... ???
[04:01:28] <ripple> kurtis - I wasn't thinking about the second (TLD) doc in technical terms...
[04:03:07] <suz> [?? from JPRS]: many varieties of TLD operations, technical & political (echo Manning)....very different to 2870, need for this in TLD ops but hard to generalize
[04:04:24] <ripple> kurtis - something along the lines of: If we stay away from normative language and just try to collect best practices we could end up with a useful document.
[04:05:02] <ripple> ggm - Formalizing some of these behaviors will raise the bar and cause folks to re-consider whether they can in fact offer some of these services.
[04:05:43] <ripple> ggm - I really applaud you writing this document -- but a potential side-effect is that this is a step along a path to making requirements more formal (and perhaps more stringent?)
[04:06:01] <ggm> bthks
[04:06:05] <suz> kurtis says there was no pressure from ICANN, just a question the IAB decided to run with
[04:06:31] <suz> Peter Koch: concern about how document will be used, this group should focus on DNS only
[04:06:39] <suz> second doc should be written by someone else
[04:08:00] <ggm> DK reggo said something about it being more general than just for TLDs I think. (missed this a bit)
[04:08:23] <ggm> next bad DNS auth. fujiwara
[04:08:56] <ggm> <can't hear> sorry
[04:09:34] <ggm> Dave; what do you want WG to do with doc? want dnsop to adopt?
[04:10:11] <ggm> will not continue. done.
[04:10:25] <ggm> dns transport issue (fujiwara)
[04:10:39] <ggm> will continue, update to ship on this one.
[04:10:58] <ggm> yan on ra-dns
[04:11:58] <ggm> (V6 stateless config)
[04:12:04] <ggm> Ding Zhemin.
[04:12:27] <ggm> perform DNS update via stateless addr autoconfig. new RS/RA option to pass info.
[04:14:36] <ggm> Olaf bellows 'security'
[04:14:44] <ggm> admits havne't read draft.
[04:15:05] <ggm> discusses risks of key exchg processes
[04:16:23] <ggm> durand comments on process, assumptions
[04:17:02] <ggm> Zhemin. enterprise network, trust issues are about that config. security is concern
[04:17:50] <ggm> RobA. some portions may want to drop. core part, worth discussing maybe not this WG. but V6mechanism to change reverse tree, in dhcp universe, server does it. potentially, if can deal with security issues, provide analogue for stateless autoconf for that.
[04:18:11] <ripple> specifically, one of the assumptions Alain pointed out is that there's only one DNS domain on the subnet, and that in his experience that's rarely the case. I'd have to agree, even on an enterprise network.
[04:18:12] <ggm> for forward, want to leave it, host does own. reverse, server is preferred. but reduces to previously unsolved problem, lack of security in stateless autoconf
[04:18:48] <ggm> trust is separate issue. recommend (chair hat off) focus this on reverse-tree update, leave rest out.
[04:18:58] <ggm> and FQDN. no local suffix assumptions
[04:19:58] <ggm> Jinmei. do not want higher layerinfo in RAs. discussed how to discover DNS recursive server addr. proposal to include, even for such fundamental info, lot of disagreement
[04:20:36] <ggm> lot of pushbacks. afraid this one will face even stronger pushbacks to use of RA for this applic. level info.
[04:21:36] <ggm> David Henkins ISC. maybe in different draft, how to overcome race conditions. no tear-down events in RA. stateless doesn't do it. so no way to remove info. becomes cesspool swamp. is there a technique? what if 2 clients think they have same name? in draft or ..
[04:21:44] <ggm> author: name collision? being considered.
[04:21:54] <ggm> David where source client identity? thats the root problem. what do you use?
[04:22:05] <ggm> author 'working on it'
[04:22:12] <ggm> Durand. comment on robs comment.
[04:22:25] <ggm> useful in parts, not sure can make secure., and so no point in doing it.
[04:22:34] <ggm> author thats why propose to use router
[04:22:43] <ggm> durand but host has to authenticate. need to explain this
[04:22:59] <ggm> roba. value I see is getting rid of keys for reverse into laptops
[04:23:07] <ggm> Durand agree.
[04:23:21] <ggm> decided not to use stateless autoconf
[04:23:33] <ggm> <missed name> some disagree with Durand. are places where can use insecure methods.
[04:23:55] <ggm> Ted Lemon. solve by using secure DNS updates. key on A rec.
[04:24:04] <ggm> if client knows key, then can change PTR.
[04:24:28] <ggm> use straight DNSSEC.
[04:24:51] <ggm> Keith Moore
[04:26:03] <ggm> keeps raising a red flag, not speciifc to proposal. architecturally, don't think network should make binding hostname to rsrc recs. host knows, if net doesnt agree, net shouldnt overrule host. some kind of config error should flag. to make assertions about host in DNS, change, don't need to further that brokennes. if has purpose, its to set reverse. it is appropriate for net to make that binding. hard to secure. update via different path
[04:26:41] <ggm> in-baliwick servers Minda
suze was wrong. Kurtis DID have a pink clown suit on. just very very small.
[04:27:59] <ggm> .ARPA dns reverse lookup slow. supposed to be lame issue. but hostname use is gluelessness problem. -issue is bind8 caching NS
[04:28:20] <ggm> defines gluelessness. has to re-retrieve NS info via root. 10x overhead
[04:28:32] <ggm> bind8/4 has 5-10 sec timeout problem.
[04:28:55] <ggm> not issue in newer impls
clown g-string?
[04:29:18] <ggm> proposed solution is to use ns names in zone. ns01.16.11.202.in-addr.arpa form
[04:29:28] <ggm> add glue in 11.202.in-addr.arpa zone
[04:29:53] <ggm> ggm in Q. not jabbering
[04:30:54] <ripple> (picking up) Author outlining advantages and disadvantages, can't capture slides fast enough
[04:31:36] <ripple> One disadvantage is that RIRs that "own" a lot of .arpa zones will need many many more nameservers, it appears...
[04:31:50] <weiler> no, just many more names for the same nameservers.
hi marcos
[04:32:06] <ripple> Author's rec: Nameserver of RIR, NIR, or LIR SHOULD use in-bailiwick nameserver. Not only for .ARPA but also for other TLDs
[04:32:48] <ripple> mark andrews - I don't think that we should make any decisions, because BIND 8 is _broken_ (speaking as an author) and no one should be running BIND 8 anymore. The world has passed it by
[04:33:24] <ripple> ggm - We discuss operational aspects of managing the reverse tree in RIR meetings -- if you want to discuss things like this then you need to participate in those meetings.
[04:34:04] <ripple> ggm cont'd - The location of the glue is not where you think it is, as the delegation tree isn't quite what you've stated. The glue might be one "dot point" higher or several points higher.
[04:34:26] <ripple> ggm - we would need to make infrastructure changes to support this.
[04:34:56] <ggm> thnks
[04:34:57] <ripple> RobA (clarifying as chair) - it's not that the victim is running BIND 8, but rather that BIND 8 is being caused to "beat up" other servers.
[04:35:16] <ripple> Peter Koch - you're assuming a clear cache, but this isn't really about glue.
[04:35:26] <ggm> assuming is based on clear cache, counting steps to get info. but its not really about glue, its about easy access to the NS info.
[04:35:35] <ggm> but resolving servers DO have caching. more often than not, is in cache.
[04:35:51] <ggm> may be true for empty, but cache is almost never empty.
[04:36:28] <ggm> working for TLD with 6million delegated domains., if only fraction follow advice, switch from ISP or registrars to needing glue..
[04:36:59] <ggm> assume will be much more trouble due to inconsistencies, not updating parent zone. out of 6m domains, delegate to only 50k NS. if follow advice, have millions of NS
[04:37:15] <ggm> <comment from floor is for reverse> but he also said its TLD as well.
[04:37:27] <ggm> Olaf.
[04:37:34] <ggm> mentioned DNSSEC performance.
[04:38:07] <ggm> has its own validation chain, doesn't depend on glue or NS locations. DS rec points to NXT in validation chain, no glue issues to follow chain. so DNSSEC deployment I challenge the statement about reduced cost in verifying
[04:38:18] <ggm> MarkA
[04:38:29] <ggm> find in-baliwick NS are overkill solution.
[04:39:08] <ggm> simple rules, if followed, make glue cost less problem.
[04:39:54] <ggm> going to in-baliwick breaks some initial design ideas.
[04:40:47] <ggm> sam wieler, there may be a DNSSEC issue. resolver should only check NXT path, robustness issue., but reasonable to also check glue
[04:41:37] <ggm> morishita, anycast node requirements
[04:42:40] <ggm> (for authoritative servers)
[04:43:20] <marka-isc> simple rule "a nameserver serves the zone it lives in (listed in NS records)"
[04:44:14] <ggm> reviews deployment with roots, TLDs. documents to do this, to do IP anycast DNS service, 3528/draft-grow0anycast and auth NS servers. 2182/2870
[04:44:23] <marka-isc> finc
[04:45:18] <ggm> concept of this draft, to be guideline for auth ns ops introducing anycast. -incomplete, want to brush it up
[04:45:57] <ggm> focus on 'global' node, can also be applied to local node. document location issues, costs, measurements. based on .JP experiences
[04:47:11] <ggm> slide documenting issues
[04:47:41] <ggm> V6 issue, being fixed
[04:50:28] <ggm> slide on ICANN 'CNNP test" useful guidelines for validating anycast node.
[04:50:36] <ggm> continuous measurement needed.
[04:50:46] <ggm> looking for future work discussions
[04:51:56] <ggm> asking where to discuss. op meetings, RIR meetings etc
[04:52:46] <ggm> RObA. chair hat on. where to do? main focus is anycast, probably more in Grow. crossover with DNSOP and GROW. portions covered by Kurtis' work. cover by reference. non-IETF yea, need review there, not sure which wants to take lead, nor on ICANN
[04:53:13] <ggm> Dave chair. 2 more items to go.
[04:54:16] <ggm> Lixia on engineering tuning to improve DNS service availability
[04:54:27] <ggm> DDoS can attack hierarchy simply: go to the apex.
[04:55:13] <ggm> looking at TTL issue
[04:56:04] <ggm> discusses lo/hi ttl benefits. hi ttl masks loss of service.
[04:56:28] <ggm> proposed solution, to increase TTL values to 2weeks/1month (recommendation)
[04:57:39] <ggm> simple math on the % of TTL timed out visible at root servers. extending ttl from 2days to 1week alters 50% loss to 14%. to 30days cuts to 3%
[04:58:07] <ggm> cache can fetch at half-time. ttl 2weeks, but refetch in 1week.
[04:58:18] <ggm> maybe put hitcount, base on cache hit freq.
[04:58:27] <ggm> anyone can do long life ttl. as long as NS don't change that often
[04:58:39] <ggm> cost is transition time when changing NS
[04:59:15] <ggm> RobA clarifying. number of resolvers have limit to TTL length. cieling is a week.
[05:00:32] <ggm> cache poisoning risk, can stay poisoned for long time.
[05:00:42] <ggm> want to see discussion. worth persuing? or drop
[05:02:32] <ggm> font size="3"><unknown> thanks for writing up. ggm: TTLs of one week are exceptionally large. TTL defines sig validity period so for DNSSEC, risk is very bad (if broken,) Olaf. ditto sig lifetime cuts off ttl
[05:03:04] --- ryanczak has left
[05:03:06] <ggm> sam weiler. want to see greater refetch, but resolvers keep cached data. couple ways. one is your way,
[05:03:42] <ggm> how about using stale data? {rob cringes}
[05:04:17] <ggm> <missed name> measured or simulated benefits yet?
[05:04:25] <ggm> Lixia haven't got data ready yet.
[05:04:29] <suz> That's Mohsen Soussi
[05:04:33] <ggm> thks
[05:04:43] <ggm> Liman
[05:04:49] <suz> and there were more cringers than just Rob
[05:04:53] <ggm> RObert Martin DK
[05:05:00] <ripple> (and I was the first one whining about this above... --Rip)
[05:05:22] <ggm> complaint about time it takes IANA to change root. some complain about weeks, some about months. upping TTL may be issue to some people
[05:06:29] <ggm> Liman. admin thing, prod IANA. don't set per server in records set. all should have same.
[05:06:37] <ggm> might have to change a number of servers in recset at short notice, things outside your control
[05:07:39] <ggm> Peter Koch ttl delegs on root may have less influence than you think. overwritten by NS coming out of deleg. zone
[05:08:00] <ggm> Rob cuts mike
[05:08:31] <ggm> Olaf. measures of performance of dnssec on K
[05:08:38] <ggm> 15 min presentation. no work item
[05:09:09] <suz> room 315
[05:09:11] <ggm> 10:30 in room 350
[05:09:15] <weiler> 315
[05:09:22] <ggm> sorry. room 315
[05:09:26] <ggm> ggm out
