[04:54:16] --- william.tan has joined
[04:54:18] --- william.tan has left
[06:26:50] --- geoff has joined
[06:26:59] --- geoff has left
[06:27:17] --- geoff has joined
[06:27:34] --- geoff has left
[06:28:11] --- geoff has joined
[06:32:24] --- geoff has left
[08:33:45] --- gberezow has joined
[08:33:59] --- yone has joined
[08:35:37] --- Peter Koch has joined
[08:35:51] --- hpditt has joined
[08:36:05] --- axelm has joined
[08:37:07] --- Peter Koch has left
[08:37:11] --- axelm has left
[08:37:29] --- Peter Koch has joined
[08:37:45] * Peter Koch has set the topic to: 25 minutes to go
[08:47:27] --- hpditt has left
[08:50:18] --- jdq has joined
[08:51:38] --- msj has joined
[08:51:59] * msj has changed the subject to: 5 minutes to do
[08:52:11] * msj has changed the subject to: 5 Minutes to Go
[08:52:41] --- Jelte has joined
[08:52:48] --- hpditt has joined
[08:52:49] <Jelte> good morning
[08:53:52] --- cary has joined
[08:55:49] --- Antoin has joined
[08:56:04] --- axelm has joined
[08:58:17] --- ogud has joined
[08:58:45] <ogud> who is awake
[08:58:47] <ogud> ?
[08:58:54] <Jelte> moi
[09:01:06] --- howard_eland has joined
[09:01:26] --- geoff has joined
[09:01:31] <cary> Sounds fine
[09:01:39] <Jelte> anyone remote here
[09:01:39] <Jelte> ah
[09:01:45] <cary> yes remote
[09:01:47] <geoff> a moi aussi
[09:01:57] --- jabley has joined
[09:01:57] --- fneves has joined
[09:02:01] <Jelte> i'm lagging a wee bit
[09:02:02] --- marcos.sanz has joined
[09:02:05] --- suresh has joined
[09:02:14] --- r@dk. has joined
[09:02:14] <axelm> "note well" is on the screen.
[09:02:36] <axelm> peter koch and rob austein open session
[09:03:00] --- weshardaker has joined
[09:03:20] <axelm> mailing list and wg tools: www.dnsop.org / tools.ietf.org/wg/dnsop
[09:03:46] <axelm> request tracker available - will be mentioned later
[09:04:05] --- dudi has joined
[09:04:05] <Jelte> Agenda
[09:04:06] --- rstory has joined
[09:04:12] --- dblacka has joined
[09:04:20] --- simon.leinen has joined
[09:04:23] --- matt has joined
[09:04:35] --- Jim has joined
[09:04:36] <Jelte> www3.ietf.org/proceedings/06jul/agenda/dnsop.txt
[09:04:47] <axelm> agenda accepted.
[09:04:52] --- marka has joined
[09:05:15] <Jelte> RFC published: RFC4472
[09:05:25] <Jelte> operational considerations and issues with ipv6
[09:05:50] <axelm> awaiting AUTH48 by end of july.
[09:06:06] <axelm> dnsop-bad-dns-res-06
[09:06:18] <axelm> IETF last call requested (to become BCP)
[09:06:21] --- raj has joined
[09:06:53] <matt> HURRAY!
[09:07:03] --- kivinen has joined
[09:07:27] <axelm> dnsop-serverid-07: awaiting PROTO
[09:07:46] <Jelte> draft-huston-6to4-reverse-dns-05.txt
[09:08:19] <Jelte> security directorate review received, awaiting 06, awaiting proto
[09:08:44] --- Suzanne has joined
[09:08:48] <axelm> issue about using ip addresses for authentication - will be addressed in 06
[09:09:09] <Jelte> Active drafts:
[09:09:22] <Jelte> reflectors-are-evil-01
[09:09:27] <Jelte> default-local-zones-00
[09:09:30] <Jelte> respsize-03
[09:09:59] <axelm> starting with "evil draft" discussion now
[09:10:31] --- liman has joined
[09:10:50] <Jelte> Frederico Neves speaking about evil
[09:11:09] <axelm> fixed a few typos
[09:11:20] <Jelte> PRNS -> ORNS
[09:11:35] <Jelte> include text about vendors, not only operators
[09:12:03] <axelm> added text about filtering on incoming query.
[09:12:10] <Jelte> less acronyms
[09:12:19] <Jelte> Open issues
[09:12:24] <Jelte> - title
[09:12:48] <Jelte> proposal to include the word recursive
[09:13:00] <Jelte> ed lewis had a different suggestion
[09:13:17] <axelm> peter koch: want to move forward with this RSN
[09:13:33] <Jelte> <pekka savola> there are various flavours of this attack
[09:13:37] --- ggm has joined
[09:13:49] <Jelte> some with recursive, some with authoritative servers
[09:14:07] <axelm> frederico: text in doc which says we just cope with this kind of attack
[09:14:30] <Jelte> <pekka> so you leave the others out of scope
[09:14:49] <axelm> frederico: reflector factor of other attacks much lower
[09:15:10] <Jelte> disagreement about whether the text is clear about this
[09:15:45] --- rloomans has joined
[09:15:51] <Jelte> Pekka would like to see all relevant attacks explained if this is going to be a bcp
[09:16:22] <axelm> koch: task of editors was specifically to address open recursive, not all "followup" stuff (large RR sets on auth servers, etc.)
[09:16:31] --- marz has joined
[09:16:53] <axelm> koch: if text is not specific enough for sw developers, please send text
[09:17:37] --- william.tan has joined
[09:17:54] <axelm> ??: might be valueable to explain why this specific attack is the one to tackle (aplification factor)
[09:18:04] <jabley> mark andrews, isc is speaking
[09:18:12] --- Onak has joined
[09:18:28] <axelm> frederic: how to proceed?
[09:18:59] <Jelte> Mark explained that this is addressed because this can be fixed configuration-wise, while auth servers must answer queries
[09:19:00] <axelm> peter koch: asking for sense of the room - suggestion to use completely different title?
[09:19:33] <axelm> mark: guidelines about what ACLs to use?
[09:19:43] --- asullivan has joined
[09:19:44] <Jelte> this is not what's on the slides, postponed
[09:20:03] <axelm> hum: how many people care about the title?
[09:20:03] <Jelte> hum for people who care about the title
[09:20:25] <axelm> objection: care about title, but need alternative before!
[09:20:46] <axelm> options: 1) keep title
[09:20:56] <axelm> 2) insert wording
[09:21:01] <axelm> 3) postpone to list
[09:21:27] <axelm> pekko: different question suggested: what should the scope of the doc be - "recursive" restricts scope.
[09:21:45] <axelm> rob: was put on milestones as fast track doc.
[09:21:49] <Jelte> olaf concurs
[09:22:40] <axelm> ed lewis: remembers in-addr reqs ...
[09:22:58] <matt> "Preventing Use of Nameservers in Reflector Attacks" is the current title
[09:23:04] <axelm> ??: current title misleading - too generic
[09:23:19] <Peter Koch> s/nameservers/recursive nameservers/ is Fred's suggestion
[09:23:22] <axelm> rob: too late to change filename, but change is about title.
[09:23:42] <matt> I strongly support adding "recursive" to the title to reflect the scope of the document
[09:23:56] <jabley> I strongly support that too
[09:24:11] <axelm> ??: suggestion "open recursive nameserver"
[09:24:23] --- jaap has joined
[09:25:14] <axelm> olaf: take this to list - important, but involves a lot of word crafting which is not efficient in the session. people wnat a good title, but there are no choices on screen.
[09:25:38] <axelm> peter: doc must not starve just because of title.
[09:25:49] --- narten has joined
[09:25:55] <axelm> mark: agrees that title is too generic.
[09:26:05] <matt> Why not take a hum about adding "recursive?
[09:26:09] <axelm> conclusion: postponed to list - NEXT.
[09:26:09] --- mukamuk has joined
[09:26:34] <Jelte> - Do we need text on recommended response for undersired queries?
[09:26:51] <axelm> mark: dropping the packet is not acceptable
[09:27:17] <axelm> mark: "refused" does not amplify.
[09:27:20] --- mo7sen has joined
[09:27:23] <Jelte> (matt: previous discussion is taken to the list on suggestion from Olaf that this is wordsmithing and without on-screen examples it is not hummable enough)
[09:28:02] <axelm> 1034/1035 says "send refused".
[09:28:35] <axelm> rob: if you know for _sure_ its an attack, may choose to not send something back. but how to know for sure?
[09:28:51] <r@dk.> some sends referral to somewhere up the tree, dont they?
[09:28:59] <r@dk.> depending on configuration
[09:29:10] --- mike has joined
[09:29:31] <axelm> rob: when you start talking about ACLs, you start talking about implementations...
[09:29:46] <geoff> This starts to become a normative discussion if this gets pulled into the doc.
[09:29:58] <axelm> ??: these are guidelines for operators, not implementors
[09:30:28] <axelm> ??: operator has picked an implementation, and no choise.
[09:30:33] <marcos.sanz> ?? is Joao, the coauthor of the draft
[09:30:42] <axelm> sorry.
[09:30:42] <Jelte> first was joe abley
[09:30:44] <Jelte> second was joao
[09:30:59] <marcos.sanz> He should use then different placeholders ;-)
[09:31:10] <Jelte> :)
[09:31:24] <Jelte> peter koch is at the mike now
[09:31:51] <axelm> peter (on floor mike): should not be in this draft - fears that if we address this, draft will be delayed forever.
[09:32:17] <Jelte> this is not a promotion for peter's own draft
[09:32:42] <Jelte> mark: me might want to send this to dnsext
[09:32:51] <Jelte> s/me/we/
[09:33:20] <axelm> olaf: thinks dnsext would look at it, but will delay things.
[09:33:35] <Jelte> this could very wel never be resolved
[09:33:45] <axelm> olaf: could also live with not addressing this.
[09:34:21] --- RussM has joined
[09:34:53] <Jelte> olafur: (without hat, maybe) don't make a recommendation
[09:35:16] <axelm> pekka: fine if 3 sentences
[09:35:27] <axelm> rob: thats a whole draft, not 3 sentences...
[09:35:29] <Jelte> humming time
[09:35:38] --- gberezow has left
[09:35:47] <axelm> 1) who can live with not making a recommendation about this
[09:36:00] <axelm> 2) who has strong support for this
[09:36:17] <axelm> strong preference for 1)
[09:36:31] <axelm> last issue: TSIG recommendation
[09:36:37] <Jelte> keep or delete?
[09:36:44] <Jelte> sig(0) vs TSIG
[09:37:05] <axelm> olaf: TSIG currently not very much used for client auth.
[09:37:31] <axelm> sig(0) not deployed at all, but known to work - have 2 solutions with min. deployment
[09:37:44] <axelm> suggestion to recommend both or leave them out.
[09:39:11] <axelm> rob: gss-tsig uses tsig quite heavily, current implementation use it for updates, not for queries
[09:39:20] --- weiler has joined
[09:39:50] <axelm> considerations about client clock problems mentioned.
[09:40:19] <Jelte> problems with that will be addressed quickly if clients are not getting dns service
[09:40:27] <jaap> If the cloc is that bad, the oprator won't care for other problems either
[09:40:41] <axelm> olaf: slight preference to keep both in.
[09:40:43] <weiler> Unless the NTP client is configured using DNS names instead of IP addrs
[09:40:50] <axelm> 2-way hum:
[09:40:52] <axelm> 3
[09:40:56] <axelm> 1) rip it out
[09:40:59] <axelm> 2) just tsgi
[09:41:08] <axelm> 3) discuss sig(0) as well.
[09:41:18] <axelm> minimal 1
[09:41:25] <axelm> none for 2
[09:41:31] <axelm> strong pref for 3)
[09:41:45] <axelm> conclusion "please add sig(0)"
[09:42:01] <Jelte> mark asks about adding default acl's
[09:42:29] <Jelte> frederico: we do have text about localnet, directly attached nets
[09:43:02] <marcos.sanz> Do we want to add discussion about DNS cookies?
[09:43:19] * marcos.sanz was joking
[09:43:47] * r@dk. is choking.
[09:43:57] <weiler> (about 7)
[09:44:24] <ogud> I think that cookies will be served up later in the meeting
[09:44:39] <Suzanne> I suspect many of us are just here for the cookies anyway
[09:44:51] --- joao@jabber.isc.org has joined
[09:45:04] <Jelte> draft default-local-zones
[09:45:09] <r@dk.> I know Eastlake is.
[09:45:13] <Jelte> discussion about 0/8 vs
[09:45:40] <weiler> there are cookies?
[09:46:02] <marcos.sanz> Clarification: The joke was about adding the cookies to the reflector document
[09:46:05] <axelm> the chocolate cookies are really good ;)
[09:46:13] <marcos.sanz> Otherwise cookies are something very serious
[09:46:15] <Jelte> are people happy with the title?
[09:46:36] <axelm> peter: anyone who thinks this is _not_ ready for WGLC?
[09:46:49] --- Bill has joined
[09:46:52] <Jelte> there is a list with volunteers for review
[09:47:17] <Jelte> anyone strongly opposed to last call?
[09:47:19] <axelm> no objections to go to WGLC
[09:47:31] <Jelte> next
[09:47:34] <Jelte> respsize-03
[09:48:33] <axelm> rob: discussion low, go to WGLC or kill it?
[09:48:47] --- johani@autonomica.se has joined
[09:48:56] <Jelte> anyone opposed to LC for this one?
[09:49:18] <Jelte> enough volunteers for review
[09:49:49] <axelm> sam weiler: do we just need reviewers, or do we additionally need to think this is a good idea?
[09:50:10] <axelm> rob: point of taking names is that WGLC will not be waste of time.
[09:51:31] <axelm> next: proposed WG preliminary milestones
[09:51:46] <axelm> local zones goes to LC in july
[09:51:54] <axelm> give it to iesg august
[09:52:21] <axelm> after that: reflect, then responsize. (to iesg in oct 2006)
[09:52:32] <Jelte> respsize WGLC in september
[09:52:42] <axelm> next: WG charter discussion.
[09:53:05] <Jelte> charter has been discussed last meeting and on the list
[09:53:25] <weiler> Peter: use a larger font
[09:53:50] <Jelte> only one document on the milestones list left
[09:54:18] <axelm> but 3 others which are not covered by milestones.
[09:54:43] <Jelte> and some points of discussion that could be new items for the WG
[09:55:00] <Jelte> list of 4 activities on screen
[09:55:49] <axelm> root servers no longer mentioned in charter - change?
[09:55:58] <Jelte> suggestion by ed lewis to include performance and benchmarking in the list
[09:56:42] <axelm> lars: root servers not special - not want to creation notion that those are special creatures.
[09:58:32] <axelm> rob:transport not just DNSSEC. ipv6?
[09:58:48] <Jelte> this is crossarea
[09:59:10] <Jelte> olaf: the charter is also something to communicate to other parties, so make it very explicit what it is you do and don't
[09:59:29] <Jelte> doesn't matter where in the charter, but mention it
[10:00:02] <axelm> peter: specific items might be milestone, not charter (milestone not as heavy)
[10:00:47] <axelm> rob: anycast?
[10:00:57] <axelm> has lot of implications...
[10:01:34] <Suzanne> "how DNS packets get there and back again" is a big topic
[10:01:36] <axelm> ross mundy: problem of middle boxes fits where?
[10:01:39] <Jelte> rob: transport type has implications for operational consideration
[10:01:56] <marz> s/ross/russ/
[10:02:01] --- matt has left
[10:02:17] <Jelte> rob: that could fit in the box i just mentioned
[10:02:42] <axelm> ed lewis: "dns choices" in the IAB since a long time. care about?
[10:03:02] --- mankin has joined
[10:03:58] <Jelte> ed: is it still being progressed?
[10:04:26] <Jelte> olaf: (as IAB member) we are planing to push this document
[10:04:28] <Jelte> really soon
[10:04:54] <Peter Koch> draft-iab-dns-choices-03.txt
[10:05:39] <axelm> patrik: have received quite a lot of comments about it.
[10:06:40] <axelm> peter: will see this doc as a start of series of docs - broader topic addressed in this WG, and covered by topic #4
[10:06:46] <Jelte> back to charter discussion
[10:07:07] <Jelte> is this an appropriate scope for the WG?
[10:07:14] <axelm> peter: anything missing or to drop from charter?
[10:07:53] <Jelte> rob: people in favour of adding performance and benchmarking?
[10:08:04] <axelm> hum: favour of adding performance and benchmarking to charter.
[10:08:42] <axelm> number of milestone candidates coming up later.
[10:09:04] <Jelte> draaft inaddr-required
[10:09:14] <axelm> only remaining item on milestones list.
[10:09:23] <Jelte> no review, discussion is circling, draft is expired
[10:10:20] <Jelte> the editor can't commit enough resources to the draft for various reasons, so a new co-editor was appointed
[10:10:27] <Jelte> that is andres sullivan
[10:10:31] <Jelte> andrew*
[10:10:40] <axelm> timeline proposed:
[10:10:47] <axelm> sep06: -08
[10:10:58] <axelm> oct2006: open issued fed to tracker
[10:11:09] <axelm> nov06: edit -09
[10:11:16] <axelm> jan07: WGLC
[10:11:31] <axelm> feb07: submit to IESG for BCP.
[10:11:52] <weiler> where's "kill it" on that timeline?
[10:11:57] <Jelte> rt.psg.com
[10:12:15] <jabley> sam: troublemaker!
[10:12:15] --- patrik has joined
[10:12:17] <Suzanne> weiler: you may fire when ready, I think
[10:12:46] <weiler> "pending substantive issues".... How about "if in absence of substantive support...."
[10:13:20] <axelm> rob: example for really bad filename - should we change filename and start over at -00?
[10:13:29] <axelm> hum requested.
[10:13:29] <Jelte> humming
[10:13:46] <axelm> agreed to change file name.
[10:13:59] <weiler> draft-ietf-dnsop-spam-is-king
[10:14:01] <axelm> peter: filename _not_ gonna discuss file name here.
[10:14:29] <Jelte> Other drafts
[10:14:43] <axelm> breaking news: LC for resolver behaviour just started
[10:14:58] <axelm> Other drafts.
[10:15:06] <Jelte> draft-krishnaswamy-dnsop-dnssec-split-view-02
[10:15:22] <suresh> I'm on jabber though :)
[10:15:24] <Jelte> there were comments, suresh will work on it
[10:15:28] <Bill> draft-ietf-dnsop-eb6a963ecd2ef014bff6106d5e7b410d
[10:15:43] <Jelte> do you want to say anything suresh?
[10:15:47] <suresh> will address comments ..
[10:15:48] <axelm> joe jabley talking.
[10:15:49] <weiler> suresh: are you listening to the audio?
[10:16:00] <axelm> "AS112" document stuff.
[10:17:14] <axelm> ISCs AS112 node serves ~3Mbit/s
[10:17:26] <Jelte> two individual submissions: draft-jabley-as112-ops-00 and draft-jabley-as112-somethingelse
[10:17:35] <axelm> few docs.
[10:17:47] <Bill> draft-jabley-as112-being-attacked-help-help
[10:17:49] <Jelte> no iana paper trail
[10:17:55] <Jelte> ah that one
[10:17:56] <Jelte> great filename
[10:18:37] <Jelte> problem for operators, no guidance on how to set it up
[10:19:09] <Jelte> which result in inconistensies and disincentive to roll out nodes
[10:20:21] <axelm> only avail doc on www.as112.net
[10:21:18] <Jelte> so ISC and IANA turn up in the logs of clients
[10:21:38] <Jelte> they are getting angry calls
[10:21:54] <axelm> how to handle process of eg. IANA delegating new zones to AS112
[10:23:16] <axelm> process for new transports...
[10:23:38] <Jelte> document would have empty reference section because there is no as112 doc
[10:23:41] <axelm> asking for adaoption of drafts.
[10:24:40] <axelm> peter asking for hands of intersection between AS112 operators and people who have read those docs - very few.
[10:27:12] <Jelte> rob: what work do you envision for the wg if we adopt?
[10:27:50] <Jelte> joe: reputation of having the wg adopt it is the main reason
[10:28:45] <Jelte> peter: i'm for the documents, but not sure if this wg should adopt this
[10:29:04] <Jelte> rob: this document would go for informational status
[10:29:39] <Jelte> mark: having the wg adopt this would be a good thing, it would give a lot of strength to the doc
[10:29:51] <Suzanne> "working group seal of approval"
[10:30:07] <geoff> Who's speaking?
[10:30:16] <Jelte> the co-author, didn't catch his name
[10:30:20] <ggm> Will Wheaton.
[10:30:25] <geoff> tx
[10:30:35] <ggm> or maybe he said Edith Wharton
[10:31:01] <Jelte> joe: it is central infrastructure, although it is not as important as some other things
[10:31:37] <weiler> swap the filenames
[10:31:43] <Suzanne> the draft says "W. Maton" is the co-author
[10:31:59] <ggm> well a W is just an M upside down so I was half right
[10:32:19] <Suzanne> ggm: yes, the glass is half full
[10:32:26] <ggm> or, in this case, 100% wrong.
[10:32:40] <ggm> don't turn that glass upside down...
[10:32:44] <Jelte> peter: there might be a third document to address the open issues
[10:33:05] <axelm> peter: enough people to find support for WG adoption, need to check against charter, though.
[10:33:21] <Suzanne> you mean the charter that is curently under revision? ;)
[10:33:24] <Jelte> adoption will be proposed on the mailing list
[10:34:24] <Bill> I'm hungry, is it time for cookies yet?
[10:34:30] <weiler> COOKIES
[10:34:32] <weshardaker> FINALLY
[10:34:35] <Jelte> hehe
[10:34:35] <axelm> petterson talking.
[10:34:53] <axelm> s/son/sen/
[10:35:05] <weshardaker> I've been wondering if shouting cookies in a IETF meeting was considered equiv. to shouting fire in a theater.
[10:35:14] <r@dk.> chocalate chip?
[10:35:17] <axelm> "validation of HTTP cookie domains"
[10:35:31] <axelm> recap what http cookies are.
[10:35:33] <weiler> wes: find out.
[10:36:00] <Jelte> i think it's more like shouting theater in a crowded fire
[10:36:04] <weshardaker> weiler: ok.
[10:36:06] <weshardaker> "COOKIES"
[10:36:08] <Suzanne> wes: preferably find out empirically.
[10:36:18] <weiler> Firefox's "Cookie Button" extension is very nice.
[10:36:18] <weshardaker> didn't work
[10:36:39] --- gordon.lennox has joined
[10:36:40] <geoff> Is this work from another WG or individual submission -- didn't catch?
[10:36:57] <Jelte> cookies can be set for a given server, or for a group of servers or withing the same (grand)parent domain as the server setting the cookie
[10:37:14] <axelm> problems with domains in cookies.
[10:37:40] <geoff> Actually I think what I'm asking is this likely to be proposed as a WG item for another WG?
[10:37:49] <axelm> original "one dot" in domain name spec does not work.
[10:37:51] <weiler> can we have the slides shown full-screen, please?
[10:38:05] <jabley> do you need binoculars?
[10:38:11] <axelm> eg. for 3rd level domain TLDs
[10:38:24] <weiler> a monocular would suffice.
[10:38:43] <jabley> a monocle would suit you, actually
[10:38:50] <Jelte> the rfc2965 'one-domain-up' doesn't work
[10:38:59] <weiler> YAY
[10:39:03] <Jelte> because lots of websites have deeper structures
[10:39:54] <Jelte> also problems with domains under for instance co.uk
[10:39:59] <howard_eland> can we get a larger screen?
[10:40:00] <axelm> some TLD's are "mixed" 3rd level 3nd level
[10:40:13] <weshardaker> you know, since cookie headers are limited to a certain size and a certain number of cookies, what happens if in evil.com I fill that and specify that it goes to applies to anywhere in com?
[10:40:34] <Jelte> so, how to limit cookies to be set for subTLD names?
[10:40:34] <weshardaker> (wonder if most browsers start with cookies in subdomains first when trying for the limit)
[10:40:43] <Jelte> you can't catch em all with blacklisting
[10:41:04] <jabley> enumerating the registration policies of all registries world-wide and keeping it up-to-date is a non-starter
[10:41:04] <weiler> "How to prevent setting cookies..." BY BLOCKING COOKIES.
[10:41:04] --- wfms has joined
[10:42:07] <Suzanne> weiler: luddite.
[10:42:11] <Suzanne> cookies are good.
[10:42:16] <Suzanne> cookies are our friends.
[10:42:19] <r@dk.> need coffee
[10:42:26] <wfms> mmmm...cookie
[10:42:39] <marcos.sanz> r@dk: lol
[10:42:45] <Jelte> a separate lookup service is possible, but would have to be deployed ( for every tld)
[10:43:14] <weiler> Cookie Lookaside Validation?
[10:43:16] <weshardaker> we're heading for a COOKIE RR type aren't we.
[10:43:24] <Jelte> a dns lookup for the IP address target domain would produce false negatives
[10:43:36] <jabley> if every registry made such a lookup service available, I expect it would be about as consistent and machine-readable as whois
[10:43:40] <jabley> i.e. not
[10:43:59] <Jelte> MSIE has a short blacklist
[10:44:01] <marcos.sanz> wes: the name is already taken http://www.ietf.org/internet-drafts/draft-eastlake-dnsext-cookies-00.txt
[10:44:07] <Jelte> Mozilla: unknown, has a configurable blacklist
[10:44:27] <weiler> can we do the Chinese firewall thing WRT cookies? (e.g., send TCP RST when we see them)
[10:44:42] <weshardaker> marcos.sanz: Ah. knew about teh draft, didn't know what he'd picked. good.
[10:44:58] <Jelte> Opera does a DNS lookup for certain cases
[10:45:36] <axelm> requirements:
[10:45:46] <axelm> must work when only HTTP is available
[10:45:59] <axelm> must not require OS level protocols (eg. DNS)
[10:46:36] <axelm> suggested action: alternative 1
[10:46:59] <axelm> tlds publish list of subtlds in XML format, clients fetch ~ once per month
[10:47:24] <axelm> (at most once per month)
[10:47:36] <axelm> suggested action: alternative 2
[10:48:17] <Jelte> use dns lookups for ip adderss
[10:48:26] <axelm> draft-petterson-dns-cookie-validate-00
[10:48:34] <Jelte> - easy to implement, does not need new protocol, is already used by sites
[10:48:58] <Jelte> but: not general, require mandated ip address policies for subTLD domains
[10:49:04] --- hpditt has left: Replaced by new connection
[10:49:34] <Jelte> and each webmaster must add ip address at their zone apex
[10:49:51] <Peter Koch> http://my.opera.com/yngve/blog/show.dml/267415
[10:49:58] <axelm> pettersen requests feedback on improvement or even alternatives
[10:50:40] --- narten has left
[10:50:44] <axelm> olaf: 3rd alternative would be to fix policy protocol of cookies itself...
[10:51:16] <axelm> olaf: should not assign meaning to position and content of label
[10:52:24] <Jelte> olaf quickly corrects himself about the ietf and hacks
[10:52:51] <Bill> is it time for _cookie_barrier.com?
[10:52:53] <Suzanne> That IAB hat is lying heavy on Olaf's head, but his point was that we probably shouldn't encourage/endorse hats
[10:52:57] <Suzanne> or hacks
[10:53:15] <Suzanne> "Friends don't let friends jabber on no sleep"
[10:53:17] --- mankin has left
[10:53:31] <Jelte> pekka: i remember this from some years ago, we were told to add an address at our zone, but we did not want to do that
[10:53:55] <Jelte> rob: (no hats) alternative two has no chance to get agreement
[10:54:17] <Jelte> it's misusing the reason to put addresses in the dns
[10:54:23] <Jelte> alternative one, maybe
[10:55:13] <Jelte> you could add an 'i am a registry' resource record in the dns
[10:55:39] <Jelte> mark: if we're going to use the dns for this, we'll need a new type
[10:55:56] <Jelte> you do not want to depend on the address being there
[10:56:11] <Jelte> rob: if you want to put it in the dns, put it in the dns for real
[10:56:42] <Jelte> peter: i have seen this a few times this week
[10:56:58] <Jelte> peter: administrative hierarchy has no connection with the DNS hierarchy
[10:58:15] <Jelte> we need to do something about this false assumption
[10:59:14] <Jelte> rob: remove scope issues by issuing cookies to this node and this node only
[10:59:26] <Jelte> your users would kill you, but hey
[10:59:43] --- satoru has joined
[11:00:30] --- johani@autonomica.se has left: Logged out
[11:01:25] --- r@dk. has left
[11:01:53] <Jelte> sam: consider the dangers of publishing policy
[11:02:24] <Bill> I thought he said the advantages of publishing policy
[11:02:27] <axelm> there is work on publishing policy in the DNS, btw: http://www.ietf.org/internet-drafts/draft-lendl-domain-policy-ddds-01.txt
[11:02:57] <Jelte> err right my bad
[11:02:57] <axelm> that uses NAPTR records to refer from a domain to a policy identifier.
[11:03:22] --- msj has left
[11:03:37] <axelm> draft-pappas-dnsop-long-ttl being presented
[11:04:33] <axelm> talking about TTL of "infrastructure" records (NS plus associated A/AAAA)
[11:05:15] --- satoru has left
[11:05:16] <axelm> existing stuff: 1034 (examples of host records), 1912 (TTL for SOA), 2308 (TTL for neg answers)
[11:05:35] <axelm> not seen a specific doc on "infrastructure" records
[11:05:50] <axelm> duck test: how long are TTLs actually?
[11:06:18] <axelm> ~50 % below 12h !
[11:06:46] <axelm> 1/3 less than an hour...
[11:07:00] <axelm> 0.3% have TTL of zero !
[11:08:20] <axelm> 7 TLDs with TTL less than / equal an hour
[11:08:32] <axelm> recommendations:
[11:09:19] <axelm> at least 1-3 days - preferable 3-7 days?
[11:10:09] <axelm> would increase resiliency of DNS to DDoS attacks
[11:10:17] <axelm> also improves performance
[11:10:22] <axelm> simple to deploy
[11:14:42] --- r@dk. has joined
[11:17:21] <marcos.sanz> Issues with longer TTLs? Dynamic DNS (no impact), all your load balancing games still work. There are potential inconsistencies between authoritative NS/A RRs and the caches, measurement shows that NS/A RRs do not change frequently (only 5% changed within a month). In case servers changed during cache lifetime: inconsistency can be resolved (by paying a cost of query delay) at the authoritative servers or at the parent.
[11:17:46] --- msj has joined
[11:18:26] <Jelte> question to the wg: are there any other issues?
[11:19:06] <Jelte> alex: customers want more or less live updates
[11:19:25] --- msj has left
[11:19:37] <Jelte> lars: it's important to convey the message that long TTL sends about the network
[11:19:40] --- Jim has left
[11:20:00] <axelm> lars: need to show tradeoffs.
[11:21:56] <Jelte> peter: this would have to be fitted in the schedule for something like the next year if we are doing rechartering
[11:22:10] <axelm> asking for sense of room whether working on that issue is a good idea?
[11:22:43] <axelm> lars: opposed on working on recommendations, but working on tradeoffs is fine.
[11:22:51] <Suzanne> documenting tradeoffs good, prescriptons not so good
[11:22:58] <axelm> mark: want recommendations for sub-minutes TTLs
[11:23:01] <Suzanne> unless you're Mark :)
[11:23:16] --- kivinen has left
[11:23:17] <Jelte> humming time
[11:23:25] <Jelte> for: a lot
[11:23:28] <Jelte> oppose: none
[11:24:04] --- ggm has left
[11:24:07] <Jelte> joe abley is volunteering
[11:24:13] <Jelte> howard
[11:24:59] <Jelte> reviewers: olafur, mark, geoff sisson
[11:25:10] <howard_eland> Greg Berezowsky
[11:25:12] <Jelte> someone who will tell his name to geoff
[11:25:17] --- wfms has left
[11:25:21] <simon.leinen> Greg Berezowsky
[11:25:23] <Jelte> frederico
[11:25:37] <geoff> tx
[11:25:37] --- rstory has left: Logged out
[11:25:42] <Jelte> i think i heard one or two other names
[11:25:52] <marcos.sanz> I don't know Mark, but Marcos will.
[11:26:05] <r@dk.> Didnt Jelte raise his hand?
[11:26:11] <Jelte> no
[11:26:23] <marcos.sanz> r@dk: Didn't YOU rais your hand?
[11:26:27] <Jelte> :p
[11:26:30] <geoff> I have: Fredrico, Marcos, Me, Olafur, Greg B, Andrew Sullivan. Did I miss anyone?
[11:26:39] <axelm> fenner: proposed a registry for _underscore names a year ago.
[11:26:53] <r@dk.> geoff: looks right.
[11:27:01] --- fneves has left
[11:27:41] <axelm> peter: different proposals exist, need to work on this. no conclusion right now probably
[11:27:55] <axelm> bill will send proposal to WG list.
[11:28:01] <Jelte> I/O with other WGs:
[11:28:11] <Jelte> dnsext, operations aspects of DNS cookies
[11:29:32] <Jelte> Olafur/Rob: does the operations community feel that we need this?
[11:29:45] --- simon.leinen has left
[11:30:45] <Jelte> lots of people have read it, noone seems to have an opinion about it (either in favour of or opposed to)
[11:30:54] --- RussM has left: Logged out
[11:30:58] <Jelte> olaf: i don't see how we would get this deployed
[11:31:51] <Jelte> rob: it would have been nice to have had this twenty years ago, but now it's too late to get this working
[11:32:17] --- Bill has left: Computer went to sleep
[11:32:18] --- Onak has left: Logged out
[11:32:46] <geoff> Who's speaking?
[11:32:56] <dblacka> Paul Wouters
[11:33:06] <geoff> tx
[11:33:11] <Jelte> paul wouters: having had a nameserver that had this problem, asking this to the operators is not right, it's the target that gets taken out, it's not an operational problem for the recursive nameserver
[11:33:40] <axelm> conclusion: chairs will phrase question to WG.
[11:34:02] --- dudi has left
[11:34:14] <Jelte> Enum: The Universal deployment of EDNS0
[11:34:14] --- mukamuk has left
[11:34:32] --- marz has left: Logged out
[11:35:13] <Jelte> request for the WG to look at the document from a dns viewpoint
[11:35:34] <axelm> lars: contains strongs words, review that and build opinion
[11:35:53] --- rloomans has left
[11:36:33] --- howard_eland has left: Logged out
[11:36:42] <Jelte> alex will copy the wg last call from enum to dnsop
[11:36:57] <Jelte> next item
[11:37:04] <Jelte> mboned: future of MCAST.NET
[11:37:21] <Jelte> a request for requirements was presented to mboned wg
[11:38:15] --- jabley has left: Logged out
[11:38:22] <Jelte> draft-ietf-v6ops-scanning-implications-00.txt
[11:38:44] <Jelte> ipv6 space is so huge that one could use this to hide or obsfuscate
[11:38:53] <Jelte> someone should look at this with reverse mapping in mind
[11:39:29] <Jelte> pointers will be sent to the list
[11:39:50] <Jelte> Ed lewis: DKIM is not on the I/O list
[11:40:00] <weiler> Ed is being a source of joy and love.
[11:40:17] <Jelte> Doug Otis: DKIM will have some impact on this wg
[11:41:09] --- raj has left: Replaced by new connection
[11:41:17] <Jelte> Doug has a draft about a non-spoofed reflector-like DOS with SPF
[11:41:48] <Jelte> he will send a pointer to the draft to the list
[11:42:14] --- Antoin has left
[11:44:23] --- gordon.lennox has left
[11:44:25] --- dblacka has left
[11:44:27] --- weshardaker has left
[11:44:29] --- Suzanne has left
[11:44:32] --- asullivan has left
[11:44:33] <Jelte> i didn't get both his name and hist request
[11:44:35] --- r@dk. has left
[11:44:44] --- marcos.sanz has left
[11:44:46] --- jdq has left
[11:45:06] --- suresh has left
[11:45:50] --- weiler has left
[11:45:57] --- jaap has left
[11:46:42] --- mike has left
[11:47:43] <Peter Koch> john schnitzlein was last at the mike
[11:48:00] --- axelm has left
[11:48:11] --- yone has left
[11:48:42] --- Peter Koch has left: Computer went to sleep
[11:50:58] --- marka has left
[11:51:33] --- joao@jabber.isc.org has left: Logged out
[11:55:53] --- geoff has left
[11:57:31] --- onak has joined
[11:58:45] --- onak has left
[11:59:13] --- patrik has left
[12:02:34] --- ogud has left
[12:04:14] --- mo7sen has left
[12:09:51] --- liman has left
[12:15:46] --- Jelte has left
[12:50:10] --- cary has left
[13:30:45] --- william.tan has left
[14:35:10] --- Bill has joined
[14:35:20] --- Bill has left
[17:15:33] --- liman has joined
[17:16:09] --- liman has left