[07:06:25] tale has set the subject to: https://codimd.ietf.org/notes-ietf-109-add
[07:31:34] <Cullen Jennings> test
[07:31:49] <Ray Bellis> received
[07:32:36] <Tommy Jensen_869> And we didn't even get to "are you sure it's plugged in" yet
[07:40:59] <Bernie Hoeneisen> In my Browser I can see that "this room is still closed".
Is this a technical problem, or has the add meeting been canceled?
[07:41:12] <Benjamin Schwartz> ADD meeting is live and ongoing
[07:41:17] <Daniel Gillmor> https://az.conf.meetecho.com/conference/?group=add&short=&item=1 works for me
[07:43:14] <Bernie Hoeneisen> tnx. After clearing the browser cache, it works now
[07:44:24] <Christian Huitema> If the user does a request for _dns.resolver.arpa, then why not _dot.resolver.arpa?
[07:44:43] <Martin Thomson> still completely baffled by the insistence on the name and the IP being in the cert
[07:44:47] <Martin Thomson> you have a single reference identity
[07:45:03] <Peter van Dijk> Christian, through SVCB, that one _dns lookup will give you all your options
[07:45:10] <Martin Thomson> don't add more reference identities
[07:45:35] <Daniel Gillmor> @Martin -- maybe it's to handle the case where the user has configured by saying "8.8.8.8" thinking that they know what that is?
[07:46:01] <Martin Thomson> dkg: that is fine, because 8.8.8.8 is the reference identity, and the only SAN that needs to be present
[07:46:01] <Daniel Gillmor> but i agree that it's strange to require it if the user *hasn't* formally added the IP address itself
[07:46:13] <Martin Thomson> the other stuff has no hope of being tied to anything you might trust
[07:46:15] <Ray Bellis> this looks a little like my draft-bellis-dns-recursive-discovery-00 from 2009
[07:47:07] <Christian Huitema> Putting an RFC 1918 address in a certificate? What can possibly happen?
[07:47:19] <mcr> it can't, so that situation won't work.
[07:47:33] <mcr> but it does work for 8.8.8.8 and your ISP, and all of your IPv6 goodness.
[07:47:39] <Benjamin Schwartz> It works, but only if the encrypted resolver is on the same RFC 1918 IP
[07:47:48] <Martin Thomson> mcr: you can use your own private anchors for other addresses
[07:48:08] <mcr> well, at the point where you've configured a private anchor, I think that maybe you don't need any of this.
[07:48:18] <Martin Thomson> mcr: 'twas mostly in jest :)
[07:48:44] <mcr> so everything other than what we just chatted about then?
[07:49:43] <Mohit Sethi> this ip address in certificate seems odd. and the fact that they might be private ip addresses. didn't the ipsec folks have to rely on Peer authorization database (PAD) for this?
[07:50:07] <Christian Huitema> How many turtles can we stack on the head of a pin?
[07:50:10] <mcr> Mohit, it won't work for private address. That's useless. So, stop asking.
[07:50:44] <Benjamin Schwartz> DEER _does_ work for private addresses, but only in "opportunistic mode", in which there is no certificate validation.
[07:50:50] <mcr> (I have no idea what the PAD reference is about)
[07:50:50] <Mike Bishop> meetecho, I'm getting significant swings in volume. It's not just variation between speakers; I'm getting it mid-sentence as people are talking.
[07:50:52] <Mohit Sethi> I am not asking or supporting that. I was just making sure I understand what the authors are suggesting here
[07:51:29] <Andrew Campling> @MCR So it won't work for many ISPs then as quite a few use RFC1918 addresses (with DNS forwarders)
[07:51:32] <Mohit Sethi> PAD = Mapping between authenticated names and IP addresses
[07:51:32] <Vittorio Bertola> If it doesn't work with private addresses it's not very useful, at least not in mass consumer networks I know of. So I'm still trying to figure this out.
[07:51:39] <Meetecho> Mike Bishop: that's weird, it may be the OS changing the volume of the browser dynamically in response to something?
[07:51:57] <Meetecho> The stream itself is consistent (it is for us at least)
[07:52:19] <Tirumaleswar Reddy.K> the draft is targeting discovery of public DNS servers
[07:52:21] <mcr> There are ISPs that have their ISP-wide DNS servers on RFC1918 addresses within their network? Even the morons at the telephone company here who can't do reverse DNS at all, don't do that.
[07:52:33] <Tommy Jensen_869> Coauthor here: we are specifically following the chair's guidance to scope our solutions. This draft targets IP address bootstrapping for public addresses and opportunistic for same-address upgrade
[07:52:35] <AlisterWinfield SKY> No more that the CPE is a proxy / cache
[07:52:37] <Christian Huitema> "reconnecting"
[07:52:47] <Tommy Jensen_869> We do not claim it targets all scenarios
[07:52:49] <Mike Bishop> Meetecho: Reasonable theory, but I didn't have that last session. But if it's just me, carry on. :-)
[07:53:38] <Christian Huitema> From my ISP: " DNS Servers . . . . . . . . . . . : 192.168.1.254"
[07:53:52] <mcr> And, that's not on your LAN?
[07:53:53] <Martin Thomson> Ralf Weber: can't multiple resolvers be upgraded each in turn?
[07:54:13] <Vittorio Bertola> @Christian: that's your local router/CPE, right? Then the upstream resolver possibly has a public address.
[07:54:14] <mcr> @Christian, I think that your ISP won't be smart enough to implement this anyway :-)
[07:54:16] <Mohit Sethi> in IKE you receive a server certificate which doesn't have an IP address, but IPSEC is configured for IP addresses. how do you do a secure mapping. this is what the PAD is supposed to do and perhaps what the authors want. @MCR: It's okay if you don't immediately understand the relation here. but i hope this clarification helps.
[07:54:19] <Ralf Weber> Sure, but what if one is upgraded and one not
[07:55:07] <mcr> Mohit, kernel PADs with only IP addresses are fictions created by RFC2401. Real IKE daemons don't do it that way.
[07:55:48] <Mohit Sethi> indeed. it is conceptual; not implemented as an actual database
[07:55:51] <Christian Huitema> Yes, that's the IP of my router. I have no idea what the IP of the resolver behind that is...
[07:56:38] <mcr> Christian, then if it forwards blindly to your ISP, then your ISP will reply with the SVCB record of their real DoT/DoH end-point, right?
[07:57:16] <Christian Huitema> Hopefully...
[07:58:07] <Martin Thomson> Tommy's explanation of how the upgrade for DoH from an IP works is problematic. The way you avoid that is to insist on `https://$IP/path` being the DoH template.
[07:58:27] <Vittorio Bertola> The problem is that if you then add a requirement that the "real" endpoint replies with a certificate for the "original" IP address (i.e. a private one), it won't be feasible in practice - am I wrong?
[07:58:45] <Vittorio Bertola> @Martin: even if you want to be more flexible, if we assume that the client already gets the name of the final resolver via DHCP/RA, don't we just need some DoT/DoH discovery mechanism available directly at that name?
[07:59:04] <Ray Bellis> this was what my 2009 draft was trying to address
[07:59:09] <Tommy Jensen_869> Vittorio is correct. DEER would not allow a local forwarder to refer a client to a public server given the cert can't claim the referring IP
[07:59:37] <Martin Thomson> Vittorio: not sure that I follow that. If the DHCP/RA gives you a reference identity, then that works fine, but if you can do that then you can provide ALL the discovery information.
[08:00:08] <Jonathan Lennox> Home routers get upgraded when their fans die. Fortunately, this happens fairly frequently.
[08:00:23] <Ray Bellis> home routers don't get upgraded often at all
[08:00:31] <Martin Thomson> On timescales in the order of 10 years, jonathan
[08:00:40] <Tirumaleswar Reddy.K> hosting DoH/DoT servers on private IP addresses and discovery is discussed in https://tools.ietf.org/html/draft-btw-add-home-10
[08:00:41] <Vittorio Bertola> @Martin: I was commenting on the fact that previously during the discussion it was said that you could get the reference identity via DHCP/RA. And you're right, you could just get the DoH template directly. So I'm not sure of the use case that DEER is addressing.
[08:00:45] <Jonathan Lennox> Yeah, sadly their hardware builds have gotten better
[08:00:47] <Ray Bellis> and their DNS resolvers / forwarders are frequently problematic
[08:00:59] <Ralf Weber> That really depends. There are ISP managed routers as well as router vendors backing auto update in these days
[08:01:07] <Vittorio Bertola> Apologies for being slow :)
[08:01:11] <Eric Orth> Non-updated home routers seem to me to be one of the most important cases to solve. But I also agree that it's hard to find that solution, so it seems reasonable to solve the easier cases first.
[08:01:12] <Martin Thomson> DEER is trying to attack the problem of the private DNS relay/proxy
[08:01:31] <Martin Thomson> half-way
[08:01:31] <Andrew Campling> @Jonathan: experience from some ISPs shows routers still running after 10+ years
[08:01:39] <Vittorio Bertola> Ok, but if the private relay has a private IP address it won't work, right?
[08:01:49] <Martin Thomson> yes, they all choke
[08:02:13] <Jana Iyengar> @Martin: What do you mean by "choke"?
[08:02:24] <Martin Thomson> your home NAT doesn't answer to TLS on port 853
[08:02:38] <Martin Thomson> most don't respond to TLS port 443
[08:02:41] <Jana Iyengar> Yup, oh, so you mean that they basically don't respond
[08:03:04] <Ray Bellis> most don't even do DNS over TCP
[08:03:19] <Martin Thomson> opportunistic in this case works fine; you just don't have a reference identity
[08:03:27] <mcr> it could plug 853 through to the DNS IP it got via DHCP. That could be written in a document. It won't be true today. But, port 853 is probably closed right now. Maybe upgrade fails in that case.
[08:03:43] <Christian Huitema> Easy. Dumb resolvers of dumb ISP typically forward to 8.8.8.8 because that's economical. The path to DoH is easy...
[08:04:00] <Ray Bellis> most routers just have relatively dumb DNS ALGs that don't work properly. See RFC 5625.
[08:04:08] <AlisterWinfield SKY> The real issue is that value engineering often means features are limited by CPE resources (mostly memory or OS flash) oh and engineering resources to support the number of hardware versions.
[08:05:41] <Daniel Gillmor> we can hear you
[08:06:43] <Harald Alvestrand> Declaring this problem unsolvable seems like a valid option.
[08:06:51] <Glenn Deen> this is a practical example of half vs full duplex
[08:07:30] <Christian Huitema> What if the special use name returned an FQDN instead of an IP address?
[08:08:13] <Vittorio Bertola> That's the idea in other drafts. The problem is how do you deal with potential spoofing of the reply to the query for the SUDN.
[08:08:44] <Vittorio Bertola> (being a SUDN, you can't DNSSEC-sign it)
[08:09:38] <Daniel Gillmor> can't such an attacker pull off a one-time attack anyway, by routing you to their preferred IP address?
[08:09:59] <Daniel Gillmor> (via DHCP/RA)
[08:10:15] <Benjamin Schwartz> (I think we are talking about resolver equivalence.)
[08:10:52] <tale> a fair point
[08:11:39] <Vittorio Bertola> Thanks for these data. 85% is even more than I thought.
[08:11:41] <Ted Hardie> Do the Cellular folks also give private addresses? Those are a big chunk of users, but not exactly 10 year old wifi routers.
[08:12:28] <Andrew Campling> Also, many non-US ISPs use RFC1918 addresses for current routers, not just old ones
[08:12:36] <Christian Huitema> What David said about cheap resolver forwarding to 8.8.8.8 or 1.1.1.1, we also see in statistics collected by APNIC.
[08:12:38] <Jim Reid> They used to Ted, but 10/8 isn't big enough for some of them.
[08:12:48] <Tommy Jensen_869> @Daniel, it's possible, but if the traffic is left unencrypted, the network authority is still capable of filtering traffic for example. Establishing an encrypted channel will prevent that. Encrypted to the right person > In the clear > encrypted to the wrong person
[08:12:58] <Ted Hardie> @Jim ULA now?
[08:13:13] <Ted Hardie> @Jim or CGN?
[08:13:27] <Daniel Gillmor> @Tommy why is "in the clear" > "encrypted to wrong person" ?
[08:13:38] <Jim Reid> @Ted any or all of these... :-(
[08:13:51] <Kazunori Fujiwara> Who issues the _dns.resolver.arpa certificate?
[08:13:53] <Daniel Gillmor> because the "helpful" network operator can protect cleartext queries?
[08:14:16] <Tommy Jensen_869> Or the user's PiHole for another example
[08:14:46] <Daniel Gillmor> the PiHole is a "helpful" network operator by definition, right?
[08:14:55] <Tommy Jensen_869> Sure, semantics.
[08:15:03] <Daniel Gillmor> if the user is cooperating with the PiHole, they have other options
[08:15:13] <tale> Semantics is everything in standards...
[08:15:23] <Christian Huitema> Actually, the APNIC study shows another way. Do a "who am I" query to a trusted authoritative. Such as "resolve <uniquerandom>.special-trusted-resolver.org", which returns the IP of the recursive resolver from which the query arrives.
[08:15:23] <Daniel Gillmor> if the user is not cooperating with the PiHole, then i don't see why they should prefer its protections
[08:16:51] <Christian Huitema> +1 EKR
[08:16:54] <Andrew Campling> I agree with ekr
[08:17:13] <Jason Weil> For ISP managed routers at least in North America, I believe you will see movement towards the use of publicly addressable DoH resolvers and away from private addressed local resolvers for various reasons
[08:17:15] <Leif Johansson> Is anyone seriously thinking there is a way to maintain a list of "good" resolvers?
[08:17:30] <Benjamin Schwartz> Kazunori: There is no certificate for that name. It's only used in the DNS, not as a "reference identity".
[08:18:11] <Jim Reid> @Leif, isn't that what Mozilla's TRR list does?
[08:18:32] <Martin Thomson> that's our opinion about "good"
[08:19:01] <Leif Johansson> I'm sure ppl are maintaining lists - I don't think those lists are maintained in anything close to a sensible way.
[08:19:03] <Ralf Weber> And a lot of good resolvers (in my book) can't fulfill that
[08:19:09] <AlisterWinfield SKY> But that option is unlikely to be scalable to every DNS service on the Internet
[08:19:10] <Tommy Jensen_869> I would say any given implementation labeling a resolver as "good" is a policy decision a bootstrapping mechanism should not take into effect.
[08:19:15] <Mike Bishop> That's a much more sane definition of "equivalent" than simply being managed by the same entity.
[08:19:30] <Ralf Weber> I think that maintaining a list of all the internet resolvers is not doable
[08:19:32] <Patrick Tarpey> TRR is hard baked in Chromium & Firefox source code..
[08:19:46] <Leif Johansson> Are we creating another instance of root-CA maintenance chaos?
[08:19:47] <ekr@jabber.org> @Patrick: well, I think we actually have some way to remotely update it.
[08:20:11] <Andrew Campling> We do have a draft European DNS Resolver Policy document that could define "good" for some circumstances. But of course defining a good resolver feels like policy, and that is out of scope for the working group.
[08:20:12] <Patrick Tarpey> There needs to be a means of fair access to the TRR list, perhaps modeled on HSTS....
[08:20:33] <ekr@jabber.org> @Patrick: HSTS doesn't have a policy component. This does.
[08:20:53] <Daniel Gillmor> the preload list is a kind of policy component
[08:21:10] <Patrick Tarpey> It's a bottleneck... technological and competition....
[08:21:12] <ekr@jabber.org> @DKG: well, we don't like care if you are a bad actor before we add you.
[08:21:17] <ekr@jabber.org> @DKG: well, we don't like care if you are a bad actor before we add you.
[08:21:22] <ekr@jabber.org> ... to the TRR list
[08:21:36] <Vittorio Bertola> As a minimum, you would need to allow multiple "TRR list providers" with multiple definitions of "good" to choose from. But it looks quite complicated.
[08:21:51] <Jonathan Lennox> EKR: So what makes it a "Trusted" resolver?
[08:22:10] <Martin Thomson> OK, I see your point ekr, thanks.
[08:22:19] <Daniel Gillmor> +1 to ekr's voiced comment
[08:22:21] <ekr@jabber.org> Jonathan Lennox https://wiki.mozilla.org/Trusted_Recursive_Resolver
[08:24:14] <Leif Johansson> that document doesn't say anything about how you get on the trr
[08:24:26] <Daniel Gillmor> +1 ted
[08:24:43] <ekr@jabber.org> @Leif: wrong link, sorry https://wiki.mozilla.org/Security/DOH-resolver-policy
[08:24:48] <tale> closing the queue
[08:24:49] <ekr@jabber.org> +1 Ted as well.
[08:25:04] <ekr@jabber.org> That's a good way of defining the "gives the right responses" prong
[08:25:28] <Vittorio Bertola> yes, +1 to Ted. Perhaps we will discover that we need to focus on sub-cases of equivalence rather than on a generalized equivalence concept.
[08:26:41] Monika Ermert leaves the room
[08:26:42] Qin Wu leaves the room
[08:26:42] Kris Shrishak leaves the room
[08:26:42] Duane Wessels leaves the room
[08:26:42] Sergey Myasoedov leaves the room
[08:26:42] Greg Wood leaves the room
[08:26:43] Francois Ortolan leaves the room
[08:26:44] Chris Lemmons leaves the room
[08:26:44] Joseph Kalfa leaves the room
[08:26:44] Naveen Kumar leaves the room
[08:26:45] Marco Davids leaves the room
[08:26:45] Daniel Gillmor leaves the room
[08:26:46] Nicolai Leymann leaves the room
[08:26:46] <mcr> oops. looks like a big network split.
[08:26:46] Simon Hicks leaves the room
[08:26:46] Michael Richardson leaves the room
[08:26:47] Dan McArdle leaves the room
[08:26:47] Sean Turner leaves the room
[08:26:48] Stephanie Ifayemi leaves the room
[08:26:48] Cullen Jennings leaves the room
[08:26:49] Chris Box joins the room
[08:26:49] Farni Boten leaves the room
[08:26:49] Kirsty P leaves the room
[08:26:50] Eric Kinnear joins the room
[08:26:50] Nitin Batta leaves the room
[08:26:50] David Lawrence leaves the room
[08:26:50] Pete Resnick leaves the room
[08:26:51] Jari Arkko leaves the room
[08:26:51] Ted Hardie joins the room
[08:26:51] Glenn Deen leaves the room
[08:26:52] Mike Bishop leaves the room
[08:26:53] Daniel Gillmor joins the room
[08:26:54] Eric Orth joins the room
[08:26:55] Xavier de Foy joins the room
[08:26:56] Pete Resnick joins the room
[08:26:57] Lorenzo Colitti joins the room
[08:26:58] Benjamin Schwartz joins the room
[08:26:59] Olaf Kolkman leaves the room
[08:27:02] <mnot> ooh, wow
[08:27:02] Alissa Cooper joins the room
[08:27:03] Christopher Wood leaves the room
[08:27:03] <Tommy Jensen> Meetecho got tired of listening to us apparently
[08:27:04] Olaf Kolkman joins the room
[08:27:06] Kris Shrishak joins the room
[08:27:07] <Barbara Stark-jabber> Wow. Everyone's leaving.
[08:27:09] Jonathan Reed joins the room
[08:27:10] Jonathan Lennox joins the room
[08:27:13] Simon Hicks joins the room
[08:27:16] <mcr> browser says that the network is splot.
[08:27:17] Sara Dickinson joins the room
[08:27:18] Duane Wessels joins the room
[08:27:19] <mcr> slow.
[08:27:19] <Meetecho> Looking into this
[08:27:19] Cullen Jennings joins the room
[08:27:19] <Daniel Gillmor> it was like "that dkg guy is so boring"
[08:27:19] Ralf Weber joins the room
[08:27:20] Shumon Huque joins the room
[08:27:21] Jana Iyengar joins the room
[08:27:22] <Barbara Stark-jabber> DKG was censored!
[08:27:23] <Jim Reid> I got kicked out
[08:27:23] <mnot> not… goood…
[08:27:26] <mcr> my window on cose has not stopped.
[08:27:27] Lorenzo Colitti leaves the room
[08:27:27] Patrick Tarpey joins the room
[08:27:29] Nicklas Pousette joins the room
[08:27:30] Bernie Hoeneisen_934 joins the room
[08:27:31] Greg Wood joins the room
[08:27:32] Daniel Migault joins the room
[08:27:32] <Ted Hardie> I also got booted
[08:27:32] Lorenzo Colitti joins the room
[08:27:34] Robert Story joins the room
[08:27:34] <Tommy Jensen> @dkg lol
[08:27:35] Mohit Sethi joins the room
[08:27:38] tim costello joins the room
[08:27:39] Phillip Hallam-Baker joins the room
[08:27:39] Barry Leiba joins the room
[08:27:39] Andrew Campling joins the room
[08:27:40] <Christian Huitema> Lost audio
[08:27:40] Dan McArdle joins the room
[08:27:40] Corinne Cath leaves the room
[08:27:40] Martin Thomson joins the room
[08:27:41] Tommy Pauly joins the room
[08:27:44] Roman Danyliw joins the room
[08:27:44] Corinne Cath joins the room
[08:27:45] Glenn Deen joins the room
[08:27:45] Tadahiko Ito joins the room
[08:27:48] Merike Kaeo joins the room
[08:27:49] Ted Hardie leaves the room
[08:27:49] <Jonathan Lennox> I had to reload the meetecho tab, the page became nonresponsive
[08:27:49] Junyu Lai joins the room
[08:27:50] Mark Nottingham joins the room
[08:27:53] <AlisterWinfield SKY> CPU spike and browser vvv-unhappy
[08:27:54] <Benjamin Schwartz> My page got hung up on a blocking JS call
[08:27:54] Ralf Weber leaves the room
[08:27:54] Mike Bishop joins the room
[08:27:54] Ted Hardie joins the room
[08:27:56] Antoin Verschuren joins the room
[08:27:56] Gianpaolo Scalone joins the room
[08:27:56] John Woodworth joins the room
[08:27:57] Alexander Mayrhofer joins the room
[08:27:57] Nancy Cam-Winget joins the room
[08:28:00] Sean Turner joins the room
[08:28:03] Christian Huitema_120 leaves the room
[08:28:03] Monika Ermert joins the room
[08:28:03] Jari Arkko joins the room
[08:28:04] Nicolai Leymann joins the room
[08:28:05] Patrick Tarpey leaves the room
[08:28:06] Cullen Jennings leaves the room
[08:28:07] <Eric Orth> Page was non-responsive until reload for me as well.
[08:28:09] Valery Smyslov joins the room
[08:28:10] Christian Huitema_301 joins the room
[08:28:12] <mnot> Ben: The Internet got caught on a blocking JS call, I think
[08:28:12] Alister Winfield joins the room
[08:28:13] David Schinazi joins the room
[08:28:13] <Martin Thomson> wow, meetecho, that was not good, everyone deadlocked at the same time
[08:28:13] Michael Richardson joins the room
[08:28:17] <tale > Yes, looks like everyone
[08:28:18] Tommy Jensen_965 joins the room
[08:28:19] Harald Alvestrand joins the room
[08:28:19] Bruno Teixeira leaves the room
[08:28:20] Sergey Myasoedov joins the room
[08:28:20] <tale > ha @ mnot
[08:28:21] <Jari Arkko> reload needed here too
[08:28:24] <Vittorio Bertola> Javascript killed the Internet :-D
[08:28:25] Mohit Sethi leaves the room
[08:28:27] Eric Rescorla joins the room
[08:28:27] Stephen Farrell joins the room
[08:28:27] Richard Wilhelm joins the room
[08:28:28] Kazunori Fujiwara joins the room
[08:28:29] <Nicolai Leymann> Here as well
[08:28:30] Igor Lubashev joins the room
[08:28:31] Geoff Huston joins the room
[08:28:32] Paolo Saviano joins the room
[08:28:32] Mohit Sethi joins the room
[08:28:32] Stephanie Ifayemi joins the room
[08:28:34] Roland Schott joins the room
[08:28:35] <Christian Huitema> reload worked
[08:28:36] Kirsty P joins the room
[08:28:36] <Daniel Gillmor> have you tried turning it off and turning it on again?
[08:28:36] Gianpaolo Scalone leaves the room
[08:28:37] <mnot> Vittorio: We should have seen that one coming…
[08:28:39] Peter Koch joins the room
[08:28:41] Naveen Kumar joins the room
[08:28:42] David Lawrence joins the room
[08:28:42] Linlin Zhou joins the room
[08:28:44] Antoin Verschuren leaves the room
[08:28:45] <Jim Reid> Audio and video have died too. I think we should quit for the day.
[08:28:45] Gianpaolo Scalone joins the room
[08:28:45] <Pete Resnick> Sounds like we're back.
[08:28:45] Marcus Ihlar joins the room
[08:28:53] <Jonathan Lennox> I'm hearing Glenn
[08:28:54] Francois Ortolan joins the room
[08:28:54] Igor Gashinsky joins the room
[08:28:54] Cullen Jennings joins the room
[08:28:56] <Jana Iyengar> I can hear Glenn now
[08:28:58] Mark Andrews joins the room
[08:29:01] <Jonathan Reed> I can hear Glenn now, but there's also only 2 minutes left...
[08:29:03] Chi-Jiun Su joins the room
[08:29:03] Jason Weil joins the room
[08:29:03] Barbara Stark joins the room
[08:29:09] Mohit Sethi leaves the room
[08:29:10] Leif Johansson joins the room
[08:29:12] Mohit Sethi joins the room
[08:29:15] <Merike Kaeo> wow that was weird....
[08:29:16] Stephen Farrell leaves the room
[08:29:16] <sftcd> "page unresponsive" here
[08:29:17] <Andrew Campling> Worth moving to the next session?
[08:29:17] <tale > I'm still hosed
[08:29:20] Rick Alfvin joins the room
[08:29:25] David Lawrence leaves the room
[08:29:28] Naveen Kumar leaves the room
[08:29:29] Chris Lemmons joins the room
[08:29:29] Francois Ortolan leaves the room
[08:29:32] Francois Ortolan joins the room
[08:29:33] <Barbara Stark-jabber> As notetaker: Did I miss anything?
[08:29:33] David Lawrence joins the room
[08:29:41] Igor Gashinsky leaves the room
[08:29:44] Bernie Innocenti joins the room
[08:29:46] Naveen Kumar joins the room
[08:29:50] Ralf Weber joins the room
[08:29:50] James Gould joins the room
[08:29:50] Chi-Jiun Su leaves the room
[08:29:50] Jason Weil leaves the room
[08:29:56] <Andrew Campling> @Barbara: no, pretty much everyone had to reset
[08:29:59] <tale > i'm back
[08:29:59] Joey Salazar joins the room
[08:30:00] Chris Lemmons leaves the room
[08:30:03] Igor Gashinsky joins the room
[08:30:05] Zaid AlBanna joins the room
[08:30:06] <Martin Thomson> dkg++: qname minimization, client subnet, logging of queries, etc...
[08:30:07] <Alissa Cooper> Agree with DKG, a binary equivalence concept seems like it doesn't accommodate any richness of semantics
[08:30:09] Chris Lemmons joins the room
[08:30:09] <Tommy Jensen_965> I feel like scoping "same functionality" without any additional conditions turns into a policy discussion. Does "same functionality from same entity" make more sense? Otherwise we'll need a well-defined mechanism for server behavior, which sounds just like policy to me.
[08:30:20] Takahiro Nemoto joins the room
[08:30:24] Jason Weil joins the room
[08:30:26] Stephen Farrell joins the room
[08:30:30] Chi-Jiun Su joins the room
[08:30:32] <Leif Johansson> I undeservedly swore at my wifi :-)
[08:30:34] Burt Kaliski joins the room
[08:30:35] <mcr> dkg, ekr, these are all important concerns, but it seems to apply to Do53 and DoT equally. We just want to know if we are being screwed equally/equitably by each method, right?
[08:30:36] Peter van Dijk joins the room
[08:30:54] Tommy C joins the room
[08:30:59] Peter van Dijk leaves the room
[08:31:02] Peter van Dijk joins the room
[08:31:14] Barry Leiba (jabber) leaves the room
[08:31:16] <Daniel Gillmor> thanks to the chairs and to the meetecho team for coping gracefully here despite the breakage
[08:31:18] <Jari Arkko> Trying to think what the conclusion is. I think we can reasonably find a way to upgrade connection to encrypted and to the same entity that gave us the original unencrypted one. That's very useful. There are of course other things, but most of those are policy-dependent, e.g., who do you trust.
[08:31:18] Chi-Jiun Su leaves the room
[08:31:19] Oshani Dayaratna joins the room
[08:31:19] Igor Gashinsky leaves the room
[08:31:23] Geoff Huston leaves the room
[08:31:23] Chi-Jiun Su joins the room
[08:31:23] Valery Smyslov leaves the room
[08:31:24] Christian Huitema_301 leaves the room
[08:31:27] Barry Leiba leaves the room
[08:31:27] Tommy Pauly leaves the room
[08:31:28] Sergey Myasoedov leaves the room
[08:31:28] Francois Ortolan leaves the room
[08:31:28] Shumon Huque leaves the room
[08:31:29] Martin Thomson leaves the room
[08:31:29] Alexander Mayrhofer leaves the room
[08:31:30] Eric Orth leaves the room
[08:31:30] Greg Wood leaves the room
[08:31:31] Pieter Lexis leaves the room
[08:31:31] James Gruessing leaves the room
[08:31:32] Mike Bishop leaves the room
[08:31:32] <Simon Hicks> bye
[08:31:32] Jonathan Reed leaves the room
[08:31:32] Merike Kaeo leaves the room
[08:31:32] Lorenzo Colitti leaves the room
[08:31:33] Marcus Ihlar leaves the room
[08:31:33] Pete Resnick leaves the room
[08:31:33] David Schinazi leaves the room
[08:31:34] Leif Johansson leaves the room
[08:31:34] Dan McArdle leaves the room
[08:31:34] Stephen Farrell leaves the room
[08:31:35] Richard Wilhelm leaves the room
[08:31:35] Kris Shrishak leaves the room
[08:31:35] Michael Richardson leaves the room
[08:31:36] Ralf Weber leaves the room
[08:31:36] Oshani Dayaratna leaves the room
[08:31:36] Alister Winfield leaves the room
[08:31:36] João Damas leaves the room
[08:31:37] Chris Lemmons leaves the room
[08:31:37] Cullen Jennings leaves the room
[08:31:37] Kirsty P leaves the room
[08:31:38] Mohit Sethi leaves the room
[08:31:38] Alissa Cooper leaves the room
[08:31:38] Nicklas Pousette leaves the room
[08:31:38] Ted Hardie leaves the room
[08:31:39] David Lawrence leaves the room
[08:31:39] Eric Rescorla leaves the room
[08:31:39] Igor Lubashev leaves the room
[08:31:40] Jim Reid leaves the room
[08:31:40] <Tommy Jensen_965> good $timeframe
[08:31:40] Dirk Hugo leaves the room
[08:31:42] Stephanie Ifayemi leaves the room
[08:31:42] Andrew Campling leaves the room
[08:31:43] Tadahiko Ito leaves the room
[08:31:43] Nitin Batta joins the room
[08:31:44] Eric Kinnear leaves the room
[08:31:45] Jana Iyengar leaves the room
[08:31:47] Gianpaolo Scalone leaves the room
[08:31:48] Tommy Jensen_965 leaves the room
[08:31:48] andrew_campling leaves the room
[08:31:49] Jonathan Lennox leaves the room
[08:31:49] Martin Wu leaves the room
[08:31:51] rickwilhelm-Verisign@jabb3r.org leaves the room
[08:31:52] Vittorio Bertola leaves the room
[08:31:55] Benjamin Schwartz leaves the room
[08:31:56] sftcd leaves the room
[08:31:56] Mark Nottingham leaves the room
[08:31:57] yone leaves the room
[08:31:57] Chi-Jiun Su leaves the room
[08:32:00] Jari Arkko leaves the room
[08:32:00] Mark Andrews leaves the room
[08:32:00] Harald Alvestrand leaves the room
[08:32:03] Xavier de Foy leaves the room
[08:32:05] Daniel Gillmor leaves the room
[08:32:05] Nitin Batta leaves the room
[08:32:06] Nicolai Leymann leaves the room
[08:32:07] tim costello leaves the room
[08:32:08] Tirumaleswar Reddy.K leaves the room
[08:32:12] jdub99@sure.im leaves the room
[08:32:14] Zaid AlBanna leaves the room
[08:32:14] Sara Dickinson leaves the room
[08:32:15] Jason Weil leaves the room
[08:32:15] John Woodworth leaves the room
[08:32:21] Jason Weil joins the room
[08:32:24] Peter Koch leaves the room
[08:32:28] Joey Salazar leaves the room
[08:32:29] James Gould leaves the room
[08:32:29] Hannu Flinck leaves the room
[08:32:40] Meetecho leaves the room
[08:32:44] Paolo Saviano leaves the room
[08:32:46] AlisterWinfield SKY leaves the room
[08:32:50] Nitin Batta joins the room
[08:32:53] Nancy Cam-Winget leaves the room
[08:32:53] Roland Schott leaves the room
[08:33:00] <Christian Huitema> The more I see that, the more I believe that throwing a server at the problem would help. "Tell me which recursive resolver I am using, tell me how it is rated". I suppose we could use something like oblivious DNS for that.
[08:33:08] Jason Weil leaves the room
[08:33:10] Marco Davids joins the room
[08:33:18] Nitin Batta leaves the room
[08:33:18] Burt Kaliski leaves the room
[08:33:24] Naveen Kumar leaves the room
[08:33:24] Marco Davids leaves the room
[08:33:27] Naveen Kumar joins the room
[08:33:29] Olaf Kolkman leaves the room
[08:33:38] <mcr> Tiru and I tried to get there, @Christian.
[08:33:39] Marco Davids joins the room
[08:33:41] Linlin Zhou leaves the room
[08:33:43] Bruno Teixeira joins the room
[08:33:48] Ole Trøan leaves the room
[08:33:51] <mcr> but, by "server", I think you mean, third party.
[08:33:56] Naveen Kumar leaves the room
[08:34:02] Glenn Deen leaves the room
[08:34:03] Marco Davids leaves the room
[08:34:09] Barbara Stark leaves the room
[08:34:11] Peter van Dijk leaves the room
[08:34:23] Takahiro Nemoto leaves the room
[08:34:27] mnot leaves the room
[08:34:30] Bruno Teixeira leaves the room
[08:34:31] Sean Turner leaves the room
[08:34:31] fightingnemo leaves the room
[08:34:34] Alessandro Amirante joins the room
[08:34:40] Monika Ermert leaves the room
[08:34:44] <Christian Huitema> Yes. Send a request to <encrypted.third-party.net>. Get encrypted info in the response.
[08:34:56] Qin Wu joins the room
[08:35:19] <mcr> The server itself can contain a signed attestation from the third party, so you don't even need to leak to the third party.
[08:35:25] Bernie Hoeneisen_934 leaves the room
[08:35:29] <mcr> the DNS resolver, I mean.
[08:35:29] Kohei Isobe joins the room
[08:35:30] Bernie Hoeneisen_753 joins the room
[08:35:36] Alessandro Amirante leaves the room
[08:35:36] Phillip Hallam-Baker leaves the room
[08:35:36] Bernie Hoeneisen_753 leaves the room
[08:35:36] Qin Wu leaves the room
[08:35:36] Kohei Isobe leaves the room
[08:35:36] Tommy C leaves the room
[08:35:36] Bernie Innocenti leaves the room
[08:35:36] Robert Story leaves the room
[08:35:36] Simon Hicks leaves the room
[08:35:36] Daniel Migault leaves the room
[08:35:36] Rick Alfvin leaves the room
[08:35:36] Roman Danyliw leaves the room
[08:35:36] Chris Box leaves the room
[08:35:36] Duane Wessels leaves the room
[08:35:36] Kazunori Fujiwara leaves the room
[08:35:36] Jiao Kang leaves the room
[08:35:36] Junyu Lai leaves the room
[08:35:36] Corinne Cath leaves the room
[08:35:59] <Christian Huitema> The client has a trust relation with the third party, which solves a lot of spoofing scenarios, etc.
[08:36:27] <Christian Huitema> I am going to sleep on it...
[08:36:32] <Christian Huitema> Good night.
[08:37:43] Jay Daley joins the room
[08:38:28] Jay Daley leaves the room
[08:40:31] <mcr> @Christian: draft-reddy-add-server-policy-selection-05
[08:40:36] mcr leaves the room
[08:41:13] neednnelg@sure.im joins the room
[08:44:08] neednnelg@sure.im leaves the room
[08:57:22] Ole Trøan_ leaves the room
[08:58:06] alex-meetecho leaves the room
[09:01:51] ihlar joins the room
[09:03:32] ihlar leaves the room
[09:03:59] ihlar joins the room
[09:11:50] Barbara Stark-jabber leaves the room
[09:18:41] ihlar leaves the room
[09:26:04] ihlar joins the room
[09:27:23] ihlar leaves the room
[09:29:12] vbertola joins the room
[09:29:41] Vittorio Bertola_ leaves the room
[09:31:28] ekr@jabber.org leaves the room
[09:32:51] Vittorio Bertola joins the room
[09:33:04] Vittorio Bertola leaves the room
[09:45:20] Christian Huitema leaves the room: Disconnected: closed
[09:54:41] tale leaves the room
[09:54:48] tale joins the room
[10:34:33] Dan York joins the room
[10:37:35] Tommy Jensen leaves the room
[11:01:38] ihlar joins the room
[11:17:29] ihlar leaves the room
[11:24:22] ko-isobe leaves the room
[11:41:28] tale leaves the room
[12:52:18] ihlar leaves the room
[14:28:15] ihlar joins the room
[17:07:18] ihlar leaves the room
[17:24:17] ihlar joins the room
[18:16:16] tale joins the room
[18:33:53] tale leaves the room: Disconnected: closed
[18:43:10] tale joins the room
[19:01:50] tale leaves the room: Disconnected: closed
[19:34:26] tale joins the room
[19:46:40] tale leaves the room
[19:47:01] tale joins the room
[19:47:10] tale leaves the room
[19:47:31] tale joins the room
[20:12:29] Ash leaves the room
[20:21:21] ihlar leaves the room
[21:00:05] Ash joins the room
[21:40:39] tale leaves the room
[23:36:30] Ash leaves the room: Disconnected: read timeout