[07:03:13] --- LOGGING STARTED
[07:05:00] --- LOGGING STARTED
[07:08:02] --- LOGGING STARTED
[07:09:21] --- LOGGING STARTED
[07:11:34] --- LOGGING STARTED
[11:05:05] --- ogudm has joined
[11:05:31] <ogudm> The meeting starts in less than 2 hours
[11:20:05] --- ogudm has left: Disconnected
[12:39:32] --- ogudm has joined
[12:39:50] <ogudm> Welcome to DNSEXT meeting
[12:54:43] --- brabson has joined
[12:54:50] --- warlord has joined
[12:54:50] --- brabson has left: Disconnected
[12:55:00] --- brabson has joined
[12:56:42] --- anewton has joined
[12:58:26] --- orange has joined
[13:00:11] <anewton> olaf kolkman: introducing meeting, if you use the mike, clearly state your name
[13:00:51] <anewton> ok: if you have notes, please forward them to chairs
[13:01:01] <anewton> ok: thanks Wes Griffin
[13:01:06] --- rajid has joined
[13:01:29] <anewton> ok: agenda: administrivia, working group doc status, call for interop reports, wild card clarify, dnssec-bis session
[13:01:31] --- wgriffin has joined
[13:01:33] <anewton> ok: additions?
[13:01:36] <anewton> room: none
[13:02:10] --- yone has joined
[13:02:10] <anewton> ok: issue tracker. purpose to keep track of issues. helps distinguish work for discussion
[13:02:12] --- dblacka has joined
[13:02:13] --- mellon has joined
[13:02:25] <anewton> ok: keep overview of issues on the list
[13:02:40] <anewton> ok: help track issues that are close, silent, or pending
[13:02:56] <anewton> ok: list participants should supply text to the tracker
[13:03:13] <anewton> ok: open issue with clearly defined subject and text describing change to the draft
[13:03:30] <anewton> ok: provides a forum to describe the issue
[13:04:08] <anewton> ok: forum can be found in monthly posting: https://roundup.machshav.com/dnsext/
[13:04:23] <anewton> ok: if doc editors decide to maintain their own list, they have chair blessing
[13:04:36] <anewton> ok: but interaction with the wg is important
[13:04:54] <anewton> ok: requests clarity in identifying issues
[13:05:00] <anewton> ok: questions?
[13:05:23] <anewton> ok: will ask for resubmission of issues if he finds problems with clarity
[13:05:30] <anewton> ok: wg docs review
[13:05:48] <anewton> ok: draft-ietf-dnsext-dnssec-intro, etc...
[13:06:13] <anewton> ok: docs in final stages: wglc summary, tkey-renewal, case-insensitive
[13:06:46] <anewton> og: will be sending all 3 next week
[13:07:07] <anewton> ok: waiting for 2535bis to referencing slide
[13:07:48] <anewton> ok: docs at iesg: axfr-clarify, delegation-signer, 2535typecode-change, keyrr-key-signing
[13:08:09] <anewton> ok: more docs @iesg
[13:08:34] <anewton> ok: dnssec-opt-in (needs non-standards track boilerplate, waiting on 2535bis)
[13:08:51] <anewton> ok: dhcid-rr - asks for info from dhcp wg
[13:09:09] <anewton> og: will ask AD if they can advance it because dhcp is 99% done
[13:09:24] <anewton> ok: dns-threats - needs more IESG review
[13:09:50] <anewton> rob austein: in AD evaluation. Thomas had comments.
[13:10:18] <anewton> ok: opcode discover - needed editorial changes and fell between the cracks, but is rolling again in Jan.
[13:10:30] <anewton> ok: rfc's published... (many)
[13:10:57] <anewton> ok: RIP since IETF57: dnssec-roadmap, ipv6-name-auto-reg, rfc2782bis
[13:11:07] <anewton> ok: call for interop reports.
[13:11:34] --- rajid has left: Replaced by new connection
[13:11:37] <anewton> ok: asking working group to provide interop reports
[13:11:50] --- rajid has joined
[13:11:51] <anewton> ok: work inside our charter
[13:12:15] <anewton> ok: would be nice to move these docs to draft standard. please send mail to list or chairs so they can coordinate if you are interested
[13:12:24] <anewton> ok: is anybody working on interop?
[13:12:34] <anewton> og: one group working on it, but no progress since Vienna
[13:12:57] <anewton> og: there are a number of other documents I would like to see go on... things that stay for too long should be thrown out.
[13:13:20] <anewton> ed lewis: the iesg will review after 18 months
[13:13:39] <anewton> russ mundie: chairs have done good job of categorizing, but helpful if it were done for the RFC's.
[13:13:50] <anewton> ok: that is in the charter
[13:13:55] <anewton> og: look at the milestones
[13:14:24] <anewton> ok: wildcard clarify: doc has new editor: Rob Ells?
[13:14:33] --- ggm has joined
[13:14:45] <mellon> kre - Robert Elz.
[13:14:57] <anewton> ok: issues with it: doc updates 1034, caching of qname=*.example
[13:14:59] <anewton> thank you
[13:15:18] <anewton> ok: *.<anydomain> where <anydomain> contains * labels.
[13:15:27] <anewton> ok: cname and the search alg.
[13:15:39] <anewton> ok: ns legality
[13:15:51] <anewton> ok: doc is more than clarification, it updates 1034
[13:16:32] <anewton> ok: summary of list on caching is that they should not try to be intelligent. only authoritative servers should do synthesis
[13:17:00] <anewton> ok: how do you treat * label in <anydomain>.
[13:17:29] <anewton> ok: summary of list, whenever * appears in <anydomain>, treat as normal character... only the * at the end will cause wildcard processing
[13:18:20] <anewton> ok: * CNAME. there is consensus is that 1034 if owner name matches wildcard, only CNAME is returned if qtype is CNAME.
[13:18:57] <anewton> ok: will lead to answers from a cache that is dependent on the query history
[13:19:29] <anewton> ok: if you ask cache for A record, then you will get nothing back. but if you ask for cname, you will get back the cname, on third try will get A back if you query for it.
[13:19:39] <anewton> ok: the answer history is different
[13:20:01] <anewton> ok: list says this is confusing behaviour. fixes: ban wildcard on cname, or fix alg.
[13:20:18] <anewton> ok: the summary is that the alg should be fixed to deal with * CNAME
[13:20:35] <anewton> ok: did anybody follow this:
[13:20:51] <anewton> otasan: doc should be included in set of std. track docs
[13:21:03] <anewton> ok: yes
[13:21:21] <anewton> ok: uncertain on how to deal with these changes... should they go in different docs
[13:21:25] <anewton> ok: open to suggestions
[13:21:37] <anewton> ot: all documents should be included
[13:21:53] <anewton> og: treat the cname change and ns change separately or different docs
[13:22:26] <anewton> sam w.: why dnssec bis is not normative on clarify
[13:22:35] <anewton> ed lewis: this document says something about dnssec
[13:22:45] <anewton> el: dnssec prompted this issue
[13:23:17] <anewton> ra: the reason we don't need a normative reference is because the reference no longer exists
[13:23:33] <anewton> ra: the rules are self-evident .. they didn't need to mention wildcards
[13:23:42] <anewton> ra: draft instrumental for dnssec
[13:23:48] <anewton> mike patton: one document
[13:24:04] <anewton> mp: procedurally it will be easier
[13:24:21] <anewton> mp: if one topic becomes controv., take it out
[13:24:28] <anewton> el: we already split it once in half
[13:24:36] <anewton> el: don't try to over process this
[13:24:45] <anewton> ok: last issue: ns record owned by a wildcard
[13:25:08] <anewton> ok: delegation split owned by wildcard.. thread on this issue is long and tough
[13:25:16] <anewton> ok: I am trying to summarize it
[13:25:32] <anewton> ok: * owned ns record above split is doable
[13:25:45] <anewton> ok: maybe there are people who can implement this
[13:25:59] <anewton> ok: opinions and good arguments, speak up
[13:26:02] <anewton> ra: pure evil
[13:26:07] <anewton> ra: too complex
[13:26:25] <anewton> ot: draft needs clarification
[13:26:31] --- mellon has left: Disconnected
[13:26:42] <anewton> ot: it is not very clear
[13:26:59] <anewton> I didn't catch that.
[13:27:16] <ggm> [me neither -ggm]
[13:27:22] <anewton> ot: thinks it is not very useful
[13:27:37] --- mellon has joined
[13:27:50] <anewton> ok: agrees to split easiness and protocol possibility
[13:28:18] <anewton> marc andrews: having the protocol allow this means that you have a parent zone delegating on multiple levels and cut points because * does not match a single label
[13:28:32] <anewton> ma: adv. NS records at a higher level in the tree
[13:28:47] <anewton> og: will the rules for dname be diff for cname
[13:28:53] <anewton> ma: dname makes no sense
[13:29:01] <anewton> ma: all dname processing in the resolvers
[13:29:28] <anewton> ma: you can get really weird records in caches
[13:29:59] <anewton> el: dname is not mentioned because 1035 did not mention it and dname came later. dname has a lot of problems, this isn't the biggest
[13:30:19] <anewton> paf: where do we write we should not use dname
[13:30:35] <anewton> paf: where is the protocol specification and administrative implementations
[13:30:48] <anewton> paf: mentions IAB wildcard response
[13:31:17] <anewton> mp: too much emphasis on how to handle this. does anybody have a compelling use for this?
[13:31:27] <anewton> mp: many people feel it is dangerous
[13:31:38] <anewton> mp: the better option is to say don't do it
[13:31:58] <anewton> ok: the behaviour is under specified in the current std
[13:32:06] --- mellon has left: Disconnected
[13:32:15] <anewton> mp: yes, but should we outlaw it (yes or no)
[13:32:25] <anewton> mp: probably consensus to just outlaw it
[13:32:53] <anewton> ok: people haven't thought of this, thinking about asking the sense of the room. asks the room.
[13:33:08] <anewton> ok: is outlawing * NS is a bad idea
[13:33:25] <anewton> og: do people feel qualified to answer this question?
[13:33:42] <anewton> ok: is that sensible to ask this room... are you informed enough
[13:33:44] <anewton> room: do it
[13:34:03] <anewton> el: outlawing makes sense, but the implications on resolvers, caching... there is work load for this
[13:34:17] <anewton> el: that is why this was not immediately done
[13:34:38] <anewton> el: if you ban something, there are implications on dnssec, loading zone, etc...
[13:35:05] <anewton> el: the ns records are not authoritative for the zone it is being synthesized in... so what do you do when you see it
[13:35:24] <anewton> michael richardson: outlaw it or not, what happens when I see it anyway
[13:35:30] <anewton> sam: thanks ed and michael
[13:35:46] <anewton> ok: given we take up additional room, should we outlaw * NS
[13:35:58] <anewton> room: agrees
[13:36:21] <anewton> ok: show hands
[13:36:31] <anewton> ra: ask it as yes or no
[13:36:37] <anewton> og: yes?
[13:36:40] <anewton> room: many hands
[13:36:45] <anewton> ok: no?
[13:36:51] <anewton> room: few hands
[13:37:08] <anewton> og: sense of the room is that it should be outlawed
[13:37:23] <anewton> sam: info from the opposers
[13:37:28] <anewton> og: take it to the list
[13:37:35] <anewton> og: should wildcard SOA be outlawed
[13:37:43] <anewton> el: already taken care of
[13:37:49] <anewton> og: yes
[13:37:55] <anewton> ok: onto 2535bis doc
[13:38:06] <anewton> ok: congrats to the editors
[13:38:29] <anewton> ok: introduces roy on 2535bis work... wait for after presentation for clarifying questions
[13:38:49] <anewton> roy: 5 dnssec editors
[13:38:55] <anewton> roy: overview since vienna
[13:39:23] <anewton> ok: there has been omission that the editor list is not public... will be corrected, url to be sent to wg list
[13:39:39] <anewton> roy: docs: intro, records, protocol
[13:39:46] <anewton> roy: send questions to editors
[13:39:57] <anewton> roy: 4 resolved questions,
[13:40:07] <anewton> roy: should resolvers cache known bad data
[13:40:24] --- ggm has left: Disconnected
[13:40:30] <anewton> roy: new kind of type because of the extra crypto
[13:40:39] <anewton> roy: 2535 had a null key, DS updated it
[13:40:57] <anewton> roy: at the last version we did not state if it was allowed at delegation point.. text now there
[13:41:29] <anewton> roy: when a resolver wants to shoot itself in the foot, it is free to do so
[13:41:41] <anewton> roy: key rr typecode be retained for tkey
[13:41:58] <anewton> roy: rollovered to the new ??
[13:42:01] --- ggm has joined
[13:42:14] <anewton> roy: retained key and sig rr
[13:42:22] <anewton> roy: 05 reflects they are retained
[13:42:34] <anewton> roy: 5 questions
[13:42:48] <anewton> roy: q15 stub resolver set the CD bit?
[13:43:12] <anewton> ra: that is backwards... isn't that security oblivious resolvers, not security aware resolvers
[13:43:20] <anewton> ra: we weren't asking permission on this it
[13:43:24] <anewton> roy: i'll check
[13:43:35] <anewton> roy: q18, ttl values for rrsig
[13:43:50] <anewton> roy: the reason for it is that the rrset consists of type, name, class
[13:44:08] <anewton> roy: all rr for single name should have the same ttl values (rrset)
[13:44:23] <anewton> roy: ttl for rr should be the same of the rrset
[13:44:35] <anewton> roy: q19 duplicate rrs in rrset
[13:44:43] <anewton> roy: still open and being discussed
[13:44:56] <anewton> roy: q20 expanding * in auth section
[13:45:12] <anewton> roy: do we expand it or leave it.
[13:45:20] <anewton> roy: if the question is interpreted wrong, speak up
[13:45:29] <anewton> roy: q21 caching and reuse of nsec rr
[13:45:44] <anewton> roy: what happens when you query for the nsec rr itself
[13:46:04] <anewton> roy: hallway nits... small fixes
[13:46:20] <anewton> roy: implicit requirements (resolver/signer)
[13:46:26] <anewton> roy: more explaining
[13:46:47] <anewton> ra: q15: roy quoted it correctly.. it is wording issue. should be closed
[13:47:13] <anewton> ok: clarification, when talking to people reqs. for signer related to diff classes of attacks are imposed on the read from thin air
[13:47:33] <anewton> ok: if people know the explicit behaviour, they can figure it out, but the doc does not say it
[13:47:45] <anewton> ok: need editing work here
[13:48:05] <anewton> ok: should be clearer
[13:48:19] <anewton> el: q20 about wildcards should go into wildcard clarify
[13:48:36] <anewton> og: will be covered in detail later
[13:48:39] <anewton> roy: that's it
[13:49:00] <anewton> roy: please read the docs, editors feel almost done
[13:49:09] <anewton> ok: how many people have read latest version
[13:49:13] <anewton> room: some hands
[13:49:17] <anewton> ok: the usual suspects
[13:49:47] <anewton> ok: reading last minutes. there are now two tall vikings running dnsext (chairs put viking hats on)
[13:49:54] <anewton> og: open issues
[13:50:06] <anewton> og: we have been working on dnssec for a very long time
[13:50:18] <anewton> og: press quotes leaders as saying it is done
[13:50:27] <anewton> og: consensus on q15?
[13:50:33] <anewton> ok: we just considered this closed
[13:50:43] <anewton> og: q18 rrsig is not a normal type
[13:50:53] --- ggm has left: Disconnected
[13:51:03] <anewton> og: 2181 says rrset must have the same ttl
[13:51:18] <anewton> og: apparent violation of 2181
[13:51:33] <anewton> og: we think the bis doc should note the violation
[13:51:45] --- mellon has joined
[13:51:46] <anewton> sam: the expiration rule for caching is at the shortest ttl
[13:51:50] <anewton> og: diff q
[13:52:00] <anewton> og: yes
[13:52:05] <anewton> og: same as with any query
[13:52:12] <anewton> mp: feel it is more complex
[13:52:29] <anewton> mp: 2181 goal is that rrsig is part of the rrset the refer to
[13:52:38] <anewton> mp: make that explicit.
[13:52:54] <anewton> mp: would not be the case if you expires, the others do... need to think it out carefully
[13:53:13] <anewton> el: break the assumptions, not the protocol
[13:53:25] <anewton> el: tie the sigs to the set they protect
[13:53:48] <anewton> lars: you need to consider the two types of records, data rr and infra rr
[13:54:01] <anewton> lars: the sig in infrastructure record
[13:54:15] <anewton> lars: you can stretch that to the cname record
[13:54:33] <anewton> lars: there is nothing that reqs cname to have same ttl as target
[13:54:51] <anewton> lars: implications on shifting around large amount of data
[13:55:04] <anewton> ma: outlaw queries for sigs?
[13:55:37] <anewton> ma: long explanation of storing sigs and another solution
[13:55:51] --- narten has joined
[13:55:54] <anewton> ma: caches do special stuff anyway for sig queries
[13:56:05] <anewton> ma: 3rd solution, sig type ????
[13:56:09] <anewton> ok: take it to the list
[13:56:18] <anewton> ma: this is one more solution space
[13:56:25] <anewton> ma: use another bit in the type field
[13:56:38] <anewton> ma: helps deal with the subtyping problems
[13:56:49] <anewton> ok: not a meeting time thing
[13:56:59] <anewton> jl: agree with ma
[13:57:24] <anewton> jl: need appropriate text on what to do when they are queried directly
[13:57:29] --- ggm has joined
[13:57:46] <anewton> ra: I agree with Marc. But we have already rolled the type codes once, we shouldn't do that for a sig bit
[13:57:59] <anewton> ra: we have already driven it off once
[13:58:09] <anewton> ra: we all know it has to be handled specialized
[13:58:29] <anewton> og: my sense of the room is that the slide is correct
[13:58:41] <anewton> og: the differences and apparent violations
[13:58:47] <anewton> og: q19
[13:58:54] <anewton> og: people have strong feelings on it
[13:59:18] <anewton> og: what should a signer do if it sees multiple identical records in a set
[13:59:46] <anewton> og: should signer suppress, should verifier suppress
[13:59:51] <anewton> og: what approach?
[13:59:55] --- Eliot Lear has joined
[14:00:10] <anewton> lars: how do you diff identical record in a set across queries
[14:00:33] <anewton> ra: rrsig must be associated with the specific rrset it covered
[14:00:49] <anewton> ra: they have to be kept together
[14:01:03] <anewton> og: no merging or selection
[14:01:15] <anewton> sam: I read the discussion differently. thought there was consensus.
[14:01:40] <anewton> sam: for signing and validation, duplicates suppressed... different than seeing them on the wire
[14:01:50] <anewton> og: that is broken protocol. always fail
[14:02:12] <anewton> og: some people want liberal actions
[14:02:41] <anewton> roy: I agree with the other person on the list
[14:02:57] <anewton> roy: the signer should not suppress duplicate rrs
[14:03:09] --- leslie has joined
[14:03:11] <anewton> roy: or drop the whole packet on the floor and fail
[14:03:16] <anewton> roy: same for validator
[14:03:48] <anewton> roy: explaining mx example
[14:04:21] <anewton> roy: mentions this behaviour can do load balancing
[14:04:31] <anewton> og: shoots down example
[14:04:54] <anewton> roy: clarifies between validator and signer
[14:05:33] <anewton> ma: detecting duplicates seems to be a waste time by hand when the software can just do it
[14:06:06] <anewton> ma: as for receiving answers other than axfr, there is a risk for a covert channel if duplicates
[14:06:21] <anewton> ma: if that is a protocol error or silently remove, it is up to the admin of resolver
[14:06:53] --- Eliot Lear has left
[14:07:00] <anewton> el: is anyone using dups in unsecured dns today?
[14:07:14] <anewton> el: dnssec should not change base dns
[14:07:51] <anewton> ma: 3rd point from editors. if dropping dups, we need to fix the specs where putting in multiple proofs to go from SHOULD to MUST
[14:08:03] <anewton> donald eastlake: example canonicalization
[14:08:21] <anewton> de: there are cases where things get duped by accident.
[14:08:31] <anewton> og: should it be must or should
[14:08:34] <anewton> de: must
[14:08:48] <anewton> roy: what happens when you suppress dups on sign and delegate.
[14:09:10] <anewton> ok: rdata in the rr is ??
[14:09:17] <anewton> ok: would like to close this discussion
[14:09:29] <anewton> ra: there are two diff things with suppressing dups
[14:09:40] <anewton> ra: there is modifying the zone with the wire
[14:09:48] <anewton> ra: what sig should the signer and validator use
[14:10:02] <anewton> ok: the canonical form
[14:10:04] <anewton> ra: yes
[14:10:08] <anewton> ok: yes
[14:10:22] <anewton> og: we will send out suggested text to list
[14:10:27] <anewton> og: q20
[14:10:53] <anewton> og: clarification question. editors noted in review that there is an answer in one of the examples
[14:11:06] --- ggm has left
[14:11:20] <anewton> og: people are generally leaning toward ??
[14:11:30] <anewton> ra: this is the authority section, not the answer section
[14:11:54] <anewton> og: yes, just think the doc should say this is allowed
[14:12:16] <anewton> el: if you are proving the * doesn't exist, how does expansion become an issue
[14:12:23] <anewton> ra: there is no exact match for the qname
[14:12:37] <anewton> ra: there is a covering wildcard, but not of a rr of the correct type
[14:12:51] <anewton> ok: next q
[14:12:54] <anewton> og: q21
[14:13:17] <anewton> og: caching and reuse of nsec
[14:13:37] <anewton> og: one option to relax rules, the other to allow caches to do negative answer on nsec rr
[14:13:51] <anewton> og: we do not know if all the nsec answers in the cache
[14:14:01] <anewton> og: editor was consent on relaxation on the rules
[14:14:22] --- dblacka has left: Lost connection
[14:14:24] <anewton> og: suggested relaxation: may reuse if qname and class same but qtype is diff
[14:14:45] <anewton> og: or may reuse if oname is equal to qname
[14:15:02] <anewton> ok: giving example
[14:15:19] <anewton> og: comments?
[14:15:44] <anewton> david blacka: we really don't understand the danger of reusing nsec
[14:15:55] <anewton> db: the why ought to be in the doc
[14:16:13] <anewton> ra: asked before in another question
[14:16:36] <anewton> ra: we thought the answer last time was that it was scary enough that recursive ns play stupid and not optimize
[14:17:00] <anewton> ma: contradicts 2308?
[14:17:29] <anewton> ma: 2308 doesn't allow the reuse of response. but dnssec does it safely
[14:17:47] <anewton> og: dnssec doc should not talk about relaxation
[14:17:58] <anewton> ma: no, do it here but correct on next round of 2308
[14:18:26] <anewton> ma: would like "should not" instead of "must not"
[14:18:53] <anewton> lars: this pinpoints the neg caching ttl and nsec records
[14:19:09] <anewton> lars: relaxation not a good idea
[14:19:16] <anewton> og: recursive server should be dumb
[14:19:19] <anewton> lars: yes
[14:19:31] <anewton> ma: nsec records should be tied to neg. ttl
[14:19:52] --- narten has left: Disconnected
[14:20:01] <anewton> ma: get lots of info
[14:20:13] <anewton> ma: example of smtp chasing cnames
[14:20:35] <anewton> el: agrees with Marc sometime back... concerned with neg cach.
[14:20:53] <anewton> el: acceptable because of "may" not "must" or "should"
[14:21:07] <anewton> ok: current questions closed
[14:22:34] <anewton> mp: robustness
[14:23:17] <anewton> ma: go with robust principle as well
[14:23:46] <leslie> ok: sense of the room?
[14:24:05] <leslie> og: should hard failure be mandated? raise hand
[14:24:21] <leslie> ok: before that...
[14:24:28] <leslie> el: what do you mean
[14:24:37] <leslie> og: hard failure: must not be compressed
[14:24:55] <leslie> ed lewis: mp says that should be form error?
[14:25:06] <leslie> rob austein: what ends up happening if the data is compressed is the sig doesn't verify
[14:25:25] <leslie> ma: also we should note that this is something we should be logging against the transmitter (assuming you have a log device)
[14:25:40] <leslie> og: people who would argue for hard failure, pls raise hand
[14:25:44] --- ggm has joined
[14:25:57] <leslie> og: that the variant of the robustness princ should be applied...
[14:26:04] <leslie> og: majority of the room did not answer the question...
[14:26:11] <leslie> el: still confused -- robustness principle?
[14:26:16] <leslie> og: text as it exists
[14:26:36] <leslie> ra: asks for binary question, not different calls for belief
[14:26:41] --- gih has joined
[14:27:19] <leslie> mr: let's say we have a new record type, and server has compressed it (server is in violation)
[14:28:02] <leslie> mr: result -- my server is broken, but I tell you to buzz off and I don't detect my server is broken
[14:28:13] <leslie> mp: you are stating you agree with hard failure
[14:28:29] --- ggm has left: Disconnected
[14:28:37] <leslie> mp: should we change second line of text to hard failure
[14:28:46] <leslie> mp: and if yes, is it MAY or SHOULD
[14:28:51] --- ggm has joined
[14:28:58] <leslie> og: rerun poll or go to list
[14:29:07] <anewton> og: asks for hands?
[14:29:13] <anewton> room: some hands
[14:29:24] <anewton> og: disagree with text?
[14:29:27] <anewton> room: some hands
[14:29:32] <anewton> mp: objects to the poll
[14:29:42] <anewton> mp: should be changed to a "may"
[14:29:59] <anewton> ma: suspect pricetag question
[14:30:09] <anewton> og: take this to the list
[14:30:29] <anewton> ok: will probably have a small modification to the text
[14:30:58] <anewton> og: nsec rr does not contain the hooks for types of over 127
[14:31:07] <anewton> og: fix it? list says yes
[14:31:17] <anewton> og: consent is one encoding
[14:31:28] <anewton> og: not backwards compatibility
[14:31:36] <anewton> og: AD says need ID
[14:31:44] <anewton> og: needs to be done quickly
[14:31:54] <anewton> ok: volunteer identified
[14:32:11] <anewton> og: appointed Jakob Schlyter
[14:32:27] <anewton> og: regrets the arm twisting
[14:32:40] <anewton> og: changing format on the wire only
[14:32:50] <anewton> ok: will present all the formats one by one
[14:33:05] --- leslie has left: Replaced by new connection
[14:33:11] --- ggm has left
[14:33:18] <anewton> ok: then will ask for prohibitive objections on each format, and will ask for hands on each
[14:33:23] <anewton> ok: beauty contest
[14:33:31] --- leslie has joined
[14:33:50] <anewton> ok: if beauty contest is indecisive, we will choose
[14:34:11] <anewton> ok: prohibitive objection is if you really cannot consent to the format
[14:34:20] <anewton> sam: asks for 5th of do not fix
[14:34:23] <anewton> ok: no
[14:34:53] <anewton> og: proposal 0, allow bitmap to grow
[14:35:13] <anewton> og: gives disadvantages and advantages
[14:35:31] --- ggmichaelson has joined
[14:35:34] <anewton> og: proposal 1: list types present in sort order
[14:36:05] <anewton> og: davidb proposed #2 optimizes for first 256 type codes
[14:36:15] --- ggmichaelson has left
[14:36:31] <anewton> og: max size of record is 64k
[14:36:42] <anewton> og: proposal #3, skip list of blicks
[14:36:50] <anewton> s/blicks/blocks
[14:37:26] <anewton> og: explains optimizations in proposal
[14:37:34] --- ggm has joined
[14:37:35] <anewton> og: max size is 33k
[14:37:58] <anewton> og: proposal #4, variant of #3, bitmap instead of sequence
[14:38:11] <anewton> og: max size is 8.5k but grows differently
[14:38:27] <anewton> og: make comments
[14:38:33] <anewton> ok: first clarifying question
[14:38:53] <anewton> ra: in cases of listed integer cases, they are sorted?
[14:38:54] <anewton> og: yes
[14:39:08] <anewton> ok: which of these will not be able to store all types if grow to 64k
[14:39:20] <anewton> og: #1 and #2 can only store above 32k
[14:39:54] <anewton> el: they can only represent 32k at one time
[14:40:00] <anewton> ok: doesn't see it happening
[14:40:16] <anewton> de: these high number types are the ones MS started using without auth
[14:40:27] <anewton> de: had IANA declare them private use
[14:40:34] --- mellon has left: Disconnected
[14:40:46] <anewton> og: #3 and #4 take that into account
[14:41:06] <anewton> unknown: effect on size if not #2
[14:41:11] <anewton> og: grows to 64k
[14:41:33] <anewton> el: optimized for size, what about optimized for speed
[14:41:36] <anewton> og: #0
[14:41:57] --- leslie has left
[14:42:05] <anewton> og: all others make optimization and cost of speed of search
[14:42:27] <anewton> og: if people start using type codes all over the place, #3 and #4 become slow
[14:42:35] <anewton> ok: prohibitive objections
[14:42:40] <anewton> ma: #1 and #2
[14:42:58] --- brabson has left
[14:43:08] <anewton> ok: doing beauty contest for #1 and #2
[14:43:17] <anewton> ra: raises process issue
[14:43:31] <anewton> ra: one person has a problem with more than 32k
[14:43:39] <anewton> ok: contest on all 5 then
[14:43:56] <anewton> el: #1 and #2 can represent all of them at once
[14:44:16] <anewton> ma: people will eventually want to get to all the types
[14:44:33] <anewton> ma: we may never exhaust it, but when we get down to the end we will break dnssec
[14:44:41] <anewton> og: do you really need to optimize?
[14:44:59] <anewton> og: don't see anybody having more than 100 or 200 types
[14:45:06] <anewton> sam: concur
[14:45:36] <anewton> ma: space optimization is important
[14:46:15] <anewton> ra: agree with previous comment, can't see have more than few hundred in a particular name
[14:46:31] <anewton> ra: #0 may not be so good because of Donald's comment
[14:46:56] --- ggm1 has joined
[14:47:00] <anewton> og: that use has been obsoleted. MS no longer does that
[14:47:09] <anewton> ok: raise your hands on proposals
[14:47:20] <anewton> ok: clear outcome will win and be sent to the list
[14:47:27] <anewton> ok: no such clear, we will pick it
[14:47:34] <anewton> ra: vote once
[14:47:46] <anewton> ok: give preference to all the ones you like
[14:47:53] <anewton> ok: vote early, vote often
[14:48:07] <anewton> ok: #0?
[14:48:11] <anewton> room: 2 hands
[14:48:15] <anewton> ok: #1?
[14:48:18] <anewton> room: some hands
[14:48:21] <anewton> ok: #2?
[14:48:24] <anewton> room: some hands
[14:48:32] <anewton> ok: #3?
[14:48:37] <anewton> room: few hands
[14:48:41] <anewton> ok: #4?
[14:48:45] <anewton> room: some hands
[14:48:58] <anewton> og: #1, #2, and #4 have the same number
[14:49:02] <anewton> ok: runoff?
[14:49:08] <anewton> ra: just one vote
[14:49:13] <anewton> ok: ok
[14:49:17] <warlord> but we don't vote in the ietf...
[14:49:29] <anewton> og: #4?
[14:49:39] <anewton> room: 12 hands
[14:49:44] <anewton> ok: #2?
[14:49:54] <anewton> room: 8 hands
[14:49:57] <anewton> ok: #1?
[14:50:03] <anewton> room: 2 hands
[14:50:10] <anewton> ok: proposal 4 goes to the list
[14:50:30] <anewton> ok: doing this on the list would have been harder
[14:50:37] <anewton> ok: doc status
[14:50:54] <anewton> ok: docs will reflect the closed questions. docs need security considerations work
[14:51:02] <anewton> ok: most of the closed questions are incorporated
[14:51:15] <anewton> ok: ones after the last ietf will be incorporated
[14:51:33] --- ggm has left: Disconnected
[14:51:34] <anewton> ok: please review. but take into account security considerations are subject to change
[14:51:47] <anewton> ok: new versions will have a change list
[14:52:01] <anewton> ok: nsec id will probably be delayed a bit
[14:52:11] <anewton> ok: want last call on -00 if possible
[14:52:22] <anewton> lars: laughs
[14:52:38] <anewton> ok: we want wg last call by end of year
[14:53:01] <anewton> ok: as you have noticed, we have discussed nitty-gritty details. means people are reviewing. need more people
[14:53:14] <anewton> ok: urges others to read them
[14:53:18] --- ggm1 has left: Disconnected
[14:53:30] --- warlord has left
[14:53:32] <anewton> ok: dnssec will influence us all
[14:53:46] --- wgriffin has left: Disconnected
[14:53:54] <anewton> ok: reporting on interop good thing as well
[14:54:02] <anewton> ok: want doc set sent up before next ietf
[14:54:38] <anewton> ok: bind9 and nsd will support anything that comes out of this wg
[14:54:50] <anewton> ok: we know of a french implementation as well
[14:54:52] <anewton> ok: meeting over
[14:55:07] <anewton> meeting closed
[14:55:13] --- rajid has left: Disconnected
[14:55:23] --- yone has left
[14:55:28] <ogudm> Meeting is now officially over thanks Andy for note
[14:56:13] --- anewton has left
[15:08:27] --- ogudm has left: Disconnected
[15:11:28] --- ggmichaelson has joined
[15:12:30] --- ggmichaelson has left
[15:14:04] --- ggm has joined
[15:14:49] --- ggm has left: Disconnected
[15:15:07] --- ggm has joined
[15:15:41] --- gih has left: Disconnected
[15:16:04] --- ggm1 has joined
[15:18:36] --- ggm1 has left: Logged out
[15:18:36] --- ggm1 has joined
[15:18:36] --- ggm1 has left: Logged out
[15:24:14] --- orange has left: Disconnected
[15:38:30] --- orange has joined
[15:39:22] --- gih has joined
[15:39:42] --- ggm has left
[15:43:50] --- gih has left
[16:04:27] --- orange has left
[17:43:49] --- ggm has joined
[17:44:07] --- ggm has left: Disconnected
[17:49:36] --- ggm has joined
[18:14:44] --- ggm has left: Disconnected
[19:23:14] --- ggm has joined
[19:23:37] --- ggm has left