[10:14:49] --- bluemesa has joined
[10:16:13] --- ogud has joined
[10:28:31] --- ocin has joined
[10:29:27] --- jakob has joined
[10:29:29] --- liman has joined
[10:31:26] --- rpayne422 has joined
[10:32:23] --- raj has joined
[10:32:47] --- peterd has joined
[10:33:02] --- warlord has joined
[10:37:59] --- kivinen has joined
[10:38:19] --- ocin has left: Logged out
[10:41:25] --- ocin has joined
[10:44:25] --- liman has left: Disconnected
[10:44:40] --- orange has joined
[10:45:47] <ogud> good morning everyone who wants to be our jabber scribe ?
[10:45:49] --- yushun has joined
[10:49:02] --- olaf has joined
[10:49:40] --- dblacka has joined
[10:49:54] --- pawal has joined
[10:49:57] --- ggm has joined
[10:50:09] <ggm> Yo! wake up and pay attention!
[10:50:17] <ggm> Olaf does chair stuff
[10:50:32] --- pablo.allietti has joined
[10:50:47] <ogud> ggm is the scribe
[10:50:58] --- liman has joined
[10:50:59] --- kjd has joined
[10:51:08] --- marcos.sanz has joined
[10:51:10] --- vlevigneron has joined
[10:51:12] --- pablo.allietti has left
[10:51:23] <ggm> somebody in the room has sounds enabled on their IM client
[10:51:28] --- wes has joined
[10:51:33] --- herve.prigent has joined
[10:51:46] --- herve.prigent has left
[10:51:49] --- pablo.a has joined
[10:51:54] --- hp has joined
[10:52:27] --- r@dk has joined
[10:52:42] <ggm> Agenda: RFC3597 interop; Eastlake on tsig-sha and ecc-key; Rob A on dnsext-nsid (relates to serverid); more WG administrivia; open mike
[10:53:19] <ggm> Jakob Schlyter RFC3597 Interop Report
[10:53:21] --- RoyArends has joined
[10:53:40] <ggm> set up two test zones, one class IN, one class 666
[10:53:48] --- sakai has joined
[10:53:51] --- marka-isc has joined
[10:53:53] <ggm> content almost the same except for the typecode of interest
[10:54:08] <ggm> screen of example RRs. all kinds of strange but legal encodings
[10:54:16] --- RoyArends has left
[10:54:25] <ggm> large typecodes with zero length data, interesting corner cases
[10:54:48] <ggm> not as much vendor response for testbeds as hoped.
[10:54:51] --- rgaglian has joined
[10:55:04] <ggm> 4 auth only NS, two DNSSEC zonesigners, two recursive NS, and 4 stub clients
[10:55:26] <ggm> page of versions. it names the codebases so you may want to read the docs to see which were done.
[10:55:29] --- RoyArends has joined
[10:55:29] --- RoyArends has left
[10:55:43] <ggm> did find some problems. in presentation format mostly.
[10:56:13] <ggm> two had problems with zero-length RDATA. one with RR typecodes/classes >= 4096. bug reports were filed for problems, and more or less fixed during interop.
[10:56:24] <ggm> (only one not fixed yet, will be soon)
[10:56:30] <ggm> no other major problems
[10:56:51] <ggm> conclusion: I think it works. in all the tested servers, see no problem with advancing to draft standard
[10:57:08] <ggm> Olaf. Q. bug found, did you ask, were they bugs, or because of spec vagueness?
[10:57:32] --- sakai has left: Disconnected
[10:57:32] --- ripple has joined
[10:57:33] <ggm> Jakob. just bugs. impl bugs. not because of spec. transparency of carrying types ok (? I think he said)
[10:57:38] --- suz-isc has joined
[10:57:48] <ggm> Olafur. 2 impl had same problems, went back to spec, was corner case, doc was clear.
[10:58:31] <ggm> Peter Koch. we have at least one record type with internal RR versioning. did you test that specifically, checking that the impl understands the one version which is specified so far, but potentially finds others?
[10:58:35] <ggm> Jakob no.
[10:59:00] --- amarine has joined
[10:59:01] <ggm> Peter so maybe we should consider covering that with an Addendum. Such RRtype should be treated as real unknown RR
[10:59:34] <ggm> Olafur. probably not such a bad idea to say always printed as unknown
[11:00:10] <ggm> Ed deciding if spec is clear or not should be done by the implementers. good to have them make statements, something should have been clear, or was not clear. so let's make sure it's clear to impl not just specwriters
[11:00:18] <ggm> Olafur can't divulge who the impl are
[11:00:23] <ggm> Ed I don't want you to,
[11:00:38] <ggm> Olafur but I know in two cases they admitted their fault, in third haven't heard back officially
[11:01:07] <ggm> Olaf: Jakob will write this down, send to namedroppers, keep it there for week or 2, then send to IESG to change status from draft to proposed
[11:01:12] <ggm> I think AD ok with that
[11:01:32] <ggm> This is the second of interop testings, AAAA was done.
[11:02:08] <ggm> Olafur some people last year did testing on TSIG, but haven't got report. I'll chase them. So this is the third. V imp. work. need people to pay more attention to this, volunteer. Jakob how much work?
[11:02:24] <ggm> Jakob mostly the work was trying to get impl to participate, then do the work myself. not that much
[11:02:28] --- johani has joined
[11:02:30] <ggm> maybe 3-4 days total
[11:03:02] <ggm> Olafur thanks to Jakob
[11:03:13] <ggm> Roy Arends said something I missed. sorry
[11:03:33] --- kjd has left: Disconnected
[11:03:46] <ggm> Olaf depends how many of the servers have implemented the RR. not what this report was about and not what this WG is discussing
[11:04:02] <ggm> Donald Eastlake there are private use RRtypes. most of the universe will treat as unknown
[11:04:18] <ggm> Olaf this is not a report on how these things travel through the Infrastructure.
[11:04:28] <ggm> Donald Eastlake Draft on TSIG-SHA
[11:05:15] <ggm> about increasing TSIG algs. docs currently has one alg identifier defined. HMAC-MD5.SIG-ALG.REG.INT.
[11:05:48] <ggm> have been some weaknesses found. all found, do not apply to HMAC-MD5, its not deprecated. MD5 is under suspicion, but not HMAC-MD5. so why augment.
[11:05:58] <ggm> well people out there want to use GOV approved.
[11:06:10] <ggm> Also want to use SHA1 and truncate to 96? bits
[11:06:17] <ggm> SHA1 believed to be stronger than MD5.
[11:06:25] <ggm> so this draft proposes additional Algs.
[11:06:41] <ggm> thing to keep in mind: TSIG is by private agreement. no negotiation mech defined, its Out of Band
[11:06:41] --- kjd has joined
[11:06:58] <ggm> and a bunch of "strings" to define ALL the SHA algs
[11:07:11] <ggm> recommends SHA1 and the 96bit truncated version be implemented.
[11:07:40] <ggm> draft has a flaw, proposes additional label in name string, bad idea. the TSIG RR has a MAC length field, can be used to truncate.
[11:08:01] <ggm> Q: what do current impl do if MAC length is not right? yield error? need to test.
[11:08:08] --- wes has left
[11:08:12] --- wes has joined
[11:08:44] <ggm> Q about format for FQDN syntax for alg names. was previously thought would be under REG.INT. but these things are not really domain names any more. but should not be under .INT
[11:08:49] <ggm> foo...ARPA or ...
[11:09:01] --- bernt99 has joined
[11:09:07] <ggm> should all the SHAs be included, how about RIPEMD160 or others?
[11:09:12] <ggm> proposed course of action:
[11:09:33] <ggm> strip out braindamage from doc. make a WG draft, not personal draft, then follow WG process to yield PS RFC. Questions?
[11:09:49] <ggm> Ben Laurie
[11:10:02] <ggm> If you don't mandate SHA alg then not interop with FIPS-140.
[11:10:15] <ggm> Don don't see why that should be true. people who want to meet GOV requirement will implement it
[11:10:42] <ggm> Don't think we have to make everyone do SHA1. just the subset of people who care about FIPS certification
[11:10:56] <ggm> Ben point is, not necessarily FIPS client able to use TSIG to server
[11:11:15] <ggm> Don right to say FIPS1 can't use server which doesn't impl. but then can't use Server which doesn't impl TSIG at all.
[11:11:25] <ggm> Want to see guidance what to do.
[11:11:59] <ggm> Olaf. joke aside, yes, this has everything to do with work we do here (joke is about 'usual process' leading to PS :-) so something we should take up unless strong object
[11:12:20] <ggm> Bill M as current admin for REG.INT, more than happy to put them in, unless want to get new TLD.
[11:12:30] <ggm> Don these are not really TLD, just a string
[11:12:34] <ggm> Olaf just an ALG ID,
[11:13:17] <ggm> Olafur I had something to do with original TSIG spec. coauthor put dns name in there, if you don't understand alg can look it up and get description. Bad idea
[11:13:26] <ggm> Sam Why does anybody want to use FQDN?
[11:13:35] <ggm> Don only for historic. its how TSIG is defined. minimize changes
[11:13:59] <ggm> [guys I need a restroom break can somebody spell me for 5? I will be back -ggm]
[11:14:09] <ggm> Roba I think we need to put this on the table and work out the issues.
[11:14:22] <ggm> Don not higher level labels.
[11:14:36] <ggm> Olaf any objections in room? will ask list. Will turn into WG item if no objections
[11:14:44] <ggm> Olafur: next speaker Donald Eastlake [laughter]
[11:14:56] <ggm> [unavoidable loss of service for washroom visit -ggm]
[11:15:33] <rpayne422> current draft: ECC keys
[11:15:38] <rpayne422> public key system
[11:15:47] <rpayne422> keys, signatures, etc. much more compact than RSA
[11:15:55] <rpayne422> basic concepts are unencumbered
[11:15:58] --- AndrewD has joined
[11:16:19] --- wes has left
[11:16:36] <ripple> [slide changed, but the last part of the last slide said:] many IPR claims related to ECC implementations
[11:16:47] <rpayne422> history of the draft listed, initial draft Oct '99. Has been kept alive through Aug. 2003, but has timed out.
[11:17:26] <rpayne422> URL missed from bottom of history slide. old drafts are available
[11:17:43] <rpayne422> update draft for boilerplate and security changes?
[11:17:57] <rpayne422> forward: revive as WG draft
[11:18:03] <rpayne422> olaf: still on the list of active documents
[11:18:18] <rpayne422> olafur: is this a proposal for key record and dnskey record?
[11:18:22] <bluemesa> URL: http://www.watersprings.org/pub/id/
[11:18:34] <rpayne422> donald: without a sig, just key record
[11:19:01] <rpayne422> sam: would only be created for old key record
[11:19:26] <rpayne422> olaf: yes, that is correct (and what Donald just stated.)
[11:19:57] <rpayne422> next agenda item: draft-austein-dnsext-nsid-01.txt
[11:20:18] <rpayne422> back to our local herald: ggm
[11:20:43] --- RoyArends has joined
[11:20:58] <ggm> RobA getting bad response to service from Anycast cloud. how to find where it came from
[11:21:27] <ggm> have hack in bind, separate Q in bind 'who are you' -discussion coming out of DNSOPS, don't worry about it being a crock, have to ask does it work?
[11:21:45] <ggm> problem is, its a separate Query: doesn't really answer the question; -what if the routes flap?
[11:22:20] <ggm> the draft for nsid is a proposal for a mechanism using EDNS0 to insert the 'who are you' in the original packet, will get some kind of identity to say which svr in the constellation did it. strawman proposal
[11:22:55] <ggm> basic idea is a signalling flag, 'please tell me who you are' response is NSID response in extensible portion, 'this is who I am' designed to be hop-by-hop, NOT transitive, been some discussions
[11:23:18] <ggm> but at this stage, it asks the directly asked server 'who are you' and thats the reply. in chain have to bug each one.
[11:23:24] --- mstjohns has joined
[11:23:25] <ggm> main open point.
[11:23:38] <ggm> what ID to return?
[11:23:48] <ggm> most straightforward, use name. may not be unique.
[11:24:08] <ggm> use IP. but, may be 'confidential' -anycast is trying to limit risks of exposing direct address.
[11:24:25] <ggm> thinking about whacky hash, makes obscure, but doesn't protect much since its a 32 bit search space.
[11:24:36] <ggm> some hope for 'probabilistically unique IDs'
[11:24:52] <ggm> doesnt conflict with anybody else. but, contains no other information. either feature or bug.
[11:25:07] <ggm> probably want to talk to ISP, its probably meaningful to them.
[11:25:22] --- edmundo.cazarez has joined
[11:25:30] <ggm> last option, arbitrary string of octets. have bad feelings, will be autoconfig, becomes 'my server' and doesn't help very much.
[11:25:50] <ggm> proposal in draft 01 is probabilistic unique value but can set to value, your choice. not set to IP by default.
[11:26:21] <ggm> thats where draft is, still in reqts phase in DNSOP, not yet really ready for doc stage. feedback on mechanism, suggestion that requestor send ID, not just bit.
[11:26:48] <ggm> reason useful, to figure out what version of s/w is querying. interesting idea. for me, handle as separate option. not tied to this proposal.
[11:26:57] <ggm> got request to make it extensible. sub-structure.
[11:27:18] <ggm> lot of space in option codes, if we need more stuff, make it separate ops. not convinced by either but up to WG
[11:27:32] <ggm> don't know state of things in DNSOP, if ready to be WG doc yet or not.
[11:27:35] --- kjd has left: Replaced by new connection
[11:27:42] <ggm> Olaf want to get reqts from DNSOP, if comes together we can make it WG item.
[11:27:56] <ggm> Donald. thought about using MAC address or part of it?
[11:28:00] <ggm> Rob no.
[11:28:12] <ggm> <dude, like I dont KNOW YOU dude>
[11:28:28] <ggm> want to know version number, dont need to put in same topic, 'server 55'
[11:28:40] --- kjd has joined
[11:28:41] <ggm> from my ISP.net, then I can query from 55, whoever he is
[11:29:04] <ggm> <unknown dude> not necessarily, random-number.ISP.NET
[11:29:13] <jakob> (tero kivinen speaking)
[11:29:23] <ggm> [thx]
[11:29:32] <ggm> Ed
[11:29:40] <ggm> two things. extensibility
[11:29:46] <ggm> lets solve the problem we know
[11:29:51] <ggm> second thing. requirement I'd like to have
[11:30:14] <ggm> run many virtual servers, using bind. want to know which view, how these servers answer. want to be able to set based on server decisions.
[11:30:30] <ggm> I like random as possible means nothing to receiver, only the sender. want server to log so I can crossmatch
[11:30:32] <ggm> Rob no fun
[11:31:03] <ggm> ROb something like view thing
[11:31:07] <ggm> Bill Manning.
[11:31:32] <ggm> stuff that comes out of HIP, create an x509 cert or key, becomes identity of process. its obscure enough, doesnt tie back to domainname
[11:31:42] --- raj has left: Disconnected
[11:31:46] <ggm> Rob have a handle what this buys you that random doesnt?
[11:31:54] <ggm> Bill don't want it to necessarily be random
[11:32:00] <ggm> Rob use it for other things in HIP.
[11:32:13] <ggm> Olaf one of the things they do is use it as an ID to get packets to it, not what you want here
[11:32:21] <ggm> Bill, can think of things to do with it
[11:32:26] <ggm> Rob discuss
[11:32:49] <ggm> Rodney Joffe. In favour of anonymity. bigger problem is troubleshooting the path to the anon server if you cant identify it at the time
[11:32:54] <ggm> Rob want something which is transitive
[11:33:17] <ggm> ROdney need to identify if its in the path (the problem) or in the server. if its a transitive issue, have no mechanism to identify path at that time.
[11:33:29] <ggm> Rob network path has to be debugging.
[11:33:33] <ggm> ROdney yep
[11:33:47] <ggm> Rob hard. ask all the servers in the path, asking friends to help. no way to do it automatically.
[11:34:00] <ggm> Rodney, right, but there are times when the issue is in the path, not the server.
[11:34:15] <ggm> if can identify which server, which node, is an issue
[11:34:24] <ggm> Rob write up in DNSOP, its part of requirements
[11:34:37] <ggm> Rodney, right, but if solve with anonymous IDs, point at which it has to be not anonymous
[11:34:56] <ggm> Rob not anonymous, magic cookies meaningful to server operator. can make them anything they want, Potentially anonymous.
[11:35:10] <ggm> Rob Susanne? custodian of requirement doc..
[11:35:21] <ggm> Susanne Woolf
[11:35:51] <ggm> only thing to add here, as Rob said, not really ready to discuss here until converged on requirements. feedback to that before we get too heavily into solution
[11:36:10] <ggm> Olafur please use this document as food for thought generating requirements for her, rather than solutions
[11:36:28] <ggm> Olaf given that anycast is getting deployed rapidly, increasing. this is a problem which needs solving. time issue
[11:36:31] <ggm> Rob switching hats..
[11:36:48] <ggm> liaison to rootserver adv. cttee. want this done in a hurry
[11:36:54] <ggm> Olaf. at this point...
[11:37:01] <ggm> gets us back to ...
[11:37:10] <ggm> going through WG active docs
[11:37:16] <ggm> list on screen.
[11:37:26] <ggm> dnsext-wcard-clarify-03
[11:37:35] <ggm> version 4 missed cutoff.
[11:37:50] <ggm> tried to assess what to do with NSEC/NXT recs. how to deny existence, in a space with wildcards
[11:38:05] <ggm> turned out that most of the people working on it didn't have clear understanding of how wildcards work in detail
[11:38:20] <ggm> document proposes minor protocol change in wildcard handling.
[11:38:35] <ggm> shifted doc editor, from ed lewis, but missed cutoff. in Q
[11:38:50] <ggm> Ed is available too, to get back in the loop and edit too. Rob Elz ack for doing work
[11:39:40] <ggm> tkey-renewal-mode v 04
[11:39:50] <ggm> problems with this draft, Olafur..
[11:40:12] <ggm> Olafur. it got through last call with a deadlock condition, left open to random DOS attack. went over this with authors, fixed it in more recent version, expiring
[11:40:23] <ggm> they are going to re-submit with new boilerplate, will redo WG last call
[11:40:29] --- Doug has joined
[11:40:36] <ggm> Please, somebody else read this beside me!
[11:41:29] <ggm> WG final stage. dnsext-mdns-33.
[11:41:42] <ggm> ID nits not satisfied.
[11:42:02] <ggm> Rob use $ORIGIN. (problem is 72char limit on an example string)
[11:42:08] --- yushun has left: Disconnected
[11:42:40] <ggm> waiting for chair write-up. takes burden off IESG. go over I-D Nits, write summary. sheparding. all good
[11:42:54] <ggm> WG stalled.
[11:42:59] --- bluemesa has left
[11:43:11] --- jakob has left: Disconnected
[11:43:18] <ggm> docs waiting for 2535bis, now can unstall, make active. Olaf looks at Don Eastlake...
[11:43:33] <ggm> about publishing key material just like ECC key doc done here.
[11:43:46] <ggm> Don will rev with latest boilerplate
[11:44:10] --- raj has joined
[11:44:16] <ggm> Olaf let me stress, the new Boilerplate is very important. the robot which accepts, will bounce. XML2RFC does a great job of doing it.
[11:44:21] <ggm> Docs at IESG.
[11:44:31] <ggm> requested publication for DNSSECbis. out of WG [applause]
[11:45:24] <ggm> dns threats, nsec-rdata. in queue.
[11:45:28] <ggm> AD is watching
[11:45:55] <ggm> dnssec-opt-in. kept in AD watch pending DNSSECbis. doc needs revision of introduction to get it published as informational
[11:46:37] <ggm> since work going on in denial of existence, has opt-in functionality, I propose to keep this state for a while, if opt-in functionality goes into the solution for denial-of-existence then forget it, or pub as informational. reasonable?
[11:46:44] <ggm> Rob
[11:46:59] <ggm> more comfortable if the WG authors say its cool.
[11:47:04] <ggm> Olaf subset of authors in the room.
[11:47:12] <ggm> Olafur I talked to them offline, do not object.
[11:47:16] --- jakob has joined
[11:47:20] <ggm> Olaf
[11:47:30] <ggm> axfr-clarify. in AD watch
[11:47:53] <ggm> aware it's there. needs write-up, there were process questions. deferred to DNSSECbis. will get attention
[11:47:58] <ggm> Thomas Narten
[11:48:31] <ggm> the authors and the chairs and myself have had conf calls, reviews. issues raised, walked through, agreed resolution on most, not all. need to write up. bit more work here to do in WG not all on same page
[11:48:34] <ggm> Olaf so comes back to WG
[11:48:41] <ggm> opcode-discover.
[11:48:52] <ggm> was in WG, timed out. put back as indiv. submission, moved out of WG
[11:49:01] <ggm> dhcid-rr
[11:49:02] --- edmundo.cazarez has left: Logged out
[11:49:12] --- sra has joined
[11:49:19] <ggm> needed for dynamic host config, waiting for documents in the DHC wg to be finished. sitting. nothing we can do
[11:49:23] <ggm> RFCs since we last met
[11:49:42] <ggm> (list of RFCs)
[11:49:53] <ggm> NEW WORK ITEMS
[11:50:05] <ggm> does the group mind if we work on DNSSEC key mgt?
[11:50:23] <ggm> needs charter changes, DNSOP relations, security folk input.
[11:50:26] --- sakai has joined
[11:50:41] <ggm> this was discussed on Monday. want to confirm from the group, the ML, if this WG will work on this.
[11:50:58] --- sakai has left
[11:51:01] <ggm> Ed Lewis. this group is proto and bits-on-the-wire.
[11:51:16] <ggm> so if its stuff on the wire, I'd say yes. but operational issues, like size of key. ... no.
[11:51:46] <ggm> Olaf this is key rollover. how does client pick this up. one proposal, Mike St Johns work has proto changes, alternative MIGHT need proto changes. If not proto changes, then things on wire.
[11:52:04] <ggm> Mike. both proto changes, but not resolution proto. its about resolve behaviour, what it sees.
[11:52:18] <ggm> Johan. should stay here. don't yet know if on the wire or not. don't bounce back and forward.
[11:52:27] <ggm> John yes needs to be here. please adopt.
[11:52:36] <ggm> Olaf. ok. in favour. will seek charter mods for new goals
[11:52:44] <ggm> Olafur talk to security AD, could step on toes
[11:53:00] <ggm> have appointed an adult supervisor, experienced with key mgt, russ housely, one of the security ADs
[11:53:01] <ggm> Ed
[11:53:19] <ggm> other thing, we have other work to look at. what's going to come first? dynamic update to DS or this?
[11:53:21] <ggm> Olaf
[11:53:39] <ggm> bringing up work to Draft Standard requires volunteers for interop. none have come forward.
[11:53:45] <ggm> Ed need more encouragement. its in our charter
[11:53:47] <ggm> Olaf we try
[11:53:55] <ggm> Olafur which one will you do ed?
[11:54:02] --- johani has left: Disconnected
[11:54:03] <ggm> Other work
[11:54:22] <ggm> zone enumeration work. (charter rev for task description)
[11:54:30] <ggm> asked Ben to work on it, requirements as first draft.
[11:54:38] <ggm> see what Reqts bring, then decide approach
[11:55:08] <ggm> Olafur dont spend too many cycles just on proposals. material to encourage thinking.
[11:55:21] --- sra has left
[11:55:52] <ggm> Olafur once we have handle on requirements, then have to prioritize. then can look at solution space
[11:56:04] <ggm> Olaf, unless objections, take up as WG (will take to ML)
[11:56:07] <ggm> has some priority.
[11:56:11] <ggm> Olaf the plan.
[11:56:34] <ggm> slow, but steady progress, getting docs from proposed to draft standard. needs volunteers. do interop.
[11:57:03] <ggm> clean up leftovers, and track proto needs
[11:57:04] --- yone has joined
[11:57:33] <ggm> see need for key mgt. in DNSSECbis noted that 'last mile' is not done, may need to get involved.
[11:57:41] <ggm> this is the overall direction for the next year or so.
[11:57:47] <ggm> OPEN MIKE
[11:58:00] <ggm> silence is golden
[11:58:10] <ggm> Olaf. Roy Arends on fingerprinting if he likes
[11:59:52] <ggm> [Roy was on the phone]
[12:00:03] --- edmundo.cazarez has joined
[12:00:15] <ggm> Fingerprinting DNS implementations.
[12:00:56] <ggm> why do it? three things: troubleshooting. who probes me? who sends me these queries which don't comply? why 50/sec with ttl of 500? also surveys, for impl, and surveys for protocol compliance
[12:01:02] <ggm> HOW assumptions
[12:01:31] <ggm> protocol non-compliance is often unspecified. implementations don't have to implement entire space, eg can serve names without doing TSIG
[12:01:42] <ggm> implementations change over time.
[12:01:57] <ggm> put down some requirements. big one, nothing breaks!
[12:02:42] <ggm> it should be independent of data served.
[12:02:48] <ggm> and of the config.
[12:02:54] <ggm> in the least possible queries.
[12:03:14] <ggm> with least log entries for victim
[12:03:48] <ggm> first thing we set up, small lab, one machine, probe it. broke it, got to implementers, they fixed it. doesn't matter for fingerprinting
[12:04:25] <ggm> if you stop answering recursive Q, only answer with RD bit off, don't get a response. independent of configuration is not possible. not sending back data is also information.
[12:04:45] <ggm> more impl found, greater set of queries needed.
[12:05:50] <ggm> [sorry, I'm confused by his words and so the blog has dried up a bit. I'll try harder to keep up -ggm]
[12:06:05] <ggm> send header only. only asked for . A IN.
[12:06:13] <ggm> 16k possible headers, (in 14 bits)
[12:06:20] <ggm> responses tied to queries to IP.
[12:06:38] <ggm> if query matches response, with same stuff, then same impl.
[12:06:45] <ggm> then did datamining.
[12:07:13] <ggm> so found 'strains' of query-response pairs, huge DB. still didn't know what impl. after identified sets of unique impl, did other approaches
[12:07:22] <ggm> like version.bind, version.server, etc.
[12:08:11] <ggm> found 'cute string' in MARADNS, found stuff which is signature. setting up local installations, found Q-R set, likely to be this implementation. and called operators, asked what they used.
[12:08:27] <ggm> Started in November/Dec last year.
[12:08:39] <ggm> basic tool ready in 3 months, set of NS able to identify.
[12:08:56] <ggm> thanks to list of people Peter Bill Brad Mark Mans Miek and Jaap.
[12:09:05] <ggm> HUGE number of different impl out there.
[12:09:17] <ggm> page of what can identify.. (wow! huge list)
[12:09:28] <ggm> java, perl.
[12:10:03] <ggm> (and usual suspects)
[12:10:04] <ggm> small http server with small dns server inside it
[12:10:08] <ggm> some at big TLDs proprietary implementations
[12:10:13] <ggm> still looking.
[12:10:36] <ggm> have Jeeves code, in pascal (thanks Rob) done in PASCAL, need to emulate PDP10/tops-20)
[12:10:54] <ggm> running Pre BSD-4.3 tahoe/4.4-reno BIND
[12:11:00] <ggm> Lars knows people who have them running.
[12:11:01] --- suz-isc has left
[12:11:14] <ggm> Rob I am certain Mark Crispin would be amused at this. has working tops-20 emulator.
[12:11:33] <ggm> dents: cisco cnr
[12:11:54] <ggm> Jaap. think I know somebody with old stuff
[12:11:58] <ggm> Olaf bof on Internet History
[12:12:27] <ggm> think I have found dents, but ops won't respond. think we found cnr. still an identifying string, don't want to be wrong.
[12:12:42] <ggm> if have new or old breed, tell us. esp. if able to run and include in DB
[12:12:52] <ggm> WHAT NOT. (does not help fingerprinting)
[12:13:05] <ggm> active load balancing. 2 queries in row, different backend.
[12:13:31] <ggm> firewall checking queries. eg fw-1 with app intelligence
[12:14:23] <ggm> send fw1 with dnssec, drops query then tries to find reverse. if you are auth for own space, can check NS, find it doing callback.
[12:14:35] --- mitsubachi has joined
[12:14:42] <ggm> forwarders. can be clean, but can also be forwarders does detect, sends to impl. after sanity checks
[12:15:03] <ggm> http://www.rfc.se/fpdns
[12:15:09] <ggm> extras
[12:15:20] <ggm> QR bit not used. (indicating query or response)
[12:15:34] <ggm> setting QR bit in Q to R makes some impl respond anyway.
[12:15:44] <ggm> can cause query storms (!) between implementations
[12:16:20] <ggm> some impl fixed. check for latest releases.
[12:16:31] <ggm> response storms.
[12:17:07] <ggm> almost HALF the impl have this problem
[12:17:30] <ggm> some are 'reeeely' liberal in what they accept.
[12:17:52] <ggm> surveys done with tool can google for them
[12:18:38] --- pablo.a has left
[12:18:43] <ggm> Olaf, meeting closed. unless people want to come to OPEN MIKE.
[12:18:55] <ggm> Miek
[12:19:05] <ggm> just did dictionary attack on .NL.
[12:19:39] <ggm> ran this for 18 hrs, starting yesterday, haven't heard from .NL. found 30,000 out of 1,000,000 so I make it 10% of domainspace from dictionary attack. change rules, use HTML spiders, can find more.
[12:19:48] <ggm> I don't think more than 20-30% zones by this attack
[12:20:23] <ggm> (maths does add up, he explained what he found)
[12:20:53] <ggm> many many more queries, using two dictionaries, half a million words, then combine, enumerate to 8 chars, didn't finish
[12:20:58] --- RoyArends has left
[12:21:20] <ggm> Olaf very useful. helps define measures to compare against in DNSSEC cases.
[12:21:22] <ggm> Olaf no more?
[12:21:26] <ggm> See you in Washington DC
[12:21:30] <ggm> [we're done]
[12:21:36] <ggm> NO! hang on!!
[12:21:46] <ggm> oh. it's just a joke about fingerprinting at the US border
[12:21:47] --- rgaglian has left
[12:21:57] --- mstjohns has left
[12:22:02] --- amarine has left
[12:22:04] --- hp has left: Disconnected
[12:22:09] --- jakob has left: Disconnected
[12:22:27] --- AndrewD has left
[12:22:34] --- Doug has left
[12:22:51] --- ogud has left
[12:22:55] --- bernt99 has left
[12:23:05] --- rpayne422 has left
[12:23:07] --- ripple has left
[12:23:15] --- kivinen has left
[12:23:16] --- marka-isc has left
[12:23:43] --- r@dk has left
[12:23:52] --- pawal has left: Logged out
[12:24:09] --- marcos.sanz has left
[12:24:22] --- dblacka has left
[12:24:30] --- hp has joined
[12:24:52] --- olaf has left
[12:25:02] --- mitsubachi has left
[12:25:06] --- hp has left
[12:25:54] --- peterd has left
[12:26:46] --- yone has left
[12:28:30] --- vlevigneron has left: Replaced by new connection
[12:28:30] --- vlevigneron has joined
[12:28:31] --- vlevigneron has left
[12:29:58] --- orange has left
[12:32:44] --- hp has joined
[12:33:10] --- edmundo.cazarez has left
[12:33:32] --- hp has left
[12:36:54] --- hp has joined
[12:36:59] --- hp has left
[12:40:42] --- kjd has left: Disconnected
[12:41:20] --- raj has left: Disconnected
[12:42:35] --- hp has joined
[12:43:50] --- hp has left
[12:45:10] --- vlevigneron has joined
[12:45:37] --- ogud has joined
[12:48:23] --- ggm has left: Disconnected
[12:49:30] --- ogud has left: Replaced by new connection.
[12:49:31] --- ogud has joined
[12:49:32] --- ogud has left
[12:51:34] --- vlevigneron has left
[12:52:27] --- vlevigneron has joined
[12:52:32] --- vlevigneron has left
[12:52:37] --- warlord has left
[12:55:16] --- ocin has left
[12:58:04] --- ogud has joined
[13:05:55] --- ogud has left: Replaced by new connection.
[13:05:55] --- ogud has joined
[13:05:56] --- ogud has left
[13:11:59] --- droms has joined
[13:12:24] --- droms has left
[13:46:41] --- liman has left
[15:21:43] --- ogud has joined
[16:01:01] --- ogud has left