[06:32:55] MAP joins the room
[08:26:12] ogud: Olafur Gudmundsson joins the room
[08:26:42] ogud: Olafur Gudmundsson has set the subject to: DNSEXT Meeting starts at 13:00 Dublin Time
[08:27:01] ogud: Olafur Gudmundsson has set the subject to: DNSEXT Meeting starts at 13:00 Dublin Time today
[08:40:59] Audio: http://videolab.uoregon.edu/events/ietf/
[08:42:42] Agenda: http://www.ietf.org/proceedings/08jul/agenda/dnsext.txt
[08:43:49] or http://tools.ietf.org/wg/dnsext/agenda
[09:26:45] OatWillie joins the room
[09:27:11] Michael, long time no see
[09:27:55] morning Olafur
[09:50:31] ogud: Olafur Gudmundsson leaves the room
[09:55:39] OatWillie leaves the room: Replaced by new connection
[10:09:38] ogud: Olafur Gudmundsson joins the room
[10:15:11] OatWillie joins the room
[10:39:07] ogud: Olafur Gudmundsson leaves the room: Replaced by new connection
[10:43:13] OatWillie leaves the room
[10:52:22] ogud: Olafur Gudmundsson joins the room
[11:09:17] OatWillie joins the room
[11:25:08] ogud: Olafur Gudmundsson leaves the room: Replaced by new connection
[11:26:31] marco joins the room
[11:27:25] ogud: Olafur Gudmundsson joins the room
[11:28:17] ogud: Olafur Gudmundsson has set the subject to: DNSEXT Meeting starts at 13:00 in Ballroom #1 second floor main building
[11:31:41] ahu joins the room
[11:31:47] testing 1 2 3!
[11:32:00] <- bert hubert from powerdns reporting live from the netherlands
[11:33:21] afternoon bert
[11:33:33] <- bill manning, LA
[11:33:57] welcome bert
[11:34:40] I feel like I'm almost there :-)
[11:35:07] thanks ogud
[11:40:12] fdupont joins the room
[11:40:38] fdupont leaves the room
[11:40:58] fdupont joins the room
[11:40:59] marco leaves the room: Disconnected
[11:41:52] Jelte joins the room
[11:45:01] hi jelte!
[11:45:28] Stefan Schmidt joins the room
[11:45:40] Habbie joins the room
[11:53:54] yone joins the room
[11:54:33] Antoin joins the room
[11:56:04] hey there
[11:56:14] hello
[11:56:15] Hi Jelte
[11:56:26] 4 minutes till meeting starts
[11:57:14] hi antoin_!
[11:57:23] <- bert hubert
[11:57:29] could somebody sing a little song in the mic please?
[11:57:32] Hi Bert
[11:57:38] marco joins the room
[11:58:01] marcos joins the room
[11:58:02] [MIC] sing a little song please
[11:58:15] Did you hear the tabbing?
[11:58:15] that's fine too :)
[11:58:19] yes, thanks
[11:58:43] matthijs303 joins the room
[11:58:46] shinta joins the room
[11:59:11] キレイ。セ joins the room
[12:00:04] edmon joins the room
[12:00:17] ogud: Olafur Gudmundsson has set the subject to: DNSEXT Meeting in progress @ Ballroom #1 second floor main building
[12:01:14] welcome, I'll be your scribe for today
[12:01:21] pawal joins the room
[12:01:25] presentation slides can be found at https://datatracker.ietf.org/meeting/72/materials.html
[12:01:36] fneves joins the room
[12:01:39] olafur: meeting opened
[12:01:50] andrew sullivan is new co-chair of dnsext
[12:01:51] I'll be the Mic-delegate. Please write "MIC:" if you want some comment to be spoken at the microphone
[12:01:58] *claps*
[12:02:09] koji joins the room
[12:02:29] fujiwara joins the room
[12:02:29] lars is doing minute scribe
[12:02:48] bortzmeyer joins the room
[12:02:53] hi stephane!
[12:02:57] pk joins the room
[12:03:34] Niels Bakker joins the room
[12:03:35] materials are also on http://tools.ietf.org/dnsext/agenda
[12:03:40] they are complete
[12:03:49] dblacka joins the room
[12:03:53] matt-larson joins the room
[12:04:00] mohsen joins the room
[12:04:03] no drafts published
[12:04:20] iesg discuss cleared for the dnsext-2929bis
[12:04:45] there is a new version of forgery resilience (06)
[12:04:50] jaap joins the room
[12:04:54] current documents:
[12:05:03] rsasha256
[12:05:12] presented by wouter wijngaards
[12:05:26] http://www3.ietf.org/proceedings/08jul/slides/dnsext-0.pdf
[12:06:02] author is jelte jansen
[12:06:18] i should mention that i uploaded -05 this week
[12:06:19] the draft says we need rsasha256/512
[12:06:27] changes 03-04
[12:06:31] -05! I could barely handle -04!
[12:06:32] removed nsec3 aliases
[12:07:00] nsec3 support now implied
[12:07:15] (and i removed a reference)
[12:07:26] changes for 5: remove the downgrade attack text
[12:07:35] that's it
[12:07:49] jaap at mic: what jelte said ;)
[12:08:00] dname draft is coming next
[12:08:46] ?: nsec3 support implied
[12:09:03] ? = Francis Dupont
[12:09:06] wouter: that means: if you use rsha2, you also should use nsec3
[12:09:10] ah thanks
[12:09:26] next presentation: dname update draft
[12:09:26] bortzmeyer leaves the room
[12:09:29] http://www3.ietf.org/proceedings/08jul/slides/dnsext-1.pdf
[12:09:33] keith joins the room
[12:09:36] by scot rose and wouter
[12:09:43] Roy Arends joins the room
[12:09:50] wouter: wanna do this quick:)
[12:09:54] I've understood the opposite: if you use rsha2 you may use nsec3 (or nsec)
[12:10:23] wouter: keeping up with changes
[12:10:33] summarizes on the first slide
[12:10:40] I.e., only the support is implied (support != use even you can't use unsupported stuff)
[12:10:58] it's phrased as this: Implementations that have support for RSA/SHA-2 MUST also have support for NSEC3 denial of existence
[12:11:04] (can I admit that I don't understand DNAME?)
[12:11:20] just don't admit it in public
[12:11:30] yes, ahu, you may admit anything you like :-)
[12:11:32] i thought that was one of the reasons for dname-update
[12:11:39] hi roy :-)
[12:11:45] can we still be friends? :-)
[12:11:45] Hi bert!
[12:11:47] i fear there is already a log of this in public ;-)
[12:11:49] Bert, are you listening from afar?
[12:11:50] yes.
[12:11:59] yes, I'm in the netherlands and I have audio
[12:12:25] next slide
[12:12:28] that's it
[12:12:54] recent changes: nits, improving order of the text,
[12:13:12] there is quite some lag in the audio I note, or matthijs can type RILLY fast
[12:13:12] olafur: last call on this is real soon
[12:13:20] i can ;)
[12:13:24] both :)
[12:13:42] Olafur says, "allow for European vacation times..."
[12:13:47] i have future vision :p
[12:13:50] (for Bert to judge audio lag)
[12:13:55] matt, that was timed exactly right for me
[12:14:00] LOL
[12:14:07] yes, pretty special :>
[12:14:13] thanks
[12:14:13] next up: dnssec-bis update
[12:14:17] bortzmeyer joins the room
[12:14:22] there are no slides for this
[12:14:27] Suz joins the room
[12:14:33] david blacka has "something" to say about this
[12:14:34] onakayu joins the room
[12:14:39] Dave just starts speaking
[12:14:46] david is the new editor
[12:14:49] otmar joins the room
[12:15:23] 2 things: stuff that was discussed in philly, and the multiple trust path discussion
[12:15:42] Steve Crocker joins the room
[12:15:50] how many understand the latter issue...
[12:15:54] could not count hands
[12:16:08] around half of the people raised their hands
[12:16:08] problem: when you have different paths to follow
[12:16:17] 10<#hands<20
[12:16:32] discuss this on ML, come up with text
[12:16:50] hopefully a conclusion before september
[12:17:00] olaf kolkman: conclusion == last call?
[12:17:08] andrew: probably yes
[12:17:43] but first we need to have clear how things are interpreted
[12:18:22] olaf: not sure if implementation activity is going on, which is good for clarification
[12:18:34] Pels joins the room
[12:18:59] andrew: next presentation: edns-bis
[12:19:07] olafur: the editor claims it's done
[12:19:18] last call soon?
[12:19:29] issue: what level of mandate this doc is
[12:20:00] next slide: current docs continued
[12:20:22] next up: dnsext-tsig-md5 deprecated
[12:20:45] mc joins the room
[12:21:08] fdupont: main problem: we have no proof that md5 is weaker than others
[12:21:12] Roy Arends leaves the room
[12:21:18] Roy Arends joins the room
[12:22:03] (with hmac that is)
[12:22:06] andrew: paul hoffman proposed for alternate text
[12:22:14] yes
[12:23:34] WPM01906 joins the room
[12:23:42] hah hah, he said "hash out"
[12:23:47] doh.
[12:23:49] get it?
[12:24:06] enjoying yourself, are you Matt? :)
[12:24:13] we have it
[12:24:14] matt, i'm dutch ;)
[12:24:14] is MD5 safe for hashing out a question?
[12:24:20] Yeah, but it's a tough room!
[12:24:22] if you HMAC it
[12:24:31] you got me smiling at least
[12:24:32] define "safe" ...
[12:24:52] peter koch: if we wanna have requirements, we have to be explicit, this is far from last call...
[12:25:09] how packed is the room, btw? (I'm remote)
[12:25:18] have you ever opened a can of sardines?
[12:25:22] Remco joins the room
[12:25:27] virtually empty
[12:25:27] matt, that bad huh?
[12:25:29] are you familiar with the density of a neutron star?
[12:25:35] hi remco!
[12:25:36] well, it's not that packed
[12:25:36] otmar: around 70 ppl
[12:25:50] next up: ed lewis with axfr clarify
[12:26:02] http://www3.ietf.org/proceedings/08jul/slides/dnsext-5.pdf
[12:26:05] and at least 4 remote participants
[12:26:15] And now a word from someone who is clearly an agent of the BIND Company
[12:26:18] ahu leaves the room
[12:26:25] ed: draft tracker details
[12:26:32] berthubert joins the room
[12:26:39] no iesg evaluation, that's funny cause it was in last call once
[12:26:39] test
[12:26:49] draft goes back to 2000
[12:26:51] test succeeded
[12:26:53] ahu_, pong
[12:27:00] This draft is older than both of my children.
[12:27:14] also older than mine matt :-)
[12:27:21] Hey, congratulations, BTW!
[12:27:22] But not than mine
[12:27:25] by YEARS :-)
[12:27:33] About MD5: I said HMAC-MD5 is not proved weak or even not stronger than HMAC-SHA256
[12:28:03] whew, I'm glad there's a point coming!
[12:28:17] thanks matt
[12:28:27] maurits is also listening in, but he is not making sense of things :-)
[12:28:38] We can enter crypto stuff if we'd like (I am not a cryptographer but I have some in my friends so I know how to talk with them without being ...
[12:28:45] ralph at mic: some issues were addressed
[12:28:45] テスト (test)
[12:28:47] dblacka leaves the room
[12:28:51] Steve Crocker leaves the room
[12:28:54] dblacka joins the room
[12:28:54] Steve Crocker joins the room
[12:28:56] Stephane: did that one succeed?
[12:29:03] Yes, I saw the characters
[12:29:09] But I cannot read them
[12:29:11] recent editing work: hunted implementors
[12:29:13] Chinese ?
[12:29:17] test in Japanese Katakana
[12:29:18] test test
[12:29:20] marcossanz, looks asian to me
[12:29:26] japanese I think
[12:29:44] Roy Arends leaves the room
[12:29:46] The text said, "Ed is my hero."
[12:29:51] Roy Arends joins the room
[12:29:53] LOL
[12:30:00] Will you try "paf inversion" in XMPP, now?
[12:30:06] current issues: 2 sections 1.4's second one will stay
[12:30:22] Yes, I will try. And if it works, we have to deprecate XMPP for sec reasons
[12:30:24] 3.2 submitted text doesn't make sense
[12:30:47] finally, a comment on ML (see slide)
[12:31:15] ad comments central question "what's in a zone?"
[12:31:26] look at 1034 rfc sec4.2.1
[12:31:38] 4 options
[12:31:55] For those who do not know what is "paf inversion": http://stupid.domain.name/node/681
[12:32:17] it's debating on
[12:32:31] we defined two more options
[12:32:42] added: occluded data from dynamic update and dname
[12:33:04] healthyao joins the room
[12:33:21] marco leaves the room: Replaced by new connection
[12:33:21] marco joins the room
[12:33:24] rob at mic:
[12:34:22] ed: what to do with typos
[12:34:25] Steve Crocker leaves the room
[12:34:27] Steve Crocker joins the room
[12:34:38] bortzmeyer leaves the room
[12:34:52] and this works w/ incremental updates how?
[12:34:53] rob: distinguish between transfer and loading zone
[12:35:01] ed: this should be in doc
[12:35:16] tap tap tap....
[12:35:20] wait, is the assumption here that a 'zone' that includes occluded data is by definition 'bad'?
[12:35:21] edmon leaves the room
[12:35:23] matt larson: load the whole thing and serve it?
[12:35:42] rob: essentially yes, no tweaking and modifying the zone
[12:35:47] matt: what about primary
[12:35:54] rob: implementation dependent
[12:36:05] OatWillie leaves the room
[12:36:10] matt: clarify this for primaries as well?
[12:36:13] OatWillie joins the room
[12:36:14] edmon joins the room
[12:36:17] yone leaves the room: Replaced by new connection
[12:36:24] ping
[12:36:37] yone joins the room
[12:36:40] rob: at some point it starts serving the zone, once that happens it should not modify the zone
[12:36:51] try again
[12:36:59] andrew: this sounds like this needs text
[12:37:02] ed agrees
[12:37:19] bortzmeyer joins the room
[12:37:20] plz tell me how this works w/ incremental update
[12:37:20] action item document needs section on: Zone loading issues
[12:37:27] 25 minutes left
[12:37:28] andrew: ed will write proposal? ed: yes
[12:37:50] good thing Mark Andrews is at the mic!
[12:37:58] ed: incremental update is out of scope
[12:38:04] healthyao leaves the room: Replaced by new connection
[12:38:29] aalain joins the room
[12:38:34] incremental update may change the atomic nature of zone loading
[12:38:37] Jim Galvin joins the room
[12:38:40] bortzmeyer leaves the room
[12:38:42] Danny joins the room
[12:38:54] jabley joins the room
[12:38:57] mark andrews: what to do with loading master zones
[12:39:16] Jim Galvin leaves the room
[12:39:30] bind8 had a lot of problems with this proposal
[12:39:51] i don't like that remark about changing glue either
[12:39:59] ogud: Olafur Gudmundsson leaves the room: Replaced by new connection
[12:40:11] ogud: Olafur Gudmundsson joins the room
[12:40:17] WPM01906 leaves the room: Replaced by new connection
[12:40:18] WPM01906 joins the room
[12:40:44] mark andrews: don't merge
[12:41:05] bortzmeyer joins the room
[12:41:20] Roy Arends leaves the room
[12:41:26] peter koch: confusion about zone content, there ought to be a difference between transfer master-slave and serving queries
[12:41:26] Roy Arends joins the room
[12:41:32] yes
[12:41:39] Jim Galvin joins the room
[12:41:40] i agree with peter :)
[12:42:08] lars comments
[12:42:21] edward continues
[12:42:25] bortzmeyer leaves the room
[12:42:34] not purely a section; this has to do with errors, occlusion and glue
[12:42:37] jelte: not really, I think nsd behaves "strange" in some corner cases
[12:42:43] marco leaves the room: Replaced by new connection
[12:42:43] marco joins the room
[12:43:03] who says i don't? :)
[12:43:08] next steps are (have we answered the ad and djb comments) and (wait for more input)
[12:43:34] mark coming up at phone
[12:43:47] mic i mean
[12:44:05] mic or phone?
[12:44:07] mark: implementation added extra record, ...
[12:44:18] lol
[12:44:36] andrew: next action is discussion
[12:45:02] ?: original axfr explanation there is another problem with that
[12:45:04] ? = Alfred Hönes
[12:45:37] OatWillie leaves the room
[12:45:58] WPM01906 leaves the room: Replaced by new connection
[12:46:00] WPM01906 joins the room
[12:46:01] bruce joins the room
[12:46:07] is the text in the current draft correct, with respect to replying with multiple rrs and single rrs
[12:46:09] shinta leaves the room: Replaced by new connection
[12:46:12] 15 minutes
[12:46:15] shinta joins the room
[12:46:25] matt-larson leaves the room
[12:46:30] dblacka leaves the room
[12:46:33] bert = we are scheduled until 3pm
[12:46:38] dblacka joins the room
[12:46:51] "the spec says one thing, but implementations might not follow"
[12:47:06] next item: dns profile document
[12:47:09] by olafur
[12:47:15] nothing happened since the last meeting
[12:47:34] marcossanz: I see, thanks!
[12:47:39] matt-larson joins the room
[12:48:07] if we have nothing in september, we will kill the current effort
[12:48:13] or should we do this now
[12:48:19] comments?
[12:48:40] peter koch: it is useful work, approach is not workable
[12:48:44] living document thingy
[12:50:29] ed lewis: not useful, is implementation dependent, there should be a list of implementations that have such a checklist
[12:50:36] olaf: did we adopt the last time?
[12:50:53] olafur: we are asked to do this by other area directors
[12:51:04] other areas have difficulties
[12:51:07] that's not a decision
[12:51:18] i just quote
[12:51:26] and i just comment :)
[12:51:29] ahead on schedule:)
[12:51:42] alright:)
[12:51:43] yes the delay is pretty long, which is annoying
[12:51:51] proposed new work coming up
[12:51:52] reconnecting every once in a while helps I think
[12:52:08] scot rose talks
[12:52:22] which one?
[12:52:39] i believe crocker-dnssec-algo-signal
[12:52:40] draft-crocker-dnssec-algo-signal
[12:52:47] thx
[12:52:50] two goals: reduce response size between validating clients and authservers
[12:52:59] i think the goal is unreachable
[12:53:02] second: i missed
[12:53:03] regarding rfc4035
[12:53:12] really small number read this
[12:53:15] i read it
[12:53:27] Then why didn't you raise your hand?
[12:53:32] i did!
[12:53:41] hehe
[12:53:42] okay i didn't
[12:53:47] I KNEW it
[12:53:52] are you on my webcam again?
[12:53:56] more proposed work: vixie-dns 0x20
[12:54:04] deferred to forgery resilience
[12:54:13] Clarification to RFC 1123 [http://tools.ietf.org/html?rfc=1123]
[12:54:14] another item: clarification rfc 1123
[12:54:56] andrew: idna labels will move into the zones, they are not alphabetic, that is problematic
[12:55:05] it is a small change, and we have volunteers
[12:55:16] already
[12:55:25] this is gonna be under pressure of icann
[12:55:32] that text in 1123 almost reads like a 'should', rather than a 'must'.
[12:55:33] If ICANN really wants this, let's see what we can get in return
[12:55:46] personally, I'd like a black helicopter
[12:55:50] a warm handshake most likely
[12:56:09] dblacka leaves the room
[12:56:16] dblacka joins the room
[12:56:25] rob: this is an iana discussion not an ietf one
[12:56:27] Roy Arends leaves the room
[12:56:33] Roy Arends joins the room
[12:57:03] andrew: hat off, the problem is it's justifying a protocol change
[12:57:17] peter: 1) pressure under icann is a non-starter
[12:57:19] ICANN is not the boss of us!
[12:57:21] matt, of all the people here I'd expect you the most to already have an arsenal of black helicopters at your disposal
[12:57:33] Steve Crocker leaves the room
[12:57:34] now I will have to kill you
[12:57:34] 2) i'm not optimistic that it will be little work
[12:57:40] Steve Crocker joins the room
[12:57:48] it will have a long debate
[12:58:07] I think I hear the black helicopter starting to warm up its engine outside
[12:58:15] Time for my escape!
[12:58:16] steve crocker: not from icann:) expand on peter comments
[12:58:34] Actually, my black helicopter is silent
[12:58:41] those implementations should die anyhow
[12:58:44] indeed
[12:58:55] implementations have problems with dealing longer tld names (longer than 3)
[12:59:10] any implementation having issues with -- needs to leave the internet
[12:59:23] somewhere we need clarification what we are willing to accept
[12:59:28] we've had .museum for nearly 5 years now, right?
[12:59:45] olaf: we should focus on technical stuff, not political
[12:59:56] Yes, and guess how many emails I've gotten at matt@museum!
[13:00:05] andrew: there is a simple technical problem
[13:00:08] you have an MX at the TLD?
[13:00:20] No, I was making a hilarious joke.
[13:00:22] I was ahu@tk for a while marcossanz :-)
[13:00:26] it didn't work very well
[13:00:34] most people couldn't mail me
[13:00:37] well rfc3597 has been out for 5 years too, but if we remove all implementations that do not support that from the internet it's gonna get pretty quiet
[13:00:46] jelte: this is a problem?
[13:00:52] jjansen: not all rfc's are equal :-)
[13:00:56] alfred hones at the mike
[13:01:02] ICANN is not the boss of us, but neither are we the boss of ICANN. We can decline to be pressured by ICANN's constraints, but there's then no reason why they can't or won't proceed without our input.
[13:01:23] healthyao joins the room
[13:01:27] we need something that all protocols can rely on, but there is more interest than only the dnsext group
[13:01:33] I want to have my cake and eat it, too
[13:01:44] the cake is a lie
[13:01:59] one proposal that can be considered is to make an errata
[13:02:25] from a simple document change we have gone to a major search for WMD!
[13:02:28] dblacka leaves the room
[13:02:28] andrew: an errata may not change the meaning of the text
[13:02:35] dblacka joins the room
[13:02:37] Roy Arends leaves the room
[13:02:43] Roy Arends joins the room
[13:02:46] next proposed work item
[13:03:35] (crickets chirp)
[13:03:44] :)
[13:03:47] those are pretty tactile crickets
[13:04:06] mark andrews talks about dnssec and dynamic zones
[13:04:11] attention span...fading...
[13:04:22] listen to the discussion about up and down arrows.
[13:04:30] ah
[13:04:41] slides?
[13:04:47] did anybody else just hear a bottle getting uncorked on the audio feed?
[13:04:48] there are slides in the room
[13:05:06] for what that's worth :-)
[13:05:09] niels_, i did
[13:05:14] niels_, gives me an idea
[13:05:15] Niels: you got us. we are all getting drunk here
[13:05:20] you haven't enough time to sign a zone in a dynamic environment
[13:05:22] Remco leaves the room
[13:05:33] Steve Crocker leaves the room
[13:05:36] we have to deal with SLAs
[13:05:45] Steve Crocker joins the room
[13:06:01] Prior topic proves me right: http://ogud.blogspot.com/
[13:06:05] proposal: do dnssec changes incremental
[13:06:25] ogud: :-)
[13:07:00] 1. signalling: - UPDATE, - new ns command protocol
[13:07:50] mark discusses an example: unsigned to signed with nsec
[13:08:07] and one with nsec3
[13:08:20] and one with rolling nsec3 parameters
[13:08:39] and if you are interested, contact mark
[13:08:48] (in working on this, that is)
[13:08:53] ed @mic
[13:09:00] sounds complex
[13:09:10] and is it necessary?
[13:09:50] i wrote something, and we had to change the protocol, first announce signatures and then the keys
[13:09:55] I have the impression that dnssec is already operating under enough constraints
[13:09:56] i remember that there were discussions on this on the nsec3 interoperability workshops
[13:10:04] mark: i had the same problem
[13:10:15] rob coming to the mic
[13:10:16] adding 'dynamic updates should be very fast' to it won't make things any simpler
[13:10:24] comments
[13:10:26] agree with mark
[13:10:35] not convinced for standardization
[13:10:52] there are difficulties that we have not explored yet
[13:11:18] Doing "changes incrementally" (whatever that means) is not the only solution to the problem. You can run a transaction in a lower isolation level.
[13:11:34] it requires tricky operational stuff
[13:11:47] olafur: we need a design team?
[13:12:15] rob: i'm not sure if we are ready, first see if there is "animo"
[13:12:33] andrew: last proposed new work
[13:12:47] WARNING! stuff coming from nat-pt
[13:13:04] please look out in other areas
[13:13:26] scribe hat off: v6ops, intarea, behave, idnabis, and lots lots of others ;)
[13:13:35] scribe hat on
[13:13:36] berthubert perks up
[13:13:45] coming to the forgery resilience work
[13:13:49] yay
[13:13:50] olafur first
[13:14:24] phase #2
[13:14:34] nice slide what's coming up
[13:14:46] http://tools.ietf.org/html?draft=draft-ietf-dnsext-forgery-resilience
[13:15:00] "How can an avalanche be stopped?"
[13:15:06] - build fences
[13:15:14] or run away or ski faster
[13:15:16] or pray
[13:15:20] or let it be
[13:15:25] or deploy dnssec
[13:15:48] marco leaves the room
[13:15:48] ok, these slides sound like being rather entertaining.
[13:15:48] now serious
[13:15:52] bortzmeyer joins the room
[13:15:57] forg-resil 07
[13:16:03] marco joins the room
[13:16:11] - passed wglc will be sent to iesg next week
[13:16:16] and deploy now
[13:16:25] this doesn't solve all problems
[13:16:30] so there is a list of ideas
[13:16:33] that might help
[13:16:41] from remote and room participants
[13:16:59] think of:
[13:17:03] - the short term
[13:17:11] - what can we do without updating software
[13:17:15] - and so on
[13:17:21] but first more entertaining stuff
[13:17:27] huguei joins the room
[13:17:29] about dns protocol economics 101
[13:17:38] "all changes have a cost"
[13:18:09] how high is it for implementations, deployment, operators, clients,
[13:18:12] is there fallback
[13:18:13] ray joins the room
[13:18:21] huguei leaves the room
[13:18:22] and
[13:18:25] bortzmeyer leaves the room
[13:18:28] when can this be deployed
[13:18:32] Remco joins the room
[13:18:47] dblacka leaves the room
[13:18:47] the slides are not online?
[13:18:48] in a year or in worst case scenario: 7 years
[13:18:55] dblacka joins the room
[13:19:02] ahu_, i heard they were powerpoint?
[13:19:10] I can see powerpoint :-)
[13:19:15] ray leaves the room
[13:19:34] Roy Arends leaves the room
[13:19:40] Roy Arends joins the room
[13:20:02] Steve Crocker leaves the room
[13:20:03] http://www3.ietf.org/proceedings/08jul/slides/dnsext-6.ppt
[13:20:09] Steve Crocker joins the room
[13:20:09] http://www3.ietf.org/proceedings/08jul/slides/dnsext-6.ppt
[13:20:25] now: wouter wijngaards proxies paul vixie
[13:20:33] about dns 0x20
[13:20:52] bortzmeyer joins the room
[13:20:56] http://www3.ietf.org/proceedings/08jul/slides/dnsext-2.pdf
[13:20:57] slides: http://www3.ietf.org/proceedings/08jul/slides/dnsext-2.pdf
[13:21:10] wouter describes an abstract
[13:21:33] key points: it's nice to have more bits, until we get a serious solution
[13:21:45] how does it work: covert channel in the qname
[13:21:58] qname is case insensitive
[13:22:17] bit 0x20 is not used by responder
[13:22:24] but is echoed
[13:22:45] so you can use it as an additional nonce
[13:22:56] see examples
[13:23:37] character cases can be converted to bits
[13:23:55] lowercase == 1, uppercase == 0
[13:24:14] but what to do if the responder doesn't copy the 0x20 bit
[13:24:30] subject to downgrade attacks
[13:24:40] time for a strawman question.. MIC: Has this been verified to work as expected against IDN names?
[13:24:48] in the case of a mismatch: try all other servers up to 3 times
[13:25:00] Wouter explains 0x20
[13:25:02] otherwise give up
[13:25:18] (Sorry, typed in the wrong window)
[13:25:20] (more of a client library issue than protocol issue)
[13:25:22] IDN names are encoded in ascii on the wire, so they are
[13:25:23] yes, even better with IDN names, since they are generally longer
[13:25:30] standardization needed
[13:25:34] NiCe IdEa
[13:25:38] But have more digits
[13:25:55] dblacka leaves the room
[13:25:59] so they are transparent to this ...
[13:26:03] dblacka joins the room
[13:26:08] the silly thing about 0x20 is it doesn't actually help a lot against someone taking over .net or . with the 'kaminsky attack', because that attack has the greatest effect on -short- names, where 0x20 only adds a few bits
[13:26:21] it shouldn't be mandatory, however let the dns specs amend to require responders copy the entire QNAME including all 0x20 bits
[13:26:26] roy: tHis mEaNs tHaT wE wilL All uSe fAncYcAsE.
[13:26:34] people walking to the mine
[13:26:36] mic
[13:26:40] StUdLyCaPs
[13:26:41] Why is Kaminsky attack more efficient on short names?
[13:26:51] (Except in the case of 0x20 of course)
[13:26:59] ed: keep trying is a bad thing
[13:27:00] bortzmeyer: less bits to work with
[13:27:10] bortzmeyer_, it's not more efficient - it's more effective as it allows you to control more names from just one successful attack
[13:27:10] or to guess
[13:27:22] [MIC]: (Bert Hubert) Isn't it true that the shorter a domain name (least labels), the more interesting it is to spoof, and that very short names have very little 0x20 bits (or zero 0x20 bits)?
[13:27:28] Still do not understand. I doubt
[13:27:44] Bert: ok, i am queuing
[13:27:46] [MIC]: think 1. or 2. or 3. etc
[13:27:56] wouter: you would like to try a couple of times
[13:27:59] berthubert: it is Better Than Nothing
[13:28:02] bortzmeyer_, taking over authority for .net gives you control over millions of domain names; taking over authority for freshmeat.net just gives you one
[13:28:05] Steve Crocker leaves the room
[13:28:12] forgot name of guy at mic
[13:28:14] Steve Crocker joins the room
[13:28:24] Wes Hardaker was at the mic
[13:28:41] wouter: resolver has to pick the random number
[13:28:41] bortzmeyer_, it's not better than nothing because it will just drive attackers to take over . or .net, in which case 0x20 really doesn't add any security
[13:29:24] steve crocker: it is clever, but also feel uncomfortable: ok in alphabetic, but not in idna
[13:29:25] speaker is wrong about idna
[13:29:35] wouter: it is done after the translation
[13:29:45] marco leaves the room: Disconnected
[13:29:53] steve: another thing: it is yet more complex on both sides
[13:30:05] yes, he's wrong about idna
[13:30:19] how far should we walk?
[13:30:36] wouter: dnssec is the best measurement, but until then
[13:30:38] jabley leaves the room
[13:30:38] marco joins the room
[13:30:52] richard: agree with steve
[13:31:08] observation: longer domain name is more entropy
[13:31:13] but the risk is .com
[13:31:17] and other tlds
[13:31:23] ah, speaker is making my argument
[13:31:34] no no no no :-)
[13:31:36] wouter: it does not work like that
[13:31:43] the spoofer doesn't send such long queries :-)
[13:31:46] indeed
[13:31:47] he sends 1. 2. 3. 4.
[13:31:50] this is wrong
[13:31:58] this is not true!
[13:32:06] i.e. I agree with ahu
[13:32:11] me too :)
[13:32:14] roy: we should announce this :-)
[13:32:14] attacker chooses the name
[13:32:18] bert proxies: the shorter, the more interesting to spoof
[13:32:27] dblacka leaves the room
[13:32:29] wouter: same answer
[13:32:34] dblacka joins the room
[13:32:39] rob: cnn.com is very spoofable
[13:32:48] jim reid: dafty hack
[13:32:51] yes, with or without 0x20
[13:33:03] end application may make use of case preservation
[13:33:33] resolver knows original casing, mapping back the case at the resolver
[13:33:41] jim reid: second point
[13:34:12] this is only useful for some domain names
[13:34:15] matt larson at mic
[13:34:16] my problem is that it provides a varying number of bits of entropy; which can be as small as zero, so it would still need other additions (exponentially adding complexity), and is pretty fragile in itself
[13:34:31] these bits are a gift for us
[13:34:38] my problem is not that it's variable, but that that variable number is -zero- in the place that actually matters
[13:34:49] the draft needs to explicitly mention that; ie, if an application asks for ieTf.oRg, and the resolver then wanders off chasing IetF.oRG, the question must come back _as presented_ to the resolver (the resolver must translate between different versions of QNAME)
[13:34:49] most servers are not messing with 0x20, so yes it's a bit of a hack
[13:34:57] but we get this essentially for free
[13:35:12] so tremendous benefit and support
[13:35:16] this is only critical for some sites, not all of them. How critical is it for reverse zones?
[13:35:16] lars at mic
[13:35:29] make sure to implement this at the root
[13:35:42] 1 query has no benefit: priming query
[13:35:51] but still a good idea
[13:36:12] olaf: dnssec is the only long-term solution
[13:36:17] this just gives us time
[13:36:17] ho hum... I'm not hearing an answer to the question (on the audio) about it having been verified to work as expected with idn names.
[13:36:43] It is irrelevant to idn names
[13:36:56] he said that any idn name would at least have 2 letters
[13:36:58] We only go for SCII
[13:37:04] ACSII
[13:37:09] andrew: how many read
[13:37:10] a lot
[13:37:16] support: lots of hum
[13:37:27] no support: someone really loud hums
[13:37:34] wg adopt
[13:37:42] Just tested: all the root name-servers are case-preserving
[13:37:47] yeah they are
[13:37:58] 99.9% of the servers work fine
[13:38:00] peter: we should not adopt it in the wg
[13:38:03] you've tested all anycast nodes?
[13:38:14] Roy Arends leaves the room
[13:38:21] Roy Arends joins the room
[13:38:28] No, I presume all instances of a same root server are identical
[13:38:30] andrew: measuring the sense
[13:38:36] matt-larson leaves the room
[13:38:46] matt-larson joins the room
[13:38:56] next up: open discussion on forgery resilience further work
[13:39:05] jaap: yes yes, it's ascii on the wire. whether common applications care about the case that comes back from the local resolver is still open.
[13:39:40] rob: i heard pleasant news: dnsop meeting: joe abley presentation: measuring edns0: tentative reports 90+%
[13:39:51] buy joe more beer:)
[13:39:57] get rid of edns fallback
[13:40:07] (also in natpt solutions)
[13:40:20] the case between the application and resolver must be preserved of course.
[13:40:26] Steve Crocker leaves the room
[13:40:30] Steve Crocker joins the room
[13:40:36] olaf: clarification: fallback when
[13:40:56] olaf: is it only for recursors talking to authservers?
[13:41:11] rob: yes, with the rd bit turned off
[13:41:30] matt larson: if we can eliminate edns fallback
[13:41:43] then we can stay off this particular attack as long as we want
[13:42:15] who is speaking?
[13:42:20] matt larson: is dnssec the real solution? it is the solution we have now, but it is complex
[13:42:22] matt larson is speaking
[13:42:22] matt larson
[13:42:37] making edns mandatory would instantly make edns ping the best solution
[13:42:46] jjansen: indeed
[13:43:32] still matt larson: dnssec deployment is years away
[13:43:54] it is a good solution, but look at other solutions as well
[13:43:57] peter at mic
[13:44:19] operational side effects of 0x20
[13:44:42] peter also appreciates the work of abley
[13:44:59] peter has slightly different statistics
[13:45:25] he warns about over enthusiasm
[13:45:35] this is my fault actually hehe
[13:45:52] what about pushing tld's to add edns0 checks to their dnscheck scripts?
[13:45:58] peter: how do systems react on unknown edns options
[13:46:00] abley at mic
[13:46:06] that should increase the popularity of those checks
[13:46:10] results are tentative
[13:46:26] karl? at mic
[13:46:41] Carsten Strottman
[13:46:50] thanx
[13:47:00] ed at mic
[13:47:39] dnssec is actually 0x20, but has lots more bits
[13:47:59] question is: what is the cheapest way to give us more bits
[13:48:13] prefer unguessable nr of bits
[13:48:58] olafur: none of the solutions preclude each other
[13:49:23] I just realize that dns0x20 misses any comment about possible interactions with DNSSEC
[13:49:30] olaf: clarification: we are talking about cache poisoning, spoofing attacks
[13:49:35] but there are other attacks
[13:49:47] it's a tradeoff decision
[13:49:49] i.e. what if cases don't match, but DNSSEC states that no spoofing is taking place?
[13:49:51] edmon leaves the room: Computer went to sleep
[13:50:19] olafur: we have 10 minutes left
[13:50:31] marcos: think of rogue secondary name servers
[13:50:36] rob at mic: dnssec also protects against other threats
[13:50:38] then the answer should be right (or dnssec is broken)
[13:50:41] it's end to end
[13:50:50] that needs to be fleshed out in the draft
[13:51:02] and for some situations we need end2end
[13:51:16] ".nl" has a secondary name server in AFNIC. Since ".nl" is not signed, we could poison ".nl" :-)
[13:51:20] thus dnssec
[13:51:20] Unless they have DNSSEC
[13:51:30] heads up, Antoin
[13:51:31] bortzmeyer_: we know you wouldn't :-)
[13:51:54] bortzmeyer: you've got it on disk, why bother with a poison attack? ;)
[13:52:09] jim reid: don't rush 0x20 and then in 6 months we perhaps need a new change
[13:52:12] I was using "poison" in a very general sense
[13:52:17] heh
[13:52:38] olafur: deploy multiple solutions
[13:52:44] jim reid: might be confusing
[13:52:53] hear hear
[13:52:58] hear hear
[13:53:07] wes at mic
[13:53:20] some nat issues
[13:53:23] peter koch at mic
[13:53:37] agreed with ed lewis too much today ;)
[13:53:44] 0x20 will not kill dnssec
[13:54:05] dblacka leaves the room
[13:54:12] dblacka joins the room
[13:54:40] peter: first make a proposal, then the WG judges and don't rush things
[13:55:32] yes please
[13:55:33] olafur: recommend people with smart ideas to send text
[13:56:24] sometime next month could be tomorrow...
[13:56:28] roy arends walking up to mic
[13:56:33] and jon dickinson
[13:56:40] surprise presentation
[13:56:49] showing kaminsky spoof
[13:56:51] demo
[13:56:58] cool!
[13:57:05] ok now i want a video feed
[13:57:08] 2 independent code bases (john and roy)
[13:57:19] cool :)
[13:57:22] john will present
[13:57:28] booting :)
[13:57:31] One of the two is using ldns
[13:57:33] oh no
[13:57:46] john is using ldns indeed
[13:57:52] if the stream dies now, you know how it happened :-)
[13:58:04] I accessed the audio stream by IP address...
[13:58:11] :-)
[13:58:14] me too :)
[13:58:15] one program: dig, other window: exploit
[13:58:22] or if the stream is replaced by rick astley
[13:58:25] (which is insanely ironic for the _dns_ext working group)
[13:58:27] doh :)
[13:58:37] Jelte, oh noes
[13:58:37] ... never let you down ...
[13:58:53] Niels Bakker: that's a good reason, you're at the best point in europe to be spoofed ;)
[13:58:55] The demo effect?
[13:58:58] demo law: doesn't work
[13:59:15] olaf: somebody turned on dnssec :)
[13:59:38] ok third time it works
[13:59:46] Seven seconds
[14:00:02] Steve Crocker leaves the room
[14:00:11] healthyao leaves the room
[14:00:14] somebody set up us the demo
[14:00:18] john did some runs during dnsext meeting
[14:00:29] and some were very fast
[14:00:38] peter at mic
[14:00:47] (half a second spoof)
[14:01:01] キレイ。セ leaves the room
[14:01:03] koji leaves the room
[14:01:06] aalain leaves the room
[14:01:06] peter: where is the stuff
[14:01:17] on john's laptop
[14:01:29] matt-larson leaves the room
[14:01:30] meeting closed
[14:01:30] fdupont leaves the room: Computer went to sleep
[14:01:34] matthijs303 leaves the room
[14:01:45] marcos leaves the room
[14:01:46] Roy Arends leaves the room
[14:01:47] pawal leaves the room
[14:01:53] shinta leaves the room
[14:01:54] dblacka leaves the room
[14:02:01] jaap leaves the room
[14:02:09] onakayu leaves the room
[14:02:20] Habbie leaves the room
[14:02:24] otmar leaves the room
[14:02:25] fneves leaves the room
[14:03:08] Pels leaves the room
[14:03:10] keith leaves the room
[14:04:54] bruce leaves the room
[14:05:21] Antoin leaves the room
[14:05:24] marco leaves the room: Disconnected
[14:05:51] Jim Galvin leaves the room
[14:06:23] Niels Bakker leaves the room
[14:07:11] fdupont joins the room
[14:07:27] bortzmeyer leaves the room
[14:07:51] pawal joins the room
[14:08:06] bortzmeyer joins the room
[14:09:19] Stefan Schmidt leaves the room
[14:09:55] Suz leaves the room
[14:10:23] bortzmeyer leaves the room
[14:10:37] mohsen leaves the room: Computer went to sleep
[14:10:55] Jelte leaves the room
[14:12:39] pk leaves the room: Replaced by new connection
[14:12:39] pk joins the room
[14:13:33] pawal leaves the room
[14:13:58] Remco leaves the room
[14:17:12] fdupont leaves the room: Computer went to sleep
[14:20:00] jabley joins the room
[14:20:26] ogud: Olafur Gudmundsson leaves the room
[14:20:27] jabley leaves the room
[14:20:59] bortzmeyer joins the room
[14:24:15] healthyao joins the room
[14:25:04] yone leaves the room: Replaced by new connection
[14:25:18] pawal joins the room
[14:26:10] healthyao leaves the room
[14:33:46] berthubert leaves the room
[14:41:06] ogud: Olafur Gudmundsson joins the room
[14:41:30] ogud: Olafur Gudmundsson has set the subject to: DNSEXT Working group jabber room
[14:41:42] ogud: Olafur Gudmundsson leaves the room
[14:44:46] fujiwara leaves the room
[15:05:30] fdupont joins the room
[15:15:04] onakayu joins the room
[15:19:19] WPM01906 leaves the room
[15:20:06] onakayu leaves the room
[15:31:52] bortzmeyer leaves the room
[15:33:31] pk leaves the room
[15:44:37] bortzmeyer joins the room
[15:46:11] fdupont leaves the room: Computer went to sleep
[15:50:36] MAP leaves the room
[15:53:42] healthyao joins the room
[15:57:49] mohsen joins the room
[15:58:12] fdupont joins the room
[15:59:14] fdupont leaves the room
[16:12:54] bortzmeyer leaves the room
[16:15:07] healthyao leaves the room
[16:15:29] bortzmeyer joins the room
[16:17:14] bortzmeyer leaves the room
[16:22:55] Roy Arends joins the room
[16:24:54] bortzmeyer joins the room
[16:24:58] Roy Arends leaves the room
[16:30:26] pawal leaves the room
[16:30:42] bortzmeyer leaves the room
[16:31:08] bortzmeyer joins the room
[16:35:58] pawal joins the room
[16:40:08] pawal leaves the room
[16:49:50] pawal joins the room
[16:51:48] mohsen leaves the room
[17:04:49] liman joins the room
[17:05:03] liman leaves the room
[17:21:02] bortzmeyer leaves the room
[17:25:14] bortzmeyer joins the room
[17:34:41] bortzmeyer leaves the room
[17:35:51] bortzmeyer joins the room
[17:44:17] Danny leaves the room
[17:56:31] Danny joins the room
[17:59:20] bortzmeyer leaves the room
[18:00:25] bortzmeyer joins the room
[18:01:00] bortzmeyer leaves the room
[18:03:25] bortzmeyer joins the room
[18:18:56] Danny leaves the room: Replaced by new connection
[18:18:57] Danny joins the room
[18:35:29] bortzmeyer leaves the room
[18:40:36] mc leaves the room
[18:46:59] pawal leaves the room
[20:47:15] bortzmeyer joins the room
[21:08:27] bortzmeyer leaves the room
[21:36:22] Danny leaves the room