[00:04:18] bortzmeyer joins the room
[00:12:56] ogud: Olafur Gudmundsson joins the room
[00:13:22] ogud: Olafur Gudmundsson has set the subject to: IETF-76 meeting later today :-)
[01:08:41] ogud: Olafur Gudmundsson leaves the room
[02:15:57] bortzmeyer leaves the room
[04:16:12] bortzmeyer joins the room
[05:03:07] ogud: Olafur Gudmundsson joins the room
[05:18:08] ogud: Olafur Gudmundsson leaves the room: Replaced by new connection
[06:09:32] bortzmeyer leaves the room
[06:38:42] shigeya joins the room
[06:51:38] bortzmeyer joins the room
[07:04:48] wouter joins the room
[07:05:52] Hi Stephane. Do you know what the audio channel number for Orchid East is? [1-8: 3 is used for Camellia]
[07:08:07] No, but I can ask (but, currently, I'm (physically) in the Terminal room)
[07:10:02] http://videolab.uoregon.edu/events/ietf/ietf766.m3u is not sufficient info?
[07:12:08] I guess I can try until I hear Olafur or Andrew :-)
[08:04:03] marka joins the room
[08:09:31] SUNGUONIAN joins the room
[08:18:52] nemo joins the room
[08:19:44] nemo leaves the room
[08:23:09] bortzmeyer leaves the room
[08:23:22] Jelte joins the room
[08:23:27] Yoshiro YONEYA joins the room
[08:24:52] Chris Griffiths joins the room
[08:26:19] Exodus joins the room
[08:26:43] nemo joins the room
[08:27:04] Exodus leaves the room
[08:27:31] markkao joins the room
[08:28:06] yo.takata joins the room
[08:28:59] mellon joins the room
[08:30:04] rhe joins the room
[08:32:31] YuzoTateno joins the room
[08:34:57] Takehito Akagiri joins the room
[08:37:48] YuzoTateno leaves the room: Replaced by new connection
[08:38:51] ogud: Olafur Gudmundsson joins the room
[08:39:06] ogud: Olafur Gudmundsson has set the subject to: IETF-76 meeting
[08:39:15] Welcome
[08:39:17] andrew is sure starting to look like ed...
[08:39:18] johani joins the room
[08:39:57] Simon Perreault joins the room
[08:39:58] fujiwara joins the room
[08:39:59] Andrew Sullivan joins the room
[08:40:51] Suz joins the room
[08:41:10] James Galvin joins the room
[08:41:34] matthijs joins the room
[08:41:40] fdupont joins the room
[08:41:48] bortzmeyer joins the room
[08:42:09] doug.mtview joins the room
[08:42:11] weiler joins the room
[08:42:38] benno joins the room
[08:43:09] fneves@jabber.registro.br joins the room
[08:44:17] I am listening
[08:44:22] tachibana@jabber.org joins the room
[08:44:23] ray joins the room
[08:44:25] should there be sound already?
[08:44:30] yes
[08:44:30] yes
[08:44:31] there is sound
[08:44:34] yes
[08:44:35] it's very quiet
[08:44:35] Jaap Akkerhuis joins the room
[08:44:39] hm
[08:44:39] you need to turn it up
[08:44:39] ok for me
[08:44:43] yes
[08:44:46] roque joins the room
[08:44:47] ggm joins the room
[08:44:58] Christopher Inacio joins the room
[08:45:13] jinmei joins the room
[08:45:20] Ed got married
[08:45:23] we all clapped
[08:45:28] Patrik minutes
[08:45:33] Joao can't scribe, I'll do what I can
[08:45:43] first topic, DNSSEC related drafts.
[08:45:58] Eason joins the room
[08:46:16] algs
[08:46:22] registry fixes
[08:46:22] YuzoTateno joins the room
[08:46:49] new version submitted in next 2 days
[08:46:55] no discussion will go
[08:46:57] calvin joins the room
[08:47:07] Joao joins the room
[08:47:08] some words may find way into separate draft
[08:47:19] if registry needs maintenance, how to express in std format
[08:47:25] SUNGUONIAN leaves the room: Disconnected.
[08:47:29] handing back to Joao
[08:48:15] orange joins the room
[08:48:15] SUNGUONIAN joins the room
[08:48:17] PK: has this been discussed. it is a deviation from what an iana registry is
[08:49:07] olafur: going into the general area
[08:49:50] this is the tall WG.
[08:50:22] Jelte: the registry has a column that is not used anymore. can this be fixed?
[08:50:24] shinta joins the room
[08:50:27] olafur: send text
[08:50:39] Stephen joins the room
[08:51:24] pawal joins the room
[08:51:28] Bernie joins the room
[08:51:32] paul hoffman: need clarification on the use of mandatory *re: 4035*
[08:51:46] Vincent Levigneron joins the room
[08:52:17] new topic: crypto alg id for dnssec. Paul Hoffman
[08:52:24] bkuerbis joins the room
[08:53:06] what's the name of the draft?
[08:53:42] draft-ietf-dnsext-dnssec-alg-allocation
[08:54:31] toshio.hiraga joins the room
[08:55:04] request for discussion on the draft. no comments since it became a wg i-d
[08:55:19] zephyia joins the room
[08:55:58] norisuke_hirai joins the room
[08:56:00] jelte: issues with having a few codes reserved for testing
[08:56:37] PH: could add a new "no name" code point
[08:56:54] would you be happy with code point that allowed to stay in the same code path?
[08:57:22] jelte: will think about writing it down
[08:57:31] John Schnizlein joins the room
[08:57:36] jpc joins the room
[08:57:39] jelte: add text that something on std track will not be mandatory
[08:57:45] PH: it's already implied
[08:57:54] I really don't see a big issue here. It's just the algorithm matching code
[08:58:41] to answer jelte
[08:58:50] abelyang joins the room
[08:58:58] last call before the last call
[08:58:59] olafur: ask for comments, if none -> 2 weeks will ask for last call
[09:00:12] PH: none of the reviewers have commented so far
[09:00:25] PH: believe document should be info not std
[09:00:42] Geoff Huston joins the room
[09:00:55] ph: believe it should get a code point, though
[09:01:52] Remember, everyone, that if you agreed to review a document it does not mean you agreed to support it
[09:02:17] ph: it should be an informational and go through
[09:02:19] maybe people forgot they promised...
[09:02:40] next topic: dnssec bis updates
[09:02:50] at a minimum informational
[09:04:07] *waiting for slides to come up*
[09:04:07] url
[09:04:50] am I being seen?
[09:04:52] are the slides available on the materials page?
[09:04:54] diversion: wglc on dname going on
[09:05:02] yes, we see you marka
[09:05:07] Christopher Inacio leaves the room
[09:05:12] larissas joins the room
[09:05:23] the new slide is not.
[09:05:50] what does the new slide say?
[09:05:55] Options:
[09:05:58] -- closest
[09:06:06] -- all must work -- try all, all must be SECURE
[09:06:19] -- any may work -- try until you get (any) SECURE ....
[09:06:33] bob halley: closest is least surprising option
[09:06:51] thanks, Sam
[09:06:52] BH: precludes having closest as default
[09:07:04] thanks
[09:07:13] Geoff Huston leaves the room
[09:07:16] (continuing 3rd bullet) if any yield bogus, and all others are insecure, result is bogus. if all insecure, result is insecure
[09:07:36] bh: prefer work on how to refresh to stale TAs
[09:08:19] ed lewis: any is the most robust and the system is already becoming more brittle
[09:08:39] aalain joins the room
[09:08:49] gson joins the room
[09:08:57] yao joins the room
[09:09:16] el: don't create problems/false positives
[09:09:30] any at the same level
[09:09:34] rob austein: it's a matter of local policy. all options are viable
[09:09:37] depth
[09:09:57] what do you mean depth?
[09:10:32] number of labels
[09:10:32] sam weiler: inclined to agree with Rob
[09:11:05] yes, what I mean is: if you want to convey a message then expand what is it about depth that you want to mention
[09:11:18] We need to nail down a default behaviour because there are different interpretations and people need to be able to know what is the _usual_ behaviour.
[09:11:59] Andrew: what people?
[09:11:59] [i.e. speaking as WG chair, people are asking this, so it tells us that the documents as they exist have an ambiguity]
[09:12:09] can someone walk to the mike and voice andrew's message?
[09:12:12] I am encumbered
[09:12:29] no need for the mic
[09:12:36] indeed, the docs are ambiguous. some of us are proposing that they stay that way (and maybe become more explicit that they're ambiguous)
[09:12:52] bill manning: like the idea of not setting a default and force user to select a local policy
[09:13:18] koji joins the room
[09:13:27] rob: disagree. there must be a default, sw must run
[09:13:33] defaults already exist
[09:13:46] pawal leaves the room
[09:13:59] pawal joins the room
[09:14:10] yes marka, currently defaults are 'any at the same level' and closest (deeper levels)
[09:14:36] @weiler: "people" means "anyone who wants to use this stuff".
[09:14:47] wouter: as the person who first raised this, can you deal w/ "any"? and you want to make a case for needing to nail this down?
[09:15:05] Even an explicit statement that the protocol doesn't define the rule would be better than what we have.
[09:15:09] I want documented what Bob voiced as 'it is not trivial'
[09:15:22] matthijs leaves the room
[09:15:37] matthijs joins the room
[09:15:47] polk.tim joins the room
[09:15:51] sunguonian joins the room
[09:16:06] Vincent Levigneron leaves the room: Replaced by new connection
[09:16:07] Vincent Levigneron joins the room
[09:16:14] paul H: local policy makes a lot of sense. let vendors deal with it together with customers
[09:16:17] the end state in root + local not tlds and other intermediaries
[09:16:30] SUNGUONIAN leaves the room
[09:16:44] olafur: document which one not to set?
[09:16:50] ph: no
[09:17:44] wnagele joins the room
[09:18:09] wes hardaker: point of defaults is to reduce user surprise
[09:18:46] ph: all other ietf sec stds have options, why does dnssec need a default for this
[09:19:03] we have a DEFACTO DEFAULT TODAY
[09:19:11] sorry for the caps
[09:19:17] Christopher Inacio joins the room
[09:19:24] Yes, it's whatever someone at ISC thinks it should be
[09:19:24] shane kerr: still intend to write down all the options?
[09:19:30] general agreement in the room
[09:19:40] ggm leaves the room
[09:20:19] russ mundy: support idea of documenting options
[09:20:57] ed lewis: this is not about interop, just quality of implementation
[09:21:32] It's also about what it can do
[09:22:03] wouter: that work for you?
[09:22:04] olafur: summary, doc should just describe not mandate options
[09:22:08] gen. agreement
[09:22:16] we have no rfc-conformant dnssec implementations today, since that defacto standard goes against what is (in the way i read it) defined in 403X
[09:23:01] request for people to read docs in adoption queue
[09:23:17] ecdsa, dsa-sha2 & transport-signal
[09:23:24] That experts in the field can come to the conclusion Jelte just outlined is why I am convinced we need to say something explicit about the issue.
[09:23:25] weiler: okay, just intend to implement the draft's choice.
[09:23:47] aah, we don't get to comment on transport-signal?
[09:23:50] new topic: dns & tcp
[09:24:02] sunguonian leaves the room
[09:24:04] ray bellis: dns transport over tcp (tcp-requirements)
[09:24:13] andrew: good point
[09:24:19] Jelte: you can interrupt before we go on :)
[09:24:39] (but likely best to send comments to the list)
[09:25:17] yeah i should read up on the discussion that has already been held a bit more, kind of skimmed over that at the time, since i hadn't read the draft yet
[09:25:26] roque leaves the room
[09:25:37] weiler: so my pref is closest (much like two other vendors somehow), but if ANY is put to paper I wanted the caveats and troubles to be spelled out to avoid protocol breakage.
[09:26:21] so the current conclusion is to put several options to paper, without picking one.
[09:26:42] Big TXT rrsets :-)
[09:26:46] kariem joins the room
[09:26:51] your help w/ the "caveats and troubles" would be welcome. and it sounds like Andrew still won't be happy. :-)
[09:28:43] Sam: as I said on list, I have a preference, but I way prefer that we just make this clear. There is an interop issue here in that otherwise, the behaviour other software can expect from a validator is underdetermined
[09:28:46] is this "DNSEXT is the protocol police?"
[09:29:09] rob austein: real reason why people don't do tcp is provisioning (server)
[09:29:12] (the new topic, not trust anchors)
[09:29:43] The hard part is you may have to pay the cpe vendor to report the problem
[09:30:19] sunguonian joins the room
[09:30:41] ra: this a firewall problem. this is transferring the cost from a firewall problem into a dns server cost
[09:30:42] joao: you *do* tcp for provisioning
[09:31:23] I am just relaying the people at the mic
[09:31:42] yes, i think you misheard rob
[09:32:28] no, what rob said is: enabling tcp has an impact on server provisioning
[09:32:35] no he got it right; the reason ppl don't do tcp is because provisioning for tcp is much harder than for udp
[09:32:52] meaning, how big a server you need
[09:32:56] ah ok, thanks for clarifying
[09:33:03] rhe leaves the room
[09:34:13] doug otis: breaking point at 512 bytes is not realistic today
[09:34:51] do: 1280 a better break point
[09:35:00] shinta leaves the room
[09:35:00] fine tuning in the mailing list
[09:35:23] fernando gont: tcp for dns security considerations
[09:36:01] rhe joins the room
[09:38:28] Vincent Levigneron leaves the room: Replaced by new connection
[09:38:29] Vincent Levigneron joins the room
[09:39:34] Takehito Akagiri leaves the room: Replaced by new connection
[09:42:51] Takehito Akagiri joins the room
[09:43:47] doug otis: tuning stacks would break it for other protos. is this the right approach?
[09:44:18] f. gont: this just an option if tcp is used. yes there is a tradeoff
[09:44:49] joe abley: anyone with resource problems in dns servers will have dedicated servers so in practice it may not have an impact
[09:45:06] polk.tim leaves the room
[09:45:12] nemo leaves the room
[09:45:22] stephane b.: most root + tld servers have tcp enabled. most attacks don't use tcp
[09:45:37] we should record shane saying 'who are you?' and automatically play that whenever someone starts talking at the mic
[09:45:48] shane kerr: that doesn't mean this is not a problem. if you start relying on tcp, then there will be attacks
[09:46:30] sb: people would attack it because it is enabled
[09:46:48] joel j: attackers use the inexpensive way to attack
[09:47:44] we are still mainly UDP if the firewalls and crappy cpe boxes are removed
[09:47:59] orange leaves the room: Replaced by new connection
[09:48:01] mumumu66 joins the room
[09:48:34] ted lemon: why would this be different than for www (re: 3-way handshake)
[09:48:57] ray bellis: doc does not make it less reliable, majority already do
[09:49:17] rb: only those who can't use edns need tcp
[09:49:34] olafur: how much more expensive is tcp?
[09:49:40] roque joins the room
[09:49:52] Vincent Levigneron leaves the room: Replaced by new connection
[09:49:53] Vincent Levigneron joins the room
[09:49:58] rb: tcp: 3,000 qps, udp: 23,000 qps on a modest server
[09:50:27] rb: will write this down for next iepg
[09:50:58] doug otis: defending a TCP service is not easy/cheap
[09:51:56] do: think about estimate on tcp costs not only for normal state, also during attack
[09:52:25] rob a: objection against requirement
[09:52:35] olafur: is the escape clause enough for you (rob)
[09:52:38] ra: not decided
[09:52:51] @Doug: since the issue here is that UDP with large packets isn't working, aren't we already broken? In that case, worrying that the TCP might break isn't such a strong objection?
[09:53:28] ted lemon: there is not that much state kept, it should not be a problem
[09:53:40] @Rob: I think the document is supposed to be saying what implementations support, _and not_ what deployments should do
[09:53:47] @ajs - exactly
[09:54:07] do: yes, one can defend tcp stacks, but issue is provisioning of servers
[09:54:12] so it should not be saying "protocol police will attack you if you don't operate TCP, provision, &c"
[09:54:23] if that's not how you read the text now, please send patches
[09:54:36] (same thing to Doug? at mic right now)
[09:55:00] peter koch: would want to see actual measurements to support the concerns, if any
[09:55:34] pk: split protocol req and operational req. ietf does not reach operators
[09:56:30] pk: find another means to reach non-compliant operators
[09:56:58] geoff huston: an experiment on implementing stateless tcp
[09:57:01] It's mainly the vendors
[09:58:07] same talk as IEPG on sunday
[09:59:04] Original article: http://www.potaroo.net/ispcol/2009-11/stateless.html
[10:02:54] sound dropped for me...
[10:03:33] back
[10:03:38] ralph droms: where do you get seq #
[10:03:47] geoff: just make one up, it is stateless
[10:04:09] wes hardaker: have tried running this on a simulator that drops packets?
[10:04:50] answer: no, but you can try
[10:05:09] yao leaves the room
[10:05:10] erik kline: you can specify mtu on a per file desc basis
[10:05:53] geoff: yes, you can
[10:06:53] kenji rikitake: introduce another value in the fallback cascade
[10:06:54] the advanced socket api is already being used
[10:07:16] bortzmeyer leaves the room
[10:07:26] Peter Koch joins the room
[10:07:36] k r: can't negotiate small mtu
[10:07:36] Mark - BTW - does BIND disable Nagle on TCP sockets?
[10:07:47] geoff: no solution
[10:07:51] abelyang leaves the room
[10:07:53] polk.tim joins the room
[10:08:04] can't remember
[10:08:19] olafur as dns protocol police
[10:08:36] olafur: can tell impl what to do
[10:08:42] his badge isn't impressive enough
[10:08:42] bortzmeyer joins the room
[10:08:47] abelyang joins the room
[10:08:47] ogud: if we don't do it, then operators won't have a choice
[10:08:49] I couldn't find anything that enabled it in the source - in my test client doing write(<2 byte header>) ; write(DNS data) was 25% faster without Nagle
[10:08:58] Q: does the text in the rfc need to be updated?
[10:09:04] rfc1123
[10:09:15] 2Q: is the draft reasonable?
[10:10:43] Roy Arends joins the room
[10:11:06] It would not have helped
[10:11:12] babble ;)
[10:11:34] abelyang leaves the room
[10:11:47] paul hoffman: 1123 needs clarification, there are bad implementations out there
[10:12:01] 1123 was always wrong
[10:13:21] peter koch: clarification wouldn't do harm but wouldn't help. if doc is enough then say "shall do edns(0)"
[10:13:26] DNS implementations need to support answers that don't fit into udp
[10:13:55] not if you know the answers will always fit into udp.
[10:14:07] PK: fix the root cause, middleboxes
[10:14:20] vendors can't know that
[10:14:48] rob austein: not convinced there is a need to update. people won't read clarification just like they don't read 1123
[10:15:09] operators are the only ones that can know if you can get away with udp
[10:15:17] toshio.hiraga leaves the room
[10:15:50] ray bellis: need doc
[10:16:18] ogud: question the mailing list rather than hum here
[10:17:18] AOB
[10:18:09] stephane b: signalling for v4/v6 addresses requests
[10:18:34] sb: suggestion was new edns option
[10:19:02] ogud: issues have been raised against this. will look at any new proposals.
[10:19:24] ed lewis: second what stephane said
[10:19:27] bortzmeyer leaves the room
[10:19:38] calvin leaves the room
[10:19:40] TC should be set if glue needs to be dropped
[10:20:09] paul hoffman: ask alfred to write it up
[10:20:11] simple answer - coalesce the multiple questions into a pipeline of packets in a single TCP stream (joke ;-) )
[10:20:53] kivinen joins the room
[10:21:03] kivinen leaves the room
[10:21:34] rob austein: not expensive to repeat last question at auth server at bottom of tree
[10:21:47] shane kerr: not so clear when looking from the edge device
[10:22:08] roque leaves the room
[10:22:47] Negative response synthesis.
[10:23:06] ra: what you need is a new proto between stub and recursive
[10:23:07] send NSEC w/ positive answers
[10:23:37] jakob schlyter: reminder session wed 15:00 in castleview1
[10:23:45] bortzmeyer joins the room
[10:23:48] wouter leaves the room
[10:23:49] Simon Perreault leaves the room
[10:23:59] wouter joins the room
[10:24:30] jinmei tatuya:
[10:24:32] ray leaves the room
[10:24:38]
[10:24:49] Bernie leaves the room
[10:24:58] session is over
[10:25:00] koji leaves the room
[10:25:01] fdupont leaves the room: Computer went to sleep
[10:25:05] Suz leaves the room
[10:25:06] Eason leaves the room
[10:25:07] Stephen leaves the room
[10:25:09] mellon leaves the room
[10:25:09] Joao leaves the room
[10:25:12] matthijs leaves the room
[10:25:16] Roy Arends leaves the room
[10:25:18] kariem leaves the room
[10:25:18] doug.mtview leaves the room
[10:25:20] Thanks everyone. Don't forget the blue sheets!
[10:25:21] Yoshiro YONEYA leaves the room
[10:25:22] Jaap Akkerhuis leaves the room
[10:25:24] mumumu66 leaves the room
[10:25:37] markkao leaves the room
[10:25:50] wnagele leaves the room
[10:25:54] Andrew Sullivan leaves the room
[10:25:57] gson leaves the room
[10:25:59] norisuke_hirai leaves the room
[10:26:09] pawal leaves the room
[10:26:15] zephyia leaves the room
[10:26:30] tachibana@jabber.org leaves the room
[10:26:33] johani leaves the room
[10:26:52] Peter Koch leaves the room: Computer went to sleep
[10:27:07] Jelte leaves the room
[10:27:08] Chris Griffiths leaves the room
[10:27:14] benno leaves the room
[10:27:25] yo.takata leaves the room
[10:28:05] bkuerbis leaves the room
[10:28:10] fneves@jabber.registro.br leaves the room
[10:28:12] James Galvin leaves the room
[10:28:20] marka leaves the room
[10:28:58] aalain leaves the room: Replaced by new connection
[10:30:41] wouter leaves the room
[10:30:48] sunguonian leaves the room
[10:33:51] larissas leaves the room
[10:33:57] shigeya leaves the room
[10:34:12] polk.tim leaves the room
[10:34:44] weiler leaves the room
[10:40:36] jinmei leaves the room
[10:41:38] aalain joins the room
[10:42:55] John Schnizlein leaves the room
[10:43:49] Takehito Akagiri leaves the room
[10:44:30] YuzoTateno leaves the room
[10:46:34] ogud: Olafur Gudmundsson leaves the room
[10:46:34] bortzmeyer leaves the room
[10:47:07] calvin joins the room
[10:47:10] calvin leaves the room
[10:56:20] Vincent Levigneron leaves the room
[11:03:14] ogud: Olafur Gudmundsson joins the room
[11:03:29] ogud: Olafur Gudmundsson has set the subject to: IETF-76 meeting concluded
[11:03:34] ogud: Olafur Gudmundsson leaves the room
[11:09:17] mumumu66 joins the room
[11:17:28] aalain leaves the room
[11:50:39] shigeya joins the room
[12:54:26] John Schnizlein joins the room
[12:55:03] John Schnizlein leaves the room
[13:23:27] bortzmeyer joins the room
[13:27:37] johani joins the room
[13:29:17] johani leaves the room
[14:15:04] shigeya leaves the room
[14:18:45] sunguonian joins the room
[14:19:00] sunguonian leaves the room
[14:19:01] Jaap Akkerhuis joins the room
[14:20:10] bortzmeyer leaves the room
[14:20:49] Jaap Akkerhuis leaves the room
[14:32:32] jpc leaves the room
[15:08:15] jpc joins the room
[15:09:17] jpc leaves the room
[15:14:07] Peter Koch joins the room
[15:20:26] Peter Koch leaves the room
[16:46:50] jpc joins the room
[16:51:33] jpc leaves the room
[17:31:38] Roy Arends joins the room
[17:41:43] Roy Arends leaves the room
[19:00:10] Christopher Inacio leaves the room
[22:17:27] fujiwara leaves the room