[00:27:58] --- ggm has joined
[00:28:00] --- ggm has left
[11:46:33] --- jakob has joined
[11:46:43] <jakob> EHLO
[11:48:53] --- jad has joined
[11:49:08] --- jad has left
[11:53:59] --- asullivan has joined
[11:54:17] --- fujiwara has joined
[11:54:52] --- Antoin has joined
[11:55:45] --- Antoin has left
[11:55:57] --- keith_nm has joined
[11:56:10] --- wouter@jabber.secret-wg.org has joined
[11:56:21] --- wouter@jabber.secret-wg.org has left
[11:56:29] --- wouter has joined
[11:56:46] --- sleinen has joined
[11:57:01] <wouter> Hello. I will be your jabber scribe for this meeting.
[11:57:10] <jakob> thank you wouter!
[11:57:30] --- Antoin has joined
[11:57:41] --- fneves@jabber.registro.br has joined
[11:58:06] <wouter> This is the DNS operations workgroup meeting at IETF 67 in San Diego, USA
[11:58:10] --- Antoin has left
[11:58:38] --- Antoin has joined
[11:59:03] --- sleinen has left
[12:00:20] --- Antoin has left
[12:01:07] --- Suz has joined
[12:01:16] --- jad has joined
[12:01:22] <wouter> Rob is starting to open the meeting.
[12:02:20] <wouter> The chair graciously gives time for participants to wake up on this Friday morning.
[12:02:43] --- geoff has joined
[12:02:49] --- sleinen has joined
[12:02:51] --- Jelte has joined
[12:02:54] <jakob> the participants graciously give time for the chairs to wake up as well
[12:03:02] --- sleinen has left
[12:03:39] <geoff> FYI, I am your dutiful note taker today.
[12:04:18] <wouter> Thank you Geoff
[12:05:51] --- rstory has joined
[12:06:08] <wouter> The room is quiet
[12:06:12] --- Jelte has left
[12:06:30] --- Jelte has joined
[12:06:42] <geoff> Wouter: always a pleasure.
[12:07:18] <geoff> Even at 9am Friday.
[12:07:19] <geoff> :(
[12:07:42] --- Antoin has joined
[12:08:03] --- oatwillie has joined
[12:08:30] --- sleinen has joined
[12:08:40] <Jelte> hi
[12:08:49] <oatwillie> greet
[12:08:51] <wouter> Peter Koch (co-chair) starts the meeting. Rob Austein (co-chair).
[12:09:04] <wouter> The Note Well is presented.
[12:09:16] --- mrw has joined
[12:09:23] <wouter> Administrivia
[12:09:36] --- raj has joined
[12:09:38] <wouter> Look at website and so on.
[12:09:38] --- glozano has joined
[12:10:25] --- ggm has joined
[12:10:42] <wouter> Scribes are noted. Is there remote attendance?
[12:10:43] <Jelte> yes
[12:10:46] <rstory> yes
[12:10:50] --- koji has joined
[12:10:52] <oatwillie> yes
[12:10:53] <Jelte> sound is clear
[12:11:04] --- liman has joined
[12:11:04] <wouter> Oh nice. It is not always in this ietf.
[12:11:18] <Jelte> i'd almost add 'for now' ;)
[12:11:21] --- msj has joined
[12:11:31] <wouter> Blue sheets should be circulating
[12:11:41] <wouter> Are there changes to the agenda? Silence.
[12:11:43] --- doug.otis@gmail.com has joined
[12:11:53] --- scottr has joined
[12:12:18] <Antoin> http://www3.ietf.org/proceedings/06nov/slides/dnsop-0.pdf
[12:12:27] <wouter> Agenda bashing. slide. Document status.
[12:13:08] --- aalain has joined
[12:13:16] <wouter> Reverse 624 is discussed.
[12:13:25] --- roy@uk has joined
[12:13:30] <wouter> It was never adopted, but it was reviewed a lot and now in AD review
[12:13:39] <wouter> In or part wglc items.
[12:13:39] --- weshardaker has joined
[12:14:23] <wouter> There is an agenda slot for default local zones and for reflectors are evil drafts
[12:14:42] <wouter> Need reviews for reflectors drafts, wglc tomorrow
[12:15:07] <msj> Substandard reviews? That's what I heard...
[12:15:10] <wouter> Olaf question: clarification, 5 limit threshold on reviews.
[12:15:29] <wouter> Is that the limit for consensus, do 5 people approve or 5 persons minimum
[12:15:47] <wouter> Rob: if we cannot get 5 positive reviews from the group
[12:16:09] <wouter> As it stands fewer than five people are in favor.
[12:16:21] <wouter> Olaf: You can look for consensus among the 5 people.
[12:16:30] <oatwillie> where is the audio for this?
[12:16:48] <wouter> Rob: Two people like it, one says it is garbage.
[12:16:49] <Jelte> http://videolab.uoregon.edu/events/ietf/ietf676.m3u
[12:17:08] <wouter> Mark: nits reviews can also get consensus
[12:17:33] <wouter> Peter: Commas are for the RFC editor, this is about content
[12:18:01] <wouter> Peter: First we had 10 volunteers for review. We would like to reach 5
[12:18:11] <wouter> Slide: active drafts
[12:18:55] <wouter> The respsize-03 is -06 or more in the repository.
[12:19:08] <wouter> How many people know what localzones is about? Many.
[12:19:35] <wouter> Generally in support of document. Request for slight changes. And some are opposed to going forward.
[12:19:51] <oatwillie> i don't like local zones...
[12:20:02] <wouter> New draft from clarifications asked
[12:20:23] <wouter> Open issue: effect on private networks
[12:20:56] <oatwillie> read it ... very concerned about hardcoded blackholes and alternate namespaces
[12:21:54] <wouter> Mark is trying to pick out configuration for which there are problems.
[12:21:54] --- weshardaker has left: Lost connection
[12:22:01] --- mrw has left
[12:22:52] <Antoin> Please qualify alternate namespaces..
[12:23:10] <wouter> Peter: please read draft.
[12:23:30] <wouter> Mark: we want to make this thing namespaces, it will be very hard to get off this list.
[12:23:44] <wouter> Even harder than getting on the list of blackholed zones
[12:24:00] <wouter> Peter: you are referring to the initial list of zones in this document.
[12:24:04] <wouter> Mark: yes
[12:24:59] <oatwillie> shipping a list of "bad" zones and preconfiguring them is tantamount to forever removing them from useful service. they will NEVER go away, ever.
[12:25:03] <wouter> Draft will get to a 2nd last call on the mailing list.
[12:25:39] <wouter> reflectors are evil thing:
[12:25:49] <oatwillie> defining "bad"/local zone behaviour should be the exclusive purview of the server admin, not the whim of the software developer.
[12:25:52] <wouter> Ed asks to extend the wglc because we are all travelling
[12:25:53] <oatwillie> imho
[12:25:54] <Jelte> (the person not saying his name sounds like ed)
[12:26:02] <wouter> (he is)
[12:26:14] <wouter> next week
[12:26:21] <oatwillie> reflectors are not evil, UDP is... :)
[12:26:41] <Suz> oatwillie: "whim" is such a pejorative term.... ;)
[12:27:02] <oatwillie> sz: could be
[12:27:30] <wouter> Joao: what will happen? Chairs: the 2nd last call is not for those changes.
[12:27:34] --- RussMundy has joined
[12:27:53] <wouter> People should check tools website for diffs
[12:28:06] <wouter> wglc next week a summary and then the outcome
[12:28:17] <wouter> closing date last call will be sunday next week
[12:28:25] <wouter> 20something. 19th.
[12:28:45] <wouter> Last call has been extended on request of the wg
[12:28:53] <wouter> Next slide. respsize document
[12:28:59] <wouter> This has been here for some time.
[12:29:05] <geoff> Was confused by all the CNN Veteran's Day coverage today!
[12:29:07] <wouter> Are editors in the room.
[12:29:09] <wouter> Akira is here.
[12:29:24] <wouter> Akira: Paul has made changes based on the comments last meeting.
[12:29:38] <wouter> It is very stable. And comments may lead to a next version. But almost ready for wglc.
[12:30:20] <wouter> Peter: Status of the draft is since -03 was ready for lc, then editor not in the room came with more versions. Asks wg if we are happy with changes?
[12:30:37] <wouter> Should it be rolled back to 03 or lc this one?
[12:30:43] <wouter> Olaf: is not lc the purpose to review?
[12:31:01] <wouter> Peter: editor added changes outside of wg.
[12:31:16] <Jelte> hehe
[12:31:17] <wouter> Olaf: if the wg is ok with it, then that is fine.
[12:31:39] <wouter> Has anyone read the document? Silence. Do not start not (it is completely different) (laughter in the room)
[12:32:13] <wouter> Peter: question on response size depends on length of query name.
[12:32:28] <wouter> This needs to be in document. Some average or something. Any comments?
[12:32:45] <wouter> John is invited but does not comment.
[12:33:02] <oatwillie> I've read it
[12:33:05] <wouter> Next slide. The reverse mapping considerations. Andrew Sullivan will present.
[12:33:06] <Antoin> http://www3.ietf.org/proceedings/06nov/slides/dnsop-1.pdf
[12:33:52] <wouter> Andrew: Is editor of the draft. Previously known under another name, so now -00. Older name controversial name.
[12:34:01] <wouter> Closed Issues.
[12:34:20] <wouter> Will come back on policy references
[12:34:38] <wouter> Open issues.
[12:35:05] <wouter> Issue 4 is a problem more than other issues.
[12:35:13] <wouter> Issue 10 less.
[12:35:16] <wouter> Issue 4.
[12:35:35] <wouter> People object because RIR does not have authority
[12:35:52] <wouter> Andrew thinks the contractual relationship can do it.
[12:35:56] <wouter> But it will be changes.
[12:36:11] <wouter> Remove individual discussion of policies and more general.
[12:36:33] <wouter> Olaf on mike: You refer to RIPE region but there is no policy in the RIPE region that requires reverse mapping.
[12:36:47] <wouter> Andrew yes the changes preclude this in draft
[12:36:59] --- scottr has left
[12:37:15] <wouter> Ed: Leave technical description and policy to the RIRs, they have their procedure.
[12:37:31] <wouter> Do not recommend how to do it. Do not police or urge, recommend. Do the protocol.
[12:37:44] <wouter> Say that you want to have it happen, but do not dictate operational requirement.
[12:38:00] <wouter> Michaelson: You are much safer ground with softer words.
[12:38:22] <wouter> Andrew: have motivational statement, and get rid of individual policies.
[12:38:22] <wouter> About 6 people read the latest version of the draft
[12:38:42] <wouter> Is anyone against policies taken out?
[12:38:53] <wouter> Nobody against it. Sense of the room is to take it out
[12:38:59] <wouter> Issue 8
[12:39:34] <wouter> Come back to ip6 in a moment.
[12:39:36] <wouter> Issue 10
[12:39:56] <wouter> Will send the text to the list that Andrew received on this
[12:40:02] <wouter> Trivial problem.
[12:40:12] <wouter> Peter: so you suggest issue 10 on mailing list.
[12:40:18] <wouter> Text patch to the mailing list.
[12:40:20] <wouter> Issue 12
[12:40:53] <wouter> People complain it will be hard to do for ipv6
[12:41:37] <wouter> v6ops has a hiding document - scaling implications 01 on agenda at end of this meeting
[12:41:54] <wouter> We conflict with that document if we mandate full mapping
[12:42:10] <wouter> Who read the v6 doc? No one, not a lot.
[12:42:18] <wouter> Needs guidance.
[12:42:39] <wouter> Peter: The wg will review scanning implications and send this doc to v6 for review as well.
[12:43:03] <wouter> Bad to have two conflicting BCPs at the same time. That would be sub-optimal.
[12:43:12] --- shigeya has joined
[12:43:13] <wouter> Ed: Do you want to recommend or describe the reverse map.
[12:43:25] <wouter> Do not recommend. But describe how to do it.
[12:43:42] <wouter> Rob: we never decided to recommend over how to.
[12:44:07] <wouter> Andrew: Doc says if you do not have this, some things happen.
[12:44:17] <wouter> no-brainer to have it for ip4.
[12:44:55] <wouter> Peter: Let us avoid early conflicting communicating. Mail to mailing list.
[12:45:08] <wouter> Mark: ipv6, make sure that delegations are created.
[12:45:19] <wouter> And they decide to put reverse mapping for themselves.
[12:45:33] <wouter> Because of the size of the space you cannot synthesize a zone.
[12:45:47] <wouter> Every end node can update itself if it wants to.
[12:46:00] <wouter> If you do not want a PTR record, you can not do so, it is their choice.
[12:46:18] <wouter> Encourage that the reverse zone is created and passed to the end site
[12:46:30] <wouter> Peter: zones at LIR, RIR or end site.
[12:46:37] <wouter> Mark: all the way to the end site, like a 48
[12:47:10] <wouter> George Michaelson: We then need to authenticate people, and that is hard if people don't
[12:47:25] <wouter> in ip4 that is less, in ip6 there are so many dots that it gets hard
[12:47:36] --- farias has joined
[12:47:42] <wouter> You can encourage delegation. State expectation and desires.
[12:47:54] <wouter> Andrew: agreed that required is bad.
[12:48:10] <Jelte> what was that?
[12:48:13] <wouter> Peter: can you send to mailing list more details on the dots comment. Yes he will.
[12:48:29] <wouter> Mark: We are talking to the ISPs not the RIRs
[12:48:34] <wouter> Issue 13
[12:48:52] <wouter> Ed: agrees with Mark.
[12:49:21] <wouter> Andrew: why is this useful for enum? Someone said.
[12:49:37] <wouter> Ed to the mike. Confusion may be that enum is a reverse tree itself.
[12:49:44] <wouter> Rob: it looks like one, but is not one.
[12:49:51] <wouter> Has some of the same properties.
[12:50:09] <wouter> Peter: We do not extend the scope of this doc to enum. Issue will be struck
[12:50:20] <wouter> That is it, we are done.
[12:50:20] <oatwillie> is a telephone number a label or an address?
[12:50:33] <wouter> Any other issues?
[12:50:56] <wouter> Silence.
[12:51:06] <wouter> Next agenda item. Charter and milestones
[12:51:47] <wouter> Milestones is a running gag. Some action baskets to the wg. One accepted on the mailing list. Writing it up. ADs are expecting it. Peter has not got to it.
[12:51:50] <Antoin> http://www3.ietf.org/proceedings/06nov/slides/dnsop-0.pdf page 13
[12:52:00] <wouter> Milestones are updated. See slide.
[12:52:12] <wouter> slide 14
[12:52:53] <wouter> Reverse mapping will see another mapping. For feb 07 lc.
[12:53:09] <wouter> Will see another version
[12:55:00] <wouter> Anyone wants to work on infrastructure TTLs> suggest people to chairs.
[12:55:18] <wouter> Monitoring and measurement, terminology and procedures, suggestions needed.
[12:55:28] <wouter> No comments by anyone.
[12:56:06] <Antoin> http://www3.ietf.org/proceedings/06nov/slides/dnsop-2.ppt
[12:56:08] <wouter> Other internet drafts. Individual submissions. Presented now. Doug Otis will present his spf-dos-exploit draft
[12:57:14] <wouter> Douglas: explains SPF.
[12:58:55] <wouter> Each 10 mechanisms that can have 10 sub-mechanisms for 100 scripts executed
[12:59:23] --- sra has joined
[12:59:52] <wouter> Number of names that may be qualified for the script, the 100 transactions are for every name you want to resolve
[13:00:41] <wouter> The message can be spam anyway, which is no cost to the sender
[13:03:41] --- paulwouters@jabber.org has joined
[13:04:30] <wouter> SPF does not do exponential backoff
[13:06:03] --- patrickn has joined
[13:06:34] <wouter> With more receivers executing SPF scripts gives the danger.
[13:06:55] <wouter> SPF is not providing much protection against it. 2.6% of mail gets blocked.
[13:07:17] <Suz> so the point here is that SPF opens up this attack vector but doesn't really help with the threat it's designed to mitigate?
[13:07:25] <ggm> yep.
[13:07:29] <ggm> double benefit eh!
[13:07:51] <wouter> That is correct, Suz, that is the point that Douglas is making.
[13:07:58] <jakob> why did they design something so complicated? sigh....
[13:07:59] <Suz> just making sure I get it.
[13:08:19] <wouter> Well 2% of spam is a lot of course ;)
[13:08:43] --- msj has left
[13:08:58] <geoff> One mitigating factor is that SPF seems to be losing "hearts and minds", though.
[13:09:05] <wouter> How to prevent slide.
[13:09:23] <geoff> Seems like most interest has moved on to DKIM.
[13:09:24] --- mikemlb has joined
[13:09:37] <RussMundy> I think that there's a lot of debate about the usefulness of SPF and I think that Doug is expressing one point of view about the usefulness of SPF
[13:09:59] <wouter> Authenticate client before executing SPF.
[13:10:21] <wouter> (That would be weird, because if you authenticate, it is not spam)
[13:10:26] <ggm> well its usefulness as an amplification attack is quite clear. I for one, welcome our new (spammer/DoS) lords and masters and welcome my share of v1@gra...
[13:10:28] <jakob> X.400 rulez
[13:10:46] <wouter> Questions?
[13:10:51] <ggm> inter-X400 MTA signing was not such a bad idea. shame about the sesh overheads
[13:10:52] <geoff> Good idea to intervene early and often on DKIM DNS implications early and often . . .
[13:11:04] <wouter> Rob summarizes: Do not execute scripts from strangers.
[13:11:21] <jakob> as in "Do not execute scripts."
[13:11:24] <wouter> Peter: Receiver of spam is abused to generate DNS messages to the target
[13:11:40] <wouter> William Wilson at the mike: wants to explain.
[13:11:42] --- harald has joined
[13:11:58] <ggm> William Liebzon
[13:12:02] --- roy@uk has left: Logged out
[13:12:03] <wouter> Put a special DNS record in a DNS. Puts that dns name in a spam message sent by botnet.
[13:12:42] <wouter> This attack can be done using different DNS records. Cause large number of NXDOMAIN requests.
[13:12:58] <wouter> What records? MX, CNAME, NS, SRV
[13:13:03] <wouter> where you can create the same attack.
[13:13:06] <wouter> No. Yes No Yes
[13:13:14] <wouter> He will post the example.
[13:13:31] <wouter> Chair: please calm down. We are not bashing SPF or advocating.
[13:13:32] <ggm> *why* isn't this about bashing SPF?
[13:13:33] <geoff> Don
[13:13:42] <geoff> Don't the maths differ, though.
[13:13:52] <wouter> Chair: Please do not discuss antispam technology
[13:14:04] <wouter> Out of scope of wg. We see an attack vector here.
[13:14:06] <liman> I want to see the yes - no - yes - no - yes - no ping-pong match in the jabber logs. :-)
[13:14:15] <wouter> Do we have a need or opportunity to counter it.
[13:14:44] <Antoin> the ping pong was too fast...:-)
[13:14:45] <wouter> Rob: wants to further limit discussion. Scripts based. No! Ok, looked like that.
[13:14:58] <wouter> The fact that the script is distributed via DNS is not relevant for us.
[13:15:14] <wouter> The wg scope is the DNS effects of what is going on here.
[13:15:29] <wouter> William: want to say this is a general attack
[13:15:40] <wouter> You have some domain with large number of NS records, say 10
[13:16:00] <wouter> You cause recipient to go to domain. They will get to domain and go to those servers.
[13:16:20] <wouter> And those are victim servers. That is 10x amplifications, MX, SRV, CNAME work too
[13:16:35] <wouter> By means of DNS you amplify
[13:16:51] <wouter> Has less to do with SPF, only one type of record.
[13:17:03] --- mjo has joined
[13:17:06] <wouter> You can do this without SPF.
[13:17:11] <wouter> Chair: you made your point now.
[13:17:34] <oatwillie> any votes for HINFO and WKS?
[13:17:46] <wouter> Wilson: wants to make point about SPF. He says each spf lookup does not cause 10 more lookups.
[13:18:02] <ggm> s/Wilson/Liebzon/
[13:18:09] <wouter> Olaf: What is the attack? Alice mail server with lookups, Bob zone with SPF records, Carol with spammer
[13:18:17] <wouter> Sorry Liebzon.
[13:18:39] <wouter> Who are the multiple parties and innocents hurt?
[13:18:55] <wouter> Douglas: responds...
[13:19:14] <wouter> There can be innocent victims involved that do not receive or send these scripts.
[13:19:24] <wouter> The redirection can be done and will not show up in logs.
[13:19:36] <wouter> You have victims being attacked without easy tracing
[13:19:49] <wouter> This attack can be distributed very handily.
[13:20:03] <wouter> Olaf: if it is not in logs. Resources in email system or DNS system?
[13:20:15] <wouter> It uses the email system, where the logs will not show these attacks
[13:20:53] <wouter> Won't see victim domain in logs. Victim has no SPF record, runs no email.
[13:21:20] <wouter> Ed: Is this a problem where secure by looking up in DNS generally?
[13:21:29] <wouter> As a reaction you lookup in the DNS,
[13:21:33] <wouter> like for DKIM, etc.
[13:21:46] <wouter> Douglas: For DNS you can always construct a query that takes long.
[13:21:54] <wouter> CNAME chaining.
[13:22:02] <liman> ggm: Actually I believe that s/Liebzon/Leibzon/.
[13:22:14] <wouter> Ed: but the application launches a lot of queries to DNS to secure it.
[13:22:28] <wouter> And someone gets slammed with DNS traffic.
[13:22:40] <wouter> Why SPF? It provides 100x amplification.
[13:22:51] <wouter> Liebzon: it is only 10x for SPF.
[13:22:54] <wouter> Like MX.
[13:23:09] <wouter> Andrew Sullivan: Is there a general issue that we need to take up?
[13:23:24] <wouter> If you secure your application with DNS you could blast people with DNS queries?
[13:23:40] <wouter> Rob: Yes but the discussion seems to be on SPF good/bad
[13:23:43] <oatwillie> this makes me long for the return of bitstrings
[13:23:49] <wouter> We cannot tell now.
[13:24:10] <wouter> Olaf: more architectural, whenever you use DNS you run on these sorts of questions.
[13:24:15] <wouter> It is fair question.
[13:24:33] <wouter> Douglas: When you limit through ACLs that gets reflective attacks gone.
[13:24:43] <wouter> This attack is staged without using resources to the attacked.
[13:24:48] <wouter> attacker (sorry)
[13:25:04] <wouter> Queue closed.
[13:25:26] <wouter> Liebzon: The person can cause others to do the attack for him.
[13:25:56] <wouter> SPF is not worst... Peter: you made your point.
[13:26:05] <wouter> What is the underlying problem?
[13:26:15] <wouter> Is it the chaining deeper and deeper?
[13:26:32] <wouter> Douglas: I recommended some changes long ago, but they were not adopted.
[13:26:37] <Suz> last question came from Michael Graff
[13:26:43] <wouter> Thank you Suz.
[13:27:11] <wouter> Douglas: You can use the local part of the email message, and so see who executes the SPF script.
[13:27:33] <wouter> Spammers send themselves messages.
[13:27:51] <wouter> So muck up statistics. Peter: this is derailing from agenda.
[13:28:13] <wouter> Michael: looks like a problem in future.
[13:28:22] <wouter> Maybe guideline how to design records that are nice.
[13:28:26] <wouter> For DKIM for example.
[13:28:30] <wouter> Douglas: potential there.
[13:28:57] <wouter> Wes Hardaker: A number of other spam lookup stuff.
[13:29:09] <wouter> DNS helps decrease this attack, because of caching.
[13:29:23] <wouter> If you wanted to deploy for this, DNS helps because of caching
[13:29:46] <wouter> Because these fields are out there already, it is DNSop (not -ext)
[13:29:52] <wouter> Caching benefits.
[13:30:00] <wouter> Douglas: script can
[13:30:05] <wouter> randomize the queries.
[13:30:20] <wouter> Cache will not help a lot.
[13:30:24] <wouter> Queue closed.
[13:30:39] <wouter> Peter: about how app is designed to use the DNS
[13:30:46] <wouter> no matter how info is transported.
[13:31:00] <wouter> Question: are there indications of attacks in the wild?
[13:31:06] <wouter> Douglas: It is hard to know.
[13:31:16] <wouter> Does not have hard evidence
[13:31:22] <wouter> It coul start happening
[13:31:34] <wouter> Could give a document on guidelines what to avoid.
[13:31:55] <wouter> Peter: to the extent that we can provide guidelines to app area, not sure what to do
[13:32:16] <wouter> Douglas: distributed application like email, allow anonymous others to start transactions runs a risk.
[13:32:31] <wouter> Rob: Not seeing a lot of DNS op content here.
[13:33:02] <wouter> Olaf: Why I asked, there is a 3rd not consenting party. If you use SPF and you lose your resources. But the SPF party is consenting.
[13:33:15] <wouter> Is the 3rd party getting hurt or normal DNS traffic.
[13:33:29] <paulwouters@jabber.org> any party not publishing/querying records cannot be involved unless you are a recursive open nameserver, so this is a generic problem right?
[13:33:38] <wouter> The SPF running guys asked for these DNS replies.
[13:33:54] <wouter> Peter: attack not in responses. It is in queries.
[13:34:42] <wouter> paul: no, any domain name can be named and DNS queries flow to it.
[13:35:10] <paulwouters@jabber.org> so you have to answer, perhaps with nxrecord?
[13:35:13] <wouter> Douglas: this group. The attack is using DNS records.
[13:35:19] <wouter> paul: yes.
[13:35:31] <paulwouters@jabber.org> couldn't they use ANY query for that?
[13:35:45] <wouter> Ed: It may be there is nothing in the DNS protocol that can help with this.
[13:36:07] <wouter> Application guidelines in a generic form may be needed.
[13:36:11] <Jelte> are we still ahead of schedule? :)
[13:36:12] <wouter> paul: no.
[13:36:14] <wouter> Closed.
[13:36:51] <Suz> Jelte: seems extremely unlikely!
[13:36:57] <wouter> Peter: someone may come up with idea to circumvent this problem.
[13:37:09] <wouter> Minute taker. Do you have enough input to add to this.
[13:37:13] --- jabley has joined
[13:37:15] <wouter> Geoff to the mike.
[13:37:31] <wouter> Some things that need to go to the list.
[13:37:47] <Antoin> http://www3.ietf.org/proceedings/06nov/slides/dnsop-3.ppt
[13:37:53] <wouter> Crocker on attrleaf.
[13:38:49] <wouter> Version -03 is underway
[13:39:09] <wouter> With large changes
[13:43:06] --- _roy has joined
[13:43:08] <Jelte> a lot of people miss that one about SRV
[13:43:47] <wouter> SRV record needs specs to be able to use it, it says in RFC
[13:44:12] <wouter> Rob: RR types, Dave: yes
[13:44:58] <wouter> Multifield _ items. _http._tcp
[13:45:01] --- msj has joined
[13:45:18] <wouter> Those combinatorials are simple? No it is not
[13:45:24] <wouter> Too complicated to cover things
[13:45:38] <wouter> Potentially a hierarchy of tables. The first name defines a scope.
[13:46:06] <wouter> Single _names. Some subordinate names point to another table in the first table.
[13:46:17] <wouter> The second table specifies RR types or points to another table.
[13:46:22] <wouter> Example slide with tables.
[13:46:57] <shigeya> (so, there are more slides than the one on the proceedings site.. - I'm not in the room..)
[13:47:06] <wouter> If entry in SUB, no entry in RR column
[13:47:23] <wouter> Or, it has an example of a first table and a second table.
[13:47:32] <Antoin> 3rd slide...
[13:48:00] <wouter> Table has columns: Name, label, sub, RRtype, DEFINE
[13:48:49] <wouter> No need to repeat a list of names, cite that list.
[13:48:59] <wouter> for <NAPTH labels> notation.
[13:49:22] <wouter> Olaf on the mike: he likes it. Do not miss that several scopes define ways to make new entries.
[13:49:34] <wouter> Tell IANA how to maintain the table
[13:49:43] <wouter> RFC is required says Dave
[13:49:50] <Jelte> RFC + security considerations
[13:50:00] <wouter> Olaf: Under SRV, ETU may have other bars for entry.
[13:50:05] <wouter> Dave:
[13:50:14] <wouter> Reasonable points, spec on the right states the requirements.
[13:50:23] <wouter> (RFC is entered in the DEFINE field)
[13:50:37] <wouter> Olaf: most cases, but some maybe not. Make this easy for the IANA folk.
[13:50:45] <wouter> Add a column on allocation policy.
[13:51:05] <wouter> Column: allocation policy in rfc for example.
[13:51:14] <wouter> Dave: wants to take discussion online.
[13:51:27] <Jelte> security considerations are important because adding SRV records for existing protocols could cause ambiguity
[13:51:37] <wouter> Rob: Likes this better than previous version. Likes table mechanism. Hard for IANA to administer.
[13:51:44] <wouter> Real pain for them.
[13:51:53] <wouter> Dave: Why he needed only one table.
[13:52:09] <wouter> Give simple instructions in the table.
[13:52:32] <wouter> Doug Otis: As you look into the SRV record, uses it the most. Not all fields used consistently.
[13:52:50] <wouter> One of the things: _spf points to RFC 4408, which does not use the spf label.
[13:53:02] <wouter> Dave: He thought it defined it. It is only an example.
[13:53:18] <wouter> Rob: Substantive reference.
[13:54:03] <wouter> Ed: TXT records at _spf are different from at other places?
[13:54:11] <wouter> Dave: that is reality now.
[13:54:19] <wouter> SRV is defined like that
[13:54:36] <wouter> So yes, it is already happening.
[13:54:42] <wouter> To provide a registry.
[13:54:57] <wouter> Rob: label to interoperability.
[13:55:08] <wouter> Ed: prefers new RR types.
[13:55:26] <wouter> Does not see why this is a IANA thing. Search using the RFC editor search thing.
[13:55:32] <sra> what i said was: "this is the mime approach: labeled non-interoperability as opposed to unlabeled non-interoperability" :)
[13:55:43] <wouter> Why do we need it? Not to keep track but to help avoid collisions.
[13:55:57] <wouter> Not an IANA function to provide bibliography.
[13:56:06] <wouter> Dave: See as IANA, dunno where else.
[13:56:18] <wouter> Discuss further later.
[13:56:28] <wouter> Mark: This is a good idea. It does stop collisions.
[13:56:33] <wouter> Ed: collisions now?
[13:56:43] <wouter> Mark: it will stop potential for collisions now.
[13:57:06] <wouter> Dave: Likelihood of collisions and a need to find the list of things.
[13:57:11] --- oatwillie has left
[13:57:45] <wouter> Peter Koch (no hats): likes _ names. Question: are you proposing registry is relaxing requirement that SRV records need more specification? No.
[13:57:51] <wouter> Dave: no.
[13:57:54] --- Jelte has left
[13:58:29] <wouter> Peter: About defining resolution context. Coming up with a registry before the architectural guidelines in IAB table is not uncontentious.
[13:58:41] <wouter> Deciding on shape of registry before decision we need one is a bit premature.
[13:58:48] --- glozano has left
[13:59:11] <wouter> Olaf: The dns choices document is still in IAB work queue, is waiting for 2929bis to get out of dnsext.
[13:59:36] <wouter> That document provides the considerations which tradeoff _ prefixes are , when they are to be considered.
[13:59:55] <wouter> Document in their document why they use _s.
[14:00:14] <wouter> Olaf (no hats): issue is that we are defining stuff for TXT records.
[14:00:30] <wouter> The TXT record has a fairly well defined scope.
[14:00:45] <wouter> These scopes may collide with that (end personal opinion).
[14:01:22] <wouter> Dave: About ordering. When you need particular approach is not fundamental. View that this is about when to use an _.
[14:01:40] <wouter> Dave: whenever it is OK to use, and already used, use this procedure.
[14:02:06] <wouter> Dave: When the formal decision has to be resolved before registry about what already exists.
[14:02:22] <wouter> Rob: A good idea to get guidelines out before registry about the stuff.
[14:02:40] <wouter> We are mostly talking about TXT records. That mean whatever you say
[14:03:12] <wouter> This makes more uses. DNS choices will be done first anyway.
[14:03:23] <wouter> Olaf: Make a normative reference so it gets out right anyway.
[14:03:32] <wouter> Rob: Yes normative reference.
[14:03:47] <wouter> Dave: Understand concerns. Missing why it is needed.
[14:03:56] <wouter> Rob: want clarify before toolkit.
[14:04:11] <wouter> Doug: SPF rfc explicitfy does not use a prefix.
[14:04:15] <wouter> Rob: Not fix that here.
[14:04:39] <wouter> Dave: This does not say anything about what RRtypes. Whether it is stupid or what rules apply.
[14:04:56] <wouter> Rob: only stuff _ label now in scope of discussion.
[14:05:02] --- farias has left
[14:05:09] <wouter> Doug: Cannot differentiate wildcard and _ label
[14:05:19] <wouter> Rob: why we need the iab document
[14:05:34] <wouter> Ed: when is appropriate to do prefixing. SRV, NAPTR.
[14:06:21] <wouter> Discussion on enum is closed by Peter
[14:06:40] <wouter> Olaf: do want to block document, but educational to make this normative reference, why to add it.
[14:06:46] <wouter> Peter thanks Dave
[14:06:49] <wouter> Dave:
[14:07:02] <wouter> Dave: dnsop list is appropriate venue for this? Peter: Yes!
[14:07:22] <wouter> Rob: Ask to take up as wg doc or not?
[14:08:34] <wouter> Dave: Its fine with him.
[14:08:52] <wouter> Individual to group is a major step of success.
[14:09:14] <wouter> Wants to keep discussions to improve it.
[14:09:31] <wouter> Rob: sense that people want to make on this topic.
[14:09:48] <wouter> Olaf: wg item or in collab?
[14:09:55] <wouter> Rob: hum. I
[14:10:05] --- harald has left
[14:10:07] --- harald has joined
[14:10:08] <wouter> The hum says that everyone here says that yes we want to work on it
[14:10:23] <wouter> Lots for, none against
[14:10:31] <wouter> Peter: Agenda. AS112.
[14:10:44] --- harald has left
[14:10:49] <wouter> mail list accepted work basket.
[14:11:20] <wouter> Why not use stale/lame delegations?
[14:11:39] <wouter> Opinions on the mike, queue forming.
[14:12:04] <wouter> Michael: you are not putting a DOS attack on them with this NS.
[14:12:17] <wouter> Rob: Why don't they deserve to DoS themselves if they won't stop to other people
[14:12:29] <wouter> Mark: A query should get a correct answer.
[14:12:55] <wouter> Some have looked up the address. We want those machines not to fail. You want them to get a valid answer.
[14:13:03] <wouter> A valid answer, not servfail
[14:13:19] <wouter> Michael: Some people visited upon are not guilty.
[14:13:33] <wouter> Peter: asks for explanatory text, what we want at that stage.
[14:13:40] <wouter> Michael will send text.
[14:13:50] <wouter> During discussion of the draft.
[14:13:59] <wouter> Peter: RFC 2317bis
[14:14:16] <sra> i think "michael" in this case was actually dave hankins (also isc)
[14:14:29] <wouter> Yes
[14:15:35] <wouter> Peter: Any other issues for this document? R~
[14:15:48] <wouter> Raise them on the mailing list? Comments here?
[14:16:18] <wouter> Mark to the mike. Need to revisit 2317 and clean up some bits and pieces.
[14:16:39] <wouter> ISPs need to know that the parents need to allow the parent zone to be transferred.
[14:17:03] <wouter> Peter: thanks for the comment. Anyone on jabber or here to be the editor, preferably with hands-on experience
[14:17:12] --- mikemlb has left: Logged out
[14:17:17] <wouter> Suggest to wg chairs, in Prague a proposal.
[14:17:27] <wouter> Next slide. DNS search path issues
[14:19:18] <wouter> Mark Andrews: I raised the AAAA problem. like 8 years ago.
[14:19:22] --- msj has left
[14:19:34] <wouter> Mark: problems are historical.
[14:19:51] <wouter> libresolv is a guilty party here.
[14:20:05] <wouter> It used the search list , before it used the name as is.
[14:20:14] <wouter> It never stopped on nodata response.
[14:20:32] <wouter> Resolvers should stop on nodata instead of continue searching.
[14:20:38] <wouter> Peter: this is not a bugreport.
[14:20:52] <wouter> Mark: I cannot change libresolv behaviour without an RFC.
[14:21:07] <wouter> Peter: is anyone still alive. Someone yells Yo
[14:21:11] <Suz> Peter requests signs of life
[14:21:36] <wouter> Peter: slide on other I/O wgs items.
[14:21:43] <wouter> How many people to dnsext people.
[14:21:58] <wouter> Anyone here not at dnsext and brave enough to raise hands (no one)
[14:22:03] <wouter> many people from dnsext.
[14:22:13] <wouter> cookies draft.
[14:22:46] <Antoin> DNAME
[14:23:03] <Antoin> Wouter presenting
[14:23:46] <Antoin> DNAME issues more operational of nature reported on mailinglist
[14:24:29] --- _roy has left
[14:24:30] <Antoin> no different draft for operational DNAME issues
[14:25:16] <Antoin> please comment on namedroppers list
[14:25:19] <wouter> Thanks Antoin.
[14:25:34] <wouter> Next on agenda. the scanning implications.
[14:25:42] <wouter> Please review it , lc in v6ops soon
[14:25:47] <wouter> mbone d
[14:26:55] <wouter> Someone comes to the mike to present a slide lost in email
[14:27:05] <wouter> John.
[14:27:34] <wouter> John connects his laptop for the slide
[14:27:37] <wouter> slide
[14:27:43] <raj> John Schnizlein
[14:28:13] <wouter> John: go to section 3.1 for the draft. You all have computers.
[14:28:13] --- msj has joined
[14:28:21] <wouter> No slide is displayed.
[14:28:40] <wouter> The text in 3.1 is the clearest statement of problem in GEOPRIV wg.
[14:28:47] <wouter> If you want to find location server.
[14:28:57] <wouter> Client has to find location server.
[14:29:04] <Suz> doc is http://www.ietf.org/internet-drafts/draft-ietf-v6ops-scanning-implications-01.txt
[14:29:10] <Suz> or not.....wait a sec....
[14:29:11] <wouter> This be done using NAPTR in dns - proposal
[14:29:22] <wouter> No the geopriv draft.
[14:29:23] <raj> http://www.ietf.org/internet-drafts/draft-schnizlein-geopriv-binary-lci-00.txt
[14:29:30] <wouter> It looks up itself.
[14:29:55] <wouter> If it does not know its name, it looks in reverse for NAPTR or PTR.
[14:30:06] <wouter> Or follows PTR and then looks for NAPTR
[14:30:13] <Suz> http://www.ietf.org/internet-drafts/draft-schulzrinne-geopriv-relo-01.txt is what's listed in the agenda
[14:30:15] <wouter> Is this a good use of the DNS? question
[14:30:20] <wouter> Thanks Suz
[14:30:26] <Suz> how many IETF'ers does it take to find an I-D?
[14:30:39] <Suz> and does it take longer on Friday morning than it would have Tuesday afternoon? :)
[14:30:43] <wouter> Doug: any naming, meaningful to associated with delegation point.
[14:30:56] <raj> Is the one I gave the correct one? I'm not sure.
[14:31:05] <wouter> Suz: it depends whether everyone on the planets turns on ip6 today.
[14:31:06] <asullivan> raj: yes
[14:31:23] <Suz> planets
[14:31:28] <Suz> all the planets
[14:31:30] <wouter> Doug: You are asking for work here. the RIRs
[14:31:35] <asullivan> oops, sorry, I misread the links
[14:31:43] <asullivan> no, the one that suz gave is the one
[14:32:00] <Suz> the second one Suz gave, that is :)
[14:32:09] <wouter> Peter: client gets to location server. Trying to find a server.
[14:32:32] <wouter> It is asking about its own IP address, where info for it is attached
[14:32:35] <asullivan> Heh. I'll shut up now, before I confuse things even more
[14:32:53] <wouter> Rob: some people have to leave.
[14:33:04] <wouter> Rob: I find this a little scary.
[14:33:14] --- jakob has left
[14:33:32] <wouter> Do people also find this scary? Who will review? Andrew, George, Mark (sort of). Thanks.
[14:34:02] <wouter> Two reviewers for the v6ops issue? Andrew again, someone else? Please come forward on the mailing list.
[14:34:09] --- fneves@jabber.registro.br has left
[14:34:13] --- doug.otis@gmail.com has left: Logged out
[14:34:14] <wouter> Peter: end of session? AOB? None.
[14:34:20] --- koji has left
[14:34:21] --- ggm has left
[14:34:29] <paulwouters@jabber.org> thanks guys
[14:34:30] <wouter> Thanks for coming and staying for dnsop, see you in Prague!
[14:34:34] --- sra has left
[14:34:38] --- shigeya has left
[14:34:40] <keith_nm> See you in Seattle next week at OARC !
[14:34:45] --- asullivan has left
[14:35:17] --- RussMundy has left
[14:35:22] --- patrickn has left
[14:36:16] --- Antoin has left
[14:37:05] --- raj has left
[14:37:06] --- wouter has left
[14:37:19] --- fujiwara has left
[14:38:59] --- sleinen has left
[14:39:57] --- keith_nm has left
[14:41:29] --- Suz has left
[14:42:47] --- jad has left
[14:43:14] --- mjo has left
[14:50:35] --- paulwouters@jabber.org has left
[14:51:59] --- liman has left
[14:56:21] --- msj has left
[15:00:03] --- rstory has left
[15:02:21] --- jad has joined
[15:02:53] --- jad has left
[15:07:18] --- geoff has left
[15:18:06] --- robert has joined
[15:23:51] --- aalain has left
[15:34:09] --- robert has left: offline
[16:19:42] --- MAP has joined
[16:25:58] --- MAP has left
[16:30:41] --- harald has joined
[17:16:19] --- harald has left
[17:24:10] --- jabley has left
[19:07:30] --- liman has joined
[19:45:14] --- liman has left