[19:22:49] Ralf Weber joins the room
[20:11:13] Ralf Weber leaves the room
[20:11:20] Ralf Weber joins the room
[20:19:21] pk joins the room
[20:20:35] pk has set the subject to: DNSOP IETF 74: start at 1520 PDT, 2220 UTC
[20:27:21] Ralf Weber leaves the room
[20:27:27] Ralf Weber joins the room
[20:36:03] hoz joins the room
[20:36:33] hoz leaves the room
[20:41:53] Ralf Weber leaves the room
[20:41:59] Ralf Weber joins the room
[20:49:32] Ralf Weber leaves the room
[20:49:38] Ralf Weber joins the room
[20:55:45] Ralf Weber leaves the room
[20:55:51] Ralf Weber joins the room
[21:00:50] wouter joins the room
[21:09:23] Ralf Weber leaves the room
[21:09:28] Ralf Weber joins the room
[21:15:29] Ralf Weber leaves the room
[21:15:35] Ralf Weber joins the room
[21:24:08] Ralf Weber leaves the room
[21:24:15] Ralf Weber joins the room
[21:30:16] Ralf Weber leaves the room
[21:30:22] Ralf Weber joins the room
[21:38:53] Ralf Weber leaves the room
[21:38:59] Ralf Weber joins the room
[21:49:00] Ralf Weber leaves the room
[21:49:05] Ralf Weber joins the room
[21:55:45] Final agenda for today available at
[21:56:46] Please observe the "Note Well" at
[22:00:45] wfms joins the room
[22:04:52] pk leaves the room: Computer went to sleep
[22:05:59] yone joins the room
[22:07:38] Exodus joins the room
[22:07:43] Exodus leaves the room
[22:07:53] markkao joins the room
[22:10:12] sm joins the room
[22:14:31] schnizlein@jabber.isoc.org joins the room
[22:15:17] John Schnizlein joins the room
[22:15:30] schnizlein@jabber.isoc.org leaves the room
[22:16:06] Jelte joins the room
[22:16:15] Antoin joins the room
[22:17:33] Doug Barton joins the room
[22:19:19] bruce joins the room
[22:19:54] fdupont joins the room
[22:20:36] Andrew Sullivan joins the room
[22:20:56] marka joins the room
[22:21:09] ASHIDA joins the room
[22:21:37] mikemlb joins the room
[22:21:53] liman joins the room
[22:22:31] sandoche2k joins the room
[22:23:33] blue sheets, and peter has started speaking.
[22:24:12] benno joins the room
[22:24:29] raj joins the room
[22:24:46] Peter Koch kicks off the meeting
[22:24:54] jaeyounkim joins the room
[22:25:09] jabley joins the room
[22:25:14] weiler joins the room
[22:25:28] audio is fine
[22:25:29] sounds good
[22:25:30] excellent!
[22:25:32] koji joins the room
[22:25:43] dblacka joins the room
[22:25:49] mohsen joins the room
[22:26:02] wunderbar.
[22:26:29] EvanHunt joins the room
[22:26:55] jcossio joins the room
[22:26:59] mattlarson joins the room
[22:27:09] agenda bashing, some minor last-minute additions.
[22:27:09] Agenda bashing slide up
[22:27:21] http://tools.ietf.org/wg/dnsop/agenda
[22:27:21] xiaodong.lee joins the room
[22:28:22] matthijs joins the room
[22:29:09] no drafts in rfc-editor queue, 5 drafts in/past wglc.
[22:29:31] fenton joins the room
[22:31:10] fujiwara joins the room
[22:32:01] wes hardaker: edits are minor, please read etc
[22:32:27] counting how many people have read the draft - 6 people with hands up
[22:32:41] draft-ietf-dnsops-name-server-management-02 (I think)
[22:32:52] ASHIDA leaves the room
[22:32:55] going onto active drafts now.
[22:33:01] arifumi joins the room
[22:34:17] trust-anchor-03 - ready for WGLC; no comments in the room
[22:34:36] ah, I missed the chap coming to the mike :(
[22:34:49] dima in the mike
[22:34:57] dima on the mike (sorry)
[22:35:41] audio ok there too
[22:35:44] Dmitri Krioukov actually
[22:35:50] on the mike
[22:36:57] Olaf Kolkman on the mike
[22:37:35] Ricardo Patara joins the room
[22:37:42] (furthermore, sha256 DNSKEYs do not have an rfc yet)
[22:38:34] the SHOULD in the doc re sha-256 isn't on type of keys to be used, just on DS.
[22:38:43] dima again on the mike
[22:38:49] What if we deprecate SHA-256
[22:38:51] only problem with deprecating sha1 is that there are a lot of operating systems that do not support 256 yet
[22:39:06] are these comments for the mike (ralf/jelte)?
[22:39:13] yes
[22:39:15] there is no deprecating, there is only recommending
[22:39:20] with default crypto libraries
[22:39:26] But I agree with what peter just said
[22:39:30] so imho the should is fine
[22:39:39] only put deprecation of SHA1 in the document
[22:39:49] jinmei joins the room
[22:40:20] kshu joins the room
[22:40:22] Olaf Kolkman starts presentation
[22:40:36] DNSSEC Operational Practices, version 2
[22:40:44] slide Administration up now
[22:41:30] I-D at: http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-01
[22:41:39] Ricardo Patara leaves the room
[22:43:29] jaap joins the room
[22:44:25] Key Size considerations slide up now
[22:45:11] Rob Austein questions
[22:45:20] Paul Hoffman on the mike
[22:45:50] 1024 bit is 'too small' for NIST as of 2011, start with 2048 bits.
[22:46:52] and what is the lifetime in years for the keys from that nist recommendation?
[22:47:14] same for sha-1, must be sha-2 as of 2011
[22:47:41] Jelte, put it to the mike?
[22:48:11] slide Key Effective Periods up now
[22:48:23] nah, too late, but thanks :)
[22:48:57] Suz joins the room
[22:49:29] Stephen joins the room
[22:49:38] Do you want to know about your stability risks sooner or later?
[22:49:49] key algorithm rollover slide
[22:50:54] it's actually more like a reverse pre-publish, but hey :)
[22:51:06] (non-)cooperative registrars slide
[22:51:57] Antoin Verschuur on the mike
[22:52:36] Ricardo Patara joins the room
[22:53:16] (antoin) either you have a non-cooperative registrar, or a cooperative registrar - one option is exchanging private keys between operators, or the public keys change.
[22:54:02] mattlarson leaves the room
[22:54:04] Edward Lewis on the mike
[22:54:10] mattlarson joins the room
[22:54:19] caching is also the only real problem with dnssec, making it bogus if you don't go insecure
[22:54:54] jabley leaves the room
[22:55:25] (ed) required key length as mentioned previously is from one source; re this doc, don't specifically set the key length.
[22:55:46] kjd joins the room
[22:56:23] Paul Hoffman on the mike
[22:56:51] Mark Andrews (1280) on the mike
[22:57:15] (mark) NSEC or NSEC3?
[22:57:28] (olaf) please send to list
[22:58:22] (name not heard) longer time for key rollover?
[22:58:36] (olaf) thinks it mentions 12 months
[22:58:48] name of the speaker?
[22:59:21] (olaf) please send text which term is reasonable
[22:59:34] Jaap Akkerhuis on the mike
[22:59:47] john: it was ondrej sury
[23:00:04] (liman is being helpful with the rogues gallery ;) )
[23:00:06] (jaap) remark the EU commission is planning to write a similar document, explaining to operators how to run dnssec
[23:00:15] dblacka leaves the room
[23:00:23] dblacka joins the room
[23:00:37] heh
[23:01:32] Olaf asks for input/text for the document to proceed.
[23:01:47] Say, do we need a SHA384 or SHA512 DS algorithm definition draft as well?
[23:02:03] dnssec key rollovers and timing issues - johan ihren up.
[23:02:23] Ricardo Patara leaves the room
[23:03:21] Doug Barton leaves the room
[23:03:34] ah, the two-letter acronym draft
[23:03:51] key rollovers are.... slide
[23:03:53] :)
[23:03:54] i think i counted more than 15 of them :)
[23:04:31] I already advised to replace them with terms that relate to their successor/predecessor, that saves some terms
[23:04:40] Doug Barton joins the room
[23:05:00] ZSK State transitions slide up
[23:05:02] zsk rollover... now zsk state transitions.
[23:06:58] would someone dare to mention that there may be scenarios where a key is used to generate signatures but it is not published yet? :)
[23:06:59] animated slide (so same slide still)
[23:07:21] take it to the mike?
[23:07:24] they seem to use prepublish, not double-sign
[23:07:26] (jelte)
[23:07:36] now up to 'rollover policy' slide.
[23:07:43] no, they need to remove complexity from the draft first
[23:07:52] i'll send it to the list later, with other comments
[23:08:21] To be fair, some of the complexity in the draft just describes actually complex interactions
[23:08:38] certainly
[23:08:38] 'safe behaviour' slide.
[23:09:26] followed by emergency rollovers.
[23:10:07] farias joins the room
[23:12:12] which is continued into another slide
[23:13:26] olaf at the mike.
[23:13:49] (olaf) it's a cure for insomnia ;)
[23:14:16] hehehe
[23:14:17] (olaf) is there a simple recommendation that you could distill from this that is not in the current operational practices.
[23:14:21] D'oh!
[23:14:22] but it hadn't two-letter terms :p
[23:14:38] about 15-20 of them...
[23:15:10] (olaf) what are the maximum values for the timings?
[23:15:29] (johan) it's a function of policy, likewise for the number of active keys
[23:16:53] now back to johan's presentation on the key and signing policies slide.
[23:18:35] present draft only deals with key timing issues/policies, not signing timing issues/policies - draft is complex enough as it is.
[23:18:49] up to the 'next steps' slide. - any questions?
[23:19:04] Stephen leaves the room
[23:20:05] Stephen joins the room
[23:20:07] wes hardaker at the mike
[23:22:45] (wes) nothing about trust anchors in the document - (johan) only dealing with state transitions.
[23:23:12] Stephen leaves the room: Replaced by new connection
[23:23:12] Stephen joins the room
[23:23:50] antoin verschuur (?) at the mike
[23:24:06] evan hunt at the mike
[23:25:17] olaf kolkman at the mike for a final comment
[23:25:55] wg hum is that we'll work on it, no-one opposed
[23:26:25] three! not two documents
[23:26:34] liman with draft-liman-names
[23:26:49] first slide - asbestos suit please.
[23:26:58] seems to be someone's treehouse burning
[23:27:18] draft-liman-tld-names-00 actually
[23:27:29] xiaodong.lee leaves the room
[23:27:56] intent is to make it clear which octet value combinations are allowed in the DNS label closest to the root
[23:27:59] ogud: Olafur Gudmundsson joins the room
[23:28:24] ogud: Olafur Gudmundsson leaves the room
[23:28:35] Ralf Weber leaves the room
[23:28:41] Ralf Weber joins the room
[23:28:42] is going to go home and rewrite it to make it even clearer (eg, dealing with IPs, unicode etc)
[23:28:56] strictly technical limitations slide
[23:29:25] mattlarson leaves the room
[23:29:27] no-one is opposed to the guidelines in that slide.
[23:29:27] speaking of wire format, yes
[23:29:33] mattlarson joins the room
[23:29:36] old conventions/standards slide
[23:30:18] we need to be careful when we talk about labels to distinguish between wire format, "ascii text" format, and idna/punycode
[23:30:40] benno leaves the room
[23:30:44] doug: yes.
[23:30:51] benno joins the room
[23:30:55] ondrej at the mike.
[23:31:27] (ondrej) also in 1035 (liman) not same semantics - recommendations, not SHOULD/MUST/etc
[23:31:40] mark andrews at the mike.
[23:32:03] (mark) with the tlds, you don't want anything wider than what's in 952.
[23:32:33] ASHIDA joins the room
[23:32:36] (mark) 952 is modified by 1123, what is on the slide isn't what is on 1123
[23:32:41] joe abley at the mike
[23:32:53] (joe) other record types
[23:33:04] ed lewis at the mike
[23:33:33] (ed) no host at the root zone
[23:34:35] (rob austein) re 4th point in the slide, we're not in agreement
[23:34:54] traditional (ASCII) TLD labels slide
[23:35:32] 1123 says 'the highest-level component label *will be alphabetic*'
[23:35:44] mattlarson leaves the room
[23:35:54] mattlarson joins the room
[23:36:12] Ralf Weber leaves the room
[23:36:18] Ralf Weber joins the room
[23:36:23] semantic re is policy, but used as basis for later policy/technical decisions
[23:36:41] ? at the mike
[23:36:55] francis dupont
[23:36:56] benno leaves the room
[23:37:05] benno joins the room
[23:37:06] 'new' IDN TLD Labels slide
[23:37:14] ogud: Olafur Gudmundsson joins the room
[23:37:27] reemphasis on that this document is limited to the wire format
[23:37:43] ergo, IDN is 'somebody else's problem' ;)
[23:37:50] good plan :)
[23:37:50] proposed way forward slide
[23:38:04] 250 pages is a conservative estimate :)
[23:38:19] (screensaver kicked in)
[23:38:44] use 1123 as basis, allow IDN with reference to the idn docs
[23:39:54] mark andrews at the mike
[23:40:01] (mark) good way forward
[23:40:06] andrew sullivan at the mike
[23:40:08] (andrew)
[23:40:40] (andrew) should ask 1123 authors of original intent, is the text intentionally ambiguous?
[23:40:49] ed lewis at the mike
[23:41:04] I don't think anyone ever made the text intentionally ambiguous
[23:41:14] but maybe different people have read it differently
[23:41:24] ed tends to ramble.
[23:41:32] (remember that this is before 2119)
[23:42:01] well it is a good question
[23:42:19] Ralf Weber leaves the room
[23:42:25] Ralf Weber joins the room
[23:43:27] will continue to exist as individual submission for some time
[23:43:33] maybe we should try to redefine the ipv4 address string representation instead ;)
[23:43:48] Jelte: that would be easier
[23:43:58] andrew sullivan with draft-bagnulo-behave
[23:44:24] still need comments on this
[23:45:07] jelte: create A4, bring A6 out of experimental?
[23:45:59] andrew was done in 100 seconds.
[23:46:27] oleg ponomarev with using dns for mapping host identifiers to locations
[23:46:44] this one will be longer
[23:46:49] i/o with hiprg working group
[23:47:27] hip rr slide up now
[23:47:34] kjd leaves the room
[23:47:38] wouter leaves the room
[23:47:39] now slide up
[23:47:41] for those listening at home, oleg is probably the most well-dressed chap in the room.
[23:48:10] wfms leaves the room
[23:48:24] "ok, but" slide up
[23:48:26] wouter joins the room
[23:48:55] question is "hit to ip" mapping
[23:49:02] dht (p2p) is slow
[23:49:27] idea is now to use dns for this mapping
[23:49:39] "updates" slide up
[23:50:11] "initial deployment" slide up
[23:51:07] "some numbers" slide up
[23:51:39] "summary" slide up
[23:51:54] Olaf Kolkman on the mike
[23:52:17] (olaf) why use DNS in such a flat fashion?
[23:53:28] raj leaves the room
[23:53:38] raj joins the room
[23:53:39] peter koch at the mike
[23:53:54] (peter) is there consensus in the HIP community for this?
[23:54:01] (olaf) recap of answer, it's available, works, but probably doesn't exploit the nice characteristics of DNS
[23:54:52] ogud: Olafur Gudmundsson leaves the room: Replaced by new connection
[23:54:52] Bruce on the mike
[23:55:10] (bruce) local or global deployment
[23:55:12] ?
[23:55:34] ogud: Olafur Gudmundsson joins the room
[23:56:13] Olaf: did you think of the operator's burden of managing all the HITs
[23:56:15] ?
[23:56:36] answer to my question was that it would be local, but possibly global where host-using-HIP communications crossed org boundaries.
[23:57:10] weiler leaves the room
[23:57:10] peter covering i/o with other WGs.
[23:57:27] any other business
[23:57:54] joe ... with dnssec ixfr issue
[23:58:10] dnssec ixfr issue with 2 signing engines being involved
[23:58:32] joe gersch
[23:58:48] use time % 60 (whole minutes)
[23:59:26] Ralf Weber leaves the room
[23:59:32] Ralf Weber joins the room
[23:59:47] second slide - possible solutions
[23:59:54] arifumi leaves the room
[23:59:59] weiler joins the room