IETF
driu
driu@jabber.ietf.org
Thursday, July 19, 2018

GMT+0
[19:38:45] meetecho joins the room
[19:44:25] sKCYaWZI joins the room
[19:45:11] Carsten Strotmann joins the room
[19:45:12] Daniel Kaiser joins the room
[19:45:18] Melinda joins the room
[19:47:47] SHollenbeck joins the room
[19:48:25] Wouter Wijngaards joins the room
[19:49:03] Mats Dufberg joins the room
[19:49:08] Timothy Morizot joins the room
[19:49:58] ted.h joins the room
[19:52:53] Taiji Kimura joins the room
[19:52:58] Bernie Volz joins the room
[19:53:19] sftcd joins the room
[19:54:40] Petr Špaček joins the room
[19:55:50] <meetecho> Working on the missing slides
[19:56:21] tim.wattenberg joins the room
[19:56:35] <ted.h> Dry-You?
[19:57:36] Yoshiro Yoneya joins the room
[19:58:17] Lucas Pardue joins the room
[19:59:36] Roger Carney joins the room
[19:59:39] mnot joins the room
[19:59:58] <mnot> If you’d like something to be relayed to the room, prefix with MIC:
[20:00:25] <Mats Dufberg> What about the slides? Are any shown?
[20:00:40] <tim.wattenberg> Meetecho is working on it
[20:00:53] <Mats Dufberg> Thanks.
[20:01:34] <mnot> “juice”
[20:01:39] <tim.wattenberg> Chair slides, page 4
[20:01:50] <Mats Dufberg> Ok.
[20:01:58] danyork joins the room
[20:02:18] nygren joins the room
[20:03:22] Martin Thomson joins the room
[20:03:32] <Martin Thomson> What is the ALPN label for DNS over TLS?
[20:03:42] <mnot> My head hurts
[20:03:55] <Martin Thomson> mnot: try vicodin
[20:04:50] <mnot> Slides: DHCPv6 DNS Threats
[20:04:50] <tim.wattenberg> DHCPv6 DNS Threats slides, Page 1
[20:05:05] <Mats Dufberg> Thanks!
[20:05:09] Suzanne joins the room
[20:05:41] <tim.wattenberg> Page 2
[20:06:34] <ted.h> For the DNS URI, see https://tools.ietf.org/html/rfc4501, but note that it doesn't currently let you specify a transport.  It would need an update to specify one.
[20:06:43] <Martin Thomson> are any of these new?
[20:06:56] <mnot> https://everyrfc.org/?search=dns%20uri
[20:07:50] <ted.h> Some of those are about storing URIs in the DNS, though.  And, also, NAPTR, about which we do not speak.
[20:07:59] <tim.wattenberg> Page 3
[20:08:00] Peter van Dijk joins the room
[20:09:24] Bernie Volz leaves the room
[20:09:25] Bernie Volz joins the room
[20:11:11] <mnot> Slide 4
[20:11:44] <tim.wattenberg> Slides seem to be working now on Meetecho ;-)
[20:11:55] <Lucas Pardue> (Y)
[20:12:04] <Mats Dufberg> Thanks!
[20:12:05] <meetecho> Yep, it was a problem with the HDMI cable apparently
[20:12:19] <Mats Dufberg> Last mile. :-)
[20:13:22] <mnot> (Is someone taking minutes?)
[20:14:00] <ted.h> OCSP is not a reputation service in my mind.
[20:14:31] <ted.h> It tells you whether a binding is correct or has been deprecated.  A reputation is whether the thing-that-this-is-bound-to is doing what is expected.  
[20:15:01] <Peter van Dijk> the OCSP comparison makes sense on the protocol level but not semantically, indeed
[20:15:28] mnot is now wondering if he just missed Paul finding a scribe, or if we’re running without one
[20:15:54] <ted.h> The whitelist/blacklist problem has the "mint a new identity" problem here, right?
[20:16:18] <tim.wattenberg> Scribe might not be on Jabber, but I guess nobody asked for one
[20:16:19] <Martin Thomson> why are we concerning ourselves with this problem?
[20:16:37] nygren leaves the room
[20:17:12] <mnot> Paul is taking notes
[20:17:17] <mnot> I’ll jabber scribe
[20:17:35] Olafur joins the room
[20:18:05] Olafur leaves the room
[20:18:49] nygren joins the room
[20:20:01] Bjorn Hjelm joins the room
[20:20:54] <Martin Thomson> that didn't ask the question, which was "why does the slide mention OCSP?"
[20:21:06] <99rst> ok he's probably talking about privacy policies. We haven't solved this for websites.
[20:21:59] <Peter van Dijk> tongue in cheek - i thought we had those fancy p3p headers or whatever they were called
[20:22:05] <Martin Thomson> 99rst: P3P solved that over a decade ago
[20:22:41] <99rst> Martin Thomson: P3P is not being used. P3P was too difficult to write for devs. And legal policies didn't translate well to P3P. So I don't think it was solved.
[20:23:19] Olafur joins the room
[20:23:23] <Martin Thomson> 99rst: </sarcasm> (I didn't realize that this wasn't obvious, so maybe p3p isn't as dead as I thought...)
[20:23:23] <mnot> I was a contributor to P3P. I can say authoritatively, it’s bad.
[20:24:17] rlb joins the room
[20:24:20] <ted.h> Extend https://datatracker.ietf.org/doc/draft-borenstein-kidcode/ to cover DNS URIs! (No, don't.  It was a bad idea 65 IETFs ago, and still is)
[20:24:35] Suzanne leaves the room
[20:25:38] <Lucas Pardue> wow
[20:25:46] <Peter van Dijk> @mnot thank you for your honesty!
[20:26:03] <Peter van Dijk> @ted.h there is a http header / html meta variant of that that 'adult' sites today appear to be serving quite decently
[20:26:31] <Peter van Dijk> rtalabel.org
[20:26:50] <ted.h> @Peter van Dijk, Don't you mean indicently?
[20:27:06] <ted.h> That would have worked a lot better if I could spell.  Sorry.
[20:27:16] Bjorn Hjelm leaves the room
[20:27:47] <Peter van Dijk> hahaha
[20:27:59] <Peter van Dijk> so i just checked and the #1 adult site I could think of does not appear to have the header
[20:29:18] <ted.h> TOFU baby ducks.  That sounds…odd.
[20:31:04] Jan Komissar joins the room
[20:31:15] <Martin Thomson> ted.h: it's an equivalency, not a combination
[20:31:26] <ted.h> Current DHCP option registry, for comparison:  https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
[20:32:59] Aaron Falk joins the room
[20:33:01] <Martin Thomson> Ted has a pretty good case here for no more use of DHCP for DNS here
[20:33:18] <Aaron Falk> meetecho: the audience mic is really loud in Viger
[20:34:03] <rlb> +1 mt
[20:34:18] <Martin Thomson> PvD isn't the answer any more than DNS is
[20:34:32] <rlb> what is PvD?
[20:34:32] <Martin Thomson> it has all the same weaknesses
[20:34:48] <ted.h> Is this https://datatracker.ietf.org/doc/draft-pfister-capport-pvd/ ?
[20:34:58] <Martin Thomson> ted.h: the thing that depends on
[20:35:06] <Martin Thomson> https://datatracker.ietf.org/doc/html/draft-ietf-intarea-provisioning-domains
[20:35:24] <Martin Thomson> the idea is that you get an RA that tells you where to find configuration information for this "network"
[20:35:25] <ted.h> @MT Thanks
[20:35:48] <Martin Thomson> but the original information is no different to DHCP in the sense that the network provides the information
[20:36:18] Suzanne joins the room
[20:36:51] <Martin Thomson> Control of the network shouldn't privilege you to install certain services, though I concede that this is necessary today
[20:36:59] <mnot> Indeed.
[20:37:06] <Melinda> +1
[20:37:38] <rlb> yeah that's totally a realistic user model, ted
[20:37:44] <mnot> Slightly related, domain names have the most value as a name space when they’re global.
[20:37:47] <Martin Thomson> Imagine if you had a "Facebook" DHCP option that told you where to go to get Facebook
[20:38:05] <Lucas Pardue> does it require an NDA?
[20:38:06] <rlb> mt: isn't that part of internet.org? :)
[20:38:58] danyork leaves the room
[20:41:22] <ted.h> Overheard at the IETF would have a field day with today's mic line.
[20:41:43] <Martin Thomson> the problem is less that you have no shared key, it's that you don't have any expectation about the identity of the DNS server you might end up talking to
[20:41:57] <Peter van Dijk> @ted.h somebody should send ietfmemes a hint
[20:42:41] danyork joins the room
[20:44:27] <nygren > "I trust this because it's hard to get certs or configure DNSSEC" seems like a poor security model, unless I'm misunderstanding.
[20:45:16] Timothy Morizot leaves the room
[20:45:28] <Martin Thomson> nygren : I heard "better than status quo", which is true, if unsatisfactory
[20:45:42] <Martin Thomson> where status quo is DHCP + cleartext DNS
[20:46:51] Dan York 2 joins the room
[20:47:10] <Martin Thomson> I know, we need SRV capabilities... not
[20:47:11] Dan York 2 is now known as DY2
[20:47:54] DY2 leaves the room
[20:47:58] Dan York 2 joins the room
[20:47:59] Dan York 2 is now known as DY2
[20:48:11] Roger Carney leaves the room
[20:49:10] <Bernie Volz> Other information (such as network changes via RAs) should trigger a DHCPv6 "reconfiguration".
[20:49:14] DY2 leaves the room
[20:49:18] Dan York 2 joins the room
[20:49:18] Dan York 2 is now known as DY2
[20:50:18] <Bernie Volz> See https://tools.ietf.org/html/draft-ietf-dhc-rfc3315bis-13#section-18.2.12.
[20:50:33] DY2 leaves the room
[20:50:37] Dan York 2 joins the room
[20:50:38] Dan York 2 is now known as DY2
[20:50:45] DY2 leaves the room
[20:50:46] <Martin Thomson> that section number is scary
[20:50:47] Dan York 2 joins the room
[20:50:48] Dan York 2 is now known as DY2
[20:51:36] Suzanne leaves the room
[20:51:53] DY2 leaves the room
[20:51:56] Dan York 2 joins the room
[20:51:57] Dan York 2 is now known as DY2
[20:52:34] Aaron Falk leaves the room
[20:53:14] DY2 leaves the room
[20:53:17] Dan York 2 joins the room
[20:53:18] Dan York 2 is now known as DY2
[20:53:29] DY2 leaves the room: Replaced by new connection
[20:53:29] Dan York 2 joins the room
[20:53:30] Dan York 2 is now known as DY2
[20:54:00] mnot leaves the room
[20:55:40] DY2 leaves the room
[20:56:02] danyork leaves the room
[20:58:35] Suzanne joins the room
[20:59:06] <Lucas Pardue> we don't want to DoHssify
[21:00:03] Taiji Kimura leaves the room
[21:01:46] <Martin Thomson> q: does a bloom filter prevent enumeration? (in the same way that NSEC5 might)
[21:02:13] <99rst> Martin Thomson: I don't believe so
[21:02:28] <nygren > and when you're switching between DoH servers it is doh-si-do?
[21:02:30] nygren leaves the room
[21:02:56] Samuel Weiler joins the room
[21:02:57] nygren joins the room
[21:02:57] <Martin Thomson> 99rst: that was my intuition
[21:03:00] <Suzanne> Now *that's* a mic line!
[21:03:03] <Samuel Weiler> we're up to 11…..
[21:03:14] <Martin Thomson> spin bit discussion was better
[21:03:25] <Samuel Weiler> 12
[21:04:50] ted.h leaves the room
[21:05:22] <99rst> Bloom filters are a nice way to compress information. (with the false positive caveat)
[21:05:36] <99rst> beyond that I'm not sure if we get anything else here
[21:06:08] <Samuel Weiler> It seems like this is "preloading".  the bloom filter is an inconsequential detail.
[21:06:20] <99rst> right
[21:06:41] <Samuel Weiler> (we're at 11.  someone sat down?)
[21:08:04] <Samuel Weiler> I'm not worried (much) about the security properties of preloading.  If you get no answer or an answer that fails validation, no somewhere else.
[21:08:12] <Samuel Weiler> s/no/go/
[21:08:48] <Lucas Pardue> ted of line blocking
[21:09:01] <Martin Thomson> +Lucas
[21:09:11] <Suzanne> Nicely done @lucas
[21:10:05] ted.h joins the room
[21:10:37] <Samuel Weiler> 13.  12.  Olafur sat down.
[21:10:50] <Martin Thomson> Mark managed to botch the explanation here
[21:10:55] Aaron Falk joins the room
[21:11:09] ted.h leaves the room
[21:11:14] ted.h joins the room
[21:11:23] <Martin Thomson> badly
[21:12:13] Aaron Falk leaves the room
[21:13:54] <Olafur> Basically we need to solve the "resolver operating policy" first before talking about this
[21:14:03] <Samuel Weiler> [Mark admins that the Bloom filter is a distraction.]
[21:14:14] <Samuel Weiler> admits
[21:15:36] rlb leaves the room
[21:15:41] <ted.h> I don't understand how this gets a middle ground, if I get the other servers from cloudflare.
[21:16:31] <99rst> ted.h: not every site is hosted on cloudflare. some are on AWS. So you'll also have an AWS DoH server, One for Azure etc. But I agree there aren't that many large CDNs.
[21:17:08] <ted.h> @99rst  That's what I thought originally, but the model appears to be every entry is a recursive that handles any DNS query.
[21:17:15] <Samuel Weiler> ted: this was an incentive to get big cloud providers to run more DoH servers.  Names that will get performance benefits going to a particular one get routed there (via the preload) otherwise just pick one.
[21:17:36] Aaron Falk joins the room
[21:17:54] <Samuel Weiler> ted: so I may not have understood your concern
[21:18:55] <ted.h> @Sam  So, you think the model is that if the origin is in the bloomfilter, send it there?  I may have misunderstood, but I think he is arguing instead for a spray of queries across multiple co-equal servers.
[21:19:15] Aaron Falk leaves the room
[21:19:26] <Samuel Weiler> Yes, i think so.
[21:19:34] Aaron Falk joins the room
[21:20:02] <99rst> ted.h: I agree with your original understanding. From the draft (section 1.1): When a DOH server is colocated with ... HTTP services.
[21:20:09] <Martin Thomson> ted.h: I think that you are getting the drift now
[21:20:11] danyork joins the room
[21:20:19] <Martin Thomson> I was worried there
[21:20:26] Spamvictim joins the room
[21:20:39] <99rst> ted.h: section 1.2 further elaborates on that
[21:23:14] <ted.h> @MT  The problem I pointed out is that nominating a server as co-equal gives the nominating server a lot of power to (accidentally or purposefully) DOS that server *including the HTTP resources it serves*.  It also means that there will be a huge problem with split DNS, which is pretty common.
[21:23:19] <Martin Thomson> I imagine that your OS vendor, Browser vendor, AV vendor, and maybe more have access to that info
[21:23:31] <99rst> More from section 1.2: When clients can direct their DOH queries to
[21:23:36] <99rst>    the HTTP server which will eventually serve their traffic
[21:23:45] <Martin Thomson> DoH is terrible for split DNS
[21:24:07] <Samuel Weiler> DNSoverTLS, too, arguably.
[21:24:11] <Suzanne> @mt arguably split DNS deserves it
[21:24:18] <Samuel Weiler> Suzanne++
[21:24:19] <Carsten Strotmann> @Martin Thomson: split DNS is terrible :)
[21:24:35] <Martin Thomson> ted.h: DOS is possible for any server you trust to provide you with DNS results
[21:25:05] =JeffH joins the room
[21:25:12] Jaromir Talir joins the room
[21:25:14] <ted.h> Split DNS is like the Wandmaker's view of Voldemort:  The things it has done are terrible, yes, but great.
[21:25:29] <Martin Thomson> q: how big is all the DNS?  could we download the lot?
[21:25:35] <Suzanne> prolly.
[21:25:44] <99rst> Martin Thomson: pass it around in CDs?
[21:26:06] <danyork> We’ll just package it all up as a .tgz or .zip
[21:26:07] <Samuel Weiler> depends on how well the 'populate the v6 reverse space' hacks catch on.
[21:26:09] <ted.h> @MT  All the DNS is not available to you.  And the answers to some queries available to you would change during the download time.
[21:26:13] <Martin Thomson> 99rst: station wagons full of tapes
[21:26:13] <=JeffH> i thot zone arbitrary xfers were tough to get these days….
[21:26:37] <Martin Thomson> ted.h: rsync
[21:26:43] <nygren > @dkg can spray paint QR-code versions of it all on walls for us?
[21:26:48] <Samuel Weiler> can we turn the whole DNS into a single Bloom filter?
[21:26:50] Bernie Volz leaves the room
[21:27:17] <Martin Thomson> we could build a DNS transparency log
[21:27:21] <ted.h> @MT  Backend databases are locked for the length of the time for the sync?  That's going to be a tough sell.
[21:27:25] <Martin Thomson> that's a merkle tree
[21:28:59] <Melinda> Probably, but not definitely.  What's under discussion here would be.
[21:29:17] <Melinda> (Also, putting DNS under a compliance regime:  blurgh)
[21:32:40] <nygren > the enumeration aspect might actually have transparency value.  If using a bloom filter, having a public list used to construct multiple differently seeded bloom filters might not be a bad thing.
[21:32:51] Jaromir Talir leaves the room
[21:33:49] mnot joins the room
[21:34:06] Suzanne leaves the room
[21:34:38] SHollenbeck leaves the room
[21:34:41] <Melinda> Also, if you look at, say, Trillian, it's got an SQL database behind it, storing the Merkle tree.  One performance characteristic of Merkle trees is that they're expensive to extend but very cheap for lookups.
[21:35:22] nygren leaves the room: Disconnected: closed
[21:36:28] nygren joins the room
[21:36:55] <Martin Thomson> mdns+doh seems perfectly reasonable to me
[21:38:05] <nygren > @MT: you mean using mdns to find a local doh service?
[21:38:10] <ted.h> @mt In the enterprise world, there are lots of cases where the mDNS doesn't cover the same range as split DNS.  If they go to local DOH servers, their world stays the same, of course.  Will Firefox allow Enterprise users to opt out of the Cloudflare arrangement?
[21:38:33] <Martin Thomson> ted.h that is the plan, as I understand it
[21:38:40] danyork leaves the room
[21:39:06] <Martin Thomson> nygren : mdns to find local servers; enterprise cases don't work there, but see my answer to ted.h
[21:44:40] Samuel Weiler leaves the room
[21:45:20] Aaron Falk leaves the room
[21:45:41] <ted.h> So I should assume that cloudflare sets client-subnet?
[21:46:00] <Martin Thomson> hah, that's in the agreement from memory
[21:46:12] tim.wattenberg leaves the room
[21:46:40] Suzanne joins the room
[21:46:50] Petr Špaček leaves the room
[21:46:53] Petr Špaček joins the room
[21:47:31] <Petr Špaček> I'm almost sure Cloudflare does not do ECS ... because we have not implemented ECS into Knot Resolver.
[21:47:39] mnot leaves the room
[21:47:40] Aaron Falk joins the room
[21:50:24] Aaron Falk leaves the room
[21:50:24] ted.h leaves the room
[21:50:25] <Peter van Dijk> I have consistently observed 1.1.1.1 to not do ECS, indeed
[21:50:26] Melinda leaves the room
[21:50:27] Martin Thomson leaves the room
[21:50:27] nygren leaves the room
[21:50:43] Spamvictim leaves the room
[21:50:44] Wouter Wijngaards leaves the room
[21:50:49] Spamvictim joins the room
[21:50:49] Spamvictim leaves the room: Disconnected: closed
[21:50:50] Jan Komissar leaves the room
[21:50:59] Daniel Kaiser leaves the room
[21:50:59] Carsten Strotmann leaves the room
[21:50:59] Mats Dufberg leaves the room
[21:50:59] Peter van Dijk leaves the room
[21:50:59] Petr Špaček leaves the room
[21:50:59] Lucas Pardue leaves the room
[21:51:06] Olafur leaves the room
[21:51:42] =JeffH leaves the room
[21:54:09] sKCYaWZI leaves the room
[21:54:48] meetecho leaves the room
[21:55:33] sftcd leaves the room
[21:56:46] mnot joins the room
[21:58:29] Dan York 2 joins the room
[21:58:29] Dan York 2 is now known as DY2
[21:58:40] DY2 leaves the room: Replaced by new connection
[21:58:40] Dan York 2 joins the room
[21:58:40] Dan York 2 is now known as DY2
[21:58:41] danyork joins the room
[21:58:54] DY2 leaves the room
[21:58:59] danyork leaves the room
[21:59:54] Yoshiro Yoneya joins the room
[22:00:06] Yoshiro Yoneya leaves the room
[22:00:42] Yoshiro Yoneya leaves the room
[22:03:06] Suzanne leaves the room
[22:07:03] Suzanne joins the room
[22:07:25] Martin Thomson joins the room
[22:07:30] Martin Thomson leaves the room
[22:07:35] Suzanne leaves the room
[22:09:49] <99rst> 1111aaaaaaaaa111111111111111aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[22:11:19] Olafur joins the room
[22:11:19] Spamvictim joins the room
[22:11:26] Spamvictim leaves the room
[22:12:20] mnot leaves the room
[22:12:43] Olafur leaves the room
[22:14:54] nygren joins the room
[22:17:26] ted.h joins the room
[22:17:43] ted.h leaves the room
[22:23:16] Samuel Weiler joins the room
[22:59:34] nygren leaves the room
[23:01:31] nygren joins the room
[23:01:40] nygren leaves the room: Disconnected: closed
[23:03:53] Aaron Falk joins the room
[23:06:40] Samuel Weiler leaves the room
[23:11:14] nygren joins the room
[23:11:33] nygren leaves the room
[23:11:56] Aaron Falk leaves the room
[23:11:57] Samuel Weiler joins the room
[23:17:32] Samuel Weiler leaves the room
[23:20:26] Aaron Falk joins the room
[23:26:54] Aaron Falk leaves the room
[23:30:24] nygren joins the room
[23:31:33] nygren leaves the room: Disconnected: closed
[23:33:35] nygren joins the room
[23:52:46] nygren leaves the room