From YouTube: IETF102-DNSOP-20180718-0930
Description
DNSOP meeting session at IETF102
2018/07/18 0930
https://datatracker.ietf.org/meeting/102/proceedings/
E
Warren Kumari just doesn't know that, so yeah. The authors just saw Oliver's note, found that the name doesn't quite seem to line up; we're more than happy to change the name, just an email saying that seems like a reasonable point, and that's kinda what working group last call is for, before, you know, to point out things that were missed.

D
Yeah, so for what it's worth, as far as gauging consensus, that's actually the chairs' job; that's what y'all paid the big bucks for and all that coffee. Versus, absolutely right. What we need is additional input, pro or con comment, so that we can call consensus, and so that our area director, with his different hat... actually, you know, as a process point, because I'm more a co-author on this document, we have a different area director who is... well, we hand it off if we decide to advance it, but in any case it gets.
B
St. James again. I agree with "the silence has failed", but let me put one more piece here that's gonna confuse things slightly, sorry. I believe a document like this is useful and should go forward. I have a problem with the content of this document that I have expressed and tried to fix for a long period of time. In the current form, I believe this document is more harmful than good.

A
Up for adoption is more lighthearted: subject, the multi-signer DNSSEC draft; this call for adoption ends on Friday as well, and it's informational. It describes operational practices. She wants to talk a bit, and we are an operational group. So it'd be, you know, I know some people said this doesn't really kind of fit, but they're got... we had some people who said yes, it does seem to fit what's going on, sort of thing, and you know, I think people are trying to do this today. Well, I know we're trying to do this today.
A
So that's always this and that, and also drafts just in; this stuff just sort of came in: qname minimisation bis basically showed up this week and I'm very happy about this. It's its initial, and we feel the initial RFC was a big win in the privacy space, but you know, we all got burned by some operational issues; who got burned by that 9.12 update? You know, besides, you know, you know, myself, it wasn't me.

A
Also, oh, this is just a link to the GitHub that we work inside of. Nice eyes raised already pointed out something that I dropped, so I'm going to go update that; I apologize for that, and in this slide it actually looks better. Know what we got going on now. So our agenda today: we're going to talk about algorithm update. We'll have Ondřej to talk about cookies, operational impacts with cookies, and we're going to have a fun discussion of something at the apex.

A
We had the discussion about SRV and HTTP yesterday; there was a side meeting, meaning there is some interesting back and forth between the two crowds. So I've got a DNS operations view slash user community, and then Ondřej, he's got some stuff. You know, and he's done some experiments, and we'll have him selling some stuff from the implementer side. So the three of us are going to do a quick little round and turn it back, but our goal here is like, I want to plant a path forward. You know, everybody does this.
H
See, this is just an update on the long-standing crypto algorithms in DNSSEC. I'll give an update, so, wow.

H
So, to give a quick review if you haven't all read the document: a lot of ads, so we want to refresh the list of DNSSEC algorithms, add more as mandatory to implement, or remove the old, insecure ones, and do the same for the DS digest algorithms. So this is a quick recap of what the document says. It removes the RSAMD5 and DSA algorithms.

H
It removes ECC-GOST, because the ECC-GOST that we implemented in DNSSEC has been deprecated by the Russian government. There's a new ECC-GOST curve, but that hasn't been standardized for DNSSEC. So if anybody wants it, the work needs to be done. And it promotes ECDSA P-256 to mandatory algorithm; recommended from my group, recommended one; and it promotes the Ed25519 one.

H
...to recommended status, with the idea that, after the implementation catches on, to require, make it, like, mandatory algorithm for deployment in the future. So for the DS algorithms we did a similar thing: again SHA-1 and GOST, it's forbidden to use, and as DNSSEC developers you still must implement the SHA-1, and they may do the GOST if they want to, right. So the other change we did: we changed the algorithm that's mandatory to implement, and every implementation should have it everywhere else.

H
As far as I'm aware, at least I assume NLnet Labs and CZ.NIC have all these implemented. I have no idea about PowerDNS, but I would guess that ECDSA at least is there, and well, I know they were first to implement the EdDSA, in fact, so it's everywhere implemented for the things we care about. I have no idea about the proprietary implementations. So if there's somebody from, of course, those vendors here, I would like to hear from them, but I think we covered most of our bases. Mark.
A
...presentation that I gave at the DNS symposium about, well, like the old stuff in the DNS, and that was one of my points, that we should do stuff like deprecate Diffie-Hellman and add elliptic curve Diffie-Hellman to TKEY, and update the TSIG, define the transaction security, TSIG, for the new algorithms, but that's out of the scope of this document. I'm happy to elaborate; the only new one needs to come in like this, but let's not spoil this, and yeah, I'm... Not servicing has been you, it's! It's related, builds this.

H
I could change it to SHOULD, but it's because it's an equivalent and it's defined in the RFC, I don't remember which, that defines the MUST and uses the RECOMMENDED and NOT RECOMMENDED as aliases for SHOULD and SHOULD NOT, and it felt to me that, because we removed all those pluses and minuses, the RECOMMENDED feels like you should do that, like we...

I
Okay, so I just want to make a quick note in response to Mark Andrews about the TSIG algorithms, and those are actually lagging much more behind the other ones. For instance, if you were running a Red Hat server, then only recently could you use something that is not as weak as MD5, so I think we should be much more conservative with those, and I'm not sure if you should pull them into this document.
B
I'm Jenn Penton. I just want to clarify that this has to do with the implementation. What goes into the implementation is not what you actually sign with, because I'm concerned, especially looking at the Ed25519 line; it's sort of saying recommended, but it's only a recommended on the validation side, which seems like you could produce an interoperability problem if people actually took that seriously.

D
Whatever, laughing, that's... well, actually, I have one, I have a question, if nobody else does. If I heard you correctly, there's no implementation discussion inside, but I don't immediately see it in the draft. Would it be a big challenge to add a brief implementation status section, just because that's something that we've discussed recently?

E
Warren. And I do see people tonight when you show up down here. So what can I add just on the previous point? I know that the document does talk, right, you know, this should be implemented and it's not what should be used, but lots of people will just flip through documents and see, like, the big table and assume that that's what they should use. So you might want, like, an h1 blink, you know, red text above and below the table, being like, just a reminder: this is implementation, not what they're recommending you to deploy right now.

V
Tale. I'd like to actually ask that you not make it blink, as was just asked; that idea... but actually what I've got up here for was, I'm curious: we just need a really quick on agreeing that the MUST and RECOMMENDED language is just fine without switching, or the MUST and NOT RECOMMENDED without it switching to REQUIRED, or... just, I think we're really actually mostly in agreement that we're all okay on that. But since we've heard some, you know, suggestions that different terms would be used.
S
The problem is that there is no handshake between the one that sends the query and the one that gives the answer, and one solution is to use a stateful transport, but that doesn't scale very well with DNS, because DNS can... he is killed too many men clearly to shake it, because there's no state; the authoritative server would have to keep state for every client, and so the cookie is a way to address this. That's just having a single secret on the server, a version of a sort of handshake.

S
If you have made the handshake, you are known to the authoritative, or to the resolver for that matter; a possible handshake that works for both stub to resolver and resolver to authoritative. If you have made the handshake, then you are known, then you are a non-flight. You get the large answers, or the better of each consciousness.

S
If you did not make the handshake, then you will get a short answer, or you'll be subject to response rate limiting or... so the operators of DNS that had to deal with amplification attacks immediately, they had to deal with it immediately and implemented things like priority lists for the known resolvers. They get statistics on these, the golden fifty resolvers that we always see, and they don't always get answers, and dealt with it.

S
The reason that we push for this is... the draft, and there is an issue with it; it's important that all vendors do the same thing. Of course, especially anycast deployments, that the same cookie or the same algorithm is used on all servers that participate in communication for a certain IP, so.
H
Enrichment, Francis, and a big debt. You heard me back again. So the operational impact, the good operational effects, is that the server can have improved... because of cookies. So if you have a cookie, you can assess what I've said; you can disable RRL, or you can do fancy stuff, like by deciding to move towards Watson, pledge you to decline or water plane.

H
There's not... if you have a better responsiveness under attack, because you can, like, rate-limit those without cookies and redirect them to TCP to get a cookie.

H
They might have a different deployment schedule; let's just, for example, deploy a new version of BIND that has cookies, but you have NSD or Knot DNS or PowerDNS at the same node, and they don't have cookies at the same time. So now you have, at the same anycast node, hidden behind the same IP address, different servers with, like, different state of implementation.

H
Difficulties without cookies, different cookies, it gets too confusing for operators, the baggage. From my experience, you can also have, like, an accrued, different operators for parts of the cloud; so there's parts of the cloud for the root that's provided by ISC, the other part is provided by trout, and they again use different implementations with different cookies, and there's some need to synchronize those cookies. Otherwise it might feel quite wrong. The other thing is that the unconfigured server...

H
...generates the server secret at random. So again, even if you deployed multiple instances of the same server and didn't configure it, you have, like, several different keys hidden behind the same IPs, even though here you have the same server. The other thing is that there are different default algorithms, and there are incompatible algorithms in what input data goes into the function; it doesn't be a function, and there are such deployments, and this is with the permission of RIPE NCC, the K-root does, like, transiting to your routine.

H
So almost every time you ask you get a different implementation; so if you run a loop over the K-root servers, it's not that, not only are you reaching for one, like with the BGP it will switch, but it's at, like, a local program order for the nodes, and you are still connected to the same anycast node, but they rotate the implementations that answer there. So on every query you get a different cookie based on the server you just hit, so the solution...
H
...that we will define, that we will write a new draft that will define the mandatory algorithm to implement between the implementations, a similar thing to what we did with the DNSSEC algorithms. So both the crypto function and how the input data is fed into the function will be standardized, as that, like, this is mandatory. We want to add SipHash as the hash function.

H
The other thing is that we probably should remove the non-cryptographically secure algorithm; there's been, as FNV, defined in the original RFC, and that needs to be removed, because it's not really suitable for this kind of use, and the document should provide the guidance both to the DNS vendors and the DNS operators on how to deploy in such scenarios.

I
The choice of the right algorithm is not for me to say, so: okay, Rafa and so on. Eh, in his cookie makan who's asked me what to use, and I just forwarded sufficient to talk it to reference practice of your solution. I mean, answer: yes, SipHash is faster, at least twice as fast, so it's a question for cryptographers, so you give it to a little after I say what.

X
Cookies that you have this problem, you need to standardize along for interoperability between multi-vendor anycast server pools, so I think that they made the other improvements viable in the cookie draft. I think what you do is to rev that draft and welcome other co-authors in doing that. Well.
W
Genre doc, my king, go back. Okay, so you mentioned a couple of times about the anycast problem. I've heard you say multiple vendors at the same anycast node; let's clarify terminology. Are you talking about actually different DNS software at the same... Okay, what about the situation of the same gun, where at multiple anycast nodes the route may change between queries? It's not a problem, because that cookie is...

H
Server specific, so if you like that the name server has a cookie to the client; it's client-server, not client-domain association. So, if you have multiple name servers with multiple different IP addresses, there's not a problem, because each of them could have a different, unique...

W
I guess I'm asking what if a response goes to... you, I mean, so the server sends the cookie, right? Yes. And the cookie, then in the response, the cookie in the response has to be something the server knows. It's a generator, right? And yes, it's computed from the client cookie and some other variables. Okay, on the server side. So I guess I'm just saying, for the point about providing guidance to operators, it would be great to have some specific recommendations about how to handle... okay.

V
...implementers to implement, I would say: I would encourage us to not have options, or to make it as clear and simple, of exactly what we want people to do, and do not provide too many choices, because this is going to be handed to somebody who's to go write this or add this into something, and they're going to go look at it and say, what do they have to implement, and so, to the point where we can give them the clearest and shortest list.
H
Okay, so, basically, DNS cookies, what is it trying to solve? And if we look at this from the perspective of the kaabah, we have a handshake. We can avoid cookies totally if we go to TCP, right? One under the scope of this board. Now it's not. This is a question on alternatives. This is extra work. We are going to spend a lot of time talking about it. We can do the same thing with the existing technologies, and so why do this? So you're suggesting to kill the cookies? Yes, I think this is not good.

H
I know there are different implementations with different algorithms being implemented in the cookies, and I need to solve this problem. So if you want to just kill the cookies, please write a draft to deprecate the cookies, but I'm continuing this work because I have a real problem to solve, and one of the solutions you could have... please don't eat my cookies, use TCP.

H
It's out of scope; the DNS cookies are already there. We are... This is this support about standardizing. You can do so. I would advise you to go read the DNS cookies draft, the RFC, sorry, there's an RFC on DNS cookies. Please go read it, and it has answers. So, but no, it doesn't do anything to do with privacy, and if you are on path and you can inject it, you can read the answers and the responses anyway.
Y
Ted Lemon, so this is kind of a little bit on the same topic. There was a presentation in intarea yesterday about PMTU issues, and basically the recommendation was don't use fragmentation, which I know seems slightly off-topic, but of course the reason why we have that issue, the reason why it's an issue, is because DNS, particularly DNSSEC, tends to send large packets around, largely to keep packets around it, so those can be fragmented and that creates pretty serious problems.

Y
I think that the point that you're getting from the people that came up to the mic, including me, to talk about this is just that we really ought to actually open that question before proceeding with this further, because... and not make a big delay about it, but just, like, have that conversation, because I think that, you know, we're...

M
Do you want to kill UDP today? Is that what you're asking for, literally? You are saying, get rid of UDP DNS, the whole thing. That is what you're saying: get rid of it completely. Cookies work with unfragmented packets; fragmentation is a separate issue to cookies. They are orthogonal, and you were confusing the two, so.
M
Cookies, cookies do multiple things: they protect against amplification attacks. They also protect against forged responses. I really don't like having to open a new socket basically for every single query over UDP. Cookies have two sides: they've got a client side, a client cookie as well, that's designed to give enough entropy to the question that you can guarantee you're not getting a spoofed response back. We can go back to a single socket for UDP with cookies.

E
And so, regardless of whether or not we'll deprecate cookies, and I've got my own views on that, it seems leaving things like this is dangerous, and it's going to be a while before cookies can be actually removed everywhere, if that were the idea, so it seems like fixing it, leaving it as a rake in the drafts to come over, because we are very...

R
To handle, like, thousands of these connections, very high performance, someone said Fast Open; that's the right answer and it has cookies protection. As a DNS server implementer, we don't have cookies, and we don't because the amplification factor in our case, because we use online signing, is much, much lower. And another thing that I want to point out is that cookies...
I
How about us, Red Hat. I just want to say that I would like all the open resolvers that I accidentally added to the Internet at earlier times to have enabled DNS cookies by default, so that they're not part of an amplification attack, and even if that is the only goal of the cookies, that is a useful thing to have. So please do not kill cookies.

H
Basically, I think if we're going to spend any time and effort on things like this, we should make DNS over TCP better. We should have longer connections, because we have first for clients, and we should just bite the bullet. UDP is not for them, affects that for certain situations. And in regard to what Mark said: get over it, you have to deal with lots of sockets; you have lots of addresses to listen to in many cases. Yes, oh, so it's not right! This is my ISC hat on; I improved its networking!

J
Ben Schwartz: we've heard definitely a lot of interest in cookies from certain, I guess, recursive and authoritative vendors. I'm really interested to hear if there's anybody who writes resolvers or is responsible for large-scale stub resolver deployments, effectively, that has implemented cookies, who plans to implement cookies, and I'd also be interested to know if, between recursive and authoritative, anybody has operational experience that could inform how useful these cookies have actually been. Not necessarily here; it really may be on the list.
V
Tale. I just wanted to back up Warren's point that this is already an existing mess that really needs to be addressed on its own. I really strongly disagree with Oliver that the solution is just TCP everywhere. You are gonna get tremendous pushback from operators on that point. About... there seem to be some quite happy to go that route; that is certainly not universally the case among providers, and, you know, I think no amount of improvement in the state of BIND's networking code is going to really change that situation very much, and beyond that...

V
One of the things that, you know, in this room we're mostly DNS people, that I think a significant part of the community is overlooking, is the existing tension that we have with one of the primary uses of the domain name space, which is the HTTP community, and just how they feel about, you know, any possibility of adding more resolution time, if at the end of release, right, like this is standing alone here and saying, oh well.

A
Thank you. I would just say to Oliver, I understand what you want us to do, anything like that, but I would say, how successful have we been at massively upgrading the global DNS infrastructure with any kind of change we wanted to do, in any kind of timeframe, right? So I mean, yes, we cannot have an aspiration to go to TLS everywhere or something, but it will take decades or something at the way we are currently able to change the overall DNS infrastructure.
A
This is something that... see if we can figure out a path forward on. I'm going to talk about some stuff from the operations community, because I'm an operator, and this is DNSOP, and Ondřej has some sort of implementer, sort of other views in the world, and some experiments he's done, so sort of going to blend it here. So.

A
Why do we do this? Because SRV works, but it only works on robots; humans can't deal with SRV, or be anybody, work, but it's not a CDN, right. You should put their users right, and this is not going away. I think, you know, that this is what I see: we have a generation of engineers now that just assume that you can have a CNAME or some sort of synthesizer at the apex of the zone. Why? Because the clouds all support it, right, and I tell people...

I
I'm not sure I agree with the definition of the problem. I mean, for me, the problem is that users have a domain name and they want this domain name to be hosted somewhere in the cloud, and so they need some sort of indirection between the domain name and the server name. We already have a clean solution for that: it's SRV. Now, I've been to the HTTP meeting yesterday, so I know it's not easy. There are a lot of problems, but my feeling is that whatever solution we find, ANAME or whatever, it would have also the same sort of problems, corner cases, transition, etc. So that's why I suggest not to frame the problem as "I want CNAME at the apex", but rather "I want an indirection from domain name to server name", and then we have several possible solutions in the stories I'm...
A
...going to go anywhere with that, and I'm just saying we just need that editor and a path forward, right, because then we can, if we can pick something that we can move forward on, and it's something we can, you know, build tooling around, then we can get a path forward to, and we can, you know, I can use my stick as a, you know, as a vendor, as a, you know, customer of a lot of vendors, to be doing and to make changes, right. I'm very well, yeah. So.

A
This also needs to support alias plus MX for subdomains, not at apex, yeah. So I'll put on my hat and say it to Roslin. So the problem, right, is that we all used to run our websites; well, many people ran their websites on www.example.com, but then we got tired of saying www, so we started just saying example.com, yeah, and now we want to do that really on a non-website.

A
If you go and you pull the .com zone and you look at the NS records, you will see probably the largest percentage of AWS records in there, right. I don't know that, I, you know, somebody's note, but that's what we say. I just want to get to a place where I can actually support, you know, domains in sort of multiple places, that I can actually transfer between clouds, right. Help me get there, right. You guys are smart; help me get there.

R
Do something, please. You had something new and I'm totally not... yeah, no, okay, yeah. The second one is that my personal preference would be to go with the SRV solution, but I understand that there are complications and indicators for that. So just know: ANAME, I guess, are we, but yeah? If you have done something better, that's...
A
No, I'm going to sort of chain those doors, and that was an interesting discussion, and Shane Kerr made some great notes up there; I think he posted an SOB, and one of the things it was about was, I think they should be attached to our minutes, because I think there are some really good conversations that went on in there, and I'll ask the people that contributed if they're okay with that as well, so, but yep.

C
Let me say that maybe there is a better solution here, right. It may be the right thing to do. The reason that SRV records don't work is because then you have to do more lookups, and that's bad, and we already talked about the TCP delay a second ago. Here's the deal: that doesn't prevent software from offering sort of better solutions to the people asking the question. If you're asking A, then maybe you could retry a certain, excuse me, you can return the SRV record, I mean.

B
I personally reject the notion that this is driven by demand from another protocol; yet this is driven by the meatbags who are typing on the keyboards, and they want convenience or death. Yes, right, those are like HTTP. It didn't cause this, right. The fact that someone wants to type one word caused this.
AA
Instead of hosting your own zone, you locally host the parent, right, so you can have a CNAME at the label. Now, this was a terrible hack, and yeah, a lot of people have done this, and I just checked: it still works, they still have it, and it's a horrible hack. We need to get away from that, and I love this discussion; I think it's very, very important to solve. If we don't solve it, those hacks will remain, and will remain forever.

AA
It also means you can be priority in a sector, et cetera, and one thing I learned last week about minimal responses: it's a binary configuration statement, and it is that you can make it so that A questions respond with the NS records, okay, so that makes the main response right in the absence of amateur actors; only NS records at a child's anyway; they're not necessarily, in my humble opinion, the confuse of helping little people.
O
On the Internet of several that have been used, I'm reminded of what happens with, you know, the many applications that I've used over the years, so you're using SFTP, using gopher, and using, like, a variety of these other services that inherently date me, of looking up stuff on Archie and such. In looking... Yes, thank, I'm trying to melt your brain. No.

O
So in looking at what happens, there's a lot of special handling cases for how applications deal with certain things like CNAMEs. Like the mail servers: if you email a CNAME record, it will actually rewrite the addresses and the headers to go and match wherever that CNAME follows, mister, and it may still, yeah, yeah. So there's a lot of, like, historical experience with how we handle this, but there's also, if you would email, you know, a hostname and it didn't have an MX record.

O
If, you know, the sendmail, Postfix, whatever, will try that direct IP address, which is what we're seeing from any of these applications today, and it seems to me like an acceptable way to address some of these things is to go and assign some record types for these applications. They don't have to use them, just in the way that mail doesn't have to use them, but we have the opportunity for them to use that capability to then go and follow something, be it, you know, the ANAME.

O
You know, the alias or whatever, and go and provide a method such that somebody can do stuff too. So they can go and say: hey, I want to do multi-CDN, and I want to use Charles' network and share its network together in some way, and it seems like it's... we need to at least try something and present that to folks. Damned time from user is a key, key thing that we need to focus on, is not so much.
A
Interesting, he would deepen that, right. Thank you, Tony. So, and I was actually sitting up here, for my sake, to say to us, this isn't four o'clock, I mean, thing, I... This is a user... like the use of DNS has developed, you know, as we... and we're getting that feedback back in here as the operators' maturation, proof that the use of DNS is evolved in the way people use it out there, because we do, yeah, people don't want to type in...

A
And they will wind up being stuck in too centralized, you know, proprietary systems, because of the fact that, at the end of the day, I have a business goal. I need to make sure that my website works at units cited org, all right? I gotta have it. It's got to be there, because that's what people want to use in some way, all right. Now, mine does work.

A
...be able to do that; this is good. So if my business goal is that, and some vendor says to me, I can do it for you, it's simple, you push this button, for you, right now... maybe it means they have to foil my DNS and everything else, all that stuff, and I have to host with them and everything else, but I'll do it, because my business is that example.com has to be there without www.
B
...or co-chair. I just heard Jose, the first one that said something; Dan just said some of it, and it seems like we were driving a protocol change down at this level for a change way up in meatspace, and I'm a little bit... those make me nervous. There may be no other way to do it, but we really need to be careful about doing this, because, you know.

R
...ends up in a name, you have to do a second thing anyhow, but the complexity thing: we have software to solve that. No one writes HTML code by hand anymore; there's a reason for that. It's complicated. So we have software tools that help us with that. So I see a business niche for someone here; I'll take it if you don't: to stand up an online service, configure-my-DNS.com.
S
If there is a CNAME next to... showing no other records... hell, from an implementation perspective, still, allowing a CNAME at the apex, or together with something else, will be very hard, because there's no incremental deployment; all the resolvers first have to be adapted before people can actually use that feature. So the moshe proposal already eight years ago, which is very recently being updated, I believe, that later.

S
DNAME, that it does work for everything under example.net, but not for example.net itself. It's not the thing that he uses. The ANAME expired on my birthday last Sunday, but I think it moved forward and it addressed things that, like trying to initiate a solution to a stupid... and so I don't know, I guess it could just be accepted again to work on this, from my perspective, but also.
H
This hackathon, I ran this little experiment, because we're talking about... with rewards, and in a great tradition of running code, I wrote some code. So the goals of the experiment during the hackathon was to put the CNAME plus DNAME in the zone and to see what works and what breaks, and the other experiment was CNAME with DNAME at the apex. Put them in today's resolvers and see what works and breaks.
H
I hacked up BIND to allow the CNAMEs everywhere, basically, and I'm running it somewhere on my machine, and these are real names, so we can... well, no, please listen to me, then go play with them. So the DNAMEs do exactly what they say, and if you want, email me and I'll send you the contents of the zone, so you can see what's there. So the CNAME at the apex: I just did a BIND, ballerinas, recursor, resolver, Google Public DNS. Very sorry, Public DNS is probably running at one apiece code.
H
The most common case is that the CNAME masks everything in the apex, even the A record and NS records and MX records, everything, it sort of votes. But everything is like right here: X, it is your target domain, and I'm not sure this is like, if it's orange, yeah, as you can see, I learned to use the colors in the presentation. Next step: is it connects on C?
H
It's a pretty... working group, I'm just like, I just found it: if you even put the CNAME plus DNAME, similar to what Roy said, it's early for... so it might be like an interim solution before we come up with something that's right, well-designed. It doesn't really replace ANAME, because it redirects everything, like, this is no... because ANAME is only for A and AAAA records, but the CNAME plus DNAME redirects the whole domain to a different part of the tree, but it provides a quick okay solution. That's the problem!
H
Space is a little bit different than I am, but it's worth thinking about, it might be a solution also. It will look like... me to TLDs to support this, but if the TLD is willing to support IDN in a very large way, right, that might be a way forward: by putting in a DNAME, sign it, and then redirect all the IDN domains to the light device domain.
L
I think this is worth writing up. I would not suggest progressing it because, as Tony said, this is the BNAME issue, which is it, totally. The CNAME does... the records at the apex tend to be for stuff, for, like, your mail server is here and your webserver is there, so a DNAME at the apex is an ICANN problem, where it's like, I have this Chinese domain and that Chinese domain,
L
where the characters are written differently, and we've gone around and around and around with that, and the conclusion I have come to, which I think a lot of other people have come to, is that this is primarily an issue of... probably the problem they're trying to solve is primarily a problem of provisioning the application servers. So, like, when, you know, you can put in a DNAME, like back when .cat had DNAMEs, you know, you had...
L
You know, just, where something.cat with accents, and it would DNAME it to the equivalent thing without accents, something.cat, and I looked through, I just sort of did some samples, like how many of the web servers are actually provisioned to handle both names, and the answer rounded to 0. So it's, yes, it's an application provisioning problem, as I see it, but by the time you can provision the applications to make the web server work.
A
I think we want to work with the HTTP folks... that conversation yesterday, he sort of led me down that path. I think we need to figure out some sort of, see if we can sort of bridge that gap, and yes, yeah, and the minutes, such a note, I think we're going to add them to the minutes, that he will add to the minutes for DNSOP, and our policy standard about that. Mr. Hoffman, no? Okay, it was explicitly.
D
Discuss... the more important than what happened inside yesterday is how much interest there is in working on this, and we're happy to host the discussion and ideas here as long as that's appropriate. If we find that there's a gap, for instance that there's a different set of people that need to be there, no objection to it.
U
Since the last version that we presented, there was expanded text in the signing algorithm considerations section, and there are two new sections on authenticated denial algorithm considerations and key rollover, and there's a couple of additional edits in progress which we haven't published yet, by the end of the week. So the early versions of the draft had a lot of material in the front end that basically presented a kind of taxonomy of possible deployment models, and, we... maybe the most interesting part of the draft are the new stuff.
A
Right, we think this is, it's informational, it's operational, it's good guidance. You know, we're not breaking anybody's... you know, for some people to do stuff, but it's something that is happening now, and we're trying to do, but other people are trying to do as well. So, you know, please take a look at it and please read, and we've gotten some good feedback this week. You know, the call for adoption is open till Friday, so, you know.
AC
Something that might be useful to add to the draft, which is: we already know moving vendors is difficult when you do DNSSEC. Does this model add any more complexity to the problem, if you've deployed with your vendors and then you need to change one or both of them? So maybe we should just have a discussion section on the following: we don't think it adds problems, or, all kind of, we thought about it, it does, right.
U
Yes, right, okay, that's a good point, so that was on my to-do list. With your second, yeah, migrating from one provider to the other, how would you do that in this configuration? I think actually the mechanisms proposed in this model about synchronizing keys across providers does actually help, so I think that's a section we're already planning.
B
It sort of intends to break DNSSEC in interesting ways, and it's sort of a weasel wording of, well, you could do this or you could do that or you could do another thing or you could sign on, things like that, and it would be nice to have a much more vague statement on that rather than... I don't, you know, I don't think this is ready for adoption in the current form because of a particular set of problems. Okay.
L
Really, now I'm going to say more or less the same thing as Paul, which must be unprecedented, but to me this smells like an experiment. I think the experiment is, you know, can people actually figure out ways to implement this with DNSSEC that works? You know, and, you know, like, is the fact... I think creating an architecture that requires online signing is, I think, a fairly significant change to the model.
L
You know, and then, you know, and then there is this sort of a whole meta question of, in the way we've done this stuff historically, is we've come up... You know, like, I have zones that create zillions of records on the fly, but I use not servers for it, because I said, oh, I don't see what I'm doing to be ubiquitous enough to try to push it into a regular DNS server. I guess the other...
A
number of records by $GENERATE or similar technology, to be able to transfer those records from one server to another server, and that's seriously a relationship. For example, you know, a large ASP, you may have customers that want to be able to own their records but have a copy in a more reliable environment and send that information, but they're too large to actually parse through all of the possible permutations, so being able to transfer the records is a big okay.
L
There are people who believe that generic reverse DNS for v6 is a good idea. I am NOT one of them, so I think that goes back to the question of: does this solve a problem that should be solved? You know, within v4 addresses, or within any, you know, number, and if you were actually enumerating the addresses of actual devices, I think it's fair to say that with modern DNS servers you could use a zone, maybe large, but it will be tractable, well.
V
The DNS phase is really quite an amazing claim to make, given the number of ways we try and push the DNS protocol in all directions, and even if you're using incremental updates for, you know, this zone, you still end up with a nine hundred megabyte zone. It seems right, like, so v6 reverse is not the only use case. The CNAME mapping case is another one. We have encountered others. One other way that $GENERATE has a problem, that I don't think I heard John mention, was that it also has a real hard problem with carve-outs.
V
They've encountered this problem operationally, like, if you have a special record that kind of breaks the pattern in the middle of the zone, then your $GENERATE can't... like, say you needed to add a CNAME for some reason. All of a sudden, your $GENERATE pattern creates an invalid zone. You have to fix that up with them, they give you separate $GENERATE problems. And then the idea, while I can appreciate the sentiment of saying, oh, oh well, and then we should just do away with $GENERATE, that doesn't actually make the use cases go away.
AD
To be a cbq, though, so I think there was earlier some question about how often this case happens, and if we're looking at reverse DNS measurements, we see that around 15 to 20 percent of those are already doing some form of dynamic generation from the PTR records, and I think there's a current draft in v6ops talking about how to handle reverse DNS / PTR for v6 deployments, a nice piece, right, so.
A
I'm just gonna say, John, thank you for bringing this here. We have been asking for quite a while to have operators bring real operational issues that they're having into this group, so I wouldn't want to just say thank you for bringing this here, and I would say to Mark, or, to, you know, again, these are the issues that people are seeing as they try to solve the business realities of implementing this stuff, and I understand where John's coming from, understand. We.
I
So I gave this presentation at the ICANN ideas meeting, so this is a reassuring version, because everybody here is indeed an expert. And so one property in DNSSEC, when we start using a hierarchy of trust, is that, you know, parents are not as trustworthy as we might like. They might be coerced. They might do things that we as a zone don't want, and most people believe that the most powerful key is high up in any hierarchy, such as the root key or any of the equivalent.
I
We do these bad things, but there's people who say that, you know, as long as this system is rooted in the trust of those high-level top-level domain and root keys, then we cannot trust this because it's all under control of governments. So that is one part, and the other part is that we really want to do DNSSEC transparency, and we currently cannot do that because of a few limitations. So what are the attacks that we actually need to prevent against?
I
So one of them is the sort of deep link attack, right. If the .org domain says, you know, archives.ietf.org has this key or this DS record, then they can just skip the delegation for someone. And the other attack, of course, is that someone can just take over the entire tree and sort of flip the child out all by itself, and no one will hear it scream.
I
So the proposed solution is to add a bit to the DNSKEY flags that says: I expect my parent to behave, or so, and I expect, I will commit publicly to never deep sign. So a parent will say, for instance, if it sets this bit, and say, I will only do delegations, I will never sign anything deeper beyond one label cut, so they will not.
I
So if you see an RRSIG for something in archives.ietf.org coming from the TLD, you know that this is, you know, a false record, and they have been coerced into signing this or they lost their private key or something. And the good thing is, because it's a DNSKEY bit, it actually reflects in the DS record.
I
So once you do this at the parent level, the parent sends the DS record upstream, it actually gets published to the world, and the parent can't just sneak a change to this without actually changing the DS record. So either this needs to be a really advanced, targeted attack, where you are an empty cache and you will get the DS record from the root down and it's all new, or the DS record will be completely different.
Q
Quick clarifying question: can you go back one slide just quickly? I think there's a little additional nuance here. Where you say delegation only, I think it's implied delegation only one level down. That's correct! You can't sign a delegation two or three levels deep. That's correct! So it's not just delegation, it's like all the levels below me are leaf nodes. Correct, okay, yes.
I
Okay, so, like I said, the benefits are: it's a public commitment by the parent, so it's much harder to do targeted attacks or coercion, because this is like broadcast everywhere, and a good thing is that you can do DNSSEC transparency, because we no longer need to worry about these deep signatures, because they will be invalid because of the bit. We only actually need to log the things that we care, that you care about: it's a delegation.
I
It gets changed on us, so we only need to log the DS records and DNSKEY records. And then, if there's some sort of targeted attack, then you actually have cryptographic proof of it, and shame the keys publicly and see what happens. And so I cast decides, I feel went to try and resolve PowerPoint of notes at CA. It's setting just a random key flag, like, I just stole a bit, I squat with it, and I just wanted to make sure that all the resolvers behave properly.
I
Some problems, or at least some less nice properties, would be, so first of all, as Mark said, we've got the non-terminals, so people like co.uk, or I think the enesta, know they would have to split their zone and create sub-zones. Designed is probably... the second is, it doesn't protect the records in the child apex itself, but those tend to not contain public key information or fingerprint information.
I
My child speaks for itself, Devine. It also implies that your parent cannot undo this commitment for you, so it actually works both downwards and upwards. So if you then see that, so let's print and say, if "no one thought" dot ca is skipped because the root goes directly to, I'd say, "any day skip" dot ca,
I
that's not what you expect either, if this bit is set, like I said. So you're basically also setting a bit to say something about the parent not skipping you, so that's a little bit extra security, and it also would mean that the root doesn't have to set this, because if .ca sets this flag and says, I will, you know, I will never skip my children and you should only follow delegations.
I
It also kind of means that the root should not be able to override that commitment by the .ca key. Like I said, if you do the exemption for the prefix ones, that will be good, because the regular host names cannot have an underscore, so it would really only address the services and it doesn't affect existing hosts, their names. And then one other idea I had from someone.
Q
With that, are those all the questions? Hi, George from APNIC, so two different points, but they might be versions of the same thing. If you have this, and if you had a complete chain from some terminal delegation point all the way up through the zone cuts to the root, then, if you're thinking about query minimization, the hunting problem of where is the zone cut has actually been solved.
I
So, to a point, because, if you're an empty cache and you asked for an A record for backup noise at CA, you could still get a deep-signed answer directly, right. You don't know if there is a zone cut or not, but if you're told that there's not, how do you have any reason to believe it? But if you, you know, follow this down back, so, on an empty cache, this doesn't actually work, so you're still true.
Q
And then this data doesn't work but for a cache-crept resolver. But if you have the signal in the DS and the DNSKEYs of the zones you are looking at, you know, I don't need to worry the question for sisters, art ins, because they just said they don't do it. But that was the first part. The second part is kind of a counter statement, which is, it's because of things that people say to me: in X.509 PKI, children cannot force parents to behave, and so this is a statement of.
AA
Came for secondary parents and Dutch this trick, right. Actually, there's like a delegation-only, and just for clarity, there you need to clarify a little bit more. You don't have to do that now. The difference between delegation-only and single-label delegation, right: you can delegate two levels down, but, right, that's just clarification. And a parent that sets the transparency flag basically can still be coerced, not to do deep linking, but, at that one label down, it can actually delegate somewhere else under its own control. Yes, and then.
I
Very deeply, yes. So again, that's why you still need a kind of DNSSEC transparency, where you will see that they changed keys, because they don't have the private key, right. So they have to change the DS record of the child zone, but they're taking off a shared bit, and so you can log that. And then, I mean, yes, like, that will always be the case. But without this you can actually not log anything, because you don't know how deep to go.
AA
Just trying to limit the level of coercion, finish, that you're trying to protect in... The other thing is, this seems a bit similar, from a point of view, as the label counter in the RRSIG records, where you basically say, I've signed this many levels, and this is to protect against crosstalk stuff. So that's just not right. Thank you.
I
To take C records and everything, that's just fine as long as they don't contain more than one dot, because then you're not actually skipping a label for the off incluye, right. So any, any certain advantages, and you take on the orphan glue route and be considered an illegally signed record and would be rejected. Yeah, yeah, to be fair, you shouldn't be often.
J
Ben Schwartz, so I think I may have asked this question on Friday, but so I'm a big supporter of DNSSEC transparency, really excited about that. I agree with your analysis that DNSSEC transparency requires a commitment from the zone not to do deep signing. What I don't understand is why that commitment needs to be in the DNS or even machine readable. It seems to me that a commitment not to do deep signing written on paper for humans is sufficient for DNSSEC transparency, but now.
C
Wes Hardaker, yeah, it's a scalability problem, that's really what it comes down to, is that if you don't signal it within protocol or signal it somewhere, then it's very hard for anybody to figure out, you know, what can't be logged, suffix list, right. So this is basically, you know, we allow a transparency-type logging to happen at this particular point in the tree, and, you know, going back, that's really where all this stems from. I sat on probably three or four trans working groups where it's coming back, yeah.
C
You have to log every DNS response ever, you know, received, and so it's an unbounded, right, it's an unbounded problem. This bounds the problem, so that, if an NS record even changes or an organ record changes, that is now detectable over the transparency log, whereas before it was very hard to tell, you know, without reading everything under the sun, including NSEC and everything else that was needed in terms of, did you ever skip, then, yeah. So, so.
J
The claim that I'm making here is that it's sufficient for, to do DNSSEC transparency on the root, it's sufficient for the root on paper to say we're not going to do any deep signing beyond the TLDs, and then you can do transparency on the root. And similarly any TLD, or ICANN by policy across all the TLDs, can say the TLDs won't do any deep signing, and then you can do this for all the TLDs. So I don't... I!
U
Just want to make a comment on that point, which is what I wanted to do right when we were first discussing these ideas a few IETFs back. I remember we were sitting at a table, and your assumption is most of the TLDs are delegation-only, and that doesn't appear to be true, because instantly there was an argument from a bunch of TLD operators saying we have lots of deep names in our Quixote, so you can't do this unless.
C
So I'll continue in... again, I say, as a co-author, I should mention Emma. So, so, fun, I've had some discussions about this, but really we would like feedback on especially these bullets in terms of what should go into the document. Don't change the slide on me! I was about to talk to them in terms of how simple or how complex to make the signalling.
C
Could create new sub-delegations in TLDs, and then there's ways around it, whether you should include a depth. My suggestion for the "does not protect child apex data" would be, you know, we limit the types of things that a zone with that bit set can do. It can include glue, and, you know, DS records and NS records, and that's it, whatever delegation requires. So it shouldn't be able to spoof child records at all, and then prefix labels, sort of the same thing. It's.
C
That's not really how it's designed, and then we've also talked about whether we should have one bit that signals both upward or downward, or whether we have one bit up and one bit down, and things like that. So, feedback on the list, because I don't think there's enough time here today to go into it. But please do comment.
D
For this draft, it does sound like more discussion is warranted on the list, and in particular reviewers would be helpful, but, you can, you folks with operational interests and needs here. Also, don't forget the CDNs working group last call is open. If you haven't read that document lately, go take a look at it and tell us if you want to publish it, and if not, why not. Tomorrow afternoon, well, the 6:10 to 7:10 p.m. slot in the big room next door, and.