From YouTube: IETF102-DRIU-20180719-1550
Description
DRIU meeting session at IETF102
2018/07/19 1550
https://datatracker.ietf.org/meeting/102/proceedings/
Can you hear me? Can you hear me in the back? Okay, thank you, or you can speak less loudly. Hi, I'm Paul Hoffman, I am chairing. So someone just told me... I just revised the slides. Someone told me that many people were... hey, folks, folks were starting, and when we say "we" I mean me. So I was just told that there were multiple hallway conversations today about the BoF, and many people didn't understand that this was not a working-group-forming BoF. So let me emphasize, and that's not a change, that's always been the case.

This fall, and by the way, there's the... what's in the middle of that? I can... I'm not seeing that here. Is that... thank you. Warren, handle hardware. Thank you. So the origin of this BoF... oh, and yes, thank you, and by the way, I am sucking today as a working... as a BoF chair. I'm late. I did these slides moments ago and I forgot to start the blue sheets. Warren, would you do me a favor?

So the origin of this BoF was that there were some issues that came up on the DoH working... in the DoH discussion that weren't DoH specific, that they were sort of side thoughts, and people said, oh, we should deal with that. We didn't want to deal with it in DoH per se. I talked to the area directors and they said, sure, let's have a BoF, but let's not assume that it's working group forming.

For me, there is some interest in some of these things, but as you'll see when we get to the topic list, they're quite diverse. Writing a charter for a BoF with a whole bunch of diverse ideas is easy. Writing a charter for a working group with a whole bunch of diverse ideas ends up in tears. So a working group or working groups might come out of later work, but there's going to be no charter discussion today and there's gonna be no charter discussion at the end.

In fact, we sort of have a foolish agenda, although I could be wrong, and the speakers might be fast, and so I'll be surprised. So please don't think of this as the first meeting of "jewy"... I'm sorry, "drew you"... oh yeah, I can't even pronounce it. I purposely chose it so it wouldn't be able to be pronounced, and I've just proven that that's true. Yes, and Marie says it's French, which is good because I don't actually speak French. So this is...

I'm sorry, now it's at the bottom. All right, thank you, and the little square gives... I am now fuller. Okay, so here's the agenda, and I might actually take up a reasonable amount of the 15 minutes, because we've got a couple more slides for those of you who heard about the BoF but didn't actually read it on the... the BoF, the IETF, the BoF wiki will do that. We've got a bunch of presentations. Do you need to hop in on Meetecho?

And actually I have no good excuse for being this disorganized. I was going to do this all at lunch; I was having a nice lunch and I totally spaced it out. So we've got a bunch of presentations from people who said on the list that they wanted to do things. We've got slides for most of them. Sara has said, if we don't get to her, that's fine, but she has no slides, but the levels of security and privacy is something that's very interesting. We will go through this.

If there's, you know, time at the end, great. I'm now going to hold this guy again. So on the... the reason that we got this BoF approved... so for those of you... I know that there are some newcomers in the room. When you propose a BoF, you have to actually sort of say what you're going to talk about, and is it working group forming, and such like that. Since this wasn't working group forming, the area directors and IAB, whoever approved it...

Actually, let me throw up just like a bunch of bullet points, and so these are three of the bullet points. The first one that made me think, oh, we should do this, is: right now, you know, you get the address of your DNS resolver from DHCP as an IP address, with no indication of, is this actually DNS over port 53, or port 853, or DoH, or some future thing? So how to identify that now? What we will have actually is some presentations on, do you even want to do that?

Is this a good idea or not? And so, you know, that's one of the ways we'll start. For people who care about their DNS resolver running over TLS and actually wanted it authenticated, if you've gotten an IP address, well then, you're gonna hope that that IP address is in the certificate. Does that work? Now we don't have any slides on that today. No one actually wanted to step up to that. There are lots of ideas in that area.

So, you know, that could be an issue, but again not an issue for today, but if this is something that interests you, something for the mailing list, because we do actually care, for DNS over TLS, and well, I'll take DoH off for a moment, how do you authenticate? So I've just mentioned two different transports for DNS, port 53, port 853 with TLS. The second one seems to have some security properties. Now, which security properties it has for you as an end user is up to you.

Although in the IETF we tend to tell people what they think the security properties of something should be. So, do we want to tell the users what they are? Do we want to rank them? You know how... how does this happen? Again, no slides on this today, although Sara might deal with this a bit if we get to her, but this can be tricky, and that's... I thought there would be juice in this that didn't come up on the mailing list so much. Flipping it around:

How can a resolver that is sitting out there say, I've got these capabilities? That gets even trickier. Again, not a discussion for today, but many people had expressed interest specifically in this on the DoH mailing list before, probably before draft four or so; this fell off. But it is something that might be nice to do without the client just probing, and I believe, Ben, the Android client goes out and just sort of probes, right.

Oh right, yes, so, so, and we also... I mean, God knows that, because DoH allows you to specify the endpoint of the DoH server with the URL, someone could put a ":853" in the middle there and make everyone... one. So these kinds of things, though, might want to be discussed at some point. And then the last bullet I had put up there, I thought this was actually really interesting; no one showed any interest at all: is that we actually have a DNS URI. Up...

I saw... up, Ted, yes, Ted's... Ted's out there cheering with me, hey. This is like, we have a URI scheme. If someone says, you know, what's your DoH server, you know, and it needs to be a URL. We've got a DNS URI for the other things, right. Is this useful? Probably not. So that's... that's the topics for discussion for the mailing list, and again, for those of you who are in the wrong room but think now... think it's interesting, that's how you can get on the mailing list. But for the session today:

This is the agenda, and I want to emphasize that these are maybe related, maybe unrelated talks. This wasn't meant to be a grand plan. These were the people who stepped up to say that they would do this. So any questions on the agenda? Cool, okay, Tom, why don't you start off? Oh, why don't I make it so you can start off. Oh boy, I...
Cool, thank you, all right. So when we, when Willem and I talked about doing a DHCP option for secure DNS parameters, Ted Lemon challenged us to, you know, think about the threats that we would be solving, as well as the threats that we would be creating, and so we decided to do this analysis first. Well, probably at the same time as we were doing the document. I used the... there's a modeling of threats called the STRIDE method, and that's what I used here. It doesn't coincide exactly with the RFC that Sara has produced that talks about threats. That might be something we would synchronize in the future, but we identified these threats: disclosing information on the... on the wire, basically of packets that are going by and being able to tie them to a client; on the resolver itself, being able to log or analyze or use the private data.

The queries or the responses could be tampered with, either on the way out or on the way in. There's not a lot you can do to the query, but I was thinking there's one thing you could do, is maybe if you changed the class when it went out, and then when it came back with no response, then you know, maybe it wouldn't... the software wouldn't check that the class didn't match or something, and maybe you would end up with denial of service there. But the responses could be modified.

You know, as far as what mitigations are available for these threats, there's, you know... if you talk about, if you think about, before we add extra parameters to DHCP, what can we do today? There's nothing we can really do about the information on the wire. There's nothing we can do about what the resolver does with our queries.

So next, if we add the... add in it, like an option, a DHCP option with a name, that... that helps us here, because now we know, if we have these... these extra DHCP server options, we know that TLS is supported or DoH is supported or whatever. So we can go right to that on that port number and don't have the delay.

You now know that you're talking to a resolver that's probably, if it has a TLSA record, it's somewhat respectable. It may not be... may still be doing bad things, but at least you can clearly identify it, and I think that's a big step forward, because now it becomes part of the reputation system, that we can decide, these guys really are these guys and they're doing something bad, as opposed to someone who's rogue.

The... the server that Sara runs, dnsprivacy.org, already has a list of servers that have... that are reputable. That could be a starting point, but the foundation of having authenticated servers gives us the ability to then build this reputation and know that we're talking to... about the right servers, that we... that are... that are authenticated.

So, to summarize, DNSSEC does help us know that the information we're getting back from DNS is authentic, whether or not the... the DHCP server sent us to a good DNS resolver or not. If we can verify that the... the answers are correct, then we don't care. So that's an important... important part of the integrity of the answers, but it's not... doesn't get us everything that we need, and being able to authenticate the server itself, through, you know, the certificates of... over DoH or DoT, helps with the integrity of that server.

Sara Dickinson: I just wanted to just clarify slightly the list of servers. We've gotten, doing this previously, DoT; we're quite careful to say that we can't vouch for them, from... the servers that we get in, that developers run. We are just saying what we've been told, and that's one of the issues we're trying to solve, is that we can't verify what they say about their operations. Sure.

So one of the problems that we have today is, it's hard to deploy DNSSEC; it's hard to get DNSSEC deployed everywhere, because of all the middleboxes that are there, that are UDP, and you don't know they're there and you don't know how they're interfering with the responses. And so if we could use TLS, DNS over TLS or DoH, to the resolver, we could... we'd have the ability to get DNSSEC responses back, probably much easier. That's what they found in Stubby, and I...

... DoH provider or a DNS over TLS provider, and you have some basis for trusting them. You have some kind of legal agreement with them. They have some kind of fiduciary responsibility to maintain a certain set of agreed-upon standards as to how they deal with your query data, your query data stream, and so forth.

If you were there, there are a variety of different ways that you could get the information about that resolver into your laptop, or whatever it is that you're using to do your name resolution, and in order to do a security analysis, in order to do a threat analysis of this sort of space, you need to start at that level. You need to start at: how does that information get into the resolver? What are the variety of different ways that information could get into the resolver?

What are the attack surfaces that are present, given each of those different ways that the resolver could be configured? And then you can start talking about, you know, the next layer down. But right now you're talking about the next layer down, and that's a concern. So I think, in order to do this threat analysis, you really need to get all the way back up to 20,000 feet and look at the various different ways you can do this, and not just... not just talk about the low-level stuff. Okay.

Erik Kline: I'm on the previous slide. I don't want to start a whole discussion, but... I can barely spell OCSP, and I don't know much about it, but... what is... why would the reputation service need to be different? Is there, like, a two-line summary of why the existing stuff wouldn't work? So...

... so first of all, yes, about the reputation of a resolver or what their policies are: we have no current mechanism, other than proposed or talked about, that allows resolvers to state their policies. We have no enforcement of whether the stated policies are true, and addresses that are handed out on random networks have absolutely no meaning. Half of the hotels in the US will give out 8.8.8.8 as one of the resolvers you are using if you're on that hotel network, and most of the time I can prove that those responses did not come from Google.

TLS, either... yeah, TLS is sometimes valuable as a connection mechanism, and sometimes it's not, and so the fundamental question we have to ask, also of this one, is: what role does a network-provided resolver have to play in the game? Is it the bootstrapping mechanism to get you to a more trustworthy world? Is it something to be avoided at all times, or is it something to be used, and for a privacy or a statement about service levels of resolvers? In many cases the edge devices wanna offload work.
I'm here to talk to you about when to use DHCP. So, a little history. DHCPv... I've been around the DHCP world for a really long time. So my starting point was DHCP before the idea... when we did DHCPv4, which I was personally not involved with, it was, the DHCPv4 would configure everything in the stack: IP addresses, default routes, MTU to use, figure your DNS server, time server. Basically, all of the servers that were available.

All the services that were available on the network would be configured using DHCPv4, and it would even actually install your brain for you. So in order for that to even be remotely not stupid, there were some assumptions. First of all, the network had to be a safe place, and secondly, the host probably wasn't moving around much. If at all the host moved around, you probably needed a... a brain transplant. So it was okay that it was getting...

So when we did DHCPv6, which I was involved with, we decided not to kitchen-sink the config parameters, so there are config parameters for things we thought were actually necessary and nothing else. But we still kind of had the same idea in mind, that the network was relatively safe and hosts weren't moving around, 'cause I mean this was happening... I remember the discussions we were having about this; we're at an IETF, it occurred in DC, in, like, nineteen ninety-...

Yeah, so that was a long time ago. Things have really changed a lot since 1997. So there have been efforts to attempt to secure DHCP over time. Since then, many efforts; they have all failed. Keying is hard, getting a threat model right is not obvious, and nobody really cared about doing it enough to actually do it. And the reason why that's the case is because every time we got to the place where the rubber hits the road, we realized that actually we were trying to do something stupid.

DHCP is actually never going to be safe, and so trying to make some kind of band-aid over that isn't going to make life better. So let me talk to you about why that's the case. So probably all of you already are familiar with these things, but I'm going to recite them anyway. DHCP happens when you change networks.

That means that DHCP configuration information has to do with your network. It has to do with what network you're connected to. It doesn't make sense for it to talk about things other than that. Services that you want to use independent of what physical network you're attached to are not services that change every time you change networks, obviously. So, for example, SMTP, HTTP, SSH, NFS, these things: if you were to configure the name of your... the IP address of your SSH server using DHCP...

That would be ridiculous. So, and also, DHCP doesn't give you the ability to choose services. So, like, your DHCP server couldn't give you a list of SSH servers and tell you which ones do what; that's just not in there. So even though DHCP has the ability to configure your LPR server, it actually really doesn't make sense to do that anymore.

So we had a meeting many IETFs ago. I think I was an area director at the time, so that probably dates it somewhat, like probably around 2010 or thereabouts, and the... the meeting happened because ... was working on some... some SIP stuff, and he wanted to be able to use DHCP to configure it, and I was dead set against having that happen, for the reasons that I just explained, and so we had a big throwdown, and it was... it was fairly kind of interesting. It was...

So... so the argument in favor was that we needed to be able to configure SIP servers. We needed something to configure them with. DHCP is something where... there wasn't an alternative to DHCP, so let's use DHCP. Arguments against: DHCP provides zero authentication, so you're configuring something that you're gonna, like, make phone calls that might actually have security properties on, and you're not authenticating it in any way.

So do we want hosts to use the SIP server on the local network? What's the trust model? Does SIP have a way to, like... could we give you the SIP server information and you could validate it somehow? Is there a general principle here? And then what came back was, well, let's do the baby duck model. This is, you know, we'll look at the...

You know that when... when you have... when you plug your SIP phone into the network for the first time, it'll do DHCP, it'll get the SIP server, and it'll just remember that forever, and you know, if you move it to somewhere else, you just factory reset it. Otherwise it never gets new information. So as long as it got good information the first time, everything's good. Of course, we now have a wonderful attack surface that we've created, A, and B, it's like really not using the DHCP view... the DHCP flow. So DHCP is about...

You know, repeated refreshes of information, and that's not doing repeated refreshes of information. So having a DHCP option to make that happen is the wrong thing. What you really want is a service that actually solves your problem, not try and shoehorn it into DHCP because DHCP does that. Why? So... so? In order to use DHCP safely, there has to be a trust model for the service.

Even if you have a trust model, DHCP doesn't have any way to verify it, and so using it to configure anything that isn't just like, you need this to use the local network... So if the local network tells you this, then either it will work or it won't, and you know, like, what's your... what's your default router? Well, it sort of makes sense to configure that with DHCP, because if the network lies to you about that, you're just screwed anyway, right? So...

If we actually care about DNS being private, secure, any of those things: if you're using DNSSEC and you don't care about privacy, it's probably fine to use DHCP to configure your server, because you have... you have backup. DNSSEC protects you. But if you're... if you actually care about the privacy of your... of your packets, then maybe that's not the thing to use. So that's what I just wanted to set, the... the... the sort of background about DHCP.
Alissa Cooper: At... well, okay, so maybe these are just some of the details you left out, but actually the... the SIP server configuration stuff happened way earlier, right, like in 2002 or something. The more recent debate was about updating the document that specified the configuration option for your location server. So this is like, as you move around from network to network, you need your local location server to tell you, so that you can put it in a... to an emergency responder, and the document was published. So.

Lorenzo Colitti: I think... I think the answer to your question about when to use DHCP is "not anymore". Now everyone probably knew I was gonna say this, but what... one thing, one thing that you left out is, in general in DHCP, it's really hard to change anything, yeah, and now for DNS that may not be a problem, but generally speaking, when you're trying to configure the network information, networks do change. And so, yeah, I just... next time you present, I just add a footnote, so I never change anything, so basically... Lorenzo.

More usefully, what I could say here, I think, is that in parts of the... the people working on IPv6 configuration, there's battles going on there, but there is a contingent that would like to use RAs for a very, very minimal, can't-get-it-wrong sort of local configuration information, like addresses and routing, and PvDs for everything else. And PvD is a... it's...

An interior... go read the draft. It's... it's essentially JSON and it's TLS-authenticated and so on. So I think to some degree what we're saying here is that there are things that are specific to the network that you're on, and you don't trust them, but you have to use them or you can go to a different network; and the things that are not... and the things that are not, we need something else. PvD could be that, yeah.

Lorenzo, since I... I actually tried to set up an IPv6 network, don't laugh, and so as I was going... and this was greenfield for me, believe me... so I started seeing some things with PvDs. Can you talk a little bit, because this group might believe that there's a network other than just v6, about the status of PvDs? Is it a... Sure.

The PvD is defined as a consistent set of configuration information, and you could have, like, Comcast and AT&T on the same link with two routers, so those would be two different PvDs. You can't use... you can't use the AT&T IP address to talk to Comcast, 'cause they'll drop it. You can't use the Comcast name resolver to resolve the AT&T-only-specific billing gateway hostname, and PvDs are a way to separate those, and they're identified by... host names, that's right, sort of FQDNs. Yes, and...

Sure, so yeah, I mean, ideally I would prefer not to get my security stuff handed to me by DHCP, but if the alternative is between that and just not getting it at all, I think this is still a little bit safer than not, right?

Also, in many networks, like the network we're currently on, it has to be somebody who's actually in control of the network who's able to send DHCP responses. Like most switches now, you can easily make them block that; our Wi-Fi network, for example, doesn't let you send DHCP responses. So at least it kind of somewhat narrows down where your... where your attack surfaces are, and even if I'm kind of doing trust on first use, so opportunistic, at least there's still some encryption. And so the dude next to me, fancy me, so...

No, the point that I have is that actually using DHCP to configure something with security properties that you care about has the potential to create a new attack surface. It's not merely that it leaves an old attack surface. It's that if you land on a network where, for some reason, you can't get to the... the DoH server that you normally go to, and your DHCP server gives you a new one, you definitely shouldn't use that network, yeah.

Erik Kline: That is kind of a matter of policy, though, right? So sure, if you had no other options... in order to use a different DNS server, you need to have some policy that says to prefer something else. I mean, by default, every single person, unless you've manually configured some override, or you're running Stubby to some dedicated service, you're just going to use the name servers of every coffee shop you ever connect to.

So, I mean, we created a strict mode in... in the private DNS feature in P, where you specify the host name of the service you want. We bootstrap with the name servers on the network, just like you would use the name servers on the network to get to amazon.com. We would bootstrap to find those IP addresses, talk to it, TLS-validate the hostname in the cert, and if we can't do that, we put a little X and we don't move the user's traffic over there, right, at all, yeah.

Yeah, Joel Jaeggli, so I find it interesting that I have to sheepishly explain in 6man, v6ops, IEPG, elsewhere, why it is that I don't trust the networks enough to use them for bootstrapping, but I... you know, I'm directly exposed to this problem. So, you know, I don't trust DHCP, I don't trust SLAAC, I don't trust DHCPv6, and the vast bulk of the information I can get, I have to pass to the upper-layer protocols after I've done some kind of minimal trust insertion, typically on a management interface.

Oh, I'm on a corporate network, I need to authenticate, and you could still... that's work from inserting the USB device that was actually a malicious network, and you can't trust the network at all, and I think it's kind of the problem we're dealing with. And like in QUIC, why can't we authenticate the version negotiation? Because we have no shared key at that point, and you're in kind of the same boat with DHCP.
The idea... I mean, not all... you establish trust in different ways with different people, and not all... all the time will a DHCP option be the right option. If you're in a coffee shop, you probably want to ignore it. If you're in your corporate network, and they want you to use internal DNS, because internal DNS has all the things you have to access when you're inside the corporate network, you are going to use the internal DNS and you don't have an option, and if they can make that be encrypted, well, that's a good thing.

So there are... there are times when it's appropriate. There are times when it's not appropriate. If you want to do it, if operating system vendors say, you know, we know these ten public resolvers are good and we're going to put those in the operating system when we ship it as a whitelist, and any time you get a DHCP... for a TLS server, a DNS TLS server, and it's in that list, we'll install it in the, you know, and use that as a resolver, and if it's not in the whitelist, we won't.

So there are ways to make it better, just to, like... how the trust that you have in it can be increased based on these things: if you have a certificate that you verified to the resolver, if you have a TLSA record for that that's DNSSEC verified, and that says they won't... you know, you went a lot... through a lot of trouble to make that resolver seem legitimate, and depending on where it is and when, that might be enough, but the trust is different in... in different environments. So.

Okay, I'll do this quickly. So, a couple... just warning: we did DHCPv6 because we wanted to add more flexible option space and we wanted to try to come up with the best solution we could. We'll plan on going back and doing v4 if this is something people want. We're not, you know, wedded to this idea and we could certainly just drop it and delete the git repository. So, why encapsulated options? Well, they're flexible, they...

So a question I have is: there is already an IPv6 address option. It allows you to have a list of addresses. That's nice. We probably should want to add that to ours, because I understand Quad9 has a list of addresses for a single name, but the current option implies order. It says that you try this one, then this one, then this one, and we don't want that; we wanted it to be order-independent. So if we use this option, are we implying order?

You might ask why we didn't... you have an option for the SPKI. Well, it's the trust thing. If you were checking the certificate with the same person who sent you the address, then it doesn't really give you any advantage. And there were questions on the mailing list about order, and people wanted... the guy who responded wanted order, and just from Willem's experience with Stubby...

They would like the flexibility to be able to change, try different servers, and not be restricted by the order, and the... the fact that you can't change the options, you know, but maybe once a day or whenever you get a new update, means that they're essentially static. So we don't want that to be implied... to imply anything; it's more flexible if it doesn't.

Let's not do the "is DHCP a good idea" one again now. By the way, it looks like we'll have plenty of time at the end, and I'm not saying let's put a kibosh on DHCP discussions; I think that that's central to one of the reasons why the BoF happened at all, but maybe we can collect them at the end, especially when Sara has talked to us about security stuff. But for now, please, yep, hi.
Pat McManus: So if you're gonna do DHCP for this, we'll just leave that off the table. I read it with respect to thinking about DoH; seems mostly cool. The URI option should probably be refactored to be a URI template, which is actually the configuration primitive of DoH, and then you can remove all that text about how you process GET and POST and just leave that to the other spec, because it's... so it's a little bit wrong. If you just make the template, the DoH spec will take care of the processing matter. Okay, thanks.

Lorenzo Colitti: I mean, I know we said we're not going to bash DHCP, but did you...

But you're at the mic.

But... but do you envisage ever needing to change this, so like to change the IP address or anything else, and did you have a plan for that? Because, depending on whether it's stateless or stateful DHCP, there's... no, if it's stateful... if it's stateless DHCP there's not even a server push mechanism of any sort.

So if it's stateful DHCP, and so it's tied to an IP address lease, then clients might support reconfigure; I don't think any do, but that is... that is actually an operational consideration, particularly for a network where your upstream is moving, like, if you have a hotspot, you have to change your DNS server IP addresses. Yep.

Parvati's reddit: I still think this whole problem space is just about all the problems of the captive portal and getting a clean network, and once you have a clean network, you have known and trusted anchors already. You have clean IP towards those trust anchors. You can just use them. If they're giving you... even if they are securely giving you a privacy-secure server, why should I believe that their privacy is secure if I don't trust the network? So I don't understand all of this work, actually, yeah.

This is... after some discussion amongst folks, an idea kind of emerged, and I wanted to walk through it just to see if there was interest in pursuing it. I will say right up front, my DNS foo is fairly weak, so please don't judge me, and there is a certain amount of rapid hand-waving to this. But it's more about: is this a direction that's interesting to go in, than about the particular technical details.

So just to recap, you know, when people worked on... looking away from the mic a little bit... when people worked on DoH, the goals, at least for a lot of the people involved, were to improve privacy and censorship resistance. You know, you... you wanted to be resistant to on-path changes, so it's encrypted. You also want to make it so that it's harder to discriminate your DNS request traffic from other traffic, so you lump it in with a bunch of HTTP traffic, and that way it's harder for it to be blocked.

And so, if you're looking for those properties, then... then you need something from a DoH server. You need it to be high traffic, so it's easier to hide that traffic, amongst, you know, the DNS queries amongst other things. Ideally you want it to be popular, so that if... if someone somewhere does want to block it, they have to kind of think about it before they do. If you just use a dedicated DoH connection, you know, for example, then you just block that, and that... you can discriminate against it.

But if it's hidden amongst one of the world's most popular websites, for example, then that's a much more weighty decision to block it. And finally, you want it to be reasonably distributed. You want it to be served from lots of places, so that it's relatively close to the client, and high performance and so forth, and so on. And once you kind of say, okay, those are reasonable things to look for in a DoH server, it becomes pretty obvious that you want to collocate your DoH server with big popular websites or CDNs.

When you think about it, you know, it's not a one-way street. Serving DoH doesn't just have benefits for the client. It also can have benefits for the server, because it is co-located with that HTTP traffic, so it provides, you know, more privacy for the HTTP... the clients of that... with the website that's serving it, not only for the DNS queries but also for the HTTP queries, because there's one less party involved in communication. You know, if I'm using his DNS server to get to her website...

Well, that's two other parties that are involved at a minimum. If I get the DNS from her as well, it's one less party; that's nice. And I'll... skip down to the bottom here... that likewise has a reliability impact. If there's one less party involved, then you know that's one less dependency that we're taking, and depending on how the arch... the architecture, what you're actually serving, that can increase your reliability.

There was an interesting paper very recently, conveniently published for the purposes
of
this
talk,
although
I
didn't
publish
it,
which
explains
this,
how
you
can
have
you
know,
you
know
dependencies
for
CD
ends
and
DNS
providers
and
stuff.
You
know
it's
both
amongst
different
things
to
serve
a
website.
W
But
okay,
so
normal
HTTP,
you
know,
make
a
connection
to
a
website
based
on
you
know,
you're
doing
a
DNS
lookup
make
a
connection
and
you
go
off
and
you
get
whatever
you
want
to
get
on
that
connection,
HTTP
to
added
the
ability
to
coalesce
connections.
So
if
the
certificate
covers
two
different
origins-
and
you
have
a
connection
to
that
one,
you
know
the
IP
address
for
one
of
those
origins
open.
W
You
can
use
that
connection
according
to
a
set
of
rules
which
I
won't
get
into
now
for
the
other
origin,
for
example,
and
so
you're
now
putting
the
traffic
for
two
different
sites
under
one
connection,
which
has
the
benefits
in
setting
connector
avoiding
connection
setup.
That's
an
obvious
one,
although
it's
becoming
less
important
because
we're
starting
to
do
things
like
zero
round-trip,
but
less
obvious.
When
you
use
only
one
connection
or
a
fewer
number
of
connections
to
load
a
web
page,
you
have
a
nicer
time
with
congestion
control.
W
You
know
when
you're,
it's
very
common
on
the
web
today
to
open
15
or
20
or
30
or
50
connections
to
load
a
web
page,
and
you
have,
as
a
result
a
large
number
of
servers
slamming
data
down
at
you
all
at
the
same
time,
and
that
causes
congestion.
It
overcomes
TCPS
congestion,
control
mechanisms,
because
it's
uncoordinated,
if
you
do
it
over
fewer
connections.
That
means
that
it's
more
coordinated
and
you
have
a
better
time
from
a
congestion
standpoint.
W
So
this
is
a
very
desirable
property,
and
so,
if
you
want
those
performance
benefits,
you
need
a
way
to
get
all
of
those
different
diverse
connections.
Coalesce
down
secondary
certificates
is
one
way
to
do
this.
It
allows
a
server
to
push
a
certificate
or
proof
of
ownership,
of
a
certificate
down
to
the
client
and
the
client
can
use
that
to
say.
Okay
I
know
that
they
actually
are
authoritative.
For
this
particular
origin.
I
can
send
the
requests
on
this
existing
connection.
That
I
already
have
the
problem.
W
Well,
one
of
the
problems
with
the
secondary
certificates
is:
when
does
the
server
send
that
certificate
it
needs
some
information
about?
When
is
it
appropriate
to
send
a
certificate
that
I
hold
so
that
I
can?
Actually,
you
know,
get
some
performance
benefit
on
this
particular
connection?
There's
no
obvious
way
to
do
that
if
you're
also
the
DOE
server.
However,
for
that
origin
that
you
hold
that
certificate
for
the
DNS
request,
stream
becomes
a
perfect
hint.
For
that.
You
know
the
the
client
looks
up
a
particular
name.
W
The
DOE
server
gets
that
name,
and
it
says:
okay,
well,
here's
your
response
and
oh
I've
got
a
certificate
for
that.
A
and
here
you
go
and
now
you
can
use
this
connection
for
that
for
that
origin,
and
so
that's
that's
quite
interesting.
So
these
are
potential
benefits
that
a
server
might
want
to
think
about
when
it
thinks
about
hosting
a
doe
service.
W
The
only
way
that
you
can
configure
a
doe
server
is
to
do
it
in
the
client,
let's
say,
for
example,
a
web
browser
you
go
to
Firefox
and
you
select
yes,
I
want
to
use
now
and
you
configure
the
DOE
server
they've
put
in
one
that
they
suggest
I.
Don't
think
we
have
too
many
others
right
now
and
it
uses
that
doe
server
for
anything,
and
so
only
that
doe
server
gets
these
potential
benefits
that
we
talked
to
back
about
back
here.
W
It
would
be
nice
if
we
could
use
those
benefits
to
create
an
incentive
to
share
out
and
create
more
doe
servers.
If
you
can
select
the
appropriate
dose
server
for
a
given
piece
of
content,
then
you're
sharing
those
benefits
out
amongst
those
doe
servers,
and
now
you
know,
there's
an
incentive
to
create
more
doe
servers
in
the
ecosystem.
Ted.
Do
you
want
to
wait?
Are
you
want
to
talk?
You
seemed
very
pensive.
X
Terry
Google
two
questions
that
are
clarifying
and
then
I
probably
have
some
comments
later,
but
the
clarifying
question
is
historically
in
the
DNS.
We've
had
this
distinction
between
an
authoritative
server
and
recursive
resolver,
and
in
this
particular
case,
what
you
appear
to
be
heading
for
is
something
which
is
kind
of
neither
of
those
in
the
historic
sense,
because
what
you
want
to
say
is
this
is
willing
to
provide
information
on
a
set
of,
but
not
all
back,
end
things
and
so
I.
X
T
X
W
I,
don't
know
how
to
process
that
I'd
love
to
talk
to
you
about
it,
though.
So
one
way-
and
this
is
what
the
draft
goes
into-
one
way
that
you
might
address
this
problem
is
by
having
a
doe
client,
have
a
pre-existing
relationships:
okay
with
multiple
doe
servers,
so
right
now,
for
example,
Firefox
has
a
contractual
relationship
with
CloudFlare
and
says:
will
you
be
my
doe
server
and
they
agree
about
privacy?
Y
W
B
W
That
yeah
mark
why
a
bloom
filter,
so
why
a
bloom
filter?
Is
it
easy
just
to
go
around
the
room
and
Rose?
Why
a
bloom
filter,
because
somewhat
you
know,
you
could
say
well
just
send
all
the
host
names
that
this
doe
server's
interested
in,
but
some
of
the
use
cases,
for
example
large
CD
ends.
Aws
Google
have
a
large
number
of
host
names
and
it
doesn't
come
practical
to
shoot
those.
W
Doesn't
it
isn't
practical
to
send
those
lists
out
all
the
clients
every
day?
For
example,
you
need
the
update
period
to
be
frequent
because
you
need
to
accommodate
changes
and
there
are
potentially
a
large
number
of
clients
and
again
false
positives.
Are
okay
in
this
model
a
lot
of
open
questions
about
this?
W
Obviously,
you
know
I,
think
the
very
high
level
question
here
and
probably
the
most
important
one
for
the
people
so
thoughtfully
in
line
to
address
is
is
is,
is,
is
thinking
about
going
this
way,
a
good
thing
or
not,
you
know,
is
a
thank
you
wait.
Your
turn
is
prior
arrangement.
The
right
discovery
mechanism
is
a
bloom
filter.
The
right
protocol
element
to
be
using
for
this
situation.
You
know
lots
of
other
things
as
well.
X
X
X
This
is
this
is
the
the
set
of
things
which
are
globally
scoped,
and
you
can
talk
to
any
of
these
dos
servers
with
that.
That's
where
I
thought
you
were
going
so
I
looked
confused
in
part
because
I
completely
misread
your
document
and
so
I
apologize.
If
that
was
sort
of
a
an
upsetting
amount
of
like
rejiggering
my
world
view
as
I
look
to
your
site
and
heard
you
talk.
That
said,
I
think
this
is
a
terrible
idea
and
it
should
die
instantly
there.
You
go.
X
On
something
that
I,
don't
actually
think
are
necessarily
the
trust
relationships
that
relate
to
the
DNS
at
all.
What
I
think
we're
looking
for
in
this
case
is
actually
people
who
are
going
to
provide
answers
through
the
the
DNS
over
HTTP
to
a
full
spectrum
of
queries
and
which
are
then
checkable
right
that
they're
either
DNS
SEC
or
they're
to
a
trusted
party
party
and
you're
you're
chaining
that
trust
in
a
way
that
I
don't
think
we
have
any
experience
with
and
I
have
no
reason
to
believe
would
actually
work
and
worse.
X
There
is
a
real
risk
here
that
one
your
point
about
in
the
draft
you
know
discovery
of
how
to
get
the
first
of
these
digests
is
love,
is
a
recursion
to
the
reader
is,
is
realistically
a
problem
because
it's
a
way
of
directing
traffic
to
people
who
may
not
be
able
to
handle
it
or
willing
to
accept
it.
So
if
I
can
provide
a
digest,
that
says,
go
talk
to
those
people
and
ask
them
these
questions.
I
can
actually
flood
traffic
to
them
in
a
way.
That's
quite
seriously.
A
problem.
Sorry
can.
X
W
W
I
W
Right
and
okay
I'm
glad
we
got
here
so
right
now,
when
I
spool
up
DNS
I
trust
that
my
networks
gonna,
give
me
a
resolver
and
and
I'm
implicitly
trusting
it
right
and
when
Firefox
starts
up,
it's
a
wait,
wait
so
Mike
line
or
quiet
please,
it's
extremely
distracting.
I
trust.
My
network
with
DHCP
right
Firefox
right
now
is
trusting
CloudFlare
based
upon
a
contract.
If
we
want
something
else,
I'm
totally
on
board
with
that-
and
we
can
talk
about
that.
But
this
has
roughly
the
same
properties
as
those
do
and.
X
X
There's
a
basis
on
which
they've
done
at
the
moment
they
did
that
all
they
were
able
to
do
is,
as
was
pointed
out
by
the
line,
is
bring
traffic
to
themselves
and
that's
yes.
What
this
does,
yes
is
add
the
ability
to
move
from
bring
this
traffic
to
themselves
to
direct
traffic
to
any
place.
They
name
no
I'm.
A
X
W
X
At
the
moment,
sorry
I'm
gonna
get
out
of
loan
because
there's
a
lot
of
people
behind
me
barely
so
I
that
what
you,
what
you've
done
here
by
taking
the
first
discovery
mechanism
that
that's
prior
arrangement
to
a
single
host
and
expanded
it
is
to
enable
that
trust
relationship
from
I'm
gonna.
Send
you
DNS
query:
I'm
gonna,
send
you
I'm
gonna,
send
you
DNS
responses
and,
oh
by
the
way,
I
may
give
host
names
to
you
to
which
you
may
send
DNS
queries
and
that's
a
different
relationship
than
we
had
before.
B
B
B
We
have
another
presentation
from
Sarah
you're
up
which
will
come
soon
and
it
won't
come
soon
if
you're
online,
she
for
those
of
you
who
weren't
at
the
IDS
conference
last
Friday,
she
will
say
some
things
that
won't
be
quite
as
challenging
as
mark,
but
still
should
bring
up
interesting
issues.
We
can
keep
the
line
going
if
you
want
to
yell
at
mark.
Remember
this
is
not
a
working
group
farming
boss!
S
B
W
M
Very
discussion,
Lorenza
Colletti
prior
arrangement
between
who
I'm
the
user
of
this
thing
do
I
get
most.
This
know
say
like
my
browser,
so
so
in
and
and
I
think
no
sorry
Ted's
earlier
point.
If
I
can
prove
that
those
host
names
are
mine
and
you
would
have
hit
the
root
and
come
to
me
anyway
sure
anything
else.
Change
from
existing
behavior.
You
need
to
be
careful
about
privacy,
sure
agreed.
K
That's
warts,
so
yeah
I
think
this
is
a
pretty
cool
direction.
I
think
it's
an
I
think
it's
interesting
I
think
mostly
the
bloom
filters
confused
a
lot
of
people
and
and
I
think
it's
entirely
separable
I
think,
but
ultimately
you're
talking
about
connection
coalescing
heuristics,
which
already
exist,
and
this
bloom
filter
is
a
connection
that's
in
heuristic.
That
could
totally
be
addressed
as
a
separate
and
interesting
HTTP
concept.
W
Right
just
to
give
an
idea,
one
of
the
discussions
and
I
forget
who
suggested
this:
if
you're
in
the
room
put
your
hand
up,
someone
suggested
using
an
HTTP
response
header
from
the
server
to
say
this
is
my
doe
server.
That's
completely
different
mechanism
of
discovery
and
communication,
you're,
basing
it
on
the
authority
of
the
TLS
certificate,
I'm
open
to
a
lot
of
different
ways
to
do
this,
as
we
just
need
to
examine
the
properties
but
you're
right
that
the
bloom
filter
perhaps
is
a
bit
distracting.
W
AA
Er
Clarkson:
this
is
fascinating
technology,
but
I'm
actually
concerned
that
your
prior
arrangement
model
is
going
to
lead
into
undesirable
things
in
the
ecosystem
as
a
CEO.
So
we're
asking
about
that
and
I
not
sure
we're
gonna
have
like
five
hundred
thousand
different
servers,
but
rather
that
we
have
just
a
few
in
the
world
and
that
I
think
is,
is
a
harmful
direction
for
the
internet.
That's
why
I'm
concerned
I
had.
W
The
same
consolidation
thought
so,
let's
get
the
c-word
out
there
I
think
that
that
balancing
that
with
encouraging
these
very
large
high
traffic
networks
to
serve
doe
is
a
nice
privacy
benefit
and
I'm
a
bit
this
about
that
too,
and
that's
why
the
HTTP
header
one
was
so
intriguing
to
me,
because
it
kind
of
democratizes
it
so
that
any
site
could
serve
itself.
You
know
it's
undoh.
AA
Yeah
I
mean
this
is
worth
discussion.
David's
can
now
see.
Apple
I
wanted
to
start
off
by
saying
that
this
is
insane
except
I
like
insane,
because
this
might
actually
work.
My
main
problem
with
doe
in
general
is
right.
Now,
there's
this
massive
master
switch
where
I'm
user,
telling
everything
to
CloudFlare
I
need
a
complete
arrangement
with
them
or
I'm,
sending
it
over
the
regular
thing
which
works
better.
If
there
are
things
there,
but
it's
completely
insecure.
AA
V
Okay,
so
Lorenzo's
comment
about
user
config,
so
this
is
really
in
the
absence
of
user
configure.
I
mean
I.
Think
that's
like
a
first
order
item.
If
we
actually
get
input
of
someone
who
has
a
plan
who's
operating
the
application,
like
that's
awesome,
but
that,
like
never
ever
happens.
So
this
is
like
what
you
do
is
that
as
the
next
step
right,
when
we
talk
about
privacy
in
the
trust
models
here
right,
this
is
really
like
when
we
did
our
contract
with
CloudFlare.
A
really
reasonable
summary
of
that
is
online.
V
It
is
all
about
privacy
and
data
handling,
it's
not
about
them,
giving
correct
DNS
answers
because
they
are
a
recursive
resolver
and
it's
limited
in
scope
into
what
they
can
do.
But
our
trust
relationship
says
what
they're
going
to
do
with
our
users:
data,
which
is
absolutely
nothing
and
throw
it
away.
A
V
V
I
mean
I,
don't
like
the
centralization
of
the
way
we've
done
dough
to
start
with,
but
having
one
super
server
is
super
centralized
right
and
making
this
a
tiered
step
where
there's
a
set
of
them
is
a
direct,
great
step
forward
and
to
the
extent
where
we
could
get
into
a
lot
of
HTTP
to
inside
baseball
there.
In.
V
But
to
the
extent
where
that
stuff
works
you
keep
data
co-located
and
both
a
DNS
and
an
HTTP
level
with
the
same
servers
who
see
and
use
that
so
you're
not
spreading
this
information
throughout
the
network.
It's
also
a
truly
awesome
goal.
I
think
there's
some
things
you
can
do
around
hash
models
and
some
other
things
to
deal
with
default
cases
and
I
guess
the
last
thing
I'll
say
is:
there
are
actually
probably
policing
mechanisms.
V
If
you
have
a
trust
relationship
with
these
organizations,
you
can
get
like
a
balloon
filter,
for
example,
would
have
a
pretty
rate
of
false
positives
and
so
the
amount
of
times
they're
not
able
to
port,
far
provide
HTTP
level
attestation
of
an
origin.
If
that
does
not
correspond
with
your
rules
about
bloom
filters
could
be
like
a
an
input
to
policing.
So
there
are
some
interesting
records
to.
D
F
B
J
Erik
Niagara
knock
my
the
I
think
work
as
we've
seen
from
some
of
the
presentations
it
could
have
stuck
in
a
weird
situation
here
or
between.
We
don't
want
to
trust
the
local
networks,
DHCP
servers,
but
we
also
don't
want
to
go
to
a
point
where,
where
clients
just
go
and
pick
a
single
centralized
server,
because
then
we've
centralized
everything
or
we've
made
made
it
a
decision
that
that
is
entirely
up
to
the
people
right
in
that
client.
J
Software,
like
it
seems
like
one
of
the
properties
we'd
really
like
to
get
to
as
a
case
is
back
to
a
case
where
the
the
whoever
controls
the
domain
that
you're
looking
up
for
the
name
for
has
control
over
that
transaction
and
it's
responsible
for
providing
the
security
and
privacy
and
whatnot
properties
around.
That
seems
like
if
you
step
back
from
the
implementation
details
of
bloom
filters,
there
may
be
and
look
at
and
kind
of
step
back
to
a.
What
are
the
properties
we're
trying
to
get
here?
How
do
we
build
an
ecosystem?
J
You
could
see
things
in
an
ecosystem
where
which
has
properties
such
as
as
some
set
of
dough
servers
as
candidates
with
a
way
to
become
one
of
those
candidates
but
we'd
have
to,
but
where
there
might
be
some
common
agreed-upon
bars.
You
need
to
do
that
so,
for
example,
this
in
the
certificate
space-
it's
not
great,
but
we
have
a
a
if
you
want
to
be
a
certificate
authority,
there's
a
set
of
criteria
that
specifies
this
is
what
you
need
to
be
if
you
want
to
be
a
CA.
J
So
if
we
had
something
similar
for
what
you'd
need
to
be
become
a
doe
server
and
then
I
think
another
important
property
which
some
people
have
alluded
to
is
it
needs.
You
need
to
have
a
an
open,
transparent
and
scalable
way
to
add
yourself
to
that
list.
If
you,
if
you
have
a
domain
example.com
and
you
want
to
find
example.com
to
a
particular
one
of
these
trusted
those
services,
there
needs
to
be
some
way
to
do
that.
That's
under
your
control,
such
as
some
form
of
domain
validation
and
then
I,
think
a
big.
J
If
we
go
down
a
path
in
this
direction
than
a
lot
of
it
just
becomes
a
the
the
the
hard
problem
it
ends
up
becoming.
How
do
you
actually
scale
this
thing
in
a
way
like
bloom
filter
is
one
way
to
scale
it,
but
it
doesn't
really
scale.
It
has
some
property
of
its
own.
We
could
go
and
look
at
building
a
hierarchical
service
forest
for
managing
names
away.
We
do.
J
Q
W
I'll
push
back
a
little
bit,
I
mean
you
know.
If
there
were
multiple
dose
servers
out
there
right
now.
Firefox
is
consistent,
hash
all
of
them
out
and
we'd
be
done.
This
is
a
little
different
because
even
if
you
just
consistent
hash
them
out,
you'll
still
go
to
CloudFlare
for
one
that's
hosted
by
Akamai.
With
this
kind
of
approach,
you
go
to
Akamai
to
get
one
to
testify.
Akamai,
that's
the
big
improvement
for
privacy,
performances.
W
Q
AB
AB
A
AB
Course
that
centralizes
everything
so
like
that's
not
necessarily
ideal.
You
know,
please
the
compare
so
like
this.
It's
like
when
we
discussed
what
the
good
period
luck
does
a
little
turn.
It
is
like
idea
that.
AB
When
we
discuss
this
proposal,
we
have
to
compare
it
to
those
alternatives,
neither
of
which
is
like
entirely
ideal.
Yes,
so
I
mean
for
me,
will
I
invite
this
proposal.
This
isn't
about
FOMO
on
the
part
of
like
CloudFlare
competitors,
it's
about
like
what's
good,
for
you
know
we
have
users
or
Firefox
or
some
other
right
and
the
eye
in
the
ideal
world
right
on
the
did.
The
process
of
resolving
the
name
would
not
leak
any
more
information
than
using
the
name
itself,
and
so
and
I
do
a
world
either.
A
AB
Year,
information
or
I
would
get
that
information
from
exactly
the
person
who
I
was
doing
in
the
contact
right.
That
would
be
the
ideal
world,
and
so
how
do
we
get
close
to
approximating
that?
How
do
we
build
that?
You
know
that
Oracle.
So
sorry,
I
had
some
notes
here
so
I
mean
so
like
this
seems
like
an
attempt
to
get
near
that
on
the
you
know,
I,
don't
think
it's
a
perfect
attempt.
The
you
know,
I
think
I
think
that
maybe
it
may
be
worth
trying
to
distinguish
between
two
cases.
AB
Right
one
case
is
the
set
of
people
who
you
know
are
actually
the
sort
of
the
server
the
authoritative
server
for
the
domain.
They're
trying
to
reach
I
don't
use
the
forehead.
That's
a
technical
part,
the
people
that
are
like
really
eventually
gonna
end
up
going
for
the
tea
here
trying
to
reach,
and
then
people
who
you
otherwise
have
some
otherwise
are
just
serving.
Is
it
a
felt
back
up
right?
So
you
know
my
you
know.
AB
My
thing
is
so
student
dreamhost,
maybe
for
kosher
resolver,
so
I've
got
to
get
this
somewhere
right
and
that's
how
you
end
up
like
a
cloud
player
or
whatever
right.
So
you
know,
table
wins
worth
distinguish.
AB
Our
coupled
right
is
because
you're
trusting
the
is
to
some
degree
because
you're
trusting
these
people
must
a
lie
about
which
domains
are
assigned
to
them,
namely
you
can
imagine
a
world
in
which
I
had
a
list
of
you
know.
AB
These
are
the
exact
domains,
but
Akamai
hosts
his
ACTA
means
that
CloudFlare
hosts
and
and
then
my
backup
is
like
some
some
one
individual
right,
but
but
that
part
of
why
you're
like
I'd
respect
in
that
world
I,
wouldn't
need
any
kind
of
special
relationship
with
the
people
who
were
resolving
the
means
I
cared
about
because
they
they
wouldn't
because
I
know
for
a
fact.
We
they
weren't
right,
and
so
the
reason
why
you
need
the
relationship
is
good.
AB
You
want
to
trust
enough
to
lie
to
you
about
that
for
enforcement
purposes,
and
so
it's
probably
worth
dividing
those
things
up
a
little
bit
and
figure
out
what
our
threat
models.
These
people-
and
you
know
how
much
lying
there
do
and
how
much
we
expect
to
have
a
power
to
have
over
them
and
those
kinds
of
things.
That's
a
troubling
problem
for
IETF,
because
I
didn't
usually
have
those
kind
of
contractual
arrangements,
but
I
think
you're
right
to
think.
AB
If
that's
the,
where
it'll
have
to
go
to
make
this
viable,
but
I
think
the
way
I
think
about
this
problem
is
what
is
the
most
efficient
and
secure
way
to
promote
that
Oracle
question
and
that
that
box-
and
you
know,
and
that's
where
we
get
the
issue-
be
headers
versus
clean
filters
or
whatever.
But
I
certainly
think
it's
interesting
to
try
to
build
that
both
that,
if
we
and
if
we
can
build
it,
it
would
be.
AB
AB
It's
just
like
not
that
hard
to
get
the
enumeration
so
like
I
mean,
if,
like
it
may
be
the
case
that
you
know
I'm
concerned
about
that
for
accuracy
purposes,
but
I'm
like
if
I
had
build
a
system
that
first
ever
it
had
the
good
properties
were
talking
about,
and
the
only
negative
property
was
that
at
first,
like
everyone
wanted
to
play
to
disclose
the
domain
names
that
they
were
like
responsible
for,
like
that,
wouldn't
Bend
me
out
of
shape
in
any
way
right.
AB
W
AC
AD
AC
Yeah
has
there
ever
been
a
plank
that
comes
up
to
the
microphone?
Does
that
ever
been
a
thing?
You
now
say
actually
say
your
name,
who
my
majesty
I
did
again
those
fine
I
want
to
answer
your
original
question,
which
is
this
interesting
and
I,
want
to
do
it
by
amplifying
what
Ben
said,
which
is
there's
two
different
things
happening
here,
and
one
of
them
is
being
super
emphasized.
That's
not
surprising,
considering
the
room
and
that's
the
distribution
of
the
information.
AC
So
if
you
separate
the
distribution
of
the
information,
what's
actually
happening
technically
underneath,
which
is
a
content
distribution
network,
for
example,
is
getting
directly
asked.
The
DNS
question
from
the
client,
which
has
significant
performance
benefits
on
top
of
what
you
outlined
earlier.
We've
always
wanted
to
not
make
routing
decisions
based
on
a
resolver.
We've
always
wanted
to
make
decisions
based
on
the
client,
and
this
enables
that
so
that
part
of
it
is
super
super
interesting
and
I
would
imagine
that
all
the
other
CD
ends
in
the
room
are
saying
similar
things.
AC
The
distribution
model
obviously
needs
some
more
thought.
We
have
a
multi,
CDN
issue.
We
need
to
solve
to
put
this
to
happen,
but
at
the
core
there's
a
tech
there's
something
technically
there
to
continue
to
talk
about
so
I
think
there's
value
in
it.
We
should
definitely
figure
out
the
bits
and
pieces
and
definitely
we
think
the
distribution,
but
there's
definite
value
in
it.
That's
it
Thanks.
B
AD
Far
and
hopefully
nothing
I
say,
will
trigger
civil
langar,
so
one
of
the
other
aspects
which
I
didn't
see
being
brought
up
was
of
the
benefits
of
something
like
this
or
this
direction
as
the
incremental
deployment
nature
of
it.
So
some
services
would
want
to
run
the
DOE
server,
but
in
the
process
of
deploying
it
they
wanted
like
only
restricted
to
themselves
first,
so
they
have
the
time
to
build
it
out.
So
you'll
get
people
out
there
faster
at
least
having
DOE
deployments
the
other
question.
AD
The
other
aspect
of
this
was
that
we
are
having
some
of
these
trust
conversations
and
other
scenarios
as
well,
for
example,
origin
frame
and
secondary
certificates.
So
I
like
when
I
see
this
in
the
future,
envisioning
it
as
a
see
a
browser
forum,
kind
of
thing,
I'm,
very,
not
so
enthused
by
that
I
think.
AD
That's
probably
the
only
practical
way
to
do
this,
but
I'm
not
super
enthused
by
that
I
would
much
if
it
that's
the
only
way
that
that's
fine
but
I
would
much
rather
I
have
us
like
actually
make
decisions
hard
decisions
on
those
other
conversations.
So
we
can
feed
that
back
into
this
approach
and
say
we
have
as
clear-cut
set
of
rules
by
which
we
prove
ownership
of
the
domain
and
going
for
the
HTTP
header
route
of
like
each
domain
owns
its
own
own
resolvers,
and
so
thank
you.
Paul.
W
B
W
B
Have
the
dream
mailing
list
and
we
could
do
a
separate
one-
I
suspect
that
this
is
actually
still
conceptually
tied
to
some
of
the
earlier
discussions
of
getting
things
to
Daisy
P,
because
a
fair
number
of
people
in
line
said
well
in
the
DHCP
world,
blah
Tomaso
I,
think
they're
still
I
I
mean
given
that
it's
not
gonna,
be
a
working
group
or
if
it
is
somebody
better
tell
me
about
that.
But
I
would
say
we
could
keep
doing
this
Andreea
and
and
if
the
DHCP
conversation
starts
overloading
them.
B
Sorry,
and
and
and
mark
I
just
want
to
know
I
mean
you've
been
with
me
a
couple
of
times
this
week.
This
is
the
first
boss,
but
at
two
other
side
meetings
this
has
been
the
week
of
the
IETF
where
the
DNS
people
and
the
HTTP
people.
Finally,
like
came
together
and
said:
wow,
you
know
stuff,
we
don't
I,
don't
like
that,
I'm
learning
stuff
from
you.
This
is
really
difficult
mark.
You
have
brought
up
a
great
difficult
ending
for
the
week,
but
I
think
this
is
I
think
this
is.
B
Think
this
is
really
good,
and
so
I
would
like
to
keep
as
many
of
those
communities
on
one
list
as
possible
and
it
seems
like
the
dream
list
so
far
has
had
them
and
and
if
some
DHCP
stuff
pops
up
great
but
like
I,
agree
with
Tom
that
that
you
know
didn't,
have
a
very
warm
feeling
to
it
and
you
can
take
a
dhcp
there's
already
a
mailing
list
for
that.
So
are
you?
B
Okay,
I'm
fine
with
that,
as
long
as
nobody
and
we're
not
going
to
shut
down
the
nail
and
let
staff
the
boss
I
had
no
intention
of
it
and
I,
don't
even
remember
which
area
director
I
used
to
get
the
million
we're
not
gonna
shut
the
mailing
list
after
the
boss,
Warren
says
nope.
So,
okay,
thank
you!
Okay,
so
we
still
have
bits
of
time
here.
Let
me
go
back
to
the
slide
for
those
of
you
who
are
wondering
what
mailing
lists
are
we
talking
about?
B
B
B
S
N
Was
a
presentation
I
gave
on
Friday
at
the
I
Can
Dance
symposium,
and
what
I
tried
to
do
here
was
actually
look
at
this
from
a
user
perspective,
so
this
isn't
really
necessary.
A
protocol
talk
it's
trying
to
talk
about
how
the
user
experience
will
evolve.
If
many
of
the
things
that
we've
been
talking
about
come
to
pass
so
and
a
lot
of
this
kind
of
recap,
some
of
the
talk
we've
had
so
try
not
to
take
too
long.
N
So
we
see
a
lot
of
switch
to
encrypted
transports,
we're
seeing
switches
from
a
single
system-wide
resolver
configured
through
DHCP
to
potentially
per-app
extremely
granular
configuration.
So
what
we're
hearing
is
devices
are
going
to
switch
from
using
one
resolver
per
network
to
potentially
dozens,
possibly
hundreds.
Actually,
if
we
take
some
of
the
things
we've
heard
about
today
to
the
extreme,
so
I
will
skip
forward
to
all
the
good
stuff
about
what
all
this
can
do
for
you.
N
U
N
U
N
Let
me
skip
on
to
right
so,
as
we've
heard
today,
what's
happening
in
September
I
think
it
is,
Firefox
has
proposed
turning
go
and
by
default
CloudFlare,
and
we
know
that
in
the
short
term,
the
reality
is
that
these
contract
based
relationships
are
all
we
have,
because
we
have
absolutely
no
discovery
mechanism.
So
it
means
is
going
to
be
a
precedent
where
there's
a
period
of
time
where
that
is
what
is
happening
and
with
we're
struggling
here
to
figure
out
discovery,
mechanisms
and
ways
to
do
this
differently
and
right
now,
I.
N
N
So
we've
heard
that
the
browser
guys
are
going
that
way
and
if
you
want
to
think
about
what
that
means
for
your
end
device,
you
have
to
think
about
where
the
browser
fits
in
to
your
whole
experience
of
using
DNS,
how
much
of
your
cruise
go
through
the
browser?
How
much
goes
through
apps
and
that
could
be
different
on
a
different
device,
so
there's
a
whole
set
of
questions
around
what
the
browser's
do.
The
kind
of
models
we've
heard.
N
The
other
thing
that
I
want
to
raise
is
we're
kind
of
forgetting
all
the
rest
of
the
apps
here,
which
is
an
N
device,
isn't
just
a
browser.
There's
a
ton
of
stuff,
that's
going
on
there.
So
what
is
going
to
happen
in
that
space?
Are
they
likely
to
maintain
to
just
carry
on
using
the
system
resolver,
or
are
they
going
to
follow
the
browser's
and
go
down
that
same
route?
I?
Think
there
are
a
few
things
that
will
affect
that
decision.
N
One
is
is
that
if
native
implementations
of
encrypted
transports
in
system,
resolvers
and
system
libraries
is
slow
and
it
has
been
today-
we
sort
of
slow
within
a
sec.
We
see
it
slow
it
being
at
this.
So
with
that
being
the
case
and
privacy
being
a
strong
argument,
more
and
more
apps
are
going
to
consider
following
browsers
and
their
model.
We
do
see
an
increase
in
the
quality
in
the
range
of
libraries,
so
it's
going
to
get
easier
for
apps
to
make
this
choice.
N
N
So
you
could
say
if
all
the
apps
are
going
to
go
down
this
road,
you
could
ask
for
things
of
them
so
that
the
user
still
has
visibility.
What's
going
on,
you
could
ask
that
they
implement
various
transports,
including
transport
options
like
doing
a
sec,
but
that's
now
being
muddied
into
some
of
the
trust
models.
So
that's
an
open
question.
We
could
argue
that
apps
should,
unless
they
have
a
good
reason,
they
should
respect
the
system
as
over
and
again
this
comes
back
to
the
trust
models.
N
If
we
can
develop
good
trust
models
to
use
that's
better
if
we
can't
is
keeping
the
use
of
the
systems
over
better
because
at
least
that's
a
central
configuration
point
for
the
user,
which
I
caps
to
be
transparent
about
what
they're
doing
with
DNS
right
now
in
Firefox
I
can
see
a
very
high
level
result
of
the
dearness
query.
I
cannot
see
the
wire
format
anymore,
so
for
some
people,
that's
the
loss
of
transparency
and
visibility,
so
you
were
lying
on
each
individual
app
which
exposes
a
clue.
N
What's
going
on
and
I,
don't
know
I'd
like
to
think
we
can
assume
that
they
all
will,
because
none
of
this
can
be
enforced
in
the
app
it's
not
part
of
protocol.
It's
just
the
ecosystem
and
how
the
software
will
develop.
So
I
think
what's
becoming.
A
real
thought.
Now
is
that
DNS
is
no
longer
part
of
the
device
infrastructure
and
there
is
very
rapidly
going
to
be
no
single
point
of
configuration
for
an
end
user.
It's
probably
just
going
to
become
embedded
in
content
delivery.
N
N
Multiple
workers
will
see
a
shift
in
failure
modes
right
now,
for
better
or
worse,
we
have
the
all-or-nothing
model:
you're
Dennis
dies,
you're
stuck.
This
will
become
much
more
tied
to
the
content.
End
point
I'll
be
in
a
browser.
These
tabs
work
these
tabs.
Don't
this
that
works
this
one
doesn't
what
the
hell's
going
on.
How
do
I
D
bug
it?
How
do
I
even
start
so
and
you
may
have
the
reduced
capabilities
to
debug
in
each
of
those
contexts?
N
Will users notice or care? Probably not, because it could literally be that it happens, boom: your DNS queries from Firefox are all going to Cloudflare, for example. It could be "hey, we're doing something good for you, don't worry your pretty little head about the details, just carry on", or it could be that they actually try and explain what the heck they're doing, and ironically this could be really confusing to users; that might scare them and they might go "I don't know what's going on, just click the most visible button I see."
N
Yeah, so, yeah, in one, just very very quickly. This is the current statement I pulled from one of the Firefox blogs, and I think we've already explored the fact that this is just... We already have a really implicit consent model right now: users just log into a network and log onto the server, and what we're talking about, in a sense, is shifting the implicit consent to a given application from the network.
O
A lot, so, listening to this slide, what became very clear to me is that we really need to specify what the behavior is for resolvers that use DoH with respect to locally served domains, because otherwise they're just gonna break, yeah, and that would be kind of a bummer because we're doing a lot of work that relies on them. Yeah.
N
Say, because I think I'm right in saying that Firefox has a fallback mechanism where, if it just absolutely fails to resolve it, because obviously internal names, of course, can't, it will fall back to using the local system resolver over UDP, which should then resolve you, but with some delay. Is that right? I'd like Patrick to speak to that.
V
Yeah, there's fallback: for all those things that are .local and some other things, they're assumed to be local addresses, and DNS things aren't hooked up in DoH at all. Anything that looks 1918-ish that comes back from the resolver, the result's thrown away and you do the fallback. There's a long set of, you know, things that are made to make this split-horizon thing work.
J
Erik Nygren, Akamai. Two other risks I didn't see called out here, but I think, besides split horizon, are big important ones we should at least be aware of. One of which is that there are a lot of services out there, such as CDNs, that do DNS-based mapping, and where they send end users to is, like it or not, a result of where the DNS lookup is coming from, and today that's kind of the assumption a lot of those systems are designed with for users.
J
So there are going to be some trade-offs here that are beyond just this. The other thing is that, like it or not, unfortunately, DNS is one of the few handles that ISPs feel they have to control to implement mandates that come in legally from their governments, and I think it's going to be important for us to ... what are gonna be the side effects if we take that handle away at a large scale, and one of those is going to start doing it, doing
P
all over, okay. Sarah: this is a very interesting presentation, thought-provoking, but I got a little bit annoyed, and probably not in a way you expected. You are assuming that the state that we were in, would say, last year is something that is an agreed-on model. No, it is more like it is what we have ended up with through a small step of incremental steps that were taken because of convenience, so.
P
Some of these things that you brought up there, like multi-connectivity, VPNs, well, is stuff that we argued about forever in the MIF working group here for IETF and finally had to give up on, because nobody could figure out exactly what was going on, because of our model in the beginning. So yes, it's good, it's different, but this also is a big opportunity. We can now actually give end users error codes that have a meaning to them that we don't have in the DNS protocol today, because it's such an ... error codes, did I say that? Yes.
P
So we should think of this as a part... we have to think about it as a positive and a negative, and where we're going as to the question of censorship, etc. That goes both ways. Are we taking the censorship away from the enterprise? Are we giving the censorship now to a central authority that there's no control over? These are all open questions, and we end up with possibly having to be able to get more information from the resolvers about what they are doing.
N
I think anything I'd say, it's... What I'm worried about is that we will be tempted to solve that problem from a protocol and application developer perspective, because that's the people in the room doing the design and looking for performance gains and optimizations, and we may not take some or all of the other concerns in when we do that. Yes.