From YouTube: IETF102-DNSOP-20180719-1810
Description: DNSOP meeting session at IETF102, 2018/07/19 1810
https://datatracker.ietf.org/meeting/102/proceedings/
A: We have now a beautiful large room, but we want to have that the next time. Also, and again, so, what's on the agenda? We've no agenda, Beijing blue sheets. The document status has been discussed yesterday; you can see that on the slides, presented by Tim, and so today's pieces, we discuss work, new working group business. So, what's on the previously discussed work? It will be the large response presentation by Devi, and three new working I-Ds brought to the working group: the IPv6 pointers by Tariq, the DNS zone digest I-D presented by Wes, and 7706-bis by Paul. Good, any other things for the agenda? Everything fine, we go ahead, okay, and we want three minutes, great, so I want to. We have a very strict time schedule, so we asked all the presenters to stay within 10 minutes, and five minutes for the audience here in the room to ask questions. We really want to stick to this ten-five.
D: The first version is just a simple improvement on the authoritative server, not requiring adding work to the resolver side, and as an experimental document, and I updated after some improvements and comments, and I add an indicator, as an ATR bit in the EDNS OPT header; that feature requires this document to become a standards document. So we will just discuss, and ask, discussed later, whether this is necessary or not. Okay. The background is there, that background is that the IPv6 difficulties in the fragmentation, there?
D: We call a singular way: they did not work together, and some publications and some evidence show that there are some severe packet drops. I don't, I did, I don't dive deep into this discussion, but I think more people are more suited than me; for me, I just have one slide to introduce the ATR mechanism.
D: The intention is to cover the TCP fallback and the EDNS0 and make them work in parallel, and the ATR adds a function, as a module function, into the response process in the authoritative server to reply another response with the truncated bit set. So it's very simple and intuitive there. Note that there are two parameters that need to be paid attention to. One is the payload size and another is the ATR timer, and I discussed this in the operational section.
D: Due to the large response issues, I mean 70% of the users who cannot receive the fragmented UDP packet, large packet. So that's the first part, I mean that there is a version of that draft. Talking about a second version, I mean the 01 version, is to introduce the ATR indicator.
D: The intention of that indicator is to distinguish the ATR response from an ordinary truncated response, because some servers may transmit a truncated response at some packet size, and so that people can log some cases where the ATR response is received without the ordinary large UDP packet. So some problematic name servers can be flagged and some policy or some...
D: Some tuning can be done on the authoritative server on those name servers. That's the intention of ATR, so I introduced an ATR flag bit in the extension header, and that required a standards track document to bring this function in the document. More discussion area at it. To answer some questions on how the ATR timer should be used, and also the ATR payload size, what ATR payload size is proper.
D: Wait for the use, and also some comments and suggestions to me about reducing the prevalence of ATR, and also some suggestions, in suggest means that ATR can be implemented as a daemon, not as part of the authoritative server but another thread, another process that can listen to the packet and reply independently. So I do not go deeply; you can refer to the draft. So, so yeah, next step. It's a do you nitrate yard, or do you knock ATR indicator with the 80 bit? That's the question.
D: I would like to ask you, and right now it's a personal draft. It's not belong, current label on the assault, and I'm not sure it's okay right now for standards track, but I think that the necessity of standards track is only due to the 80 bit involved. So I personally prefer experimental first, because these have already been done in my lab and also APNIC lab. So that's all I would like to introduce and ask you. Thank you.
D: And another adding some challenging questions about the security issue, because the ATR response is an additional response, right. My quick answer is that only a few of the types of queries make large responses, and that is not why, I mean, the chart post the traffic and the type is specific. We can limit the scope and adopt some policy against the DoS attack for the authoritative server as a reflection.
F: Geoff Huston. As David said, I actually did some measurement of this at the start of the year. I'm like, it's, the resolvers that appeared to get it didn't have a problem: they either got the original fragmented answer or they reacted in TCP. So what was going on, as far as we could see, is we're not confusing anyone, but you know there's pluses and minuses here. The plus is, if you are behind network infrastructure that drops frags, this immediately cuts in TCP quite quickly. That's great. The downside is a UDP...
F: DNS spoofed DoS attack now has more packets, and the other downside is that the trailing UDP response about 25% of the time generates an ICMP that the port's been shut down. So there's a certain amount of back traffic that comes through, so there's no free lunch here. As you pointed out in the slide, it doesn't do everything. There are folk who sit behind systems that can't do fragmented IP and cannot do TCP, and I suppose at the moment they just don't DNSSEC validate, so it really doesn't matter. So it is a mixed bag.
F: I don't see any point in the 80 bit at this point. I think if the working group was going to do anything, no, there's a lot more judgment to go, but it really is an experiment at this stage and should be looked at as such and nothing more. We need to gain more experience in understanding how we handle big responses. This is one approach. I think it's actually quite good if speed is what you want and if you're willing to live with that slightly higher DDoS component. Thanks. Thank you.
I: Shanker. I, so I would like to address the concern that Geoff brought up about extra packets being sent, so the additional amplification. The extra packet that's being sent is a truncation packet, so it's quite small. So I realize that it can result in an extra packet being sent, but also it's in the case where you're already sending truncated packets, right. So it's all. This is only...
J: IPv4 as a service is coming to us all very soon, if it's not there already. We should be consistent about the size we're using, the churn, regardless of which transport we're using, because you've got the same issue, driver visa, for IPv4 as a service, as in tunnel, as in when you're tunneling IPv6 and IPv4. Essentially, the path MTU discovery issues all reappear for IPv4 service.
D: Yes, thank you, and the wiring is that I view the idea is not so widespread. Why implement deployment for the authoritative server to answer all queries? I think it provides space for the authoritative operator to do some policy or local configuration on what queries, what type of queries see it. Well, intriguer the that the date here, thank.
L: One comment at this moment is that I gave the authoritative server implementers. May not, if particularly, may not like the idea of introducing a switch to 50 milliseconds delay, because it will make the UDP request stateful while it's currently comparatively stateless. So again, I don't know whether this is the real problem or how we can address that. But I think that's one of the things we should consider.
M: It's Dan, relaying for Peter. Peter, like he says, has a couple points. One, ATR changes a best case before fragmentation exchange from two packets in a legitimate situation into five packets in an attack situation. Point two, I did not verify the work from RFC 7870 to the APNIC work is useless because the experiment ignored the EDNS buffer size from the resolver client. Thus we have no useful numbers on how much ATR is helping. End point 3.
B: I have took the Google example. Aires, it's very well familiar for me, said that it has both the IPv4 and IPv6 addresses configured on it. This is the POC, is just collected some network traffic on Wireshark. Whenever we pass a qe4, we must look up for IPv4 to resolve a quad-A record. It returns sometimes zero answer, or sometimes it comes up with the rcode three error, domain non-existence. This is a simple diagram.
B: I have duplicate, so this is if manually a service is written for client-side and it wants to resolve the IP for an IPv6 address against the IPv4 address, or IPv4 else against the IPv6 address. Then the stub has to implement this two-step functionality. First, it has to look at the reverse lookup for the domain name and then forward lookup to get the IPv6 address. The question is that the problem by doing this is that most of the subdomain levels are not similar for IPv4 and IPv6. Actually, they are different.
B: This is the proposed IP IP PTR, and it increases the trustworthiness because it works on reverse lookup, so network, especially security guys, they don't trust the forward lookup domain resolution process, because IP IP PTR here, using the reverse lookup for both IPv4 and IPv6, will increase the trust in your DNS infrastructure. This is the motivating use case.
B: The idea behind was just, if an organization that has decals maturing its IPv4 security rules in network security components, and it decides that they want to test an application with IPv6, or they have just enabled IPv6 in their network, so any automation service can be written that can automate the security rules deployment for IPv6 parallel to the IPv4 that has been already matured enough in the network.
B: So this was the motivating use case, and the other use case is that it can be used to promote the usage of IPv6, as if somebody accesses FTP that is served using an IPv4 address, it can be translated into IPv6 and explicitly connect the client over the IPv6. Similarly, some commerce customers, debugging utilities can be written just like traceroute. It can be, it returns.
B: Look up the IP address to confirm that the domain claiming the IP is exactly the one that is claiming in the mail, so similarly for IPv6, and from an email received on an IPv4 network, the same IP can also be used to check the IPv6 address for that domain. If it exists, that can be whitelisted earlier, before receiving any email from that server on IPv6 service, and this is just the terminologies, ideal scenario. Non-ideal scenarios, but I have separated the labels with the X dot example.com and exists.
B: X X, the example.com and XX, is mapped to the quad-A record and exists maps to the A record. X can be anything before the main domain name straight to the IPA. PTR will be in the reverse lookup prefix file, and it will be just like this: instead of pointing to the IP, if it is in the IPv4 prefix before, instead of pointing to the PTR the ka'aba VIP for labor's, it will be pointing to the X sixth domain level as a target, and similarly IPv6.
B: So this is actually the resolution process, resolving IPv4 into IPv6, and similarly for IPv6. Every time the IPv6 address in a form that, in a compact form, actually, because in real far midfield, which is so long. So I use the double colon notation here just for the ease of saying in the diagram. So these are the two use cases that will be processing through this new IP IP PTR resource record, and that's it.
J: Miscibility mckendree's. I see zero people implementing this in practice other than test labs and things like that. You're going from a number to a name. Why don't you start with names if you're configuring firewalls? If you can use name-based lookups, you start with names. As for mismatched names between v4 and v6, that is a short-term, as in right now.
G: Hi, this is Andre, and I appreciate you taking your work to IETF, nearness hope. But this is a bad idea. You are pushing provisioning problems into DNS. Your example was a complete strawman, because what you need to do is to configure the same name for the A and quad-A, and this should not be adopted by the working group, or any working group, in DNS.
N: But I can talk really fast and good. Ok, Wes Hardaker. I'm here to talk about draft DNS zone digest. It's in the repository, and we are, you know, eventually considering it for adoption. Ideally, the authors list isn't on there, but it's authored by a bunch of people that have all thought of this idea at some point in the past, and we got together, thanks in large part to Duane Wessels, who did a large part of it, pushing it forward, including making most of this presentation.
N: So the quick too-long-didn't-read: it's secure zone files. It adds a checksum to zone files as they're transferred, actually ahead of time, so that you know that you got the complete set and that nothing about it has been altered and all that kind of stuff, as, you know, glue is not currently signed, for example. It basically adds a cryptographic digest and it creates a new ZONEMD resource record type, preferably secured as well by DNSSEC. We'll get to that in a bit.
N: So motivations and use cases. Right now, the root zone, and other zones for that matter, are spreading beyond traditional deployment boundaries. They're being spread by things like 7706, low-latency stuff, and then ICANN's been using the word hyperlocal root a lot lately, and ICANN circles to pre-populate resolvers with root zone data. My LocalRoot project, if you look that up, also does the same type of thing, and we'd certainly make use of this. Some non-use cases.
N: We are not recommending trying it on a couple of things, in particular .com. It's gigantic and changes very, very rapidly. So it's both, you know, very large and very dynamic, although there's quite possibly some use cases for some zones that are being distributed in other ways, such as through ICANN's centralized zone data service.
N: So why not use, you know, some other signing techniques? Why are we doing something in band? Well, first off, you know, PGP, for example. Detached signatures are sort of a pain to manage, if anybody's tried to manage them, sending them over. How would you attach a PGP signature to an AXFR, for example? It doesn't work very well. Attached signatures sort of change the file format, so it's no longer a zone file, so you'd have to strip it out before loading it in, and all those types of problems.
N: So also the digest is, you know, marginally even useful, even without DNSSEC. It's also a checksum that ends up in the file, so that you know that no bits were modified by accident, which actually is probably more likely to happen than attacking a lot of the time, and it's unlikely that nameservers would also ever include PGP directly in their codebase, where they already have DNSSEC already deployed in the nameservers themselves most of the time. So here's a real quick, simple example, very simple example: dot dot name.
N: You can use it for things like offline signing, and you can use it for things like online signing, but every time a change is made to the zone, it would have to completely re-sign the whole file. We are not proposing a way to, say, you know, incrementally update a hash. That, in theory, could be done in the future, but we're just doing a hash of the whole thing.
N: So, if you add a new record, you have to re-sort and then start over from scratch and recreate the hash. In terms of the amount of time it takes to sign (excuse me, not to sign, to create a SHA-256 hash of a given zone), Duane has produced this wonderful graph, which is in log scale, zone size on the bottom and time in seconds on the top, and you can see some interesting markers along the way, including the root zone is about 0.2 seconds. Accountant is about one second, spaces.
N: 6600. I'm sorry, yes, you're right. See, I told you I don't read it well, not even in the right ballpark. So the algorithm is fairly simple. You create the ZONEMD record and you insert it, but with a blank digest field. You sort and canonicalize the whole list. You operationally sign it with DNSSEC, and then you put the ZONEMD record back in, with the ZONEMD RRSIG created afterwards.
O: The reason I'm here is because I had a brain fart on the list and said screw this stuff, we should do PGP, and then Duane said to me: dude, I thought you were a friend, why are you crapping on my idea? And we actually talked about this and I kind of 180'd. You know, I want to walk back; I really like this. More particularly, what I like is, we now have two binary DoS implementations, because Shane, who is a genius, wrote one. We have two working implementations of this, I think.
O: Process to use: Colt Veggie file rubbish. Shell script, check, see, it's in the file. It's what the publisher, who has authority over the ZSK, it's what the publisher intends is the canonical state and file. So if I want to do locally run root, bound on 127.0.0.1, I've got an out-of-band mechanism to get the file. Yep, do it.
N: So that's kind of this case, which is that if you use it outside, then you have to have a way to distribute it, and so the PGP is really an example. But external signatures, you know, are a possibility, but it makes it harder because you can't do things like zone transfers and check it afterwards, and keeping it in zone means that you can transfer it in any mechanism. You don't have to keep two file copies and...
D: Okay, it's okay! The second question is the more harder to answer. So you mentioned that it encourages more widespread of the zone, right, so you definitely exclude the situation that people are... Some organizations want to set up their own root server system, just as a Yeti demo model, so I think this way just adds a copyright to the root zone, or some zone itself, for itself, but actually all the other work has been done by the exact signature already, done this.
N: Yeah, so this adds a checksum on whoever created the entire set of data. This is a checksum across all of the data that went into, you know, their distribution. So from the IANA perspective, IANA would create a checksum of the whole thing that would go along with, you know, the signature. It would probably eventually be signed by Verisign. You know, I don't, do we, we talked about which key should be used to sign it, but anyway it signs everything in the file.
K: Warren, I think so: Warren re, northa, so I think a slight clarification. I mean, I don't think that doing this for highly dynamic zones is a good idea, but I think that it's not that you need to do it on every update. You would only need to actually recalculate this when anybody wants to write it to disk or transfer it. Just a slight.
T: So why not just you? Oh no, sorry. Hi, so I am Warren and Paul, and this is about updating RFC 7706, which we just heard about a little bit before this. 7706 is about slaving the root zone on localhost, and we're talking about updating that document. For those of you who aren't familiar, 7706 did come through this working group originally; that's why we're suggesting that this document come to the working group as well.
T: We did 7706 a while ago, as you can tell, because we're already on RFC 8400-something, and there's now a bunch more implementations. So that's good. We would like to document some of how the implementations happen, such like that many people who have implemented 7706 didn't implement 7706, Wes and others, and they've been saying 7706-like. So instead of saying 7706-like, because that has a lot of parameters, we can either document them and say where there's a delta, but actually many of them really did take the spirit of 7706.
T: But we do need to stay focused on the goal, which is that the root zone that you are being authoritative for can only be seen by things on the host. In 7706 we said it had to be running on the localhost. That turned out, there were implementations that didn't do that, but they made it so that only the host could see it.
T: So what we're doing: we have a draft, K and H, he's K, I'm H, and we want to keep this, so 7706 was informational. We want to keep it informational. This is sort of operational. This is, I mean, some protocol-y things, and there's certainly some RFC 2119 language, but in fact we are not suggesting that this is a standard, so keeping it informational again.
T: We're hoping that the working group adopts it because, if not, it's going to get really tricky, because Warren has to find some other AD sponsoring. But also, for those of you who were around a few years ago, you'll remember there was a lot of really good discussion for 7706 on the mailing list. It wasn't just "oh yeah, this is fine." We really did have some good theoretical discussions of why are we doing this, is this bad, and such, and with us possibly expanding the scope a bit.
T: So how we're doing it: we've already put out the 01 draft, so we updated the requirements from "mirror root server must be a localhost", which some of the people weren't following anyways. They were being 7706-like, and we said the current wording is "root servers must only be available to resolvers on the same host", so that is an actual expansion, and people may or may not like that. If people do like it, one of the things we absolutely want to do is update the examples.
O: So, let's go play, imagine: I were running a server on the host and I do this magic trick, mm-hm, and then I'm multi-homed, I've got two IPs, and on another IP that I'm now bound on 53 from a forwarding-only resolver that forwards to this one. Am I breaking the rules? Because that other resolver, it's an open resolver and I'm serving the world, but all my queries go to the other one on the same host. Could that be my breaking the rules?
T: That's a question for the doctor, so I would hope that the answer is not that you're breaking the rules, but don't allow that, really.
O: Sorry, but what if I had three IPs, and the one down the road asked questions of the one locally, which asks the questions of the one bound on the host, so...
T: You've asked all at this point a thousand and twenty-five, however many ask questions. Wow, well, but again, one of the reasons for 7706 at all was to preserve privacy. You know, it's not really, it's not to protect the root zone at all. It's to preserve privacy, keep questions local, and so, if you pull the root and you essentially are preloading your cache for NSEC, then none of that leaks out.
U: Andrew Sullivan, same thing, you know, whatever they're, probably true. So, since I am the bad idea fairy, I just got up here because I don't really understand why we care, if hoping and wishing and all the rest of it isn't gonna happen, like so. You document the technique, you show how this is gonna work, and then, if people do weird things, well, the notable lack of, you know, protocol police once again comes to our assistance, right.
N: Okay, so Wes Hardaker. I say the purpose of the IETF is to document, one of the purposes is to document what people do on the Internet. This is now being done multiple places on the Internet as 7706-like. It's sort of a pain in the neck for those of us doing it to document it, because we have nothing else to reference, so it would be better if we had a standard way that we all agreed upon. Therefore, I am definitely in favor of this. Thank you.
V: Ray Bellis, ISC. I actually don't care in the slightest about that restriction on it being the same host only, loopback, whatever, don't care. For me, the important thing that this gives is validation of all root answers. It gives you a local mirror of the root zone, though that resolver can still validate and get back the AD bit, say: I know that's because anybody can mirror the root. So I must leave the root zone from any number of AXFR servers.
G: With Tim I close the clothesline, this is unreal. I see, I actually feel even more strongly than Andrew and Ray. I don't understand why it's wrong! You don't understand why it's wrong to, I provided reason to divorce, because it wouldn't be queried by the others unless specifically configured, and if it's DNSSEC validated, it will give the correct answer. So, so, what's wrong about it? Okay.
P: I just wanted to comment that as soon as you have a local copy of the root zone, the AD bit becomes, I wouldn't say irrelevant, but it becomes questionable. So you'll push the validation on to the end system. Somehow you can replace the key with a different key, I'd say my local community should use this key instead, and then you can also modify the content of the root zone.
C: That was the last item on the agenda. We want to say thanks, everybody, for the discussion and for the presentations, especially for trying so hard to keep the time. We really appreciate that, because we want to make sure everybody gets their say. We will take further discussion back to the mailing list. Thanks, everybody, for your time, and we'd like a brief round of applause for our new, our new working of Cherokee.