From YouTube: DNSOP WG Interim Meeting, 2020-04-14

C: Right, thank you. Can you hear?

C: Without minimization, queries upstream are just for the QTYPE and the QNAME we get in the query, and with QNAME minimization enabled we will send out a query for a name just one label more than what we know the server is authoritative for, and we hide the QTYPE by using the NS QTYPE for the outgoing queries. Next slide, please.
C: Right, data from some measurements we've done, which shows that of the resolvers we are able to test using the RIPE Atlas platform, 47% of the resolvers already have QNAME minimization enabled. So, even though this platform may or may not be somewhat biased, it shows that there is quite a lot of uptake of QNAME minimization, so I think it also is feasible to move this to standards track. Next slide, please.
C: So these are the changes we made since we brought this document back to life. So, what we've done: we changed the algorithm a bit to include references to RFC 8020, the "nothing below an NXDOMAIN" RFC, and we made it more clear that in some cases you can use cached answers to prove that there's no delegation, to limit some outgoing queries. We added some text to make sure that there is a special case for getting the DS, because you need to get it at the parent.
C: We updated the examples in the document to make them a bit easier to understand, and we started the effort of documenting the exact ways in which the different resolvers implemented this, and which workarounds or other interesting solutions they used. So I already added this for Unbound, and I am reaching out to other implementers in order to get this information.
C: So it's not finalized yet, but we're working on that. And then two things I would like to go into in more detail, which are the proposal to relax the QTYPE recommendation, and some text that we added about the increased number of outgoing queries. I don't see my slides anymore, I'm not sure if that's just me... and they're back, oh yes, this one, yeah, we can go to the next slide. Thank you.
C: You can, as long as it's a data-type RR type, yeah, a data-type RR type, so no meta types, and the authority needs to lie below the zone cut, so you can't use a DS type or things like that. Next slide, please. It's still fine and allowed to use the NS QTYPE, but this also makes it possible to use, for example, the A QTYPE, and that does give some benefits.
C: For example, it's not blocked at middleboxes as much as the NS QTYPE. We did find some cases that gave us issues when using the NS QTYPE. You won't have the [unclear] to the A QTYPE. It's arguably privacy-wise much better, because you now do not see anymore that you're doing QNAME minimization, because previously nobody was sending queries with the NS QTYPE, and now you suddenly see them appearing. You don't have the [unclear] to the A QTYPE, and in some cases you will.
C: So RFC 7816 already mentioned that the number of outgoing queries can be increased when you have a QNAME with a lot of labels, but it only spoke about this in the context of performance. Your performance might go down a bit because you send out more queries, but what it did not cover is that you can also actively abuse this in a DoS context.
C: Outgoing... and if you then randomize one of the labels, you basically have a random subdomain attack which is, like, a hundred times bigger. So there's some text added to the document to describe this, and the text we have there now says that resolvers doing QNAME minimization should implement a mechanism to limit the number of outgoing queries.
C: That's the way it is done for Unbound, so what we do is we limit the number of QNAME minimization iterations to a certain number, and then divide the labels by this number, and we make an exception for the first (in our case four) queries, because we expect that the delegations are for just a small number of labels higher up in the DNS hierarchy, so you have more privacy gain there. And next slide, please, yeah!
C: This is one thing we would like to add to the draft and would like input from the working group on: what to do when you are forwarding your queries. Does it make sense to do QNAME minimization at all [unclear]? The full QNAME will end up at the forwarder anyway, and so maybe just describing that you don't need to do QNAME minimization in this case is enough, but it's something that we would like to cover in the draft, and with that I am interested in hearing opinions.
E: Yeah, well, here's some comments on the stuff. You know, overall I think the limitation has to be something that has to be done. "Should" is okay, I don't think we should recommend such kind of complex mechanisms. Some people might want to do them, especially if you are in a setup where there's lots of reverse delegation, but others could just implement more simple stuff. So forwarding, it just doesn't make sense to minimize, no problem, because, as you said, the query will end up on the other end anyway, and you're...
F: I'd say so. My question is about the limited number of queries we might be sending. The document draft speaks about specific cases where the resolver has got some other kind of a priori knowledge about [unclear] to create a QNAME that's got the last levels of labels on it, and I'm not just thinking of things like reverse IPv6 addresses, but many things where these are possibly non-delegation [unclear], if, for example, you take the case of Vietnam.
F: You may have some kind of idea about what the [unclear] form of [unclear], so that, if you could perhaps split up between each, based on [unclear] labels that reflect [unclear], and the [unclear] could, though. Maybe that's a specific example, and maybe I'd like to get that specific detail, but maybe some language around that. Maybe something helpful as another instance of how to limit the number of queries: [unclear] are clearly labeled by [unclear], or setting specific cut-offs, or the number of queries by the delegations. Just a thought.
G: Yeah, regarding the issue of the number of requests that [unclear], like many things, including minimization, it's not necessary for interoperability. It can be a local decision. So in that case the goal of the rule about limiting the number of outgoing requests is to protect the resolver, but it does not have consequences for interoperability [unclear]. So I think that "should" is reasonable in that case.
H: It's been mentioned that this certainly has a valid context in protecting the full resolver where this logic is being implemented, and it also has implications in DDoS amplification. So we've already seen with random subdomain attacks that it is possible for an attacker to do less work than the intermediary in terms of delivering unwanted traffic towards some victim. This is a new way to do that, if you imagine any deep random subdomain could end up causing...
I: So we have one example right now where that's not true, and I take responsibility for a partial [unclear], I have some of the blame for ANY, as well as ANY was already a little bit different anyway. But I think there's a risk that if you specify that any QTYPE is possible for this, then you are installing assumptions about all QTYPEs and their behaviour on the authority server, which might make it difficult in the future to install some tactical defence against some new attack that concerns just one QTYPE.

I: I think it might be better to actually specify just one. So if we were going to choose one QTYPE, then we already have one QTYPE that's special in the sense that it's guaranteed to exist in any zone, and there's also, for example, it appears in negative responses, which is SOA. I think SOA might avoid Paul's concern about NS records. I think it might be simpler to specify just one, and SOA I think is unremarkable, because everyone has to implement SOA. So maybe just doing the opposite of what you're doing: instead of trying to free this up and make it easier to implement whatever kind of query you want to minimize, go to an upstream authority, sort of specify exactly that it has to be SOA, and that might make things simpler and shouldn't really affect security at all.
H: To say that I agree with Joe, but I would like SOA to be in the set of things that are permitted, simply because, if a full resolver implementer has a good use to make of those SOA records in terms of perhaps delegation revalidation, then I would like SOA to be an available choice so that they can serve two purposes with one round trip. Thank you.
K: In terms of the forwarder, sending QNAME-minimized queries to the forwarder actually forces a forwarder that doesn't do QNAME minimization to be QNAME-minimized for itself. We shouldn't assume anything upstream is doing the right thing. [unclear] if we have to cross forward. As a certain example, [unclear] will get the full name, but we don't have to trust the [unclear] the root, everybody else in terms of getting the DNS.
K: So a stub resolver can cause any recursive server to do QNAME minimization [unclear], just by talking to the recursive server, to say this with a QNAME-minimized... with a QNAME-minimized series of queries. The same applies through any other forwarder.
L: So can someone remind me why we're not just using the original QTYPE, since if you do that, you're not going to require an extra query at the very end to figure out the actual answer? The downside is you potentially lose some privacy that way. I don't know if it's a big privacy leak to mention that you're looking up an MX or an A or a quad-A or what.
C: Well, actually, I don't think you're losing privacy. So the thing is that if you get a query for the A and you use NS to hide the QTYPE, then that's basically the same as getting the original query and the NS query where you're hiding it, right? So if you pick the QTYPE that is most common on the incoming one, then you don't leak any extra information, but you still have somewhat fewer queries to send out.
L: Yeah, yeah, I think it... use whatever the original QTYPE was. It should save you an extra query, and then I'd really like to see this get deployed, but privacy... privacy, performance is also important to some folk. So if we make it as performant as possible, hopefully we can get this deployed wider and faster.
C: We switched from NS to A because we found out that NS queries are blocked sometimes, and A queries are not. That's the reason why we switched, and then it turns out there are some added benefits of using A over an NS, and that it doesn't really matter for the QNAME minimization case, as then you get the delegation whether you sent an A query or whether you send an NS query.
M: One of the rationales, possibly, for using the client's query type for this, the A versus quad-A distinction, is that there are plenty of IPv6-only networks where quad-A is the dominant query type coming from them, and A is going to actually stick out more. And if you're looking at it from a performance perspective, doing the quad-A first, or using the query type the client asked for, like the quad-A, is going to be more performant there, because otherwise, if you just do the A lookup, then you're gonna have to wait.
J: Yes, okay, excellent. [unclear] I'm Kazunori Fujiwara, JPRS. Paul Vixie and I submitted the draft-fujiwara-dnsop-avoid-fragmentation-03, "Fragmentation avoidance in DNS", and this is the summary. Right, this draft proposes to avoid IP fragmentation in DNS. It proposes to set IP "Don't Fragment" on DNS UDP response packets, I mean, two ideas: limit DNS UDP response size, and encourage small response size [unclear]. This slide shows the changes from -02 to -03.
I: Go ahead. [unclear] I think this is useful, because I think we have a serious problem with fragmentation of the DNS, and I think it makes sense to write something about it. I think some of the things in this document I, like, misunderstand, or I think might need some more thought. It seems to propose something that resembles path MTU discovery in the sending of responses, but I think in practice...
A: Thank you, Joe. Jim, you.
B: [unclear] as a chair, I believe this is one of the drafts that we were going to send out a call for adoption on, and really look for people to say positive things, much like Joe said, like yes, this is [unclear]. Let's work on this, and so while we'll sense the room, I believe this will be one of those that you'll see an email about, and we want to get some positive...
E: [unclear] yeah, I also think the draft is useful and that we should adopt it. My reading of the draft was that a lot of discussion is what do you set as an initial, you know, UDP size when you send out packets, and then, of course, if you don't receive anything back, you have to do something, probably switch to TCP. I don't think it was... you do path MTU discovery, that was suggested.
H: There is not an intent in the current text to design a path MTU discovery. It is meant to allow someone to do that if they want to know what the end-to-end minimum MTU would be, but also just recommends some defaults that can be determined pretty much knowing only your own local MTU, without any discovery process. I've made no secret that I believe that we will need a path MTU discovery, and so I may want to use it in my own future work.
A: Okay, thank you, and if there are no other comments or feedback, then I want to wrap up this presentation. So do expect a call for adoption in the next weeks on the mailing list. Send positive feedback, at least be interactive and contribute, if you think this should be a working group draft document.
N: So the problem this is solving is actually not a technical problem. It's a political problem. Some people just don't want to trust the high-level keys. They want to do DNSSEC transparency, or they want to be able to sort of try to force those keys to be more open in their delegation-only status, where they don't try to take over their own child domains, and this is specifically important for the root and the TLDs.
N: ...dot, and in the domain [unclear], so again this would be for the root or TLDs mostly. In this example we can see that the TLD org will set this bit, saying that they will only delegate and not [unclear], and then, for instance, the domain ietf.org will not set this bit, so it can have any data under it, like datatracker, www, any other thing.
N: So it's still hard to read, but because it's encoded as a DNSKEY flag, what it means is that it is actually encoded in both the key ID tag but also in the DS output itself. So if a child sets this flag and gives the DS to the parent, and the parent publishes it, this DS record will be completely different. So if at some point someone wants to undo this, either the child or the parent, maliciously, then this would be visible in the DS [unclear] as well.
N: This means that if you have specific out-of-band DS records configured for your enterprise, that would also be visible here. So it gives an additional layer of protection against abuse by the parent key, and so even if the child's entire zone would get replaced, because the DS lives at the parent, it would still be evident at the higher-level zone. Next slide.
N: So, just adding a new DNSKEY flag shouldn't break anything. We tested this back in 2018 with the main DNSSEC resolvers out there. I hacked some code to set basically a reserved flag, and this [unclear] to see if any implementation would fail. Everything worked fine, so I think we're good, but we could also ask Geoff Huston to do more testing. Next slide, and a quick overview of changes since I first introduced this a couple of years ago. Wes...
N: ...co-author, so the English language usage got improved a lot. We clarified that if you set the bit, you also expect not to be skipped, because your parent could still, in theory, skip you entirely, but there's an expectation that if you will not skip your children, your parent also will not skip you. I'd already talked about DNSSEC transparency, that it's very useful.
N: Just that the root keys are already treated like this, so it doesn't need this flag, but the code internally would treat it as if it's been set already, because the root zone is supposed to be a delegation-only zone. We add an exception for underscore labels, because those really are not zone cuts.
N: They really refer to the zone itself, and it would be really annoying if we would have to define zone cuts and DNSKEYs for each underscore label that we want to introduce, so that would require some special handling in the resolvers. And we add a bunch of operational considerations. We discussed migration from and to, and more clearly describe the problem of signed glue data.
N: The other thing is that if you are using your name server records in your own zone, so let's say .ca would use this and they would have, like, ns1.ca, and then it's [unclear] .ca, then that would be problematic, so you would actually have to create a special subzone that would not be marked with this bit, so that you could put your name servers in there. I did a quick check and most TLDs already do this.
N: ...TLD or something like that. Second-level domains that usually have [unclear] and A records as part of their zone are not a problem, because they do not set this. So, for instance, nohats.ca would not set this, because, good, I'm not delegating any authority to sub-zones underneath me. So there's no reason for me to set this bit, and I can put whatever I want in my zone as I currently have it. I already talked about orphan glue.
N: It doesn't protect the zone apex data itself from abuse, but usually that's not a problem, because there's no cryptographic material. So, next slide, and then it's the next episode. So far I tried to start the discussion once, and only Joe Abley replied, with an email that was more on the political science, saying: why do we need this bit? It's really naive if you don't trust ICANN on this setup.
N: While I agree with you, this is specifically targeting those people that do not agree with us, that think that, you know, there should be more transparency, more auditing on those keys. So I would like some more technical discussion: did we overlook something, if you would roll this out or not? And then once we have this, I think people like DKG and me are really...
P: This is Ben Schwartz. I'm very excited about the DNSSEC transparency. I think I understand why we need zones to publish a commitment to be delegation-only. I don't understand why that commitment has to be machine readable. That is, why do we need this flag in the DS record? Why can't we just have the zones put up a document on their webpage that says we promise to be delegation-only, so...
E: Yeah, so, as usual, the poor resolvers do all the hard work, so, as you can imagine, I don't like that very much, and you're looking for a technical solution to a political problem, and I don't think that this is actually something that will work, for a couple of reasons. So we have TLDs out there that actually serve authoritative data.
E: I know that, like, [unclear] allows customers to pay a premium to be in the TLD zone, and there's [unclear] that only gives out sort of authoritative data. So I don't think that it's actually applicable, and, as has been said, it's a political problem. Let them deal politically with it and don't put more stuff on an already complex DNSSEC validation process.
N: So yeah, you're welcome, of course, not to set the bit. So if [unclear] thinks that, you know, its current model isn't compatible with that bit, it could decide not to offer this extra protection to its customers, or to fold as many customers into their own zone as possible. It is very much an outlier compared to the majority of TLDs, though.
I: Hi Paul, it's Joe Abley here. So I'm not simply going to repeat... well, I can't even repeat, actually I'm going to repeat my apparently non-technical comment. I think to add complexity to the system and, in particular, adding complexity to validation... you said the extra work required by the validator was small, but I don't know that that's true. I think that's an eye-of-the-beholder sort of thing, I think.
N: No, no, let me clarify this a bit more. Okay. We think that those chances are pretty low, because we know all these people involved in running the root and the TLDs, but there's a large subset, and that is very loud outside of our community, that considers this like a deal-breaking thing to ever trust DNSSEC. That is the argument I'm trying to remove.
R: In some... so I've kind of the same reason for this, it's Wes. Sorry, the co-author. One of the same reasons that people want DNSSEC transparency is because they don't trust people to use DNSSEC, really because they don't trust the ability for things like, you know, a parent not to just arbitrarily insert records, you know, on behalf of the child and take them over. There's various public companies that, I appreciate, have said that they would never do DNSSEC at IETF microphones, specifically because of that: they don't trust their parent.
I: Okay, I mean, all right, so I'll set aside the question. I do think there are a lot of protections around that. I think business models of everybody who runs a significant TLD depend on following contracts which, when it comes down to it, for any TLD, are the only significant asset and their only reason for being in business. So I think there's a lot of pressure outside the wire protocol already that ought to be fairly convincing, and people who are not convinced by that are unlikely to be convinced by anything.
I: However, though, that's one point I needed to make. There is less layer nine, which is that I suspect, I could cycle my own perspective, my own knowledge, there is at least one legacy TLD that contains records from a long time ago that don't necessarily fit an elegant schema. So I suspect this is probably true with every TLD of any significant age.
I: So an example is often... but I have, we have records that remain in the zone that don't correspond to registry data in the way you might expect, and can't be suppressed, because there are dependencies, for example, to other domains. I think there is the potential for operational fallout from anybody who decided that everyone at every TLD zone of millions of records was completely clean and there was never an example of a response where you do get an [unclear].
L: Warren Kumari. So I'm feeling dumb, because I don't really see how this provides any real protection. I can see that it prevents a parent from just answering with a different A record directly. You know, this would say this is delegation-only, but what I don't see is why wouldn't a parent just answer with a different delegation and different DS, and now they can accomplish the exact same set of badness. Or, sure, this surfaces into a delegation one, but...
N: If they would do it, they would also have to change the DS record that they signed for the child, because if they publicly have a DS that says we will not do this, they would not only have to change the child's delegation, but also their own DS record to the root, saying that they would actually not do this delegation-only.
L: No, they... no, they wouldn't, right? For nohats.ca: you gave .ca a set of NS and you gave them some things that they have a DS. Why wouldn't... if they wanted to poison nohats.ca towards me, why wouldn't they just hand me a different set of NS records, pointing at servers they control, and publish a different DS for that name specifically towards me?
R: In order to catch a fake A record or a fake quad-A that's, you know, three levels down in the tree, but issued by a parent, right? The parent can sign anything it wants. I can do that. You end up having to log everything. With this bit, you only need to log DS records, to a degree, with certificate transparency, in order to catch these types of problems, because you trust that the resolver is actually checking that... no.
S: [unclear] from Akamai. So next slide, please. There we go. I just realised, as I was reviewing it to get ready to talk about it, that I didn't include the goals of this draft in here. This started out of a bunch of conversations about how could we support a secure transport between a resolver and an authority, or even any stuff that's doing full resolving for the client, and trying to find how to communicate with another machine over which protocols it supports.
S: So the communication establishment between [unclear] cooperating machines. So this draft proposes two new RR types, and I'll go over why there are two in a second. For now I've just been calling them NS2 and NS3, and this builds off of the SVCB draft that Ben was talking about earlier, and the names of each new RR type... It's a way to now allow the existing NS records to coexist with NS2 and NS2T, to allow resolvers that don't support these new records to continue operating as normal. Next.
S: So examples make this a lot easier. At the bottom of the response you can see the existing record and the new records that go along with it, and then there's three examples of an NS2 record, and this is the service form, where you can have a prioritised list of different name servers where you can select which transports are supported.
S: If you want to provide a [unclear] fingerprint rather than using the PKI, you can use [unclear] certificates, and then there's also other parameters defined in the document that allow for alternate parameters around each of the different protocols that are currently discussed. So, like, the DoH URI template exists in there, and there's notes, like in this example: it doesn't specify that the delegated server name, so in the third example, where it says ns3.example.com, that doesn't have to match the host that's in the URI template. Next slide.
S: This is the NS2T in the draft, called NS2 target, where this is a record that doesn't exist at the zone cut, where, if your provider is just an alias to you, you can return these NS2T records, which can be either a service form or an alias form. There is a concern about loops coming up if you reuse the alias form; there's rough text in there about how to prevent or how to detect loops.
S: While I was coming up with this, I was trying to reduce the number of queries that have to go to the authority. At the same time, this does perhaps raise a concern of the record size ballooning out of control. Still trying to find which way to go with that, but the current thinking I had while I was working on it was that, ideally, if the parent supports an encrypted transport over TCP, so if you're using DNS over TLS or DNS over HTTPS, you can do larger packets more easily.
S: So this draft was initially written before I went on leave in November, and I haven't been following terribly closely with the SVCB updates, and then once I got back to work the world was [unclear], so I need to realign with all of that work. And then there are a few placeholder sections that need more work, and I have some feedback from people that I've asked about the draft before publishing it on the datatracker that I need to incorporate back in, and then I think, my last slide.
U: Oh yeah, that I was going to... I guess it's related to what Sam said, but I think if we're trying to look at redesigning NS, one of the things that should be included in that is getting rid of the parent-child ambiguity that we currently have with NS there. You know, it seems to be a little bit unclear which one is actually, you know, meant to be trusted, and in what situations.
U: You know, plus, including the ability, if they were separated out, that, you know, the NS set at the parent, or replacement for the NS set at the parent, could be signed, for example, if there was no ambiguity about who's authoritative for that data, yeah. So again, it seems to me a lot more needs to be thought about if we're going to try and redesign how NS works.
I: [unclear] Joe Abley. My question is related to the first two, I think, which is that it's not clear to me, and maybe I missed something in the draft, as to how a resolver finds these records over time when it needs to know them. So, for example, it's not obvious whether, if records are provided in a parent zone, they are going to be returned as part of a referral.
Q: Peter van Dijk, PowerDNS. I agree with everything Sam, Matt and Joe have said. Besides that, I have read the draft and, as a resolver implementer, this scares me. There's so much complexity here, so many indirections that could cause a resolver to do extra work on behalf of a client, potential for loops, etc.
D: I think I also wanted to sort of second a lot of the comments. I do think, though, the point in particular about referral responses is key: that, you know, if there is some way of doing this, it's important that it be present in some way in the parent, ideally signed over, I recognise the complications of that, and present at least, you know, in the authority or additional section, you know, as some kind of glue from the parent in referrals.
O: So this is, and all the questions that just came before, is related, surprisingly, to work that's about to be done in the ADD working group. Not that ADD is dealing with authoritatives, but a stub resolver talking to a recursive resolver has a relationship very similar to a recursive resolver talking to an authoritative one. So there's the question of discovery, the question of hint, the question of how long do we remember authoritative answers, and such like that.
O: So it may be that if this working group doesn't take this on immediately, it could come later, as, I guess, the polite way for me saying this is: I think the ADD working group is about to grind over all of these topics yet again, but at least in a working group sense, and with hopefully a draft coming out soon.
E: Comment: that's more... yes, more common. So I think the difference between ADD, the stub-to-resolver, where it's quite different from resolver-to-authority, where we already have sort of a whole protocol suite laid out on how to do delegation. One of the things that some people pointed out is that the bootstrapping is a problem.
E: If you put NS required to be in the parent, then of course deployment is a real mess, and there's probably something gained by keeping it in sort of the ambiguous form we have currently, where it's in the parent and the child, and with the sort of... but allow more flexibility in the rollout. So I think that's one of the motivations why the current draft is the way it is.
A: Okay, I think we're fine. I forgot to mention one last thing from the previous presentation, [unclear], so one of the actions was a call for adoption or not. So there was quite a lot of discussion. Please go on on the mailing list, and we will want to go forward at least with the process. So we will call for adoption, we will send out the call for adoption to the mailing list, and Paul [unclear].
V: ... We discuss how we can improve on things, and those operators use not only PowerDNS but also a lot of other vendors' DNS software, and they do this for robustness, because other software has hopefully different bugs. So also the other vendors, NLnet Labs, discuss or meet with all the operators at conferences, and one of the recurring themes during our discussions with operators is that it would be nice if there were a cross-implementation, solid way of configuring all the different DNS software. Not super urgent.
V: So at some point they thought, instead of having all those individual meetings with the different vendors and asking them to cooperate, why don't we have a meeting with all of them together? And so they organized the DNS summit on the Friday preceding IETF 105 in Montreal, with NLnet Labs, ISC and CZ.NIC, and one of the topics was standard configuration and provisioning management. Next slide.
V: So we discussed it and we came up with two candidates: catalog zones, which is a convenient provisioning mechanism for existing DNS software, because the configuration is in a normal DNS zone and the dissemination of configuration is via zone transfers. Also, limitations exist, and there's already an Internet-Draft for it. The other interesting candidate is the Network Configuration Protocol and YANG; NETCONF is the successor of SNMP and sees a lot of activity and development at the IETF.
V: Unfortunately, it's a completely new infrastructure for DNS, but CZ.NIC and PowerDNS are currently working on implementing it. Someone from PowerDNS has told me that they have a working test setup. An additional advantage of NETCONF/YANG is that it gives you feedback on the things you configure.
V: So we decided at that meeting that the easiest thing for a cross-implementation solution was to first make catalog zones work everywhere, and in parallel, since the existing draft did not have actual configuration properties defined, Petr from CZ.NIC had a nice idea to come up with a minimum set of configuration properties for zone provisioning and then make a formal definition for it. Next slide, please.
V: So we discussed the idea more at IETF 106, and then at the beginning of February I was at FOSDEM 2020 and I saw a presentation from Leo Vandewoestijne, who is a DNS operator using multiple DNS software from multiple vendors, and he presented on how he would like to use catalog zones to provision this infrastructure and how it didn't quite work yet with most of them, and there and then, with all the vendors present, yeah.
V: We started the initiative to move along with our ideas, and so, with the support of Ondřej, we picked up the existing expired catalog zones draft, which before had only ISC authors, and arranged a group of people from the different vendors and Leo as operator. I just wanted to pick up the editor pen on this draft and turn it into a cross-implementation supported standard. Next slide, please.
V: So simply, zones are listed in the catalog zone as so-called member zones. The slide is an example showing what that looks like: they are enumerated with unique labels in the zones section of the catalog zone as PTR records. The picture shows the primary and its relationships with secondaries, so the catalog zone is distributed along these relationships, and from the catalog zone the secondaries learn that they should serve example.com, example.net and example.org in this specific example. Next slide.
V: Furthermore, it's very flexible; that's what I want to share here. There could be a catalog zone for other catalog zones, helping in more complex provisioning management. Next slide. So today I posted a new version of the draft, with all the things that we have discussed so far with the new editors, and one of the things we decided is to leave out zone properties or configuration items as sketched in the old versions.
V: Zones need to reset all associated state on an authoritative when their unique ID changes. There's a need to reset state when, for example, the owner of the domain name changes, the owner that pays for the zone, which should not inherit all the metadata from the previous owner, or the DNSSEC state on an online-signing authoritative; and simply removing and adding a zone is unreliable because a secondary might be down or miss the NOTIFY message. Next slide.
V: And these are the authors from the different vendors cooperating on this. I'm really happy to have Peter on this, who is doing the NETCONF/YANG implementation for PowerDNS, and also Ladislav, who is the authority on YANG, I think, so that's really great too. So the current draft is really just a sketch. There are many things wrong with it; we need to discuss this properly with the experts that we now have on board. Next slide, please.
V: One of the things that we are discussing is that the existing YANG definition in the IANA registry could use some improvement. The domain-name type is not perfect, especially as it allows for escaped characters but then does not count those escapes in the 63-byte label length, for example. There are many issues with it. So, next slide, please.
R: ... group, that sub-group of the working group, that tried to codify what it would actually take if something was going to be successful, you know, what are all the requirements of a management model. And I would definitely go look at that and see if you're filling all those holes and which ones are not. You know, transferring zones was one of the big ones that was listed in there, and ironically it was actually started in a Vancouver meeting room long ago. So the timing is perfect. Okay, interesting.
A: Thank you. Wait, yeah, I was speaking but I was muted, so sorry. Thank you. Next in queue is Paul Vixie.
H: I want to indicate support here. I did something like this called metazones about 15 years ago, which was not really meant to be a candidate for standardization and needed a bigger team, larger perspective, more formal model. We now have those things, and I will be very happy to abandon my metazone configurations in favor of this once you guys get it done. So, thank you. Okay.
V: I think what I would like to happen now is that the catalog zones draft would get adopted. You know, I will send it to the mailing list and see if there is enough interest. And for the other draft, on provisioning definitions in YANG, we still need to work on that, but I want to know if this would be interesting for the working group to look at or to process such a thing.
A: Okay, we'll proceed. We will try not to belabor you this week or next week with different calls for adoption, but we will go to the mailing list for the catalog zones call for adoption. And this draft, the last draft, about the YANG model for DNS zone provisioning, will see another iteration, probably presented at the next IETF or when work has been done. Any other things to be mentioned at the end of the working group meeting?
A: Okay, so just after this meeting, Suzanne or the chairs will send a Doodle poll to the mailing list to select time slots for the next working group meeting. It's on Thursday, April 30th, but we haven't selected a time slot yet, so please fill it in as soon as possible, and we want to close the Doodle on Thursday, a business day. Any other things I should mention? Some ethnicity work.