►
From YouTube: DPRIVE Virtual Interim Meeting, 2020-04-08
Description
DPRIVE Virtual Interim Meeting, 2020-04-08
A
These
chair,
slides,
are
pretty
short,
that's
the
note.
Well,
y'all
have
seen
that
and
we
can
move
forward
that
should
be
fairly
straightforward.
The
blue
sheets,
it's
in
the
ether
pad
the
ether
pad
link
the
correct
ones
in
these
slides.
It's
also
in
the
agenda.
A
We
can
do
the
next
slide.
We
have
a
very
shortage
agenda,
mostly
there's
some
quick
updates
on
the
documents,
some
current
working
group
business
and
a
couple
and
a
new
document
coming
through
so
next
slide.
Eric
on
the
document
updates,
let's
go
to
one
more
slide:
7626
biz,
both
these
and
the
bcp,
have
both
sort
of
been
a
little
slow
moving
forward.
But
mostly
that's
because
primary
officer
has
been
tied
up
on
some
personal
stuff.
A
So
we've
been
slowly
working
through
that
and
there's
one
outstanding
item
in
7626
biz
that
she
is
trying
to
sort
out
with
the
isg
right
now,
and
I
believe
once
that
gets
done,
we'll
move
that
forward
and
because
that
document
is
enormous
into
the
bcp
op.
We've
sort
of
put
the
bcp
up
sort
of
second
and
it's
basically
ready
to
go
176
26
business
is
wrapped
up.
A
The
two
of
them
will
probably
slide
through
right
together
and
then
on
the
phase
two
brian
and
I've
talked
recently
and
I'm
gonna
sit
down
and
spend
some
some
extra
spare
time
with
alex
and
jason
and
benno
and
helping
them
sort
of
make
sure
we
get
all
the
issues
addressed
and
see
about
what
we
can
do
about
moving
forward.
If
actually
that
needs
to
be
done
so
I
said
they.
They
saw
an
email
from
yesterday.
So
then
the
x
rover,
tls
draft.
It's
been
pretty
quiet.
A
There's
I
think
they've
addressed
most
of
the
outstanding
issues,
there's
a
couple
of
items
from
bob
harrell
that
they
haven't
addressed
and
I'm
kind
of
waiting
to
see
the
next
version
of
that
from
the
author.
So
that's
a
little
slight
hint
to
sort
of
get
them
to
move
along
next
slide.
A
A
And
I
think
that's
I
think,
there's
one
before
that,
but
mostly
there's
three
things
on
the
agenda.
The
dinos
have
a
quick
discussion
with
christian
who's.
Next,
the
deprived
early
data
document,
which
is
very
short
and
we're
very
curious.
If
there's
some,
you
know,
we
think
it's
useful
and
we
have
some
interesting
brian
anderson
discussions
about
that,
and
then
daniel
got
something
to
sort
of
entertain
us
at
the
end
on
signaling
feet
during
policies.
A
So
with
that,
if
we
can
bring
up
christian
slides
and
we
can
get
right
to
christian
and
get
things
going,
so
thanks
for
being
patient
folks
and,
like
brian
said
well,
we
don't
think
we'll
take
the
full
90
minutes,
but
we're
not
going
to
rush
through
anything.
So
thanks
a
lot
christian.
B
C
C
Is
that
the
first
slide?
No?
No!
No!
No!
No!
Yes!
Okay!
So
what
are
we
speaking
about?
What
we
want
to
define
is
a
very
simple
mapping
of
dns,
of
a
quick
connection
that
just
does
dns
and
nothing
else,
and
the
principle
of
the
mapping
are
straightforward.
I
mean
we
used
a
quick
stream
to
isolate
connection
so
isolate
queries
and
responses.
C
C
There
is
a
specification
of
parallel
processing,
so
there
is
no
head
of
queue
blocking
and
that's
also
a
feature
of
quick
and
difference
with
tcp
is
that
if
there
are
several
several
queries
in
progress
and
one
of
the
packet
carrying
one
of
the
queries
is
lost
in
tcp,
you
will
get
head
of
q
blocking.
You
will
have
to
wait
until
that
missing
packet
has
been
corrected
to
process
all
the
other
packets
with
quick.
You
don't
have
to
do
that.
C
C
If
the
recursive
don't
know
with
certainty
that
this
server
supposed
supports
dns
over
quick,
then
they
are
going
to
do
a
dance
of
trying
and
then
failing
and
then
failing
over
to
dns
of
our
udp
or
dns
of
our
ls,
and
that
will
be
just
a
waste
of
time.
So
the
real
reason
to
not
do
stub
to
recursive
in
quick
right
now
is
because
we
are
waiting
for
the
discovery
dns
over
quick
operates
on
a
dedicated
port
which
is
to
be
allocated
by
ir.
It's
not
defined
yet
next
slide.
C
C
C
That
he
gets
the
what
we
call
the
one
rtt
key,
which
are
basically
the
data
encryption
key
for
the
data
session.
So
the
client
sends
an
unchecked
confirmation
and
then
sends
a
one
rtt
packet,
which
is
the
which
carries
the
dns
query.
B
F
C
So
basically,
what
we
say
is
that
if
we
restart
the
connection
by
opposition
to
starting
the
connection
from
zero,
the
response
can
come
immediately
without
waiting
with
an
additional
delay
and
that's
very
useful
for
connection
handling,
because
that
means
that
servers
can
have
a
pool
of
connections.
But
they
don't
have
to
have
that
pool
be
very
large.
I
mean
the
servers
and.
C
C
There
is
a
mechanism
in
quick
to
exercise
flow
control,
so
if
the
server
wants
to
it
can
limit
the
number
of
queries
that
the
client
can
send
on
a
connection
and
and
do
flow
control
to
limit
that,
but
I'm
not
showing
that
here
and
basically,
I'm
seeing
here
a
client
sending
two
queries
in
two
separate
streams:
stream,
4
on
stream
8
and
the
server
sending
back
responses
in
stream,
8
and
stream
4.
This
illustrate
the
fact
that
the
response
don't
have
to
be
sent
in
order
if
the
response
were
ready.
C
C
There
is
a
lot
of
similarity
between
dns
over
quick
and
dns
over
http
3.,
the
main
difference
being
that
we
don't
have
the
http
3
layer
and
so
on
one
hand
for
the
nf
of
hgv3
that
gives
to
dns
or
http
an
integration
with
the
web,
but
it
also
brings
all
the
web
implementation
into
the
protocol
which,
at
the
minimum
increase
the
complexity,
is
about.
Quick
does
not
need.
E
C
C
C
C
C
There
is
some
work
to
do
in
deep
five,
specifically
on
connection
management
on
the
details
of
the
dns
packet
mapping,
things
like
what
to
do
with
edns
what
to
do
with
packet
size.
What
to
do
with
packet.
Ids
specification
in
the
draft
we'll
get
a
better
specification
with
the
next
version,
because
we
got
some
feedback.
C
E
G
Thanks
christian
first
one
in
the
in
the
queue
is,
is
ecker.
D
Hi
erica
yeah,
I'm
sort
of
neutral
on
adopting
this.
I
I,
I
think,
you're
making
an
incredibly
persuasive
case
for
why
we
don't
just
do
d
dns
or
http
3,
but,
like
I'm
not
going
to
lie
down
the
root
over
it.
I
have
two
sort
of
technical
comments.
You
said
this
needs
is
his
own
port.
I
certainly
see
why
it
needs
his
own
port
as
opposed
to
port
53.
D
But
it's
not
clear
to
me
why
can't
running
on
on
on
udp
443,
because
the
lpm
lets
you
debunk
those
and
you
know
generally,
I
think
they.
D
You
know
it
opens
a
much
more
effective
mechanism
than
port
numbers
and
secondly,
on
this
on
this
question
about
esni
echo
and
alpn
filtering,
you
know,
while
a
huge
fan
of
echo,
I
think
it's
quite
probable
that
a
large
number
of
of
environments
will
basically
ban
echo
and
we'll
do
that
by
suppressing
by
suppressing
the
dns
queries.
D
You
need
to
retrieve
an
echo,
and
so,
in
those
cases
on
doe
three
will
look
at
the
file
much
better
than
on
the
queue.
Thank
you.
H
C
We
are
in
the
business
of
designing
the
best
viral
travel
source.
Then
addition
is
not
what
you
want
to
do
at
the
same
time.
What
you
said
about
dns
over
quick
could
just
as
well
be
said
about
dns
about
tls.
It's
exactly
the
same
reasoning.
I
agree,
and
so
I
mean
I,
I
don't
think
there
is
there's
a
new
debate
here.
It's
it's
a
it's
an
issue
on
one
hand
using
a
ddt
ticket
port,
make
it
easier
for
network
managers
to
see
what's
happening.
C
G
Okay,
next
up
jim
reed.
I
Thanks
guys,
christian,
I
think
this
is
a
good
idea
and
I
support
working
with
adoption.
I'm
just
curious
draft
mentions
that
the
dns
must
be
set
to
zero.
You
can't
explain
the
rationale
for
that.
It
doesn't
seem
sensible
to
you
thanks.
C
C
F
Group
all
right
next
up
is
ben
schwartz,
hi
ben
schwartz
here
to
jim's
point
I'll,
just
mention
that
dough
does
the
same
thing
says
the
query
id
to
zero.
F
I
wanted
to
say
something
somewhat
similar
to
what
ecker
said,
but
also
a
little
different.
I
think
that
echo
does
not
apply
at
least
as
currently
specified
to
dns
transports,
because
dns
transports
are
the
thing
that
you
use
to
get
your
dns
queries,
but
echo
requires
you
to
be
able
to
perform
a
dns
query
before
you
can
use
it.
F
So
if,
especially,
if
use
cases
that
don't
have
a
bootstrap
resolver
are
in
scope,
for
example,
cases
where
I
say:
okay,
here's
my
dns
over
quick
server
and
here's
its
the
name
that
you
should
validate
and
here's
the
ip
address.
Then
you
should
you
can
connect
directly,
but
you
can't
do
echo
overall.
My
my
thought
on
this
is
that
this
all
seems
like
it
will
absolutely
work
and
has
some
very
small
performance
advantage
over
dns
over
https.
F
C
Meaningful
well,
yes-
and
it's
indeed
I
mean
when
I
was
looking
at
that
my
personal
inclination
was
to
design
it
for
the
recursive
to
automatic
case.
But,
as
I
said,
we
can
only
do
that
after
we
have
solved
the
discovery
issues.
C
We
can
hear
your
question
okay,
so
so
I
think
ben
is
correct.
I
mean
first
on
the
esni
eco
point.
I
I
don't
want
to
handle
the
use
of
esi.
A
C
C
Second,
it
makes
a
lot
of
sense
to
have
a
lightweight
protocol
in
that
environment,
if
only
because
a
lightweight
protocol
has
a
much
smaller
attack
surface,
which
is
a
consideration,
that's
what
motivates
me
most,
but
then
we
have
to
get
experience
and
it's
much
easier
to
get
experience
in
the
in
this
top
to
recursive
mode,
because
you
can
always
configure
the
stub
to
use
exactly
this
recursive
with
that
protocol.
E
C
J
Thanks
this
is
ted
hardy
speaking
first,
I'm
strongly
in
favor
of
supporting
adoption.
I
think
that
this
is
a
a
very
good
use
of
of
quick,
and
I
think
that
it
will
get
deployment
and
some
of
the
use
cases
that
we're
currently
seeing
dns
for
tls
or
dns
or
gtls
suggested
because
it
has
the
head
of
one
locking
avoidance,
that
christian
outlined,
which
I
think
is,
is
a
very
useful
performance
improvement
over
dta
dot,
org
dtls.
J
I
also
agree
with
christian
that
there
there
is
an
advantage
here
for
an
eventual
recursive
to
authoritative,
especially
with
zero
rtt.
J
The
ability
to
to
go
back
to
an
authoritative
and
get
fresh
data
is
is
clearly
going
to
be
very
useful,
but
I
think
the
head-of-line
blocking
problem
in
the
study
to
recursive
is
is
actually
one
that
this
will
improve
a
good
bit
simply
because
you'll
you'll
end
up
in
situations
where
you
get
a
resource
say
a
web
page,
and
you
want
to
do
all
the
dns
lookups
in
it
at
once.
J
But
I
think
quick
is
a
very
useful
way
of
approaching
that
I
I
understand
people
may
want
to
do
doh
over
quick
as
well.
J
I
don't
think
that
that's
something
that
this
group
needs
to
to
take
up
or
block
it's
already
sort
of
handled
by
the
fact
that
two
different
versions
of
http
are
available,
but
I
do
think
that
the
the
caching
semantics
are
are
significantly
similar,
simpler
sorry
in
this,
and
I
I
personally
think
that
that
means
we
should
take
out
the
work
and
and
then
have
the
discussions
of
things
like
what
port
numbers
are
et
cetera
in
the
working.
G
And
christian
so
tim
and
I
are
going
to
take
an
action
item
to
actually
start
a
work
group.
Adoption
call
for
this,
so
that
you
should
see
that
on
the
mailing
list
in
the
next
day
or
so
so,
please,
chime
in
on
your
support
or
objections
to
to
us
taking
this
work
on.
G
L
Oh
hello,
can
you
hear
me
okay,
good,
so
hello,
I'm
alessandro,
I'm
gonna
give
a
quick
update
on
the
using
early
data
and
dns
overkill
as
dropped
next
slide.
Please.
L
Yeah
so
a
quick
recap:
first
tls
1.3
introduced
a
feature
called
zrt
session
resumption,
which
allows
a
client
to
send
application
data.
In
the
first
round
trip
of
the
n
check
this
data
being
called
early
data,
it
can
be
used
by
dns
the
last
clients
to
send
dns
queries
to
dns
over
tls
server,
without
having
to
wait
for
the
handshake
to
complete,
and
it
can
be
useful
in
cases
where
maintaining
a
long-lived
connection
to
a
dns
server
is
not
feasible.
L
For
example,
a
mobile
clients
connected
to
unstable
network,
the
tls
connection
to
a
server
might
need
to
be
re-established,
often
or
in
the
case
of
resolver,
to
authoritative
server.
The
resolver
might
decide
to
drop
some
connections
that
are
maybe
not
used
often
and
then
using
the
rtt.
They
can
reduce
the
cost
of
having
to
re-establish
the
connection
next
slide.
L
There
are
some
caveats
to
the
use
of
zeratity
and
early
data,
most
notably
the
fact
that
early
data
can
be
intercepted
by
onpath
attackers,
and
it
can
be
replayed
by
said
attackers
to
the
server.
So
if
the
early
data
as
causes
side
effects
to
the
tls
and
dns
server,
an
attacker
might
be
able
to
exploit
this
by
replaying
data
to
the
server
multiple
times.
L
For
this
reason,
application
protocols
that
want
to
use
zero,
rtt
and
early
data
need
to
define
a
policy
for
when
it
is
safe
to
do
so,
and
that's
what
this
document
is
trying
to
do
next
slide.
Please.
L
L
One
of
the
main
complaints
from
reviewers
was
that
the
language
around
which
dns
messages
should
be
allowed
in
early
data
and
which
should
not
be
allowed,
was
not
was
not
very
clear
and
it
could
be
improved.
So,
for
example,
the
original
drop
said
something
like
dns
updates
and
zone
transfer.
Messages
cannot
be
sent
over
early
data.
L
The
new
version
of
the
draft
weber
says
that
only
dns
messages
with
a
query
opcode
are
allowed,
so
that
also
removes
other
ed
cases
and
other
cases
that
were
not
previously
considered.
L
In
addition
to
that,
the
new
dropped
version
also
defines
a
white
list
of
rr
types
that
can
be
used
within
query
messages
within
early
data.
L
The
the
white
list
is
defined
as
a
an
ayanna
registry,
so
it
can
be
expanded
later
on.
However,
the
list
is
not
complete,
there's
a
lot
of
our
types
that
are
currently
defined
and
I
do
not
know
what
most
of
them
do.
So
I
only
added
a
few
entries
to
the
list,
but
if
the
draft
ends
up
being
adopted,
we
will
need
to
discuss
which
additional
error
types
need
to
be
added
to
the
list,
and
then
there
were
a
bunch
of
other
editorial
changes
to
clarify
language
that
reviewers
reported
next
slide.
Please.
L
So,
having
said
that,
I'm
not
a
hundred
percent
sure
we
actually
need
the
rr
type
white
list,
and
it
might
be
that
only
a
restricting
on
the
query.
Opcode
is
enough
to
achieve
the
goal
here,
which
is
only
allow
dns
messages
that
are
idempotent
again.
I
don't
know
what
a
lot
of
the
r
types
defined
do,
so
this
might
use
some
input
from
people
with
more
dns
experience
and
then,
if
we
decide
that
the
list
needs
to
remain,
we
will
need
to
discuss
which
are
our
types
to
add.
L
G
All
right,
it
looks
like
we
have
a
alumni
benz
here
so
first
in
the
queue
is
that
course.
M
M
So
you
can
disagree
if
he
wants
to,
but
I
think
that
it's
reasonable
to
have
the
white
list
both
for
the
query,
opcode
and
the
specific
r
types,
even
if
we
end
up
allowing
most
of
the
error
types
and
then
my
second
point
was
regarding
the
description
of
the
xero
tt
data
requests
as
meaning
to
be
item
potent.
I
think
it's
actually
a
little
bit
stronger
condition
than
that.
Because
item
potent
we
usually
think
of
as
just
sort
of
relating
to
the
same
query,
being
reordered
or
reapplied
with
itself.
M
But
I
think
we
actually
need
a
stronger
criterion
that
the
query
has
the
same
results
and
the
same
side
effect
when
reordered
with
other
queries.
That
might
be
happening
or
other
events
that
might
be
happening
on
the
server,
which
doesn't
necessarily
seem
like
a
problem
off
the
top
of
my
head.
But
I
just
wanted
to
point
out
that
it
is
a
stronger
condition.
We
have
to
consider.
L
Okay,
yeah,
that
makes
sense,
I'm
not
quite
sure
what
the
language
in
the
draft
is
right
now,
so
if
it
needs
to
be
clarified,
I'm
happy
to
do
that.
M
L
L
C
Yes,
well,
it's
it's
interesting
to
ask,
but
I
think
that
it
misses
one
of
the
points
that
dkg
has
been
making
about
replaying
of
zero
rtt.
The
problem
of
replaying.
The
rtt
is
that
if
a
client
sends
a
request
in
zero
rtt,
an
adversary
can
copy
that
and
repeat
it
and
look
at
the
side
effects
of
that
request
at
the
server,
for
example,
does
the
request
triggers
a
query
from
the
server
to
a
specific
name
server
on
the
other
side?
C
And
I
I
am
not
sure
I
didn't
see
that
in
alessandro's
presentation
I
didn't
see
this
issue
of
side
effects
and
how
side
effects
can
be
privacy
leaks.
I
think
that
should
be
discussed
and
the
best
way
would
be
to
go
to
dkg's
original
analysis
and
incorporate
it.
C
L
Right
so
to
to
the
point
of
dkg's
analysis,
the
draft
already
includes
some
security
considerations
around
at
least
one
specific
attack
that
was
identified
in
a
discussion
from
I
think
was
a
year
ago
or
a
couple
years
ago,
from
the
discussion
with
the
dkg,
and
it
might
be
that
we
also
need
to
add
something
around,
for
example,
caching,
but
yeah.
I
I'm
happy
to
to
add
some
language
there
or
accept
pr's
to
to
add
that.
G
Thanks
alessandra,
you
know
much
like
the
the
first
draft
tim
and
I
are
going
to
craft
a
call
for
adoption
and
we
encourage
everyone
to
voice
their
opinion
of
support
or
disagreement
with
taking
on
this
kind
of
work.
So
right
before
we
move
on
to
our
third
presentation
from
daniel.
I
just
want
to
encourage
everybody
who
has
not
signed
a
blue
sheet
to
go
to
the
ether
pad
and
sign
the
blue
sheet.
N
N
So
the
motivation
for
these
mechanisms
is
that
currently
filtering
policies
implemented
by
the
resolver
seems
an
important
things
to
know
in
order
to
proceed
to
a
potential
selection
of
a
resolver.
N
Currently
filtering
is
a
is
clearly
associated
to
parental
control
and
it's
being
performed
through
a
cannery
domain,
and
so
the
main
motivation
for
this
presentation
and
document
is
to
have
a
standard
mechanism
so
that
we
can
have
an
explicit
announcement
from
from
a
resolver
to
a
client
to
say
the
filtering
policy,
I'm
implementing,
as
well
as
a
standardized
mechanism
for
a
client
to
request
a
resolver
which
are
the
filtering
policies
and
posts
next
slide.
N
So
because
either
the
resolver
should
be
able
to
inform
the
dns
client
and
the
dns
client
should
be
able
to
request
a
resolver.
We
get
two
kind
of
different
mechanisms,
so
one
that's
where
the
resolver
can
inform
the
dns
client
and
another
one
when
the
dns
client
in
relation
with
the
resolver
can
request,
which
are
the
filtering
policy
put
in
place
next
slide.
N
So
communications
between
a
dns,
client
and
a
resolver
have
already
some
history
and
in
our
case
we
are
largely
inspired
by
the
communication
of
a
trust
anchor.
So
it's
somehow
different,
so
we're
using
an
ed
and
s0,
as
well
as
a
specific
dns
square.
Next
slide.
N
N
N
N
So
here
is
basically
how
the
data
is
is
built.
So
it's
it's
built.
We
basically
defined
some
some
filtering
categories
and
the
full
filtering
policies
is
an
aggregation
of
those
filtering
policies
which
assumes
that
in
this
case
it's
an
addition
of
all
of
those
I
mean
the
the
names,
so
the
names
of
the
filtering
policies
are
not,
I
mean,
have
to
be
standard
defined
through
the
aina.
Only
provided.
N
So
when
you
advertise
those,
I
mean
this
data
is
being
carried
through
edna
series
options
next
slide
and
when
the
dns
resolver
wants
to
actually
check
which
policies
are
being
enforced
by
the
resolver,
so
he
sends
a
specific
request.
N
Some
point
of
discussions-
probably
so
I
mean
that's
worth
being
mentioned-
edna
zero
is-
is
not
protected
via
dns
sec,
so
it
might
be
considered.
So
when
the
server
is
advertising
the
filtering
policies-
and
in
this
case
using
this
mechanism,
we
will
not
be
able
to
protect
that
using
the
nsx.
N
Why,
when
the
client
is
requesting
that
dnse
can
be
used-
and
there
is
also
the
case
of
when
I
have
a
resolver
that
is
depending
on
different
upstream
resolvers,
so
probably
all
these
filtering
policies
should
be
aggregated
and
it
to
the
dns
client.
N
Other
things
is
that
such
mechanisms
might
assume
that
we
have
one
policy
per
fqdn,
so
per
resolver,
which
is
a
little
bit
different
from
a
situation
where
different
policies
are
made
available
by
one
resolver
to
a
dns
client.
So
this
is
one
aspect
of
it
and
maybe
an
another
consideration.
Is
that
whether
we
should
support
different
characteristics
of
the
filtering
policies,
or
should
we
only
advertise?
G
Looks
like
we
got
a
couple
of
questions.
First
up
is.
O
Alex
thanks
for
the
presentation,
I
think
it's
it's
actually
an
interesting
idea.
I
see
actually
two
problems
with
that.
One
thing
is
with
the
with
the
table
of
the
possible
filtering
descriptions.
I
mean
illegal
caused
me
to
cringe
a
little
bit,
because
illegal
depends
on
the
on
the
jurisdiction.
O
Is
that
the
jurisdiction
of
the
server
is
that
the
jurisdiction
of
the
client
so
there's
all
kind
of
complications
to
that
to
the
very
table.
So
I
think
that
table
is
really
opening
the
can
of
worms.
I
I
don't
have
a
suggestion
how
to
improve
that,
though,
so
I
think
the
question
is
also.
Do
we
want
to
have
a
really
specific
indication
of
which
what
what
each
category
means
or
do
we
have
like
a
rough
indication
of
what
category
is
the
name
server
is
attacking
and
the
second
one
is.
O
O
So
I
don't
have
a
solution
to
that
at
the
moment,
but
I
don't
think
it's
very
elegant,
particularly
because
of
the
reverse,
resolving
of
the
resolver
name,
and
then
you
need
to
identify
what
is
actually
the
domain
name
of
the
resolver.
Do
we
want
to
apply
the
the
public
suffix
list
to
that
name?
After
we
have
reversed,
look
up,
looked
looked
up
and
so
on
and
forth.
So
so
these
are
the
two
things
that
I
think
we
need
more
work
on.
N
Okay,
so
well,
thank
you
for
the
suggestion.
N
Yes,
so
I
I
agree
with
you
that
if
we
have
to
define
some
categories,
we
might
go
into
unnecessary
debates
so
yeah,
so
that
this
is
actually
something
I'd
like
to
and
to
to
know
whether
people
are
more
in
favor
of
having
some
of
those
categories
or
none
of
those
we
may
simply
add
filtering
is
present,
I'm
funny
the
ways.
F
N
So
that's
it's
some
something
that
needs
to
be
discussed
and
agreed.
I
don't
have
a
strong
feeling
going
into
one
or
the
other
directions
either
also,
regarding
the
other
one.
N
Having
a
special
domain
name,
so
what
I
came
to
also
is,
if
only
the
problem
could
is,
is
due
to
the
reverse
resolution.
We
could
also
agree,
maybe
on
on
a
very
special
name,
like
we
have
unspecified
name
like
a
home.harper
that
are
not
valid
outside
the
home
network,
so
we
could
have
maybe
similar
names
that
won't
be
valid
outside
the
end
resolver.
N
So
maybe
we
can
come
with
those
things,
but
so
what
I
don't
know
is
that
is
that
the
pro
problem
due
to
the
reverse
resolution-
or
you
don't
want
this
to
be
addressed
through
a
dns
exchange.
O
O
Old
name
or
whatever,
okay.
O
N
Okay,
yeah.
Okay,
so
I
see
your
point.
Another
thing
that
was
also
being
mentioned
is
that
if
we
have
a
service
I
mean
a
resolver
discovery
protocol.
It's
also
something
you
could
learn
this
way.
For
example,
if
you
using
svcb
record,
you
could
have
that
as
an
a
key,
a
key
parameter,
a
key
value
that
specified
those
data
also,
so
that's
another
way
to
to
discover
that
which
is
complementary
to
the
mechanism
described
here.
I
think
so.
Thank
you.
Maybe
we
can
go
next
unless
you
have
something
to
add.
G
Thank
you
all
right.
Next,
in
the
queue
is
erica
scorla.
D
Hi
hi
daniel,
so
I
guess
my
question
is:
do
you
know
of
anyone
who
wants
to
consume
this
information
in
this
form?
Do
you
know,
do
you
know,
do
you
do
you
know
any
client
which
wants
to
consume
this
information.
N
So
one
of
those
client
could
be
the
client
using
the
the
canary
domain.
D
Yeah
so
yeah,
I
guess
my
question
is:
if
you
talk
to
anybody
who's,
doing
one
of
the
canary
domains
and
wants
to
do
this
so.
D
N
Yeah,
that's
so
that's
why
I'm
waiting
for
your
comment.
Oh.
D
Okay
yeah,
so
I
mean
so.
It
seems
to
me
that
there
are
two
things
that
make
this
proposal
not
like
super
awesome.
For
me,
the
first
is
that
having
it
stuffed
in
like
easy
and
s0
means
that
I
have
to
go
figure
out
whether
like
the
operating
system,
resolver
will.
Let
me
get
this
information
and
the
nice
thing
about
the
canary
domain,
or
something
like
it
is
that
I
can
like
guarantee.
D
Do
it
with,
like
the
queries
that
I
can
actually
make
out
of
the
operating
system,
resolver
for
basically
any
operating
system,
and
that's
like
a
pretty
hard
requirement,
because
if
on
my
my
own
resolver
pretty
much,
it
has
to
be
the
case
that,
if
you
can't
like
get
this
information
by
doing
like
get
adder
or
some
other
thing,
that
every
other
system
has
it's
like
kind
of
a
nonstartup
for
me.
The
second
is
that
this
sort
of
detailed
information
about
what
kind
of
filtering
policy
seems
to
create
like
a
lot
of
confusion.
D
Ambiguity
doesn't
actually
help
me
very
much,
because
the
only
thing
I'm
really
interested
in
and.
D
Is
their
policy
enforcement
on
this
resolver
or
not
because,
like
it's
just
too
hard
to
explain
to
the
user?
Well,
here
is
like
some
like
kind
of.
Maybe
you
set
up
for
policies
which
you
have
to
like
you
know.
Somehow
maybe
you
want
this.
Maybe
you
don't.
N
Okay,
so
let
me
rephrase
that
so
I
mean
I
I
heard
some
cut
during
the
response.
So
you
don't
do
you
don't
think
have
filtering
policies
is
a
good
thing.
It's
more
confusing
than
anything
else.
D
Mind
that,
like
what
firefox
does
now
when
it
says
they
can
hear
to
me,
it's
just
silently
disabled,
you
know,
we've
talked
about
having
it
be.
Like
you
know,
we've
been
told
to
disable
dough,
because
we
you
we
disable
like
flagging
into
the
user,
but,
like
I
just
don't
think
we've
liked
the
user.
It's
been.
It's
been
flagged
because
of
like
these
three
different
filtering
policies
but
defensively
your
network
enforces.
N
Okay,
that's
fine,
and
the
other
point
is
that
edna
zero
is
that
I
mean
you,
you
don't
like,
because,
because
of
middle
blocks
that
could
strip
the
daniel
zero.
D
No,
I
is,
will
the
operating
system
resolver
interface?
Let
me
get
it
okay
like
basically.
Basically
I
understand
that,
like
firefox
does
not
have
its
own
doe
53
resolver,
it
just
uses
the
it
just
uses
the
you
know
the
operating
system
resolver,
I
think
chrome-
has
his
own
deal,
53
resolver,
but
not
everybody
does,
and
so
in
that
case
you
want,
you
want
to
be
able
to
do
something.
You
can
do
an
operating
system
call
rather
than
rather
than
be
something
you
have
to
say.
N
N
Okay
right,
so,
if,
if
at
least
on
one
operating
system,
if
you
can't
have
access
to
data
information,
it's
I
mean
you,
you
won't
be
able
to
use
that.
So
that's
correct,
in
which
case
you
I
mean
so.
Would
you
suggest
that
we
only
focus
on
a
client
requesting
and
not
the
ed
nets
options.
D
D
N
Okay,
thank
you,
yeah,
I'm
fine
to
implement.
I
mean
to
update
the
document
with
your
inputs.
Well
yeah,
so
yeah,
I'm
fine
with
that.
I
mean
it
makes
sense
to
me.
H
Hello,
yes,
chris,
so
I
can
see
that
the
idea
of
learning
filtering
policies
is
useful.
H
So
when
I
work
into
a
hotel
and
connect
to
the
wi-fi,
it
may
be
useful
to
learn
what's
happening
in
that
resolver.
So
my
question
is:
could
you
clarify
how
you
see
this
relating
to
add?
Because
I
think
you
said
it
was
complementary
and,
to
my
mind,
add
is
charged
with
solving
the
problem
of
how
you
discover
which
results
are
available
and
and
selecting
from
them
and
as
part
of
the
selection
process.
You
might
want
to
learn
these
filtering
policies.
N
Yeah,
it's
it's
a
it's
a
good
question.
I
think
at
that
point,
so
I
mean
the
same
information
could
be
disclosed
through
a
specific
discovery.
Protocol.
N
N
N
It's
a
it's
a
different
way
to
discover
that
I
would
tend
to
say,
but
I
mean
suppose
we
have
a
lot
of
different.
N
Things
to
to
discover
we,
we
won't
be
able
to
add
those
all
those
all
those
keys
to
svc
svcb
record,
for
example.
N
G
All
right
next
in
the
queue
is
victoria.
K
K
It
will
to
be
more
newest
than
that
than
what
you
have
now,
but
then
I
too
complex
for
basically
being
useful.
So
perhaps
this
should
be
done
in
two
steps.
So,
first
maybe
we
should
agree
on
the
functional
requirements
so
which
kind
of
information
we
need
to
communicate
and
then
start
by
shedding
on
how
do
you
fit
this
data
into
a
dns
communication?
K
And
finally
I
mean
I
also
had
this
this
issue
about.
Where
does
this
fit
better?
If
it's
more
like
idd
draft,
I
mean,
I
know
that
there's
another
draft
there.
That
already
does
something
like
this.
I
think-
and
this
looks
more
like
I
mean
fit
in
the
second
point
in
the
led
chart,
so
I
don't
have
any
strong
view
and
fine
with
whatever,
but
at
least
we
should
make
sure
that
all
the
work
related
to
these
kind
of
things
goes
into
a
specific
working
group.
N
Okay,
so
yeah
so
I
mean
depending.
N
So
I
I
well
given
all
the
feedback.
I
I
think
everyone
agrees
that
we
should
not
have
a
detailed
filtering
policy
so
that
my
first
conclusion
of
all
the
things
that
come
I've
received
and
I'm
fine
with
that
now
related.
To
the
I
mean
the
relations
between
add,
I
mean
this
work,
I
mean
if
this
work
could
have
been
hosted
in
add
I
agree
it
could
have
been
host.
N
I
mean
on
my
point
of
view
it
could
have
been
hosted,
but
we
discussed
with
the
chair
and
the
add
chair
said
deprived
is
more
appropriate
for
that.
N
Could
it
be
discovered
through
a
discovery
protocol
provided
in
add
my
answer
is
yes,
we
can
still
have
a
svc
key
parameters,
saying
filtering
true
or
not,
and
that
could
be
advertised,
but
so
it's
a
different
way
to
advertise
a
parameter
outside
a
service
discovery
protocol.
N
I
N
I
don't
think
it's
a
conflictual
at
that
point,
but
it's
yeah.
We
should
not
have
a
overlaps
or
if
we
think
it's
a
conflictual.
F
F
F
Another
reason
that
I
think
we
need
to
be
combining
it
is
because
I
do
not
want
us
to
end
up
with
a
separate
discovery
mechanism
for
every
aspect
of
metadata
about
the
user's
resolver
resolution
path.
We
need
a
unified
metadata
scheme,
so
we
can't
invent
information,
discovery
mechanisms
for
each
piece
of
information,
we'd
like
to
learn.
We
need
a
general
information,
discovery
mechanism
and,
lastly,
on
the
particular
kind
of
information
that
is
proposed
to
be
discovered
here.
F
I
want
to
point
out
that,
in
my
view,
this
is
an
evil
bit,
which
is
to
say
that
it
is
a
a
claim
made
by
one
party
in
the
protocol
that
the
other
party
is
somehow
being
expected
to
use
but
cannot
verify,
and
that
actually
makes
it
very
different
from
the
canary
domain,
where
the
thing
that
the
client
checks
is
it
measures
a
behavior
of
its
resolver
and
so
in
effect,
it
verifies
the
property
that
it
is
attempting
to
measure.
N
So
the
first
comment.
N
Whether
it
should
be
only
well,
I
understand
that
the
first
comment
is
that
we
should
not
have
a
specific
discovery
mechanisms
outside
the
resolver
discovery
mechanisms.
So
I
don't
know
if
it's.
If
it's
it's
a
valid
comment,
if
people
agree
this
way,
I'm
fine
with
that.
N
It's
not
obvious
that
every
everyone
is
going
to
configure
and
to
adhere
to
the
discovery
mechanisms.
Also,
so
that's
the
thing
I'd
like
to
nuance,
and
this
is
a
something
that
could
be
immediately
actionable.
It
could
I
mean-
and
we
have
all
the
things
like
for
exa
if
you
want
to
know
which
ksk
is
being
used
by
the
resolver.
N
Is
that
something
that
should
be
discovered
by
the
dns
client,
or
should
it
be
advertised
to
generate
resolver
discovery
protocol?
So
I'm
not
sure
that
I
I
do
somehow
share
your
point,
but
I'm
not
sure
it's
we
could.
We
can
have
a
single
mechanism
for
everything
so.
F
In
case
that
wasn't
clear,
this
is
ben
schwartz.
I
just
want
to
clarify
that.
I'm
not
saying
that
this
all
needs
to
be
rolled
into
the
mechanism
by
which
you
learn
of
the
existence
of
a
resolver,
but
rather
that
all
of
the
metadata
about
a
resolver
that
you
might
want
to
know
should
be
discovered
through
a
single
mechanism
other
or
at
least
a
unified
framework.
Otherwise
we
end
up
with
a
a
novel
metadata
discovery
mechanism
for
every
piece
of
metadata
that
we
intend
to
learn.
N
Okay,
so
just
to
clarify
you
would
like
underscore
metadata
so
that
we
got
all
of
those
data
meter
instead
of
having
underscore
metadata
one
underscore
metadata
two
and
so
on.
F
Yeah
so
in
particular,
the
dns
op
working
group
already
has
an
adopted
draft
called
the
resolver
info,
rr
type
res
info,
which
proposes
a
unified
framework
for
learning
metadata
about
a
resolver.
F
I
don't
know
that
that
draft
is
the
final
perfect
answer
to
this
problem,
but
that's
the
architecture
that
I
think
we
should
be
aiming
for.
N
I,
if
you
could
point
this
exact
draft,
it
would
be
helpful,
but
this
is
also
something
I
thought
that
that
if
we
defined
something
it
could
be
extended
to,
it
should
not
be
only
about
filtering
services
which
could
be
extended
to
other
future.
N
Functionalities,
so
I
agree
with
that
now
I
I
think
you
mentioned
that
you
you
wanted
this
to
be
part
of
add
instead
of
this
deprived.
N
I
I
mean
to
me:
I'm
I
I
don't
care
which
working
group
it
is.
It
has
been
decided,
it
has
been
deprived.
I
mean
it
was
mostly
the
add
chairs
that
prefer
this
to
be
hosted
by
deprived.
So
I
mean
for
me,
I'm
equal
regarding
the
whether
it's
being
hosted.
L
N
It's
I
can,
but
so
well.
The
thing
is
what
I'd
like
to
clarify.
N
Is
I'm
fine
sending
that
to
add,
but
I
mean
do
we
think
it
has
no
places
no
working
group
or
do
we
think
add,
is
the
right
place.
G
So
daniel,
I
think
the
the
right
answer
here
is,
is,
I
think,
first
of
all
to
go
off
and
and
maybe
take
a
look
at
what
that
dns
opt
resolver
info
draft
says
and
whether
or
not
you
could
actually
incorporate
the
information
that
you
have
in
your
document
into
that
framework.
G
B
Brian,
this
is
barry
liba
responsible
ad
for
add,
remember
the
add,
has
a
very
tight
tightly
scoped
charter
right
now
and
that
I've,
given
the
I've,
asked
that
the
chairs
to
be
very
selective
about
what
they
accept
to
start
off
small.
It
may
be
daniel
that
what
you're
proposing
makes
sense
to
go
into
add
later,
and
it
may
just
make
sense
that
right
now
we
need
to
hold
off,
but
ryan's
suggestion
is
the
way
to
approach
it
right
now.
A
A
Ben
said
that
I
think
we
really
need
to
take
forward
is
we
need
a
common
framework,
a
unifying
metadata
framework,
and
I
think
that
you
know
a
lot
of
the
the
drafts
that
I
see
like
this
are
very
interesting,
but
they
all
have
their
own
way
of
sort
of
solving
the
same
problem
and-
and
I
think
pune
and
paul
have
a
draft
that
if
you
take
a
look
at
it,
hopefully
can
fit.
You
know
what
you're
doing
or
maybe
it
can
be
extended
right.
N
G
Move
on
to
the
cue
eric
klein
is.
C
G
G
All
right
we'll
see
if
he
can
circle
back
around
next
up,
is
benno
all
right.
Query.
E
From
the
jabber
room
question,
so
one
of
the
questions
was
already
answered
in
the
previous
discussion,
so
one
still
open
is:
why
do
you
use
of?
Can
you
use
also
a
bit
mask
instead
of
a
single
number
for
the
filtering
policies?
E
N
Yeah
so
well,
if
we
remove
the
filtering
policies,
we
don't
have
to
think.
N
Otherwise,
how
to
do
that,
but
yeah,
I
agree
it
could
have
been
implemented
with
a
bit
mask
thanks.
I
Because
I
think
that's
also
very
well
made
and
my
question
to
you
daniel,
is:
why
did
you
choose
to
go
from
a
dns
option
rather
than
a
dedicated
resource
circuit
type?
Would
that
not
be
a
better
option
all
around
assuming
this
needs
to
move
forward?
Maybe
that
results
I
could
type
might
be
the
best
info
thing.
N
So
the
question
to
why
did
I
use
the
edna
zero?
It's
well?
It
was
mostly
because
I
I
saw
that
a
lot
of
information
were
provided
through
edna
zero
option.
It's
not
that
I'm!
I
was
not
open
to
any
other
things.
I
I
thought
that
I
mean
we
had
already
experienced
in
that
field,
so
I
wanted
to
benefit
from
this
experience,
but
I'm
happy
to
to
take
other
means
more
appropriate.
I
G
Okay,
so
I
think
that's
it
for
this
queue
and
oh,
is
eric
back.
Q
Q
I
think
most
of
the
things
I
wanted
to
say
others
said
more
eloquently.
Q
I
just
wanted
to
also
note
that
I
I
I'm
a
little
skeptical
of
the
ultimate
usefulness
of
some
of
all
of
this,
because
I
think
we
could
easily
end
up
in
a
lot
of
different
scenarios,
one
of
which
is
where
all
resolvers
announce
that
they
do
filtering,
because
all
resolvers
and
all
clients
are
in
some
jurisdiction
somewhere
and
just
by
virtue
of
being
in
a
jurisdiction.
Q
Also
things
like
you
know:
if
somebody
passes
a
law
about
their
their
their
their
filtering
policies
apply
to
their
citizens
wherever
they
travel
throughout
the
world,
then
you
need
to
know
the
citizenship
of
the
person
who's,
making
the
query
or
who
owns
the
device.
N
So
I
do
understand,
there
are
two
things:
some
some
filter
I
mean,
and
it's
a
it
really
depends
what
we
want
to
advertise
or
the
meeting
the
meaning
of
that
bit
or
maybe
value
we
want
to
advertise.
N
But
it
it's
true
that
legal
enforcement
force
you
to
implement
some
kind
of
filtering
and
those
depends
to
the
generations.
The
resolver
is,
but
it's
it's
not
the
same
type
of
filtering
that
we
expect
for
when
we
subscribe
to
filtering
mechanisms
based
on
anti-malware,
deception,
detection
or
filtering
ideal
content,
so
yeah
so.
Q
N
N
So
it's
yeah,
it
really
depends
what
you
I
mean.
What
I
meant
meant
by
illegal
is
a
content
that
are
not
that
are
illegal,
but
initial
directions,
but
I
mean
the
words
behind
them.
N
I
mean
I,
I
I
mostly
wanted
to
express
some
different
ways
to
do
filtering
and
whether
it
might
be
useful
to
to
have
those
different
categories,
but
my
understanding
is
that
it
it's
not.
It's
not
useful
to
go
into
the
details.
So
having
a
single
bit
saying
we
do
filtering
and
in
which
case
it's
going
to
be
filtering
being
performed
by
the
resolver.
In
addition
to
what
is
jude
prediction
is
asking
to
do.
G
All
right,
thank
you,
daniel.
I
think
that
wraps
everything
up
for
for
this
session.
So
even
though
I
said
we
were,
I
thought
we
were
going
to
end
early.
We
are
basically
ending
on
time.
The
the
two
call
for
adoptions
are
out
on
the
mailing
list,
one
for
the
dns
over
quick
and
one
for
the
early
data
track.
G
So
please
voice
your
opinions
there
on
on
those
two
calls.
One
final
reminder
for
everyone
to
go
sign
the
blue
sheet.
The
link
is
both
in
the
jab
arrow
and
in
either
in
the
webex
chat.