From YouTube: Ambient WG meeting 2023 04 12
B
I, ideally DNS is secure and we don't have to deal with DNS, and, and there are APIs there. What kind of, you know, there is external DNS projects that synchronizes services to the real DNS. They're all kind of, we're not in the business of program, of defining EPS for DNS. I think accidentally with service entry we kind of are, but that's something that we can address to other means too.
A
What I was really getting at was like, so if the platform is providing DNS, then that's a separate thing altogether, right? That that's like, I think what we need to define here is, if you enable like ambient mesh's DNS, this is what we do. Otherwise, you know, the platform can do whatever the platform does, right, and we we don't want to define that, that's that's up to the platform.
B
A
It's wonderful! Well, it's it's more than that, though, right? Like it's, it's yes, security, but also, you know, like maybe the platform doesn't connect all the Kubernetes clusters or doesn't doesn't provide VM access or or, you know, we're we're meshifying things too, right. So, you know, potentially that meshification could be done by the platform as well. Right, like maybe like Cloud DNS just knows all the things, and so so all that's just done for you and and they've they've got security too, right, so built in.
A
So we can just turn us off, turn our DNS off and just use theirs, potentially, right. So so that's that's why I'm trying to like separate these two, maybe deployment models, like ztunnel and ambient mesh. They do this one very specific thing, but you can always disable that and use the platform, but we're not going to dictate what the platform does or how it works or that it uses XDS or anything like that. Right, yeah.
B
And it's not a bad choice to say it's, hey, platforms, when we we rely on the platform but and and the security provided by the platform, and if you don't have a platform, I mean if you are on prem or you don't have a secure DNS and then then we, that's that's the only case. Then we can delay it. We don't have to do it now.
A
I I'm just wondering, I wasn't following all the the text on the side there, I don't know. Is anyone making a a more subtle point about like options within Istio DNS or is it just on or off?
C
B
B
E
B
Yeah and so recently we start the discussion in GAMMA about extending MCS service exported custom domain names and what kind of discussion, I mean, John probably can talk more about it, but that would be, you know, synchronizing service entry into into a into some APIs where we can interact with the platform. DNS will be ideal level.
C
A
Okay, so the the only, sounds like the the main point of discussion is the deployment then, whether it's CNI, whether it's built in Disney Channel, all that, is that is that right, constant? Yeah.
B
And I, actually I don't think it should be. Is that CNI DaemonSet, because super high permissions and that's not to the right place. I think thinking CNI chart because, you know, I consider DNS to be a platform feature and CNI is kind of an extension of the platform CNI, which should provide DNS too, and if it's replaced by by a vendor like Cilium or someone else, they would probably provide both DNS and network security in the same package.
B
That's what I was saying, but not necessarily in the same, just as a daemon, DaemonSet running Istio agent really, but I'm okay, everyone wants to put it in in, you know. In.
D
C
B
C
B
Mean we are, I think, going too far, I mean why not assembly, and you know it's, I mean it's.
C
Not the fact that it's written in Rust, by the way, it's that we have one implementation, right. If you have two containers, and we have two images that we have to pull, they're each binary is like 50 megabytes. If you're using the agent, they have two separate XDS streams. They're out of sync, like we have overlapping data requested, there's more load on the control plane to serve that, like, etc. It's, is it that high of the concert? It's not the end of the world.
A
Yeah, I think I think that's, I agree with both points. To be honest, I mean John, I agree with what you're saying, but but to Constance point, I like, yeah, like if, if maybe people use it for a little while and then they just realize, oh the, you know, why, why are we doing this? Let's just use the platform.
A
G
A
Yeah, again, I I think I was conflating two things all over again, like the the the what we offer for ztunnel and, hey, if you want to use the platform, just use the platform. So so I'm wondering if, like, what we're trying to spec out here should really just be the thing we implement in ztunnel, like whether whether or not it ends up actually being part of, like, the Rust code or ends up being some kind of patched together thing with another whole process.
A
I.e. Istio agent, like we can work out those details, but but I think fundamentally it's the same thing, right, even if even if they're, it's really two processes. So so, if that's, you know, I mean that could be the thing that we say: this is, this is going to be ambient DNS. If you don't want to use it, don't use it. You know, we'll we'll just take DNS from the platform.
A
Otherwise we need to have that discussion of like exactly how do we, and and why do we, do we want to separate it out. If, if we're, if I mean, if the goal is to, of separating it out is to say this, this is actually part of the the network infrastructure, and this is part of ztunnel, you know, to separate those two things out, then, then, why are we doing the network infrastructure stuff, right? You know, I I don't know, it's it's.
A
If those are two different teams, then we should only be doing, you know, the, you know, the mesh stuff that that sits on top. I don't know, does any of that make sense or or am I just muddling things further?
G
A
E
Kevin can speak to some of this because he has opinions, but I think we're sort of aligned in that we, like, the sidecar thing seems simplest versus another DaemonSet. I do agree that Istio DNS is kind of heavy, right, and has its own workload, API and state and crap like that that we made. It might be a good impetus to, like, maybe make it easier to just use the DNS component and maybe ignore some of that other stuff, right. That might be.
E
It might be a good push to do that generally, but yeah, I do agree. That's a concern, though, but I think it's also something you could do with the short term, pretty simply, and see how it goes, and I do believe that generally we want people to use the platform unless their platform is just not capable of doing what they need to do.
A
Yeah yeah, I I agree with that too. I think separating it, the DNS, clearly as a feature throughout the whole, you know, product would probably be a good thing. I'm not sure how much work that would take for, or what exactly needs to be done there. But it's, I mean, I generally agree with the the thought there, yeah.
E
And like even if we, again, I kind of don't want to write a DNS augmentation in Rust and and put it in Zito, right, if the outcome of that is like, oh, we need to separate the DNS stuff and it's like a standalone Rust process, and we maybe put it at next Tuesday, that's whatever, we could. I don't care about that, but, like, I don't want, I want ztunnel to be ignorant of doing this as that process should not care, is my initial thought anyway, keep.
C
In mind, when we say DNS implementation, we're not talking about low-level implementations, right, like the the Go based one we have is about 60 lines, right. You just process a DNS request and if we know, we respond with the record, and if we don't, we forward it. So it's fairly straightforward. Like in my mind, ztunnel already has all the infrastructure, they capture users traffic and get it to ztunnel.
C
We already have all the data we need to serve DNS because we're already getting it for XDS for other reasons, and it's already deployed in a manner that it's highly available, scaled up for increasing load, etc., that's already suitable to be on the data path. So to me it feels very logical to put it there.
F
Okay, so it sounds like there's, there's really only a maintenance concern, right, about putting it in ztunnel or not, and if the maintenance concern could be Mass yeah, then it's probably reasonable. It's preferable generally to have a single deployable unit and a single testable unit then type multiple. It.
F
D
B
F
C
A
Well, I I would even, I would even say, like maybe, you know, it should be an optional component, so you can build with or without this thing, right, I mean. That's, that's a nice feature of Rust.
F
C
C
What's up, it looked like, I don't know, Nate, you and I think I did but then forgot, explored the libraries out there and it was a pretty good one. That's backed by a bunch of people that have a lot of money, like Google and, I forget who else. What's a proximo, proximos, there's some company that kind of is backing a lot of these security networking things.
A
Also is like the, I don't think it's a company, I think it's like a, an overarching effort that is being collaborated on to build out a bunch of things, including the DNS proxy. I don't, I I think it's like Trust-DNS or something, I think, is the name of it. Yeah.
C
B
Once you want to clarify here, you know, I think you you mentioned in the, in the past, in in Istio DNS. Normally today we have this split horizon mode where, where, depending on who's asking, you may get different answer, because it's purple, and I I I think we are agreeing that if we put it in in ztunnel, then we are not going to have this functionality. It will be honest. You know, one DNS to answer all, not no, no overrides or.
G
Yeah, I remember a few weeks ago I think there was an issue that discussed in this meeting, right, about getting consistent resolution, regardless which cluster you are in. I think there is a flag somebody is proposing to change their behavior. What's this related to their costume.
B
No, no, it is basically if you are in namespace one and you have a destination rule and some servicing, you know, import, export, whatever, with service entries, and a different namespace, same name, you have different combination. You will get different responses to DNS lookup if you use this to your DNS, but with ztunnel, we both are the same node, you'll get exactly one answer and it will. But that's again part of the sanitization of of this API surface, yeah.
G
That makes sense, because ztunnel handles more than one workloads, right, for all the co-located parts, yeah. So it doesn't necessarily know the differences between the different namespaces, yeah. It.
A
Does the, I I forget, the API between the Istio agent and the control plane, is our our hosts and and their endpoints loaded lazily?
C
A
G
C
We can implement the same thing with the workload API, not the one that we have today, because we don't have those names actually, but I don't know if you've seen, we have kind of the next steps for that API and I believe that everything in there should meet the needs. The only thing that I think might be, I'm pretty sure we can figure it out and we've just made me a slight tweak, is that in Kubernetes you can resolve like the full name or like the name.
D
C
Namespace, like there's all the variants, so I think, I know we have some support for that in the current DNS API, but I think we can do it, but we have so.
A
So, just to be clear, you're you're saying that it wouldn't be hard to implement kind of like an on-demand approach to DNS, so so that we wouldn't have to basically download the entire mesh.
C
B
C
C
G
So we used to have it in the ztunnel. I think the discussion has been, there are two ways, right: one is as a sidecar, as a standalone. Is your DNS container and running as a psychology, Channel, and I think later on the discussion has shifted to, why are we not implementing that functionality in Rust, so it will be part of ztunnel and within the same process and within the same container? Is that.
A
Cool, so I I assume this came up because of a kind of a preliminary retirement stock, I put together and shared with John and Costen just to get some early feedback. I'll I'll kind of update that, based on this conversation, and maybe we can just present that next week or next time.
B
Just no clarification, I don't know if my point about the MDS replacement is clear to to everyone.
B
So we discussed many, some time ago, we discussed about ztunnel exposing some API to, for workloads to find out the period information, because the scientific need is lost and you no longer know, if you are a workload you want to find out who you are talking, you know, we don't have something and don't have the in progress PR, which I don't know what is the status, to expose this information to HTTP, but if we implement this DNS server, this allows us to expose it through the DNS protocol, either as TXT records.
B
C
Yeah, I guess so, for the peer info I think I'd like, do we want to expose arbitrary info about, like there's some security concern to exposing PTR, right, like.
B
C
One thing to say, this peer connected to me, what's their identity, which we could kind of restrict to say, you can only query things that are connected to you, and there's another, like we may want to allow it, but.
B
It could be, TXT is just kind of an example. I don't mean actual.
C
B
B
C
B
Only to local, you know, local node and.
F
F
So perhaps my earlier statement was a little strong, they probably shouldn't, but they also haven't caught up to that best practice, and it would be hard for us to be doing anything beyond that or restricting the behavior of the system beyond those expectations anyway. The question is how much information, right, the only information most people put in DNS is IP addresses and names.
B
Yeah, in GCP, for example, there is a PTR that you give an IP, you can find out the hostname for a GCP VM. I rarely use, very few people know about it, but and and in general, because there are some products where PTR requests are made, part of their application for.
B
B
B
C
C
G
C
C
F
And I know we talked about this before. Are we going to start this? Like the obvious one is some metadata server, right, API, that's node local on some reserved endpoint. I guess we could start designing that and.
C
C
Yeah, let me try and find it, but basically at a high level, it does I think what you said, like we, we already redirect all traffic, so we just match on us magic IP, and then we forward it to our HTTP server. That types over some information, I think your request to like, I forgot your request on it and.
D
B
No, I was just thinking that sometimes, you know, there's some existing applications that are actually doing this PTR lookup, displays accessible, for example, Apache or old nginx and so forth. They have a way to show the host name is access logs and it is based by doing PTR requests, because once the internet, you sometimes have it.
B
C
C
C
G
C
At the, what's it called, the application mesh day, which I don't think is official, there's like, but that's like all ambient I saw, at Istio Day, I think there's one, which is me and Christian, that's called, is ambient secure, I saw, which the answer will be yes and go into more detail about why, sorry to spoil. Day, there's a very humorous title, I think that's like ambient mesh. Just not secure, I don't know, it was really just the way they awarded it.
C
I thought was very interesting, but it's basically like an anti-ambient mesh one. If you're interested in that, I think that's it, I don't think in the main. Oh actually there's a panel, yeah, that is, I think the title's something like sidecars proxy. Those sidecar lists, like what is the future.
G
Yeah yeah, and also the Niraj has a maintain that session, right. So that's also going to talk about ambient. I believe somebody from Solo had a talk accepted right before the panel talk about developmental model for ambient.
G
C
C
F
Yeah, I'm just wondering, not so much stability, but if the people are going to go through tire kicking exercises, right, because there's now Dock and they build that will be publicly released with ztunnel in it. What are we collectively telling people to be looking at and what are we collectively telling them, don't worry, we know about that, we're going to fix it later?
C
Yeah, that's a good question, so we do explicitly tell them, I think, how to get the alpha build so that they can, yeah, actually use it. And we do say that this is alpha and don't actually use the production and etc. But we don't have a list of known issues that they should ignore, which is probably a good idea.
C
Yeah, I think one thing that could be useful as well is on, we have like a getting started with ambient mesh page on the docs now, and maybe you sort of put like a survey on there or not, not necessarily on like low levels like I ran to a bug, which is probably just GitHub issue, but did you like it? Did you understand it? Does it useful, or, you know, higher level things.
H
Do this like alpha release, thingy singing note yep and basically, you can register to their beta or their alpha or something like that and.
H
H
F
Quite quite the conceptual solid, which is not what we're doing so, but we do want to gather some feedback, so like we can tell people to go to Slack, but that's probably too, right, what questions would we like them to answer, like, do we want to compare them, to compare it with their existing Istio setup, for like a sample workload, and, right, right, what was there, what was their impression.
F
G
G
C
F
G
I think we're already doing that pretty much all for our blogs. We have like a get involved section which we ask them to join. Our last live Channel.
C
C
F
Yeah, I mean like if somebody really big, is this I'm trying to kick the tires with it. That's good, that's probably going to be good information coming from it. We can ask them to try things, right, like AutoTrader, right, was our our our tester of like releases for so many years. Carl did such an amazing job and it really helped the project. Somebody like that showing up on me and said: look, I tested it for my real production environment, and it here was, here's what was good and here's.
F
F
F
F
G
B
G
Oh nice, but the European KubeCon I think it's a very well attended. So on Friday I I'd expect still a good crowd.
G
A
I I think I'd have to ask Mitch, I I haven't been paying.