RIPE 81


Nathalie Trenaman
Hi everyone, I'm Nathalie from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window stating your name and affiliation. Otherwise, you can ask questions using the microphone icon.
(11:00:30)

Denesh Bhabuta
Morning all
(11:00:36)

Shane Kerr
Welcome everyone.
(11:00:40)

Vladislav Bidikov
unmute :D
(11:00:57)

Dmitry Serbulov
No sound
(11:01:09)

Hervé Clement
yes
(11:01:12)

Denesh Bhabuta
Yes
(11:01:12)

Dmitry Serbulov
Yes
(11:01:13)

Clément Cavadore
yes
(11:01:13)

Peter van Dijk
yes!
(11:01:13)

Vladislav Bidikov
Yup perfect
(11:01:13)

Will van Gulik
yep
(11:01:22)

Michael Daly
Morning... How are we all?
(11:01:32)

Aaron Hughes
yes
(11:03:20)

Vladislav Bidikov
perfectly :)
(11:03:21)

Denesh Bhabuta
Yes
(11:03:24)

Marc Groeneweg
hi all! hey, it seems to work with safari now
(11:03:39)

Denesh Bhabuta
@marc Meetecho with safari?
(11:04:03)

Oliver Payne
if it does work, great, but we can't recommend it right now because some of the WebRTC features in Safari are still experimental
(11:04:43)

Aaron Hughes
Anyone else see only a 1/2 screen shared?
(11:05:03)

Okke Timm
Firefox 81 seems to work fine
(11:05:05)

Jaap Akkerhuis
I used meetecho once with an IETF but the results were not stellar. Lots of things didn't work so I'm doing firefox now
(11:05:19)

Denesh Bhabuta
@aaron: fine for me
(11:05:19)

João Luis Silva Damas_655
see entire screen now but have had session where the window was cut off in half, yes
(11:05:29)

Marc Groeneweg
@denesh: yes (Safari 14.0 Version 14.0 (15610.1.28.1.9, 15610))
(11:05:49)

Aaron Hughes
shift-reload resolved. thx
(11:06:06)

Denesh Bhabuta
@marc: OK that is the build I have too.. it did not work yesterday when tested it.. will try again later. I also tried it on Safari on an iPad but that did not work.. audio wasn't coming through.
(11:07:34)

Tom Hill_828
Meetecho is really beginning to test my patience
(11:08:01)
"You're logged in elsewhere", no... no I'm not.
(11:08:15)

Marc Groeneweg
I had that yesterday
(11:08:18)

Tom Hill_828
Yesterday, and today
(11:08:42)

Denesh Bhabuta
@tom: that happens when you already have a session running and try and open up a new session - even on a different browser.
(11:08:47)
Well that is what happened to me.
(11:08:54)

Tom Hill_828
Denesh except that I haven't
(11:08:57)

João Luis Silva Damas_655
yes, sometimes it thinks you are connected elsewhere when in reality you closed all previous sessions
(11:09:21)

Tom Hill_828
The "trick" as I think I may have discovered, is not to have any other .ripe.net tab open (like the meeting agenda)
(11:09:21)
Yet I can open the meeting agenda after connecting to meetecho
(11:09:41)

Denesh Bhabuta
Ah!
(11:09:41)
fun fun fun with a new platform :)
(11:09:55)

Brian Nisbet
Incognito windows ftw.
(11:10:02)

Oliver Payne
thanks for this @Tom, I'll take note of that tidbit
(11:10:17)

Denesh Bhabuta
@Brian: I could not get meetecho work properly on chrome in incognito mode
(11:10:27)

Tom Hill_828
@Oliver, thank you
(11:10:32)

João Luis Silva Damas_655
well. I have the meetecho main screen, the detached chat window and I get the steno from the live broadcast with view turned off (that's 3 separate windows looking at the same info)
(11:10:42)

Ave Ozkal
That's weird
(11:10:49)

Olivier Benghozi
K-root! 🥕
(11:10:49)

Ave Ozkal
I have meeting plan and some other ripe tabs open without issues
(11:11:01)

Denesh Bhabuta
@oliver :-)
(11:11:01)

Alarig Le Lay
Telenor NO still sends queries to Stockholm :(
(11:12:12)

Gert Döring
compliments on the decision to run multiple different name server softwares
(11:13:09)

Jørgen Hovland
Alarig: Telenor doesn't have an open peering policy
(11:13:11)

Alarig Le Lay
Indeed
(11:13:22)

Marc Groeneweg
@Gert: it is a good practice
(11:13:28)

João Luis Silva Damas_655
anyone wanting to ask question using their own voice, please join the audio queue
(11:15:44)
if you just want us to read out the question then use "slido", the tab with the question mark on meetecho
(11:16:12)

Venu Gopal Kakarla
Google Chrome won't support DANE, until 1024-bit RSA (algorithm 8) records are eliminated
(11:18:31)

Peter van Dijk
Venu, but have they said they -will- support DANE after that? :)
(11:18:48)

Ondrej Caletka
Algorithm 8 does not mandate RSA key size.
(11:18:54)

Ave Ozkal
I see, thanks for the answer.
(11:19:08)

Venu Gopal Kakarla
@peter https://www.imperialviolet.org/2015/01/17/notdane.html
(11:19:12)

Gert Döring
that would certainly be a good incentive, if one of the browser vendors would *commit* to supporting DANE under some conditions
(11:19:20)

Jan Zorz
Vladislav Bidikov: I see Liman from NETNOD in participants list, why don't you talk to him directly?
(11:19:55)

Peter van Dijk
@Venu, so, no :>
(11:20:16)

Daniel Karrenberg
The root name server system consists of hundreds of servers. It is very very difficult to really analyse query rates without looking at the total picture.
(11:20:24)

Peter van Dijk
also the new SVCB/HTTPS records would make DANE in browsers even less likely I'd say
(11:20:28)

Venu Gopal Kakarla
If the majority of TLDs resign to algorithm 13 or 14, we have some hope.
(11:20:57)

Jan Zorz
@Gert: they claim that DANE is too costly regarding additional queries :(
(11:21:05)

Daniel Karrenberg
The void behind Geoff looks slightly more black than yesterday ;-)
(11:21:30)

Leo Vegoda
Is Geoff showing slides?
(11:21:47)

Andreas Wittkemper_177
in the void
(11:21:52)

Peter van Dijk
I do not see slides
(11:21:54)

Muna Hemoudi
I cannot see the slides.
(11:21:58)

Tom Hill_471
Ditto
(11:21:58)

Daniel Stirnimann
I don't see any slides?
(11:22:02)

Jan Zorz
no slides
(11:22:02)

Sebastian Wiesinger
I think we should have slides
(11:22:04)

Leo Vegoda
OK. Not just me then
(11:22:04)

Denesh Bhabuta
no slides
(11:22:11)

Matthieu Herrb
no slides either here
(11:22:16)

Christian Bretterhofer
Does anybody have a list of TLDs supporting ALG 13?
(11:22:25)

Matthias Hudobnik
indeed no slides
(11:22:33)

Kurt Baumann
the same for me
(11:22:37)

Nicolai Leymann
same here
(11:22:43)

Michael Richardson
the slides were minimized.
(11:22:51)

Okke Timm
worked yesterday fine, indeed
(11:22:51)

Aaron Hughes
Now we have slides.
(11:22:54)

Leo Vegoda
good
(11:22:57)

Pieter de Boer
yes
(11:22:57)

A.J. Wolski_503
yes
(11:22:58)

Matthieu Herrb
o/
(11:22:58)

Nicolai Leymann
Yepp
(11:22:59)

Leonardo Arena
yup
(11:22:59)

Kurt Baumann
great
(11:22:59)

Ave Ozkal
Yep
(11:22:59)

Christian Petrasch
yes
(11:23:00)

Will van Gulik
yes
(11:23:01)

Muna Hemoudi
yes!
(11:23:04)

Olivier Benghozi
o/
(11:23:05)

Michael Daly
yay!
(11:23:05)

Michael Richardson
how many experiments has Geoff done with 1-pixel images?
(11:24:45)

Tom Hill_471
"horror year" ;D
(11:24:56)

Shane Kerr
I think someone is putting together some research about Geoff's 1-pixel experiments. Probably using Google ads to deliver the test....
(11:25:19)

Michael Richardson
Enterprises/Schools probably running older software?
(11:26:19)

Tom Hill_471
Oldskool telcos, terrified of "new" software? :)
(11:27:22)
*cough*
(11:27:28)

Michael Richardson
yup.
(11:27:36)

Jan Zorz
indeed ;)
(11:27:43)

Michael Richardson
Don't upgrade during a pandemic.
(11:27:47)

João Luis Silva Damas_655
oldskool telcos just dump all their queries to external third parties, same way they run their networks
(11:27:56)

Tom Hill_471
Oooo, meow
(11:28:10)

Amelia Andersdotter
it's a bit sad though that european telcos are so inactive
(11:28:25)

João Luis Silva Damas_655
they are run by the finance people, what do you expect?
(11:28:42)

Shane Kerr
Inactive European telcos is why RIPE was created in the first place. ;-)
(11:28:45)

Willem Toorop
Google does qname min up to the 2nd level
(11:29:05)

Amelia Andersdotter
i don't think it's because they're run by finance people at all. i think it's because it's too easy for them to get granted political favours.
(11:29:23)

Olivier Benghozi
Got many complaints from customers «it doesn't work anymore»: appears that there are plenty of dns just timeouting when querying a nonexistent NS record. some stuff behind akamai, some stuff behind braindead bank sites, and so on. Therefore, as you want stuff that works -> you end by disabling it...
(11:29:32)

Amelia Andersdotter
they basically never have to do anything well since nothing can harm them
(11:29:52)

Tom Hill_471
What have I done...
(11:30:09)

Shane Kerr
The timeouts for NS queries are why all of the resolvers have switched to using A (or AAAA) records in their QNAME minimized queries.
(11:30:10)

Andrew Campling
As stated above, they probably are minimising software upgrades at the moment
(11:30:38)

Tom Hill_471
Priorities certainly have shifted on DNS
(11:31:16)
Encrypted DNS happening at the same time everyone starts working from home simultaneously, will do that.
(11:32:06)

Olivier Benghozi
shane: same thing for nonexistent records anyway (A or NS), at various stupid banking DNS infras
(11:32:10)

Shane Kerr
Olivier: That's genuinely disappointing.
(11:32:28)

Olivier Benghozi
yes
(11:32:46)
it is
(11:32:49)

Daniel Karrenberg
><><><><
(11:33:15)

Ave Ozkal
clapclapclapclap
(11:33:33)

Christian Bretterhofer
clap
(11:33:37)

Ramses Rodenburg
awesome talk - thx Geoff! :)
(11:33:37)

Markus Winkler
thank you very much! :-)
(11:33:52)

Ave Ozkal
I still love how ads are utilized to do internet measuring
(11:34:18)

Olivier Benghozi
(shane: example was secure1.entreprises.net-srv2.bnpparibas.net)
(11:34:38)

João Luis Silva Damas_655
ads are pervasive so they are good for end user testing
(11:35:18)

Michael Richardson
comments on https://datatracker.ietf.org/doc/dr…-opsawg-mud-iot-dns-considerations/ would be appreciated, if you care about IoT devices and DNS.
(11:42:28)

Tom Hill_471
@Geoff - thank you, insightful as usual.
(11:43:18)

john bond
plug: We are experimenting with DoH at wikimedia, public tracking task is available https://phabricator.wikimedia.org/T252132
(11:44:46)

Shane Kerr
@john bond: I'd be more interested in DNSSEC for wikimedia sites. ;-)
(11:46:37)

João Luis Silva Damas_655
@john bond you are writing your own resolver? really?
(11:47:00)

john bond
@shane https://phabricator.wikimedia.org/T26413
(11:47:11)

Peter van Dijk
Joao, all I see is puppet templates for dnsdist+pdns-recursor
(11:48:42)

john bond
peter yes exactly was just trying to find a link https://github.com/wikimedia/puppet…ules/profile/manifests/wikidough.pp
(11:49:27)

Nathalie Trenaman
gentle reminder: If you have any questions for Andrew, please write them in the Q&A or ask for the mic after his presentation
(11:49:34)

João Luis Silva Damas_655
phew!
(11:49:34)

Peter van Dijk
john, i see a pdns43 flag in there, note that 44 is out :)
(11:51:31)

john bond
peter ack, thanks, I'll let the engineer know.
(11:52:36)
@shane hadn't realised that task was from 10 years ago, wasn't trolling. There is some work to add DNSSEC at the moment but can't find the task.
(11:53:22)

Shane Kerr
hehe... no worries. The comment from December 2019 is clear and informative enough.
(11:54:17)

Hervé Clement
Thanks Andrew for this useful updated state of discussions and actions on DoH
(11:55:13)

Jan Zorz
thank you for breaking DNS64 with this ;)
(11:55:45)

Gert Döring
DOH needs to die in flames
(11:57:28)

Eric van Uden
What about DoT implementations?
(11:57:29)

Gert Döring
and after it's dead, it needs to be poisoned to make sure it's not coming back
(11:57:54)

Peter van Dijk
basic DoT can be offered with something as simple as haproxy or stunnel; the mentioned software dnsdist also has some more complete DoT support
(11:57:57)

Gert Döring
DoT in unbound works out of the box and very nicely
(11:58:16)

Peter van Dijk
also that
(11:58:20)

Benno Overeinder
Also all Open Source Software developers have DoT support in their resolvers
(11:58:24)

Ave Ozkal
Any love for dnscrypt?
(11:58:34)

Gert Döring
Benno: do they? Last time I checked, pdns_recursor still needed a dnsdist frontend
(11:58:45)

Shane Kerr
Thank you everyone!
(11:58:58)

Peter van Dijk
'powerdns' DoT is in dnsdist, yes
(11:58:59)

Desiree Miloshevic
thanks all!
(11:58:59)

Peter van Dijk
might change in the future
(11:59:01)

Marc Groeneweg
bye all
(11:59:01)

Aaron Hughes
Thank you
(11:59:03)

Peter van Dijk
bye!
(11:59:03)

João Luis Silva Damas_655
thanks all!
(11:59:04)

Eric van Uden
Bye
(11:59:08)

Olivier Benghozi
when do we get doh over quic over udp
(11:59:13)

Ave Ozkal
bye
(11:59:14)

Christoph Berkemeier
Thanks and Bye.
(11:59:16)

Wendy Leedy
Thanks!
(11:59:20)

Tom Hill_471
Thank you
(11:59:37)

Nathalie Trenaman
This session has now ended, enjoy your lunch and see you at 13:00 CET for the Connect WG
(11:59:39)