Moritz Müller - 2025-10-23 10:52:55
Good morning everyone, welcome to the DNS-WG session
Hans Bakker - 2025-10-23 11:00:43
Hi everyone, I'm Hans Bakker from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read them out, please write them in the Q&A window, also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Hans Bakker - 2025-10-23 11:00:53
Please note that all chat transcripts will be archived and made available to the public at https://ripe91.ripe.net/. The RIPE Code of Conduct: https://www.ripe.net/publications/docs/ripe-766/.
Willem Toorop - 2025-10-23 11:20:21
@ralf Ulrich said it doesn't apply to all zones. Did that answer your question?
Petr Špaček - 2025-10-23 11:26:14
@Anand You assume that a buggy operator would not have bugs in the code to track RRSIG expiration :-)
Shane Kerr - 2025-10-23 11:28:35
Quis custodiet ipsos custodes, Petr?
Geoff Huston - 2025-10-23 11:29:25
canem meum
Shane Kerr - 2025-10-23 11:29:44
I thought best practice for NSEC3 salt was to use an empty salt?
Petr Špaček - 2025-10-23 11:30:00
Indeed
Ralf Weber - 2025-10-23 11:30:15
Yes, it was already answered before, @willem, but there was no way to retract the question
Petr Špaček - 2025-10-23 11:30:24
It brings no value, unless you rotate it faster than an attacker is able to walk the zone.
Petr Špaček - 2025-10-23 11:30:41
* rotate it faster ...
Shane Kerr - 2025-10-23 11:32:43
Fallback to Do53 seems bad though.
Shane Kerr - 2025-10-23 11:32:51
I guess during an initial roll-out it makes sense.
Petr Špaček - 2025-10-23 11:36:33
We are happy to improve logging - please tell us what is missing. We don't know what we don't know, ya know.
Willem Toorop - 2025-10-23 11:37:15
@petr would you like to put that in as a question?
Shane Kerr - 2025-10-23 11:37:17
I'm pretty sure XoQ is covered in the existing RFC.
Sara Dickinson - 2025-10-23 11:37:24
The DoQ RFC9250 defines its use for zone transfer too
Moritz Müller - 2025-10-23 11:37:36
should we relay the comment @Sara?
Sara Dickinson - 2025-10-23 11:37:40
Please
Petr Špaček - 2025-10-23 11:38:02
@willem if you can give a shout-out like "please complain to ISC so they can fix it" it would be nice. Thank you!
Willem Toorop - 2025-10-23 11:38:15
@petr sure
Sara Dickinson - 2025-10-23 11:38:34
Not sure if implemented anywhere yet though.....
Petr Špaček - 2025-10-23 11:39:43
Yeah well. We have an engineer working on DoQ for BIND but he is based in Ukraine and is being a bit distracted with ... you know ... war going on.
Sara Dickinson - 2025-10-23 11:41:12
Ah - good to hear and.... understandable
Sara Dickinson - 2025-10-23 11:44:01
LOL - we have started using ADoX to mean ADoT/Q which would make the zone transfer equivalent XoX 😬
Shane Kerr - 2025-10-23 11:44:37
ADoX is where you publish the home address of the authoritative servers?
Petr Špaček - 2025-10-23 11:49:02
FTR Knot Resolver has minimum TTL of 5 seconds by default.
Petr Špaček - 2025-10-23 11:49:41
https://www.knot-resolver.cz/documentation/latest/config-cache.html#cmdoption-arg-cache-ttl-min
Peter van Dijk - 2025-10-23 11:55:23
old but fun read on what a second of TTL is https://00f.net/2011/11/17/how-long-does-a-dns-ttl-last/
Petr Špaček - 2025-10-23 11:57:00
BIND has default of 1 week: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-max-cache-ttl
Peter van Dijk - 2025-10-23 12:04:12
powerdns defaults to 1 day
Willem Toorop - 2025-10-23 12:11:54
https://www.icann.org/en/system/files/files/reduced-risk-redirected-query-traffic-signed-root-name-server-data-22may24-en.pdf#id.1ixadzwxjobo
Keith Mitchell - 2025-10-23 12:21:04
"DSC Presenter is old" = understatement from Anand..
Petr Špaček - 2025-10-23 12:24:53
2003 ... could be worse :-)
Petr Špaček - 2025-10-23 12:26:23
Wasn't dnstap supposed to fix this? Half way?
Petr Špaček - 2025-10-23 12:26:46
Well not really, someone still needs to summarize dnstap into stats.
Simon Leinen - 2025-10-23 12:28:31
Ah, the two-step login... RIPE login is about the *only* remaining system in the world that doesn't allow me to have it "trust my device" for a while...
Hans Bakker - 2025-10-23 12:30:16
This session has now ended. Remember to vote for your favourite presentations by Monday, 27 October! Log in to your RIPE NCC Access account on the RIPE 91 website and visit the session pages. If you are logged in, you will see an icon next to a presentation to rate it. The next sessions are Address Policy and IoT and they will start at 14:00. More info on the RIPE 91 meeting plan: https://ripe91.ripe.net/programme/meeting-plan/
Eric Ziegast - 2025-10-23 12:35:55
mic can still be heard by remote attendees