15:05 < Anand_RIPENCC> if you have any questions or comments, please state your name and affiliation, and I will relay your question to the room
15:08 < dnshane> Is this presentation shocking? It seems shocking.
15:15 < Anand_RIPENCC> any questions for Xavier?
15:18 < Anand_RIPENCC> Willem Toorop is presenting "DNSSEC for legacy applications"
15:22 < dnshane> Ug. Wildcards.
15:25 < jelte> wut
15:32 < Anand_RIPENCC> Any questions for Willme?
15:46 < Habbie> hello; the powerdns geoipbackend most definitely supports edns-client-subnet
15:47 < Habbie> on a sidenote, could someone turn up the volume on the stream please?
15:47 < PieterLexis> to add to that: edns-subnet must be turned on in the config before it is processed
15:47 < Habbie> that's a fact
15:47 < jelte> do we have an assigned to-the-mic person in the room?
15:48 < jelte> otherwise i'll volunteer to make that comment 🙂
15:48 < Habbie> thanks jelte
15:49 < jelte> so the issue might be that it is not on by default or something?
15:49 < Habbie> yes
15:49 < Habbie> or jan is confused
15:49 < jelte> ok
15:49 < Habbie> i don't know how he checked
15:50 < Habbie> i also note that https://doc.powerdns.com/md/authoritative/backend-geoip/ does not mention edns-client-subnet at all
15:50 < Habbie> we should probably improve that
15:50 < Anand_RIPENCC1> Hi Habbie. I will relay your comment to the room
15:50 < Habbie> thanks Anand_RIPENCC1!
15:50 < jelte> ah 🙂
15:50 < jelte> race you to the mic?
15:50 < jelte> oh you are closer
15:53 < dnshane> Anand is the Official Microphone Relay Person. 😉
15:53 < Habbie> the omirp
15:53 < jelte> right 🙂
15:53 < dnshane> All HOWTO slides should end with Profit! 😛
15:54 < Anand_RIPENCC1> Any more questions to comments
15:55 < ripe966> Can the remote audio volume be increased?
15:56 < Anand_RIPENCC1> The presentation has ended
15:56 < dnshane> That was surprisingly interesting. 😛
15:56 < Anand_RIPENCC1> Jaap Akkerhuis is presenting about the root zone KSK roll-over
15:57 < jelte> anand is walking to audio people now
15:57 < matthijs> much better on the sound now btw
15:58 < ripe966> Thanks, better (volume) already
15:58 < Anand_RIPENCC1> ripe966: I've asked for more volume on the remote audio
15:58 < Habbie> this is somewhat better, thank you!
15:58 < matthijs> I still have the volume full up though
15:58 < jelte> set it to 11
15:58 < matthijs> but I can put my ears away from the speaker now 😉
15:59 < dnshane> Why don't you just make 10 louder?
15:59 < Habbie> i can now have system sounds happening in parallel with the stream without setting trees on fire
15:59 < amd2-ripe> pffft.. 10 ..
16:06 < dnshane> "Supporting secure DNS in glibc" on LWN.net... must be what Jelte was talking about. 🙂
16:07 < jelte> oh no you have found one of my sources!
16:08 < jelte> it also has the obligatory comment that it's not secure because there is no confidentiality
16:08 < dnshane> I am waiting for the "recommendations" part of the talk, since I know RFC 5011 more-or-less well. 😛
16:08 < dnshane> Reading LWN as one does every Thursday... 😉
16:09 < jelte> Do we need to make a series of videos "Does it Roll?"
16:10 < dnshane> Hm... interesting. We can use an Arduino device that moves a ball along as the trust anchor is updated.
16:10 < dnshane> And have it set on fire if it doesn't roll.
16:11 < matthijs> just when you think you understand 5011, you find something mind-boggling again
16:11 < matthijs> that's our experience with the dnssec key-timing stuff
16:12 < dnshane> I question the wisdom of the 30-day holddown timer, but we're stuck with it now.
16:12 < jelte> it seems weird that is is an STD already
16:13 < jelte> s/is/it/
16:13 < dnshane> Yeah.
16:16 < matthijs> the 30-day holddown is unfortunate yes
16:21 < matthijs> I love the idea playing with the missing state to keep the dnskey rrset small
16:22 < matthijs> I was thinking will this work with implementations that remove missing trust anchors after a period of time, and I think it does
16:23 < matthijs> if that happens, the key is not considered revoked but it doesn't matter since it has been removed already
16:23 < matthijs> hm
16:23 < matthijs> just one thing
16:23 < Anand_RIPENCC1> any comments for the room?
16:24 < matthijs> *if* something goes wrong and you want to restore the outgoing root key, you better do it before implementations have removed the missing key 🙂
16:24 < matthijs> bring that to the mic please Anand 🙂
16:24 < jelte> something for yeti to try out?
16:24 < Anand_RIPENCC1> ack matthijs
16:25 < matthijs> An addition: Unbound's default for this is 366 days. That seems safe. It might be worth checking what other implementations do
16:25 < ripe966> Matthijs - this is Ed (didn't use a cool handle when I tuned in) Lewis - can you send me an email so I have your current email. I'd like to follow up.
16:25 < matthijs> sure
16:27 < jelte> Ed 'no cool handle' Lewis
16:28 < matthijs> thanks Anand for the relay
16:29 < Anand_RIPENCC1> you're welcome Matthijs
16:31 < dnshane> My online banking uses 2-factor authentication. I'm not *that* worried. 😛
16:32 < dnshane> I love how Geoff is always saying "you" when talking to everyone on the Internet.
16:32 < keith_24865> 🙂
16:32 < jelte> especially as opposed to 'we' 🙂
16:33 < jelte> as in 'last year we won the world championship, but this year our team lost'
16:35 < matthijs> thanks peter!
16:35 < dnshane> Other working groups *DO* have votes.
16:35 < dnshane> Just sayin'.
16:35 < dnshane> But yes, thank you Peter! 🙂
16:36 < keith_24865> looks cabal-eligible to me...
16:36 < matthijs> more stuff to do, just what dave needs 😀
16:36 < matthijs> congrats dave!
16:37 < dnshane> I can't check that Dave knows the secret handshake, because I don't know it.
16:37 < dnshane> 😛