Dear all, 


  My apologies for sending the notes and action items for this call late. 


Steve


23 April 2015 RSSAC Caucus TTL WP Call


Participants: Duane Wessels (leader), Jaap Akkerhuis, John Bond, Joe Abley, Matt Thomas. Staff: Steve Sheng, Carlos Reyes, Barbara Roseman, Kathy Schnitt


Apologies: Brian Dickson, Warren Kumari


Action items: 

Decision: 


Notes:

  Kathy Schnitt: Apology: Brian Dickson

  jaap akkerhuis: No sound no mike

  Kathy Schnitt: Jaap sound on AC is working now

  Matt: Shumon and I measured the TTL of DS and DNSKEY of delegated TLDs; these came from the root zone file in March.

  The DS key TTL is uniform. There were some DS keys that are absent. The DNSKEY, there is a non-uniform TTL distribution. Majority is 86400. A large portion of them have smaller values, varying from TTLs in ccTLDs. We plan to rerun the test, as quite a few TLDs have been delegated.

  Duane: The graph you sent is specific to DNSKEY TTLs, right?

  Duane: have you done work on NS TTLs?

  Duane: Matt is having some connectivity issues.

  Duane: This is good. One thing is to compare NS and DNSKEY on a per-TLD basis.

  Duane: To see if they are the same or they are different.

  Matt: Sure.

  ACTION ITEM: Matt to compare NS and DNSKEY TTL for the root zone.

  ACTION: With new zone file.

  Jaap: It is too early to draw conclusions.

  Duane: Yes, I agree. Since most of the TTL is one day.

  Matt: Duane and I are doing some analysis on the DITL data.

  Matt: As it stands, we are about halfway done.

  Matt: We use the root zone file to determine delegated TLDs.

  Matt: We calculate the minimum, maximum, mean, and median time delta of the queries.

  Kathy Schnitt: Warren is unable to make the call today.

  Matt: This graph shows the distribution of the queries by TLD.

  Matt: The number of requests measured by IP.

  Duane: As we are writing the report on TTL, we need to think about what group of users are most important.

  Duane: One thing is to profile the IP by query types.

  Duane: To identify recursive resolvers.

  Duane: The problem of identifying typical is that they are all over the map.

  Duane: It is difficult to define normal vs. abnormal.

  John: Looking at that, it seems there is no impact if changing TTL from 2 days to 1 day.

  Duane: That seems to be my understanding, but this affects clients; we need to see how many queries are affected.

  Duane: Jaap, do you have any news for us?

  Jaap: I looked at Warren's measurements, but I think some of it may not be measuring the right thing.

  Jaap: [not captured]

  Duane: It would be good to document this behavior.

  ACTION: Jaap to continue the task on the recursive resolver application TTL.

  Jaap: Also Peter Koch did not respond to my requests for root zones prior to 1999.

  Duane: Let's look at SOA.

  John: I have put my contribution in the email; my recommendation is to change some values.

  Duane: I tend to agree.

  Duane: One way is to lower the zone expiry time from 7 days to 3 days at least to solve this problem.

  Duane: The other is to increase the validity period to 20 days.

  Duane: The other option is to generate more signatures more frequently.

  John: My gut feeling here is changing the expiry in SOA seems to make the most sense.

  That value seems a little bit too high; I would prefer root zone to expire their data earlier than 7 days.

  The root server operators should ensure their servers much earlier than expiry period.

  Joe: There is also a large part of the population not validating DNSSEC.

  Duane: I have some experience with this kind of thing; the tool is designed to tell whether you were using a validating recursive name server. The first time you query it, it responded with a bad response, and expected you to try again.

  Duane: This works great for BIND. It works just ok for UNBOUND. It works terribly for Nominum's implementation, as they only tried once.

  Duane: I think there is nothing in the protocol that mandates retrial numbers.

  Duane: I suspect we will need RSSAC to choose.

  Duane: Are there any last-minute things to talk about?

  Duane: I will send out a message to the list. For each item, let's get an update on progress and ETA. I think maybe in about 2 weeks we should start creating the report document and putting things together. That would give us three weeks before our deadline.

  John: My item is complete, but Joe raised a good point. How caching resolvers respond when they get an expired response.

  Duane: One administrivia: in two weeks, I will be heading to the OARC meeting. Can we reschedule that to the day before?

  ACTION: Duane to send a note asking people's flexibility on Wed 6 May.

  jabley: thanks!

  jaap akkerhuis: Later!