Monday

1. Signalling and Traversing

Tested with these resolvers:
1. R9
2. R10
3. R4
4. R2 / R3
5. R1
6. R11
7. R8
8. R7

With an A4 - No surprises.
With A1 server - ?

2. Rolling from NSEC to NSEC3 and vice versa

Note - Did not flush caches between steps. TTL set to 90 sec.
Rolled from NSEC to NSEC3 and everything was ok.

3. Discussion

Questions
- How do we signal desire to create or delete an NSEC3 chain?
- Can we use dynamic updates for NSEC3? The server maintains the NSEC3 chain.
- Can we update NSEC3-PARAM?
- Should NSEC3-PARAM have a complete flag to allow the server to build the chain and then set the complete flag?

Comments
- What problem does it solve?
- This would be the only example of controlling the server via dynamic updates.
- Should use rndc.
- It would be vendor independent.
- At the moment you have to maintain all the chains but have no way to find out which chains exist.
- Put it in the config.
- Is this something people want to do?
- Bring issue up on namedroppers.
- Just don't make NSEC3-PARAM visible until chain is complete.

Tuesday

Zone signing, loading and transfer

We have the following signers:
1. S1
2. S3
3. S4
4. S2

We had a normalizer to allow us to compare zones. Obtained the same results from S2 and the S1. There were understood issues with the other 2.

Tested AXFR down this chain:
1. A1
2. A2
3. A3
4. A4
5. A5
6. A1

Both the empty and full zones distributed through the chain with no problems.

Broken packets

Used the same set of resolvers as yesterday. Some issues with implementations - will discuss tomorrow morning.

Note - When there is no CE the correct answer is no CE and not no wildcard encloser.

Wed.

Continued with broken packets
- Geoff and Mark - R1 with TA
- Suzanne - R1 without TA
- David and Scott - R7 with TA
- Wouter - R4
- John - R8 and R7 with TA
- Matt - R7 without TA

There were problems with case f. This is left pending.

Discussion

Issues 9, 10, 22, 18, 19, 22, 23 and 24 were reviewed and comments added to the issue tracking system.
Roy will provide suggested text on issue 24 to list.

New issues
- Closest encloser being only name of the zone. Cannot work. Closed.
- NSEC3 and DNAME at zone apex. The NSEC3 owner name would be below the DNAME. The draft just needs to mention this and allow the exception.
- Checking for CNAME in NODATA proof. When validating a NODATA, in addition to checking that qtype doesn't exist, one must check that a CNAME doesn't exist, with the exception of some types that can coexist with CNAME.
- Discussion on allowing flags for future use. Create flag octet and reduce iterations to two octets. One flag bit is opt out and the rest are reserved. Dave to write up.
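
The NODATA rule from the new issues above, written out as a validator check over the Type Bit Maps field of the record matching QNAME. This is an added example, not code from the workshop or any tested implementation; the set of types exempt from the CNAME check is an assumption taken from RFC 4035 section 2.5, since the notes do not name them, and the sample bitmaps are constructed.

```python
# Added example: NODATA check over an NSEC/NSEC3 Type Bit Maps field
# (wire format per RFC 4034 section 4.1.2).
A, CNAME, KEY, AAAA, RRSIG, NSEC = 1, 5, 25, 28, 46, 47
# Assumption: the notes do not name the exempt types; RFC 4035 section 2.5
# allows RRSIG, NSEC and KEY beside a CNAME, so those are used here.
COEXIST_WITH_CNAME = frozenset({RRSIG, NSEC, KEY})


def parse_type_bitmap(data: bytes) -> set:
    """Decode window blocks (window, length, bitmap) into a set of RR types."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if window <= last_window or not 1 <= length <= 32:
            raise ValueError("bad window order or bitmap length")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types


def nodata_proven(bitmap: bytes, qtype: int, exempt=COEXIST_WITH_CNAME) -> bool:
    """True if the bitmap of the record matching QNAME proves NODATA for qtype."""
    present = parse_type_bitmap(bitmap)
    if qtype in present:
        return False  # the type exists, so the NODATA claim is false
    if CNAME in present and qtype not in exempt:
        return False  # a CNAME exists; the answer should have been the CNAME
    return True


# Constructed sample bitmaps (window 0, six bitmap octets each).
HOST = bytes.fromhex("0006400000000003")         # A RRSIG NSEC
ALIAS = bytes.fromhex("0006040000000003")        # CNAME RRSIG NSEC
ALIAS_NSEC3 = bytes.fromhex("0006040000000002")  # CNAME RRSIG (NSEC3 zone)

if __name__ == "__main__":
    for label, bm, qt in [("host", HOST, AAAA), ("alias", ALIAS, AAAA),
                          ("alias-nsec3", ALIAS_NSEC3, NSEC)]:
        print(label, qt, sorted(parse_type_bitmap(bm)), nodata_proven(bm, qt))
```
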
And here are the MondayJabberLogs.
