Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications

Geoff Huston <gih@apnic.net> Tue, 27 March 2018 23:19 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <dfb0182f-fada-c1ea-93fc-4f8c29046725@nic.cz>
Date: Wed, 28 Mar 2018 10:18:43 +1100
Cc: dnsop <dnsop@ietf.org>
Message-Id: <F3995DA1-2BDB-4576-B1F7-0EC40EB5D77F@apnic.net>
References: <dfb0182f-fada-c1ea-93fc-4f8c29046725@nic.cz>
To: Petr Špaček <petr.spacek@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2le-siFKgLXR2acimBB92G4fbug>
> 3rd proposal
> ============
> We have one more thing which needs more manpower to be verified. Right
> now, the section 3.1.  Preconditions is:
> 
>> 3.1.  Preconditions
>> 
>>   All of the following conditions must be met to trigger special
>>   processing inside resolver code:
>> 
>>   o  The DNS response is DNSSEC validated and result of validation is
>>      "Secure"
>> 
>>   o  The QTYPE is either A or AAAA (Query Type value 1 or 28)
>> 
>>   o  The OPCODE is QUERY
>> 
>>   o  The leftmost label of the QNAME is either "kskroll-sentinel-is-ta-
>>      <key-tag>" or "kskroll-sentinel-not-ta-<key-tag>"
>> 
>>   If any one of the preconditions is not met, the resolver MUST NOT
>>   alter the DNS response based on the mechanism in this document.
> 
> and later section 5, Sentinel Test Result Considerations, discusses how to
> interpret results, including considerations for CD bit handling between
> recursor and forwarder (we are not speaking about stubs here!).
> 
> The current text in section 5 is written with the assumption that a query
> with the +CD bit cannot result in "Secure" status and thus cannot trigger
> sentinel processing, but this depends on the implementation.
> 
> E.g. Knot Resolver stores RRs in cache along with their validation
> status, so if a client sends a query *without* the CD bit, the RRs will be
> validated and then stored in the cache along with their state, e.g. Secure.
> Later, when another client asks the same query but with the +CD bit, the RR
> will be read from cache and its state will be Secure despite the CD bit.
> 
> Now, if we were literally following version 06 of this draft, we
> would trigger the sentinel processing despite the CD bit because the
> state is Secure (as cached from a previous query). I suspect that this
> is not what the authors of the text in section 5 expect ...
> 
> To counter this I propose to add another precondition:
> - CD bit in the query is not set
> 
> IMHO it should solve the problem with implementation-specific cache
> behavior.
> 
> Does anyone see a problem with this addition? What did I miss?

I think this is correct, Petr - i.e. I agree that it would be clear to add
a further precondition that the CD bit in the query is _not_ set.

I was VERY surprised to see the opposite text sneak its way into 
a pull request, and equally surprised that a co-author of the draft
approved the request and pushed the -09 version without raising this
on the mailing list, particularly as it directly contradicts your 
message here.

The current text in -09 reads: 

   The DNS response is DNSSEC validated, regardless of whether
   DNSSEC validation was requested, and result of validation is
   "Secure"

I believe this text in the current draft is incorrect and leads to
the wrong behaviour. The idea is for the resolver to act in a manner 
that is consistent with the way it would behave in a hypothetical key
roll scenario - and if the query has the CD bit set the resolver would 
return the response without this special process.


Geoff
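As an added example (not from the draft or from either message in this thread), the Section 3.1 preconditions quoted above expressed as one check, with Petr's proposed "CD bit in the query is not set" precondition switchable so the -06 behaviour can be compared against it, plus a constructed replay of the cached-Secure scenario from the message. The label regex, the decimal <key-tag> format, and the sample name and tag are assumptions made here.

```python
import re

QTYPE_A, QTYPE_AAAA = 1, 28   # Query Type values 1 and 28, as in Section 3.1
OPCODE_QUERY = 0              # OPCODE QUERY is header opcode 0

# Leftmost label: "kskroll-sentinel-is-ta-<key-tag>" or "kskroll-sentinel-not-ta-<key-tag>".
# The quoted text does not fix the <key-tag> format; decimal digits are assumed here.
_LABEL_RE = re.compile(r"^kskroll-sentinel-(is|not)-ta-(\d+)$", re.IGNORECASE)


def sentinel_label(qname):
    """Return ("is" | "not", key_tag) for a sentinel QNAME, or None otherwise."""
    m = _LABEL_RE.match(qname.rstrip(".").split(".")[0])
    return (m.group(1).lower(), int(m.group(2))) if m else None


def preconditions_met(qname, qtype, opcode, cd, validation_status,
                      require_cd_clear=True):
    """Section 3.1 preconditions plus the proposed "CD bit in the query is not set".

    validation_status is whatever the resolver has for the answer ("Secure",
    "Insecure", ...), whether freshly validated or read back from cache.
    require_cd_clear=False reproduces the -06 text, which has no CD precondition.
    """
    if validation_status != "Secure":
        return False
    if qtype not in (QTYPE_A, QTYPE_AAAA) or opcode != OPCODE_QUERY:
        return False
    if sentinel_label(qname) is None:
        return False
    if require_cd_clear and cd:
        return False
    return True


def cached_secure_scenario(require_cd_clear):
    """Constructed replay of the Knot Resolver case described in the message.

    Client 1 queries without CD; the RRset is validated and cached together with
    its state, "Secure".  Client 2 asks the same name with CD set and is answered
    from cache, so the resolver still sees "Secure" for a +CD query.
    Returns whether sentinel processing would be triggered for client 2.
    """
    cache = {}
    name = "kskroll-sentinel-is-ta-12345.example."   # constructed name; tag is a sample
    cache[(name, QTYPE_A)] = "Secure"                  # client 1: validated, stored with state
    status = cache[(name, QTYPE_A)]                    # client 2: cache hit, state still Secure
    return preconditions_met(name, QTYPE_A, OPCODE_QUERY, cd=True,
                             validation_status=status,
                             require_cd_clear=require_cd_clear)
```

With `require_cd_clear=False` the cached-Secure +CD query triggers sentinel processing, which is the -06 behaviour Petr describes; with the proposed precondition it does not.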