IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel

Matthew Pounsett <matt@conundrum.com> Thu, 16 November 2017 17:58 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F682129329 for <dnsop@ietfa.amsl.com>; Thu, 16 Nov 2017 09:58:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lfU8rIzC_2Z for <dnsop@ietfa.amsl.com>; Thu, 16 Nov 2017 09:58:02 -0800 (PST)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 681B61205F1 for <dnsop@ietf.org>; Thu, 16 Nov 2017 09:58:02 -0800 (PST)
Received: by mail-it0-x22c.google.com with SMTP id x28so1013718ita.0 for <dnsop@ietf.org>; Thu, 16 Nov 2017 09:58:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=dO/j/fw42ejG1F5MtCruLDagxUyWt+FI1wGc6wdXhB8=; b=NN1q7XK5lAiKD8P2Mr+kyUU4K4O0pJ4V+8hoNHC65eDtLkqkPqHgEILm6T3/GxraiL l+KCu0rkK5L6NCZOqniFqFMWrhLxBhLHHOj5XOx3zpwCxAWOj5mjpFBTZGvdRD6SDgls eDdMOor73riXd0ZiD8hyahyoEagZ2k4b2z6TX55WlBhL1zasVUg4AFPUaH+EtV0UCTY+ dqPOA/K7uJh6tKsiDej5JKjhKYW6H5ymcN8nEVNFEE6MkOFJi/l5XyecPNuYeLhhZJEa /6z8+tzw38FXqQbF6aIgVFYoeDuttpmo/LOhfWK/E3vEs0Z1c62TSUxwDo0AJJ9rXM/D yESw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=dO/j/fw42ejG1F5MtCruLDagxUyWt+FI1wGc6wdXhB8=; b=fFLau+Ksr/IsqhQbQeHbGc0Nl2KvC4Nz2SCRllht9ZxaEshmtPxv39NCO3G40JGZlY 3kBy7oYO6zwuiNeWbkjE55hTH5B8pgFapBu/tNPV2j36gp9C0i+k5mza75FNVn/+F46K GBbY4kJSqb9TsJ2efvb7bkBNnS0T/mhwFzw1nMwITNwNqBaSz70JyVnxAostBZBcum+5 I1VNaWvodLvbb3KgnZgtydAx+YMfCwGLIkpS1zThux/IigdRD8KD6LGNmIN4L2yQqxFe 3OAdlsXJYW4xJ4f0KP8w+VR4y3bqUahxUSPDFpPynTn4aESJpv7f5eSUwKAbY5XsBZW4 38DA==
X-Gm-Message-State: AJaThX5zlgYykaGKgySq6V+xEZonLLjHbTnDkeppa/7mZv5YvNdj1CU0 AZj6Hr31ovV+gIqZGVGdfSKhFj8CQuh2jbjE6StxkJjq/jI=
X-Google-Smtp-Source: AGs4zMZ0Rg7GKIz8KFmQb8jcj/0OvB+47k/kGYLaEai6OL/LdH41Hrf0nVirlPJwjSW7Mzs6X95prUQrtEeiegHjVpE=
X-Received: by 10.36.98.20 with SMTP id d20mr3228939itc.110.1510855081296; Thu, 16 Nov 2017 09:58:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.155.47 with HTTP; Thu, 16 Nov 2017 09:58:00 -0800 (PST)
In-Reply-To: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com>
References: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 16 Nov 2017 09:58:00 -0800
Message-ID: <CAAiTEH-d8gcPZ2VOCDP7CheLQC92SrS71NcDxR2aYMgKCJ06BA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f80926dbe05055e1d5cfe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3AaXyA0DKcOhoQgEkT0ktttpRio>
Subject: Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 17:58:04 -0000

On 16 November 2017 at 00:23, tjw ietf <tjw.ietf@gmail.com> wrote:

> All
>
> The author has rolled out a new version addressing comments from the
> meeting on Monday, and we feel it’s ready to move this along.
>
> This starts a Call for Adoption for draft-huston-kskroll-sentinel
>
>
I support adoption, and I'm willing to review.  This seems like an
incredible valuable mechanism.

In fact, I already have some comments/questions:

In the last paragraph of section 2,
"This mechanism is to be applied only by resolvers that perform DNSSEC
validation ..."
I seem to recall there was some ambiguity in the signal from RFC 8145
validators caused by some implementations that might send a signal even if
they weren't actively validating.  I think it would be worthwhile to make
this statement stronger and more explicit that an implementation should
only enable this mechanism if it is actually configured to validate, and
not simply capable of validation.

The records being queried seem to be anchored at the root. Given that a
server in state Vleg is expected to return A responses that implies that
the root zone needs to include these records, but I don't see that stated
anywhere.. perhaps I just missed it?

At the bottom of section 3, the document gives two definitions for a Vleg
response.  One seems to be a typo and should be Vold.
"A Vleg response pattern says that the nominated key is not yet trusted by
the resolver in its own right."

v2.23.0 | Report a Bug | By Email