Re: [DNSOP] kskroll-sentinel responses

Geoff Huston <gih@apnic.net> Wed, 03 January 2018 02:55 UTC

From: Geoff Huston <gih@apnic.net>
Date: Wed, 03 Jan 2018 13:55:30 +1100
References: <20171221103623.045eed5e@titan.int.futz.org> <df3a8c29-38ea-6dd0-db4d-f8562653dd69@bellis.me.uk> <C79FED8F-91A7-41C9-A1D6-7DC290B8B938@apnic.net> <EFEEB8B3-EE5D-46D0-852C-E95ABBD69109@vpnc.org> <DF76BE23-94E3-4B1D-9016-823581242F2F@apnic.net>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <DF76BE23-94E3-4B1D-9016-823581242F2F@apnic.net>
Message-Id: <73F49A10-2BE3-4CD3-AAA1-C41A41A83566@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3Cswv4EzJrcKq_H--FzTOOsAnD4>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>


> On 3 Jan 2018, at 1:33 pm, Geoff Huston <gih@apnic.net> wrote:
> 
>> This answer doesn't seem to fully address Robert's and Ray's questions. Why use an A/AAAA query if you aren't going to do anything with the result? If you are going to use A/AAAA, you have to tell resolvers what to return in the results. Using a new RRtype would have clearer semantics.
> 
> 
> The motivation behind this draft is to be able to perform a large scale measurement of the readiness of users for a pending roll of the KSK, or the measurement of the extent to which users are using a DNS environment that is NOT ready for a KSK roll.
> 
> Large scale user measurement is not easy - small scale measurements tend to have a problem in measurement bias, so if we are looking for some random selection mechanism that can measure in the order of millions of sample points each day then either one would need to place the test on a very popular web site used across the entire Internet, or use online ads.
> 
> In both cases the measurement uses a browser to perform the test, scripting the test using HTML5. The simplest form of such a test is to GET a URL - if the client contacts the http(s) server then as long as the DNS name is suitably unique, we have a decent signal that the client’s DNS was able to resolve the DNS name. But in a browser you cannot perform an arbitrary DNS query - the DNS query made by the browser is the side-effect of a GET and therefore the query is for an A or AAAA record.
> 
> To keep things simple we look for the outcome of the DNS by implication: if the client contacts the HTTP(s) server then we can infer that the client’s DNS resolved correctly.
> 

I have been asked off-list the question: “Which HTTP(s) server are you referring to here?”

At the risk of heading waaaay down potentially spurious ratholes here let me quickly explain what I meant. Within the structure of a browser-based scripted test, such as you might find in an online ad script, the common operation within the script is to perform a GET of a URL. A common approach in measurements of this form is to direct all the GET operations to a server that is part of the experiment rig. That way you don't need the client running the measurement script to report its own results - the results can be constructed from analysis of the logs of the HTTP(s) servers. An examination of the HTTP log files can reveal which URL name was used to retrieve a named URL web object, and if the experiment is careful to present a uniquely-named DNS name within each URL, then the URL names collected by the experiment’s servers can infer which clients were able to successfully resolve the corresponding DNS names.
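
The log analysis described above, as an added example that is not part of the original message or of the experiment's own tooling. The zone measure.example, the <id>.<label> naming scheme, the log line layout and the "control" name (used to tell "never ran the script" apart from "could not resolve") are all assumptions made for illustration; the log lines are constructed.

```python
import re

ZONE = "measure.example"  # hypothetical experiment zone
# Hypothetical unique name per client: <8-hex-id>.<label>.measure.example
NAME_RE = re.compile(r"^([0-9a-f]{8})\.(control|test)\." + re.escape(ZONE) + "$")
# Constructed log layout: vhost client-ip [time] "GET path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \[[^\]]+\] "GET \S+ HTTP/[\d.]+" \d{3}$')

SAMPLE_LOG = """\
0a1b2c3d.control.measure.example 192.0.2.10 [03/Jan/2018:02:55:01 +0000] "GET /1x1.png HTTP/1.1" 200
0A1B2C3D.test.measure.example. 192.0.2.10 [03/Jan/2018:02:55:02 +0000] "GET /1x1.png HTTP/1.1" 200
4e5f6a7b.control.measure.example:80 198.51.100.7 [03/Jan/2018:02:55:03 +0000] "GET /1x1.png HTTP/1.1" 200
deadbeef.test.measure.example 203.0.113.9 [03/Jan/2018:02:55:04 +0000] "GET /1x1.png HTTP/1.1" 200
malformed line that is not an access log entry
"""

def fetched_names(log_lines):
    """Return {experiment id: set of labels} for names that reached the server."""
    seen = {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed GET entry
        # Host names are case-insensitive and may carry a port or trailing dot.
        host = m.group(1).lower().split(":")[0].rstrip(".")
        n = NAME_RE.match(host)
        if n:
            seen.setdefault(n.group(1), set()).add(n.group(2))
    return seen

def classify(issued_ids, log_lines):
    """Infer the per-client DNS outcome from server logs alone.

    A GET for a unique name implies that name resolved. A missing GET is only
    counted when the same client fetched its control name; otherwise the
    script may never have run, so the sample is marked incomplete.
    Ids seen in the log but never issued (scanners, replays) are ignored.
    """
    seen = fetched_names(log_lines)
    result = {}
    for eid in issued_ids:
        labels = seen.get(eid, set())
        if "control" not in labels:
            result[eid] = "incomplete"
        else:
            result[eid] = "resolved" if "test" in labels else "not-fetched"
    return result

if __name__ == "__main__":
    issued = ["0a1b2c3d", "4e5f6a7b", "9c8d7e6f"]
    for eid, outcome in classify(issued, SAMPLE_LOG.splitlines()).items():
        print(eid, outcome)
```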