Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 26 September 2018 23:36 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05118128CFD for <dnsop@ietfa.amsl.com>; Wed, 26 Sep 2018 16:36:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R7ODvFkML4pa for <dnsop@ietfa.amsl.com>; Wed, 26 Sep 2018 16:36:39 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47D67130DCE for <dnsop@ietf.org>; Wed, 26 Sep 2018 16:36:39 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id j8-v6so609812wrw.5 for <dnsop@ietf.org>; Wed, 26 Sep 2018 16:36:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5tlK6tjgmJNTlstQKg5cYPRKr2NUCIqryY2kH1spyxI=; b=wolZC0HiYrI0c9NZe53zIavDjnfk4YGoy1tCHrLFbEABDe4eiZ3dmO/3Ho2wKUOruU kNQi8qS6AXgHrcO1AxnZebbb+wi+PN31YBst0nqzy9eU1tIVvsirfBwRFzwk15dncYPj KznXLz5WrcUvm0a9jVHZvQL2HkEC7fFR8VxAZxx5LQFPqkDoouzF0y80RtF8tj1oSDvs LgDtmiiNjHyzV/skoJ/V65teXwEvlZvnlByv3wE2jZcUWIADAnjyT/HrFGzjHzkJOYl/ wOOybe8ULmON3qbo0WIayR+XAdZZO3tKUpRNN1W8riQF/yCLG9kWiUXy2Ad5awKyRuaF flwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5tlK6tjgmJNTlstQKg5cYPRKr2NUCIqryY2kH1spyxI=; b=Qry6/d3FxpwBdqnfacio6MttW+gNTOM3dP2eCL3sG3a4HxIyEAnb2FbHvI5e8CMHsZ vbUiIaKv/lAl3DbvSinSGGYTvHpVLZ4UFs0jUmCC8Nz5tRGLr/ZrJX6JC2lKSJnz/825 LeUaOTZNefIzb43/TiphIs/qlsBDrW7bsiWbXz8JGliDkNaFduM41O9SUIJF97/QQLXL 8ucdqVyu69tnnx96nQqXuHOJRL7MwPRj/N/O7QuuTywZKyC9ctSWkv9wSPg3nw3W84EL uzjBHJmLjrmz3CkIvrW/8ejzhd3tcKiODhSD/sOPAmfrZjze2pTyOzg2mJEXjq767khh Zuzg==
X-Gm-Message-State: ABuFfog4ENajUpedu43g4ZUMXKqFpUr9LgpumrmB6re1gjqkFjsmHSUT BQrMR+mQn8cNA3r8I9CEM5dud2cY/WB7XCcA1zociw==
X-Google-Smtp-Source: ACcGV61CiHCbRW51YsETYYwcH34+5rpYx8nfC81tabZm5ys6AS+JcjVBGFwRkwmIS/XE19xw12WahlT3PX3qr3GHDOU=
X-Received: by 2002:adf:8523:: with SMTP id 32-v6mr6441349wrh.72.1538004997387; Wed, 26 Sep 2018 16:36:37 -0700 (PDT)
MIME-Version: 1.0
References: <153797498435.21672.17709898221650275799.idtracker@ietfa.amsl.com> <CAHw9_i+Dm7VHAi8eJjhDyGacCwxigeEZv8tSiGT+ZrW+vxu+oA@mail.gmail.com> <20180926181646.GM24695@kduck.kaduk.org> <CAHw9_i+MRJUfiZPBCNiFfio=VetCNXkHwW4Nw=WQa+z0dRWoWw@mail.gmail.com> <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org> <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com> <03B733D9-5640-44A7-BEC0-A563ED24DAB1@vpnc.org>
In-Reply-To: <03B733D9-5640-44A7-BEC0-A563ED24DAB1@vpnc.org>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 26 Sep 2018 16:35:58 -0700
Message-ID: <CAHw9_i+oQ4HPeZmzKYk=aPn8UcMURmnghWK-sBEzi3FA=L+x1A@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-kskroll-sentinel@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008851070576ceb1c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3_TpNKDwSuMpE9YuPx2g_9fz53o>
Subject: Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 23:36:43 -0000

Thank you for providing text. I put that in the GitHub version.


W

On Wed, Sep 26, 2018 at 3:13 PM Paul Hoffman <paul.hoffman@vpnc.org>; wrote:

> On 26 Sep 2018, at 14:30, Warren Kumari wrote:
>
> > On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoffman@vpnc.org>;
> > wrote:
> >
> >> On 26 Sep 2018, at 12:07, Warren Kumari wrote:
> >>
> >>> On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <kaduk@mit.edu>;
> >>> wrote:
> >>>
> >>>> On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote:
> >>>>> On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <kaduk@mit.edu>;
> >>>>> wrote:
> >>>>>
> >>>>>> Benjamin Kaduk has entered the following ballot position for
> >>>>>> draft-ietf-dnsop-kskroll-sentinel-15: Discuss
> >>>>>>
> >>>>>> When responding, please keep the subject line intact and reply to
> >>>>>> all
> >>>>>> email addresses included in the To and CC lines. (Feel free to
> >>>>>> cut
> >>>>>> this
> >>>>>> introductory paragraph, however.)
> >>>>>>
> >>>>>>
> >>>>>> Please refer to
> >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >>>>>> for more information about IESG DISCUSS and COMMENT positions.
> >>>>>>
> >>>>>>
> >>>>>> The document, along with other ballot positions, can be found
> >>>>>> here:
> >>>>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> ----------------------------------------------------------------------
> >>>>>> DISCUSS:
> >>>>>>
> ----------------------------------------------------------------------
> >>>>>>
> >>>>>> Thanks for preparing this document and mechanism; it is good to
> >>>>>> have
> >>>> more
> >>>>>> data about the expected impact of the root KSK roll.  That said,
> >>>>>> I
> >>>> have two
> >>>>>> Discuss-worthy points, albeit both fairly minor.
> >>>>>>
> >>>>>> The first one may just be something that I missed, but does this
> >>>> document
> >>>>>> actually say anywhere that there needs to be a real zone with
> >>>>>> real
> >>>>>> configured A and/or AAAA records for the query names used for
> >>>>>> these
> >>>> tests?
> >>>>>> The Appendix sort-of-mentions it, but I feel like there needs to
> >>>>>> be
> >>>>>> a
> >>>>>> mention in the main body text.
> >>>>>>
> >>>>>>
> >>>>> No hats (OMG, everyone will see I'm going bald...)
> >>>>>
> >>>>> Ok, fair. This was actually a source of confusion when we first
> >>>>> started
> >>>>> discussing the document -- we explained it on-list / at mics / in
> >>>>> person,
> >>>>> but it became so well understood that we didn't notice that it is
> >>>>> not
> >>>>> actually specified in the document. I'll try figure out text.
> >>>>
> >>>> Thanks.
> >>>>
> >>>> It eventually became pretty clear to me from things like "return
> >>>> the
> >>>> A or
> >>>> AAAA response unchanged" that there was supposed to be a valid
> >>>> response
> >>>> provisioned so that it could be returned, but I don't want to rely
> >>>> on
> >>>> all
> >>>> readers making the same inference.
> >>>>
> >>>>
> >>> So I opened my editor to add text, and scrolled down to try figure
> >>> out
> >>> where to add this.
> >>> "Section 4.3 - Test Procedure" seemed like a good spot -- and it
> >>> already
> >>> has this text:
> >>>
> >>> A query name containing the left-most label
> >>> "root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST
> >>> be
> >>> a
> >>> validly-signed. ***Any validly-signed DNS zone can be used for this
> >>> test.***
> >>> A query name containing the left-most label
> >>> "root-key-sentinel-is-ta-<key-tag-of-KSK-new>". This name MUST be a
> >>> validly-signed. ***Any validly-signed DNS zone can be used for this
> >>> test.***
> >>>
> >>> (emphasis mine).
> >>>
> >>> Does this perhaps address your concerns?
> >>
> >> It should not: Section 2.1 specifically says that the query must be
> >> for
> >> A or AAAA.
> >>
> >>
> > Ah, I think I'm starting to understand...
> >
> > A query name containing the left-most label
> > "root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be
> > a
> > validly-signed name." cover it?
> > I'd tried putting in stuff like "in a public zone" (but this isn't
> > actually
> > true, I could do this entirely in a private namespace if I only wanted
> > to
> > test a closed network).
> > Or perhaps: "This name MUST be a validly-signed name in a validly
> > signed
> > zone"? (which is somewhat redundant, but makes it clearer)?
> >
> > Any suggestions?
>
> Ben asked for the text to appear early, so I think that putting it in
> the last section before the Security Considerations doesn't really
> count. :-)
>
> How about in Section 2.2 where the document defines the special
> processing. Adding a last sentence to the last paragraph might clear
> things up:
>     The answer for the A or AAAA query is sent on to the client.
>
> --Paul Hoffman
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf