Re: [DNSOP] Stephen Farrell's Discuss on draft-ietf-dnsop-dnssec-roadblock-avoidance-04: (with DISCUSS and COMMENT)
Wes Hardaker <wjhns1@hardakers.net> Fri, 05 August 2016 21:18 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B5BA12D741; Fri, 5 Aug 2016 14:18:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StUW48n6OtU1; Fri, 5 Aug 2016 14:18:49 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.236.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD1B12D74A; Fri, 5 Aug 2016 14:18:48 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id CCB96220E9; Fri, 5 Aug 2016 14:18:47 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20160704231646.2555.84849.idtracker@ietfa.amsl.com>
Date: Fri, 05 Aug 2016 14:18:45 -0700
In-Reply-To: <20160704231646.2555.84849.idtracker@ietfa.amsl.com> (Stephen Farrell's message of "Mon, 04 Jul 2016 16:16:46 -0700")
Message-ID: <0l60re29u2.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3lYRImQTvCkyr-yf1D7NiG8ABEo>
Cc: tjw.ietf@gmail.com, dnsop@ietf.org, draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org, dnsop-chairs@ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [DNSOP] Stephen Farrell's Discuss on draft-ietf-dnsop-dnssec-roadblock-avoidance-04: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2016 21:18:50 -0000
"Stephen Farrell" <stephen.farrell@cs.tcd.ie> writes: > Why omit sha256 (in particular Alg = 8) from this? That > seems like a quite bad plan and *not* a BCP given our > current knowledge of hash functions. I've changed the text to test for both. I think that's a good suggestion. > general, mostly 3.x.y: it'd have been nice to include a > dig command line for each of these tests - that'd save the > non-expert reader some time and allow easy scripting of > most of this BCP. I thought about that, but it would require significant explanation and not all of the tests (I think) have behavior which is observable by dig. Plus, dig is but one of many software tools and would seem to bias the document toward ISC's version. > general: Why not say to include a test with a known, but > not well-known, public key (or DS) to check if anyone on > the path is fibbing? E.g. a tester could remember a few > public keys and check that they've not changed in a new > location. While that may only catch out a cheating real > parent, did you consider including such a test? No, because that game is cat and mouse just like most other security detection problems. There is no way to define a conclusive test that can't be fooled by someone on the wire [for once the attacker learns once, he'll know the second time to behave differently]. > - 3.1.4: How is a "recently defined type" a reasonable > thing to check for in a BCP? Seems odd anyway. I'd think software implementations, as they rolled out, would update their test to use the latest assigned type code. I had an equally hard time with that question, but it does provide valuable input though it's not easy to adequately describe. > - 6.1: what if there is no user? Why not recommend telling > some network observatory? Aren't there some for DNSSEC? There aren't any. We do mention logging the results in section 6 though. -- Wes Hardaker Parsons
- [DNSOP] Stephen Farrell's Discuss on draft-ietf-d… Stephen Farrell
- Re: [DNSOP] Stephen Farrell's Discuss on draft-ie… Wes Hardaker
- Re: [DNSOP] Stephen Farrell's Discuss on draft-ie… Stephen Farrell
- Re: [DNSOP] Stephen Farrell's Discuss on draft-ie… Wes Hardaker