Re: [DNSOP] Updated KSK Sentinel document
神明達哉 <jinmei@wide.ad.jp> Wed, 14 February 2018 22:05 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4320012426E for <dnsop@ietfa.amsl.com>; Wed, 14 Feb 2018 14:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id drGDLQmQ3qV5 for <dnsop@ietfa.amsl.com>; Wed, 14 Feb 2018 14:05:11 -0800 (PST)
Received: from mail-wr0-x22a.google.com (mail-wr0-x22a.google.com [IPv6:2a00:1450:400c:c0c::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8E691201FA for <dnsop@ietf.org>; Wed, 14 Feb 2018 14:05:11 -0800 (PST)
Received: by mail-wr0-x22a.google.com with SMTP id v65so1444432wrc.11 for <dnsop@ietf.org>; Wed, 14 Feb 2018 14:05:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=JIQXNJS+ggcxoyRdTtLpAsiEm318NYM4NHacdA4oWI4=; b=lkjLaT2dsDUpp4QqUnYUhzOoBjHF1iwkNKSQpuz8VNa4ctz21eKYe88o+sOxXCmZ6V xZcFgqkCwp5z6vOtq7BqoVtNLgHjUK48eJdgVAGiCUDnZ2NMBxPRsDSoEAzZyAR5ycmS msf1uNhpXio8OCT6kTTMjynjLdZJ/nzs/ryjlyqN7Rm8IrcbeWzDdu+YMx6xUkuvRvhI fEVJ+U0nK0qg7lS5w0qc7PgCTsVOaQO7zXGd+In6L/nYVlJ5srcnkDWEvxfgFeSbxLxZ rmunNaFLimcGYxpnqt2NE9lqNHpsKXQZ1kDMoQj+oVpkQ7uVAg/wrZE5mXKffq6EBF2l B9Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=JIQXNJS+ggcxoyRdTtLpAsiEm318NYM4NHacdA4oWI4=; b=eDUWmfUCWT+kBSF6DRPh9tC5ENt4obRdqLco0Rnu5LL9BoD/WJXpeDpTMdkb9D1smf MByUF8heuNCMK9wLroKS9ED8+lhEEPPcDIhnE6PomdHlkWntbmf2Ni+6yYob6YL6BhC1 554k+iig29cmePa5/T2yza41RUv2jnKPh5fzQ8cW7okd5BvXPgAZyxUSuS4QpHovfG1+ IED6iSXy4XtnRz4p528uaRF+oTi81Fc67AlLKWeN3l25uaMAN0Gvw6G3JJeIYAAuPDsC 5azFVtbWSponYc7mPQgrn7+nWVm+P+eAM+3Hv3x265Na6CL0hEd1WkKdMS5rwxLnNREn 4Gpg==
X-Gm-Message-State: APf1xPAhIgfQyMFAsv5DZEiKkqz8bsiBWp/IXnrYfM6lodpViqIIZbZO NzbRwaG/K/UtWFaabZkEPlkZxOWH4xhnAUjXPkBC+IvN
X-Google-Smtp-Source: AH8x225ifeAxLE9ITVTL8tbOBs0/91JaRmiCWv78EDh6bYPJx2dB+Bfi+rCPIXi+jR3H1YI5PxnT4/NgTASrO5NNLPg=
X-Received: by 10.223.168.111 with SMTP id l102mr633685wrc.84.1518645909793; Wed, 14 Feb 2018 14:05:09 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.223.184.114 with HTTP; Wed, 14 Feb 2018 14:05:09 -0800 (PST)
In-Reply-To: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Wed, 14 Feb 2018 14:05:09 -0800
X-Google-Sender-Auth: xVpquUiMRMShnkMx4EaoOeGOGCw
Message-ID: <CAJE_bqeTyiotHcnuQ69=dF+MWXwztNNqamRf5BCOj04hhVGrgA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3xhZj7LtTy2qZJzNH3M-K7VHix0>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2018 22:05:13 -0000
At Mon, 12 Feb 2018 15:28:50 -0500, Warren Kumari <warren@kumari.net> wrote: > Anyway, we've finally posted an updated version - > https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ I've read draft-ietf-dnsop-kskroll-sentinel-01 (this is my first careful read of this draft) and found it generally well-written. I have some comments on 01. These are basically editorial. - General I think it's worth pointing out that SERVFAIL can be returned for various other reasons and the detection mechanism relying on it isn't reliable. This is probably okay given the purpose of this detection, but I think it's better to note it explicitly. - Section 1.1 Address Record: Throughout this document we use the term Address Record (AR) to mean an A or AAAA record. [...] I actually didn't find this term other than here and Section 9 (change log). - Section 1.1 and throughout the draft AAAA records and the IPv6 documentation prefix (2001:DB8::/32) as I'd suggest using lower-case letters to show IPv6 addresses and prefixes, following the recommendation of RFC5952. It's not a big deal but it would be better if we can be more consistent on the choice of letter case in RFCs. - Section 2 Charlie's resolvers are validating, but they have not been upgraded [...] resolve it). He is able to fetch both of the other resources - from this he knows (see the logic below) that he is using legacy, non- validating resolvers. [...] Do you mean "he is using legacy validating resolvers"? If it's not a typo, the behind logic isn't obvious to me and it would help if you explain it in more detail (instead of just referring to 'below'). - Section 3 [...] Note that the test is "Is there a key with this KeyID in the resolver's current trust store for the DNS root", not "Is there any key with this KeyID in the trust store", nor "Was a key with this KeyID used to validate this query?". Unless I miss something, the draft doesn't clarify its use is limited to root KSK until the next paragraph of this, so I suspect this statement will confuse a fresh reader who reads this doc from top to bottom without a particular knowledge of background discussion. I'd suggest noting it somewhere before this part, perhaps in the introduction (and maybe also in abstract). - Section 3 [...] Note that the <tag-index> is specified in the DNS label using hexadecimal notation. I suggest clarifying whether '<tag-index>' contains leading 0s somewhere in the document (this may not be the best place to do so, but this is the first reference to 'tag-index' that made the question occur to me). - Section 3 If the resolver has not placed a Root Zone Key Signing Key with tag index value matching the value specified in the query into the local resolver's store of trusted keys, then the resolver should return a response indicating that the response contains authenticated data according to section 5.8 of [RFC6840]. Should we perhaps define "store of trusted keys" more precisely? For example, if a key is in the "AddPend" status (per RFC5011) for the resolver, should it be considered in the "store of trusted keys"? - Section 3 This mechanism is to be applied only by resolvers that are performing DNSSEC validation, and applies only to RRset responses to an A or AAAA query (Query Type value 1 or 28) where the resolver has authenticated the response RRset according to the DNSSEC validation process and where the query name contains either of the labels described in this section as its left-most label. Is the RRset in 'response RRset' intentionally added (or in other words can't it just be 'response')? Perhaps is the intent to exclude negative responses? In any case I think the intent should be clearer here. And if a mere 'response' suffices it's probably less confusing to just say so. BTW, you might want to say 'a query for an Address Record' or 'an Address Record query' instead of 'an A or AAAA query' (I guess that's the intent of the introduction of this term. See also my first comment on Section 1.1 above). - Section 4 o Vleg: A DNSSEC-Validating resolver that does not implement this mechanism will respond with an A or AAAA RRSET response for "kskroll-sentinel-is-ta", an A record response for "kskroll- sentinel-not-ta" and SERVFAIL for the invalid name. + s/RRSET/RRset/? + 'an A record response' should be 'an A or AAAA record response' or it's revised using the "Address Record" term. Same comment applies to other part of this section including the table. -- JINMEI, Tatuya
- [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Bob Harold
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document Joe Abley
- Re: [DNSOP] Updated KSK Sentinel document Wessels, Duane
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Geoff Huston
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Paul Hoffman