IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel

Richard Barnes <rlb@ipv.sx> Mon, 27 November 2017 18:36 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E162128D6F for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 10:36:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XfJtAgA8HV6E for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 10:36:20 -0800 (PST)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78392126CBF for <dnsop@ietf.org>; Mon, 27 Nov 2017 10:36:19 -0800 (PST)
Received: by mail-wr0-x233.google.com with SMTP id s41so21964053wrc.7 for <dnsop@ietf.org>; Mon, 27 Nov 2017 10:36:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/EnVLIZFHfdwQjO3TFRFAxpoDZ5kc64t/CIKdY7cML4=; b=OFnpQA1p3PYYLV1OEpZu6twfObUv7vJp/Px3BNc59PCkNi4SHRypfCdf74ElWLOcF1 4mg0Noo/3ivFoB0UloFOCQZALuowGkbgUPV6MCTRjHmUo/TfgFVdDqtlr/BEU4YSNdqY pSMwn5HNvUO2GeB+3g3oDzKik4frmQWsLt+mMNqMFjRdQo7tyQ4fa/xg9KFmp3ao0Gi6 kHN8mLV2MJApEWUKJXrzBjbqo/znXGD+LbDyJRR9d41zQCWxDIntQbtX9NY68BpH2B/R kVazcQbIGsnvuWqDLtwecMc+IdCQdNvriwokL72DzIMtq/VCNnK1wUjuBgI9oHyYi6Dq /LLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/EnVLIZFHfdwQjO3TFRFAxpoDZ5kc64t/CIKdY7cML4=; b=jK7LJRmPTx1ep5AvnHcJTRuUdWbI0xjAj4DXB6H7LUlblID/ohkBzzavpqtUeCnQZs VHjkSncEhx/N+7p2ajEBMkKtoL15WXcoKBGs4WTd9zQlxFTrJpLV4l90PO7V9tf4P/9P tQ4867HePf06q71gEKgT341ybgv4vLBMy6A13zVo1aveVLjqcqFe0igDn+8gryPwivjY RgPPEcgwP5MtfUAE56pdXwWe1xRzMHG0ZZ11iZycxldd5Mc3Ed5ab9Co2lde+E3ysxS5 xIk6W3D76SgnIXS+KWTNC660Le3bjC//AHsBwNw4XH+gDBWoDuoHctkrq++zWgg/T3D7 seBQ==
X-Gm-Message-State: AJaThX641nShkNdKwKDgfjDcBAxyE7kq3Oyd4wPMG/ukBPkjFxvDtQXp YP1/OtCW61WFw129KjdJKE6snmJpVEiQ0FPbMM4akw==
X-Google-Smtp-Source: AGs4zMaBX+FOtdHbK9OEDl/z7Ws1nXK1Il2GJPqd3aFKdhZ+QBC88M0CJQ/+M4U8+Bjoz3su9lioPKAizZpqC23WwVs=
X-Received: by 10.223.141.134 with SMTP id o6mr31248513wrb.95.1511807777893; Mon, 27 Nov 2017 10:36:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.167.74 with HTTP; Mon, 27 Nov 2017 10:36:17 -0800 (PST)
In-Reply-To: <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com>
References: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com> <CAKr6gn07V7s0Q8czQR3v6uAujj4t1-SRt7xqi=zDNVpsryXhVQ@mail.gmail.com> <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 27 Nov 2017 13:36:17 -0500
Message-ID: <CAL02cgTawPPjWRZ=iMHQOyT+N_cU1r74N+Cp2+Fxn_qLoMh7cQ@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
Cc: tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f569a9202c4055efb2d98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4a_UIH_IZnURvEnLee6azBc07wg>
Subject: Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2017 18:36:21 -0000

Well, that's what I get for providing drive-by feedback.  Someone pointed
me off-list to RFC 8145 and the operational issues with that.  I still
think that that calls for a better authoritative/resolver telemetry
interface, not some client-side thing.

On Mon, Nov 27, 2017 at 1:10 PM, Richard Barnes <rlb@ipv.sx> wrote:

> George, you should know better than to claim that a mechanism that
> requires resolver updates will have "immediate benefit" :)
>
> I do not find this mechanism terribly compelling.  It is not useful in the
> short run, as noted above.  And it has the wrong architecture for the long
> run.
>
> What zone operators need, for KSK roll-overs and other evolution
> decisions, is telemetry about the capabilities of the resolvers they
> serve.  In order for an approach like this to provide that telemetry, one
> would need a broad-scale client-side measurement system.  While such
> systems exist (Geoff and George being expert practitioners), they have a
> lot of problems -- they're expensive to operate at scale; they're extremely
> limited in terms of what they can measure and how reliably; and they impose
> much more overhead than is needed here.  We shouldn't be building a
> telemetry system for the DNS that has hard-coded assumptions about web ads
> or dedicated probes.
>
> It would be far better to build a telemetry mechanism that operated
> directly between resolvers and authoritative servers.  There are a variety
> of ways you could do this.  In today's world, you could have some record by
> which an authoritative server could advertise a telemetry submission
> point.  In a DOH world, you could have the resolver provide a Link header
> telling the authoritative server where it could pick up information about
> resolver capabilities.  None of these are hard to build (and they don't
> interfere with the "fast path" of the resolver) and they provide much more
> high quality information.
>
> If you need data for the KSK roll that we're already a decade late for,
> gather it in a way that doesn't require a resolver upgrade.  (Deploy a
> dedicated temporary TLD if you need to.)  If you're trying to solve the
> long-run telemetry problem, then build it properly.
>
> --Richard
>
>
> On Thu, Nov 16, 2017 at 3:34 AM, George Michaelson <ggm@algebras.org>
> wrote:
>
>> I support adoption of this work. Its a sensible, simple proposal which
>> has immediate benefit, and can be used by anyone to test the ability
>> of their nominated resolver to recognise specific keys, and their
>> trust state.
>>
>> I believe as a community, at large,  we need code deployed into the
>> resolvers in the wild, and we need a document specifying the behaviour
>> we need deployed into those resolvers. We can use this to inform
>> ourselves of operational risk under keychange. We can know as
>> individuals, as organizations what we will see, if keys change. I
>> think this is quite powerful. compared to measurement of what
>> resolvers see, or what authoritatives or roots see, going back to
>> these service-providers themselves. This method informs the client
>> side of the transaction. Thats big.
>>
>> I'm not saying we shouldn't do other things, or measure. I'm saying
>> that this proposal has a qualitative aspect which I think is
>> different, and good.
>>
>> -George
>>
>> On Thu, Nov 16, 2017 at 4:23 PM, tjw ietf <tjw.ietf@gmail.com> wrote:
>> > All
>> >
>> > The author has rolled out a new version addressing comments from the
>> meeting
>> > on Monday, and we feel it’s ready to move this along.
>> >
>> > This starts a Call for Adoption for draft-huston-kskroll-sentinel
>> >
>> > The draft is available here:
>> > https://datatracker.ietf.org/doc/draft-huston-kskroll-sentinel/
>> >
>> > Please review this draft to see if you think it is suitable for
>> adoption by
>> > DNSOP, and comments to the list, clearly stating your view.
>> >
>> > Please also indicate if you are willing to contribute text, review, etc.
>> >
>> > This call for adoption ends: 30 November 2017 23:59
>> >
>> > Thanks,
>> > tim wicinski
>> > DNSOP co-chair
>> >
>> > _______________________________________________
>> > DNSOP mailing list
>> > DNSOP@ietf.org
>> > https://www.ietf.org/mailman/listinfo/dnsop
>> >
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
>

v2.23.0 | Report a Bug | By Email