Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
Richard Barnes <rlb@ipv.sx> Mon, 27 November 2017 18:36 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E162128D6F for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 10:36:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XfJtAgA8HV6E for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 10:36:20 -0800 (PST)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78392126CBF for <dnsop@ietf.org>; Mon, 27 Nov 2017 10:36:19 -0800 (PST)
Received: by mail-wr0-x233.google.com with SMTP id s41so21964053wrc.7 for <dnsop@ietf.org>; Mon, 27 Nov 2017 10:36:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/EnVLIZFHfdwQjO3TFRFAxpoDZ5kc64t/CIKdY7cML4=; b=OFnpQA1p3PYYLV1OEpZu6twfObUv7vJp/Px3BNc59PCkNi4SHRypfCdf74ElWLOcF1 4mg0Noo/3ivFoB0UloFOCQZALuowGkbgUPV6MCTRjHmUo/TfgFVdDqtlr/BEU4YSNdqY pSMwn5HNvUO2GeB+3g3oDzKik4frmQWsLt+mMNqMFjRdQo7tyQ4fa/xg9KFmp3ao0Gi6 kHN8mLV2MJApEWUKJXrzBjbqo/znXGD+LbDyJRR9d41zQCWxDIntQbtX9NY68BpH2B/R kVazcQbIGsnvuWqDLtwecMc+IdCQdNvriwokL72DzIMtq/VCNnK1wUjuBgI9oHyYi6Dq /LLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/EnVLIZFHfdwQjO3TFRFAxpoDZ5kc64t/CIKdY7cML4=; b=jK7LJRmPTx1ep5AvnHcJTRuUdWbI0xjAj4DXB6H7LUlblID/ohkBzzavpqtUeCnQZs VHjkSncEhx/N+7p2ajEBMkKtoL15WXcoKBGs4WTd9zQlxFTrJpLV4l90PO7V9tf4P/9P tQ4867HePf06q71gEKgT341ybgv4vLBMy6A13zVo1aveVLjqcqFe0igDn+8gryPwivjY RgPPEcgwP5MtfUAE56pdXwWe1xRzMHG0ZZ11iZycxldd5Mc3Ed5ab9Co2lde+E3ysxS5 xIk6W3D76SgnIXS+KWTNC660Le3bjC//AHsBwNw4XH+gDBWoDuoHctkrq++zWgg/T3D7 seBQ==
X-Gm-Message-State: AJaThX641nShkNdKwKDgfjDcBAxyE7kq3Oyd4wPMG/ukBPkjFxvDtQXp YP1/OtCW61WFw129KjdJKE6snmJpVEiQ0FPbMM4akw==
X-Google-Smtp-Source: AGs4zMaBX+FOtdHbK9OEDl/z7Ws1nXK1Il2GJPqd3aFKdhZ+QBC88M0CJQ/+M4U8+Bjoz3su9lioPKAizZpqC23WwVs=
X-Received: by 10.223.141.134 with SMTP id o6mr31248513wrb.95.1511807777893; Mon, 27 Nov 2017 10:36:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.167.74 with HTTP; Mon, 27 Nov 2017 10:36:17 -0800 (PST)
In-Reply-To: <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com>
References: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com> <CAKr6gn07V7s0Q8czQR3v6uAujj4t1-SRt7xqi=zDNVpsryXhVQ@mail.gmail.com> <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 27 Nov 2017 13:36:17 -0500
Message-ID: <CAL02cgTawPPjWRZ=iMHQOyT+N_cU1r74N+Cp2+Fxn_qLoMh7cQ@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
Cc: tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f569a9202c4055efb2d98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4a_UIH_IZnURvEnLee6azBc07wg>
Subject: Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2017 18:36:21 -0000
Well, that's what I get for providing drive-by feedback. Someone pointed me off-list to RFC 8145 and the operational issues with that. I still think that that calls for a better authoritative/resolver telemetry interface, not some client-side thing. On Mon, Nov 27, 2017 at 1:10 PM, Richard Barnes <rlb@ipv.sx> wrote: > George, you should know better than to claim that a mechanism that > requires resolver updates will have "immediate benefit" :) > > I do not find this mechanism terribly compelling. It is not useful in the > short run, as noted above. And it has the wrong architecture for the long > run. > > What zone operators need, for KSK roll-overs and other evolution > decisions, is telemetry about the capabilities of the resolvers they > serve. In order for an approach like this to provide that telemetry, one > would need a broad-scale client-side measurement system. While such > systems exist (Geoff and George being expert practitioners), they have a > lot of problems -- they're expensive to operate at scale; they're extremely > limited in terms of what they can measure and how reliably; and they impose > much more overhead than is needed here. We shouldn't be building a > telemetry system for the DNS that has hard-coded assumptions about web ads > or dedicated probes. > > It would be far better to build a telemetry mechanism that operated > directly between resolvers and authoritative servers. There are a variety > of ways you could do this. In today's world, you could have some record by > which an authoritative server could advertise a telemetry submission > point. In a DOH world, you could have the resolver provide a Link header > telling the authoritative server where it could pick up information about > resolver capabilities. None of these are hard to build (and they don't > interfere with the "fast path" of the resolver) and they provide much more > high quality information. > > If you need data for the KSK roll that we're already a decade late for, > gather it in a way that doesn't require a resolver upgrade. (Deploy a > dedicated temporary TLD if you need to.) If you're trying to solve the > long-run telemetry problem, then build it properly. > > --Richard > > > On Thu, Nov 16, 2017 at 3:34 AM, George Michaelson <ggm@algebras.org> > wrote: > >> I support adoption of this work. Its a sensible, simple proposal which >> has immediate benefit, and can be used by anyone to test the ability >> of their nominated resolver to recognise specific keys, and their >> trust state. >> >> I believe as a community, at large, we need code deployed into the >> resolvers in the wild, and we need a document specifying the behaviour >> we need deployed into those resolvers. We can use this to inform >> ourselves of operational risk under keychange. We can know as >> individuals, as organizations what we will see, if keys change. I >> think this is quite powerful. compared to measurement of what >> resolvers see, or what authoritatives or roots see, going back to >> these service-providers themselves. This method informs the client >> side of the transaction. Thats big. >> >> I'm not saying we shouldn't do other things, or measure. I'm saying >> that this proposal has a qualitative aspect which I think is >> different, and good. >> >> -George >> >> On Thu, Nov 16, 2017 at 4:23 PM, tjw ietf <tjw.ietf@gmail.com> wrote: >> > All >> > >> > The author has rolled out a new version addressing comments from the >> meeting >> > on Monday, and we feel it’s ready to move this along. >> > >> > This starts a Call for Adoption for draft-huston-kskroll-sentinel >> > >> > The draft is available here: >> > https://datatracker.ietf.org/doc/draft-huston-kskroll-sentinel/ >> > >> > Please review this draft to see if you think it is suitable for >> adoption by >> > DNSOP, and comments to the list, clearly stating your view. >> > >> > Please also indicate if you are willing to contribute text, review, etc. >> > >> > This call for adoption ends: 30 November 2017 23:59 >> > >> > Thanks, >> > tim wicinski >> > DNSOP co-chair >> > >> > _______________________________________________ >> > DNSOP mailing list >> > DNSOP@ietf.org >> > https://www.ietf.org/mailman/listinfo/dnsop >> > >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> > >
- [DNSOP] Call for Adoption: draft-huston-kskroll-s… tjw ietf
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… George Michaelson
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Petr Špaček
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… A. Schulze
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… manu tman
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Matthew Pounsett
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Benno Overeinder
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Paul Hoffman
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… tjw ietf
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Daniel Shaw
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Richard Barnes
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Richard Barnes
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Richard Barnes
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Wessels, Duane
- Re: [DNSOP] [Ext] Re: Call for Adoption: draft-hu… Edward Lewis
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Wes Hardaker
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… David Conrad
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Matt Larson
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… tjw ietf
- Re: [DNSOP] Call for Adoption: draft-huston-kskro… Mehmet Akcin