Re: [DNSOP] kskroll-sentinel responses

Geoff Huston <gih@apnic.net> Sat, 23 December 2017 19:59 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <df3a8c29-38ea-6dd0-db4d-f8562653dd69@bellis.me.uk>
Date: Sun, 24 Dec 2017 06:59:19 +1100
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C79FED8F-91A7-41C9-A1D6-7DC290B8B938@apnic.net>
References: <20171221103623.045eed5e@titan.int.futz.org> <df3a8c29-38ea-6dd0-db4d-f8562653dd69@bellis.me.uk>
To: Ray Bellis <ray@bellis.me.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8JDR_hpyyfG7uSBSNpB5ShXOvY8>
Subject: Re: [DNSOP] kskroll-sentinel responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2017 19:59:45 -0000


> On 22 Dec 2017, at 8:44 am, Ray Bellis <ray@bellis.me.uk> wrote:
> 
> 
> 
> On 21/12/2017 15:36, Robert Story wrote:
>> I reread the draft today, and noticed that two things aren't specified.
>> The first is the contents of the A/AAAA RRSET returned, and the second
>> is the TTL for the records.
>> 
>> Maybe the A/AAAA record values could be used to return additional
>> details? For example, whether or not the key is part of static
>> configuration, or learned via 5011.
> 
> I had also wondered about this.
> 
> A browser-based system for triggering these queries can't do so without
> also then attempting a download of some resource via whatever IP address
> is returned.
> 
> (in other words, you can't make a browser "just" do a DNS lookup, the
> DNS lookup is a side effect of attempting to access a URL)
> 

As Ray points out, if a browser is conducting the experiment, and the
only visible indication of successful resolution is the retrieval of the
named object, then a reasonable test would use some sentinel object as
the named target (a 1x1 pixel gif is conventional in these
circumstances). In this case the TTL of the DNS record is not directly
visible to the browser.

In situations where a client may have multiple resolvers in their local
/etc/resolv.conf configuration, and recursive resolvers may themselves
use forwarders, it is not immediately obvious which resolver
generated the response, so I’m unsure of the interpretation of any
attempt to embed some form of additional information into either the IP
address of the named object.

The intent of the test is to establish a usable test along the lines of
"If you can retrieve this named object you are ready for a Root Zone KSK
roll." The issues around the diversity of behaviours in the DNS turn this
simple single fetch into a compound fetch of three named objects, but
the semantic intent is the same. That is: "From the pattern of the
results of performing these three tests we can compute a likelihood of
concluding whether or not, you, the end user, will, or will not, be
affected by a pending KSK roll. From a large enough sample of users we
can then estimate the 'impact' of a KSK roll on the total user
population."

Note that the intent is not to try and isolate the behaviour of a single
resolver, nor to attempt to diagnose the reasons for that behaviour. The
intent is to look at the user and the set of resolvers that the user's
DNS is configured to use, and determine if the user's DNS will be
"stranded" in the event of a KSK roll.
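The three-object test and the population estimate described above, written out as an added example that is not part of this thread or of the draft's own code. It assumes the label form later fixed by RFC 8509 (root-key-sentinel-is-ta-<key-tag> and root-key-sentinel-not-ta-<key-tag>, which postdates this message), a hypothetical invalid.example zone with a deliberately broken signature as the validation control, the KSK-2017 key tag 20326, and a simplified stub-resolver model in which a fetch succeeds if any configured resolver answers. The last case in the constructed sample shows the multiple-resolver ambiguity raised in the message: a client with one resolver that trusts the new key and one that does not produces the same pattern as a legacy validator.

```python
"""Classify a user's DNS-validation state from the three sentinel fetches.

Added example, not code from the thread. Label names follow RFC 8509
(assumed); the outcome table follows its Section 4. The resolver model
and the sample population are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum

KEY_TAG = 20326  # KSK-2017 key tag (assumed; substitute the key under test)
SENTINEL_IS_TA = f"root-key-sentinel-is-ta-{KEY_TAG:05d}.example"
SENTINEL_NOT_TA = f"root-key-sentinel-not-ta-{KEY_TAG:05d}.example"
SENTINEL_INVALID = "invalid.example"  # hypothetical zone with a broken signature


class Outcome(Enum):
    NEW_KEY_TRUSTED = "Vnew"    # validates and trusts the new KSK
    NEW_KEY_MISSING = "Vold"    # validates but lacks the new KSK: stranded on roll
    LEGACY_VALIDATOR = "Vleg"   # validates but does not implement the sentinel
    NOT_VALIDATING = "nonV"     # no validation; the roll has no effect
    INCONCLUSIVE = "other"      # pattern not in the table (e.g. lost fetches)


@dataclass(frozen=True)
class Resolver:
    """Behavioural model of one recursive resolver (constructed)."""
    validates: bool
    has_new_key: bool
    sentinel_aware: bool

    def resolves(self, name: str) -> bool:
        """True if this resolver hands the stub a usable answer for name."""
        if not self.validates:
            return True                    # passes everything through
        if name == SENTINEL_INVALID:
            return False                   # validator rejects bogus data
        if not self.sentinel_aware:
            return True                    # validates but ignores the labels
        if name == SENTINEL_IS_TA:
            return self.has_new_key        # SERVFAIL unless new KSK is trusted
        if name == SENTINEL_NOT_TA:
            return not self.has_new_key    # SERVFAIL when new KSK is trusted
        return True


def fetch(resolvers, name):
    """Stub behaviour: try each configured resolver; succeed if any answers."""
    return any(r.resolves(name) for r in resolvers)


def run_test(resolvers):
    """The compound fetch of the three named objects, as seen by the client."""
    return (fetch(resolvers, SENTINEL_IS_TA),
            fetch(resolvers, SENTINEL_NOT_TA),
            fetch(resolvers, SENTINEL_INVALID))


def classify(is_ta: bool, not_ta: bool, invalid: bool) -> Outcome:
    """Map the (is-ta, not-ta, invalid) fetch pattern to an outcome."""
    table = {
        (True, False, False): Outcome.NEW_KEY_TRUSTED,
        (False, True, False): Outcome.NEW_KEY_MISSING,
        (True, True, False): Outcome.LEGACY_VALIDATOR,
        (True, True, True): Outcome.NOT_VALIDATING,
    }
    return table.get((is_ta, not_ta, invalid), Outcome.INCONCLUSIVE)


def estimate_impact(clients):
    """Fraction of clients in each outcome, plus the fraction that would be stranded."""
    counts = Counter(classify(*run_test(rs)) for rs in clients)
    total = len(clients)
    summary = {o.value: counts[o] / total for o in Outcome}
    summary["stranded"] = counts[Outcome.NEW_KEY_MISSING] / total
    return summary


# Constructed sample population: each entry is one client's resolver list.
SAMPLE_CLIENTS = [
    [Resolver(validates=True, has_new_key=True, sentinel_aware=True)],     # Vnew
    [Resolver(validates=True, has_new_key=False, sentinel_aware=True)],    # Vold
    [Resolver(validates=True, has_new_key=True, sentinel_aware=False)],    # Vleg
    [Resolver(validates=False, has_new_key=False, sentinel_aware=False)],  # nonV
    # Mixed resolvers: one old-key, one new-key. The stub's retry masks the
    # old-key SERVFAIL, so the pattern is indistinguishable from Vleg.
    [Resolver(validates=True, has_new_key=False, sentinel_aware=True),
     Resolver(validates=True, has_new_key=True, sentinel_aware=True)],
]

if __name__ == "__main__":
    for rs in SAMPLE_CLIENTS:
        pattern = run_test(rs)
        print(pattern, classify(*pattern).value)
    print(estimate_impact(SAMPLE_CLIENTS))
```

The mixed-resolver client is the case the message warns about: the test measures the user's whole resolver set, and a retry across resolvers with different trust stores yields a pattern that reads as a legacy validator rather than as a partially stranded user, which is why per-resolver information embedded in the returned address would not be interpretable.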