Re: [DNSOP] I-D Action: draft-huston-kskroll-sentinel-04.txt

Bob Harold <rharolde@umich.edu> Fri, 17 November 2017 13:11 UTC

From: Bob Harold <rharolde@umich.edu>
Date: Fri, 17 Nov 2017 08:11:20 -0500
Message-ID: <CA+nkc8AMwy4QkuTNmzfv5MQ9QLtnwFAXVbNHoUaLu6Ybhe8KCQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Joe Abley <jabley@hopcount.ca>, IETF DNSOP WG <dnsop@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Br8H8C5oKktS0qWHWLNmCgpElh8>

On Wed, Nov 15, 2017 at 1:38 AM, Warren Kumari <warren@kumari.net> wrote:

> On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <jabley@hopcount.ca> wrote:
> > Hi Bob,
> >
> > On Nov 15, 2017, at 00:23, Bob Harold <rharolde@umich.edu> wrote:
> >
> > If I have to add those entries to each zone, I worry that the automated
> > DNS appliance that I use might not be able to create the broken records
> > required.
> >
> > Since the implementation of the mechanism requires special handling of
> > queries whose QNAMEs contain the special labels, I don't see why you
> > would ever need to add anything to any zone.
> >
> > The point of this mechanism is to require no administrator action and to
> > be on by default, I think.
>
> Yup, *you* should not need to create these records; as long as someone
> does, the testing will work -- e.g. if example.com publishes:
> _is-ta-4f66.example.com
> _not-ta-4f66.example.com
> badlysigned.example.com
>
> and you can resolve things in example.com, you can do the testing. If
> your appliance has not been upgraded to know about this new technique,
> the result will correctly be "unknown / indeterminate" (Vleg[0]).
>
> W
>
> [0]: Vleg: A DNSSEC-Validating resolver that does not include this
>       mechanism will respond with an A record response for "_is-ta", an
>       A record response for "_not-ta" and SERVFAIL for the invalid name.
>
>
> >
> >
> > Joe
>

So for resolvers that can reach the public internet, only one publicly
available authoritative server needs to have these special records in one
zone?

Could that be made clearer in the draft?

-- 
Bob Harold
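Added example, not code from the draft or from anyone in this thread: it models the three-name test Warren describes (the `_is-ta-4f66` / `_not-ta-4f66` / `badlysigned` names under example.com) and, going beyond the Vleg case the footnote spells out, the other resolver classes the draft defines (Vnew, Vold, non-validating), so a tester can see how the three answers combine. The resolver model, zone, key tag and outcome values are assumptions.

```python
import re
from enum import Enum

# Added example (not from the draft or the thread): models the three-name test
# above and the draft's resolver classes; zone, key tag and outcomes are assumed.

class Outcome(Enum):
    ANSWER = "A"            # resolver returned the A record
    SERVFAIL = "SERVFAIL"   # resolver returned SERVFAIL

ZONE = "example.com"   # zone from the thread; any signed zone would do
KEYTAG = "4f66"        # hex key tag used in the thread's example names
_IS_TA = re.compile(r"^_is-ta-([0-9a-f]{4})\.")
_NOT_TA = re.compile(r"^_not-ta-([0-9a-f]{4})\.")

def sentinel_names(zone=ZONE, keytag=KEYTAG):
    """The three names a tester queries; only the zone owner publishes them."""
    return (f"_is-ta-{keytag}.{zone}", f"_not-ta-{keytag}.{zone}",
            f"badlysigned.{zone}")

def simulated_resolver(qname, trusted_tags, validating=True, sentinel_aware=True):
    """Assumed model of each resolver class; trusted_tags = its trust anchor key tags."""
    if qname.startswith("badlysigned."):
        return Outcome.SERVFAIL if validating else Outcome.ANSWER
    if validating and sentinel_aware:
        m = _IS_TA.match(qname)
        if m:   # answer only if the named key is a trust anchor
            return Outcome.ANSWER if m.group(1) in trusted_tags else Outcome.SERVFAIL
        m = _NOT_TA.match(qname)
        if m:   # answer only if the named key is NOT a trust anchor
            return Outcome.SERVFAIL if m.group(1) in trusted_tags else Outcome.ANSWER
    return Outcome.ANSWER   # Vleg and non-validating resolvers ignore the labels

def classify(is_ta, not_ta, badly_signed):
    """Map the three outcomes to the draft's resolver classes."""
    if badly_signed == Outcome.ANSWER:
        return "non-validating"   # accepted bogus data, so no DNSSEC at all
    if is_ta == not_ta == Outcome.ANSWER:
        return "Vleg"             # validating but unaware of the sentinel labels
    if (is_ta, not_ta) == (Outcome.ANSWER, Outcome.SERVFAIL):
        return "Vnew"             # sentinel-aware and trusts the named key
    if (is_ta, not_ta) == (Outcome.SERVFAIL, Outcome.ANSWER):
        return "Vold"             # sentinel-aware, named key not a trust anchor
    return "indeterminate"        # e.g. SERVFAIL on both: mixed or broken path

def probe(trusted_tags, validating=True, sentinel_aware=True):
    results = [simulated_resolver(n, trusted_tags, validating, sentinel_aware)
               for n in sentinel_names()]
    return classify(*results)
```

Only the zone owner needs to publish the three names; the tester just needs a resolver that can reach that zone, which is the point of Bob's question above.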