IETF Logo Mail Archive

[DNSOP] Comments on draft-ietf-dnsop-kskroll-sentinel-11

Edward Lewis <edward.lewis@icann.org> Mon, 09 April 2018 21:02 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B5C912D7ED for <dnsop@ietfa.amsl.com>; Mon, 9 Apr 2018 14:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level:
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9gUugNTcZpM for <dnsop@ietfa.amsl.com>; Mon, 9 Apr 2018 14:02:30 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A444F12D7EC for <dnsop@ietf.org>; Mon, 9 Apr 2018 14:02:30 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 9 Apr 2018 14:02:28 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Mon, 9 Apr 2018 14:02:28 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Comments on draft-ietf-dnsop-kskroll-sentinel-11
Thread-Index: AQHT0EYRxwZaEbS0w0iPgl+ZiZByhw==
Date: Mon, 09 Apr 2018 21:02:28 +0000
Message-ID: <8F521CF3-4F57-47D2-A973-5CD4CF9B4687@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.a.0.180210
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <6E781E69F306324F96C89ED9686ADE46@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CeBHMZpQbt6Y89wCi8nPRgzhN-s>
Subject: [DNSOP] Comments on draft-ietf-dnsop-kskroll-sentinel-11
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 21:02:32 -0000

1.

##    which they are generated.  The Key Tag is a 16-bit value computed
##    from the RDATA portion of a DNSKEY RR using a formula similar to a
##    ones-complement checksum.  RRSIG RRs contain a Key Tag field whose

Suggest a reference to the section where the formula is defined, lest the
words here be taken as the definition.

"The Key Tag is a 16-bit value computed from the RDATA portion of a DNSKEY RR using a formula found in "Key Tag Calculation" (Appendix B of "Resource Records for the DNS Security Extensions" [RFC 4034]), a formula similar to a ones-complement checksum."

...the latter is not true for the original DNSSEC Security Algorithm, a factoid only significant in trivia games.   (See Appendix B.1 of the same document.)

2.

##    validating resolvers.  The KSK sentinel method cannot provided him

s/provided/provide/

3.

##    "invalid" resource.  His resolver resolves the root-key-sentinel-is-
##    ta-02323.example.com name normally (it contacts the example.com
##    authoritative servers, etc); as it supports the sentinel mechanism,
##    just before Dave's recursive server send the reply to Dave's stub, it

s/send/sends/
Truth is, I can't quite parse the sentence

##    performs the KSK Sentinel check (see below).  The QNAME starts with

4.

Unanswered[1] question from before:

Why is this specific to the root zone?

One reason to make this more general (than the root) is testing.  What if, in about two years, new implementations arrive and the operator of a root zone KSK wants to run tests?  It would be helpful to be able to have a test zone set up where secure entry points can be rotated in the name of testing code bases.  (In the same sense as this test tool: https://automated-ksk-test.research.icann.org/)

Beyond that, there are no other rules or conventions in the protocol specific to one (absolute) name.  Not even "the reverse map" is special to the protocol.  (Perhaps this is too philosophical a topic.)

If this test mechanism only works for the root zone, then other operators exercising Automated Updates will not be able to make use of it.  There are two operators at the TLD level of the global public Internet DNS who exhibit Automated Updates (one has confirmed to me they do), for the sake of clarity, these operators do not include ICANN.  I have never searched in other trees nor deeper in the global public Internet for any operator following Automated Updates nor making use of seeded trust anchors outside the root zone.

[1] - About a month ago, I sent an open question to the list:

https://www.ietf.org/mail-archive/web/dnsop/current/msg22047.html

I missed any public replies to the question, I had one private exchange that said the WG preferred root-only without an explanation.  I'm not saying there's been no rationale given, but I haven't seen any reason.  There may be a good reason, again, I just haven't seen one.

v2.23.0 | Report a Bug | By Email