[DNSOP] kskroll-sentinel and unclear results
"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 21 May 2018 02:29 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 773C612E05C for <dnsop@ietfa.amsl.com>; Sun, 20 May 2018 19:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z_hdAWcW3Nvc for <dnsop@ietfa.amsl.com>; Sun, 20 May 2018 19:29:46 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B877712E051 for <dnsop@ietf.org>; Sun, 20 May 2018 19:29:46 -0700 (PDT)
Received: from [10.32.60.56] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w4L2SpuI012950 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Sun, 20 May 2018 19:28:52 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.56]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop WG <dnsop@ietf.org>
Date: Sun, 20 May 2018 19:29:44 -0700
X-Mailer: MailMate (1.11.2r5479)
Message-ID: <A53AF3DD-205D-4A8D-82DF-3255287FAFB0@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D94lE2Phsw6629zQBNKp_6xEw_M>
Subject: [DNSOP] kskroll-sentinel and unclear results
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 May 2018 02:29:49 -0000
Greetings. As I re-read the current draft of draft-ietf-dnsop-kskroll-sentinel, I'm feeling a bit uneasy about the description of "Vleg" and of what happens when you get a result that doesn't fit into the query/type table. The draft is fine for when the results are Vnew, Vold, and nonV, but it gets mushy for other results. It's just a name, but "Vleg" indicates that the resolver is a legacy validating resolver (that is, doesn't do draft-ietf-dnsop-kskroll-sentinel). As the document says, that's one possibility, but you can also get the same set of answers from a set of resolvers that validate and support the protocol, but don't all support the key whose Key Tag is in the query. Similarly, if all the client's resolvers support this mechanism, but some have loaded the key into the trusted key stash and some have not, then the result is indeterminate ("Vleg"). The draft also uses "indeterminate" in other places for the result. Given that, calling it "Vleg" could lead implementers of tests to the wrong conclusion. Calling it "Vind" would be clearer. And this brings up the second point. The earlier sections of the draft mix saying that the tests are for "a resolver" and for "a system of resolvers". Although Section 4 does a good job of discussing the complications of measuring for a user that has more than one resolver that have different configurations, earlier sections make the protocol sound more definitive than it is. If others agree with me that the draft can use better language around these, I'm happy to offer new proposed text. If I'm the only one who finds this part a bit hidden, that's fine, and it can move on as-is. --Paul Hoffman
- [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Wessels, Duane
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Geoff Huston
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Geoff Huston