[DNSOP] kskroll-sentinel and unclear results
"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 21 May 2018 02:29 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 773C612E05C for <dnsop@ietfa.amsl.com>; Sun, 20 May 2018 19:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z_hdAWcW3Nvc for <dnsop@ietfa.amsl.com>; Sun, 20 May 2018 19:29:46 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B877712E051 for <dnsop@ietf.org>; Sun, 20 May 2018 19:29:46 -0700 (PDT)
Received: from [10.32.60.56] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w4L2SpuI012950 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Sun, 20 May 2018 19:28:52 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.56]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop WG <dnsop@ietf.org>
Date: Sun, 20 May 2018 19:29:44 -0700
X-Mailer: MailMate (1.11.2r5479)
Message-ID: <A53AF3DD-205D-4A8D-82DF-3255287FAFB0@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D94lE2Phsw6629zQBNKp_6xEw_M>
Subject: [DNSOP] kskroll-sentinel and unclear results
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 May 2018 02:29:49 -0000
Greetings. As I re-read the current draft of
draft-ietf-dnsop-kskroll-sentinel, I'm feeling a bit uneasy about the
description of "Vleg" and of what happens when you get a result that
doesn't fit into the query/type table. The draft is fine for when the
results are Vnew, Vold, and nonV, but it gets mushy for other results.
It's just a name, but "Vleg" indicates that the resolver is a legacy
validating resolver (that is, doesn't do
draft-ietf-dnsop-kskroll-sentinel). As the document says, that's one
possibility, but you can also get the same set of answers from a set of
resolvers that validate and support the protocol, but don't all support
the key whose Key Tag is in the query.
Similarly, if all the client's resolvers support this mechanism, but
some have loaded the key into the trusted key stash and some have
not, then the result is indeterminate ("Vleg").
The draft also uses "indeterminate" in other places for the result.
Given that, calling it "Vleg" could lead implementers of tests to the
wrong conclusion. Calling it "Vind" would be clearer.
And this brings up the second point. The earlier sections of the draft
mix saying that the tests are for "a resolver" and for "a system of
resolvers". Although Section 4 does a good job of discussing the
complications of measuring for a user that has more than one resolver
that have different configurations, earlier sections make the protocol
sound more definitive than it is.
If others agree with me that the draft can use better language around
these, I'm happy to offer new proposed text. If I'm the only one who
finds this part a bit hidden, that's fine, and it can move on as-is.
--Paul Hoffman
- [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Wessels, Duane
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Warren Kumari
- Re: [DNSOP] kskroll-sentinel and unclear results Geoff Huston
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Paul Hoffman
- Re: [DNSOP] kskroll-sentinel and unclear results Geoff Huston