Re: [DNSOP] A conversational description of sentinel.

Joe Abley <jabley@hopcount.ca> Mon, 15 January 2018 02:08 UTC

Hi Warren,

On 14 Jan 2018, at 20:51, Warren Kumari <warren@kumari.net> wrote:

> I had a conversation with a friend earlier today, who had carefully read the document (https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/), but had not managed to understand it at all. Since this friend is bright, and really understands DNS, I figured that the document doesn't do as good a job explaining how this would be used in practice as it should. Sometimes it is easier to explain things in an informal manner, and so here is a (hopefully better) description of draft-ietf-dnsop-kskroll-sentinel.
> 
> 2 things seemed to be causing confusion:

I think the document would benefit from some explicit advice for zone administrators and some explicit requirements for validating resolvers, and having them both separated into obviously-distinct sections. An example of a specific experiment would also be useful.

A careful review of some of the terminology would also probably help. At the moment the text contains phrases like "query name that is signed with a DNSEC signature" that I think add to the ambiguity and confusion (query names are not signed; RRSets are signed, and the part of an RRSet corresponding to a QNAME, in the sense that I think is intended, is an owner name).

I definitely agree that even with some prior idea of what this mechanism is trying to do (and some prior exposure to the geoffsperiments that provide context) this draft is quite hard to understand. The small handful of slides I saw Geoff present about this seemed far easier to understand than the draft, in fact.

I would be happy to suggest text if that seems useful, but I haven't done that here since it seems likely that other text changes are already in the pipeline, based on reviews on this list so far.


Joe