Re: [DNSOP] Genart last call review of draft-ietf-dnsop-kskroll-sentinel-15

Geoff Huston <gih@apnic.net> Fri, 31 August 2018 04:04 UTC

From: Geoff Huston <gih@apnic.net>
Date: Fri, 31 Aug 2018 13:54:33 +1000
Cc: gen-art@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-kskroll-sentinel.all@ietf.org, ietf@ietf.org
To: Jari Arkko <jari.arkko@piuha.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GFDLZhSbHWmYbRlEDtKy-8zRcN8>

Hi Jari,

Thanks for spending the time and doing this review.

In response to the points you raise:

1. Jargon is just a constant factor in this space, and yes, the use of “CD bit” snuck in without either a reference or an explanation. I’ll use a reference to section 3.2.2 of RFC4035.

2. Your second point is because of an inadvertent omission of “or AAAA” in the second part, i.e. the responses are all the same as you had expected.


The minor points are:

The label in the table should probably use ‘Y’ and explain that this means an “A or AAAA RRSET response”.

Yes, “resolver_s_”!

The final point I am not so convinced about. The reason is scope of the document. This document is an instruction to folk who write DNS recursive resolvers. It is not an instruction to folk who want to set up zones that could be used to test KSK trust status. I would rather avoid adding text about the latter topic in this document, as I strongly prefer to leave it to others who may be sufficiently motivated to write a document about how to set up a measurement zone.


thanks,

   Geoff




> On 30 Aug 2018, at 3:46 pm, Jari Arkko <jari.arkko@piuha.net> wrote:
> 
> Reviewer: Jari Arkko
> Review result: Ready with Issues
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-dnsop-kskroll-sentinel-??
> Reviewer: Jari Arkko
> Review Date: 2018-08-29
> IETF LC End Date: 2018-09-06
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary:
> 
> This document was easy to read, and I had no issues to raise. I believe the
> test that it describes is useful and important for the DNSSEC operational
> processes in the Internet.
> 
> I did, however, have one question and one minor issue discussed below, and
> several editorial observations.
> 
> Major issues:
> 
> Minor issues:
> 
> The document says:
> 
>   If the validating resolver has a forwarding configuration, and uses
>   the CD bit on all forwarded queries, then this resolver is acting in
>   a manner that is identical to a standalone resolver.
> 
> What does "using the CD bit" mean? Do you expect the bit to be set or not set?
> Please clarify the language.
> 
> The document says:
> 
>   nonV:  A non-security-aware DNS resolver will respond with an A or
>      AAAA record response for "root-key-sentinel-is-ta", an A record
>      response for "root-key-sentinel-not-ta" and an A or AAAA RRset
>      response for the name that returns "bogus" validation status.
> 
> I do not understand why an old, non-DNSSEC aware resolver would respond in
> different ways to the -is-ta and -not-ta queries. But here you say an A record
> response is returned for -not-ta but A or AAAA RRset response is returned for
> -is-ta. What am I missing?
> 
> Nits/editorial comments:
> 
> Section 3 table lists "A" as responses, while the text talks about "A or RRset
> response". Perhaps this could be aligned to avoid confusion.
> 
> Section 4 title is "Sentinel Tests from Hosts with More than One Configured
> Resolve". Shouldn't that be "... Resolvers"?
> 
> The document did not clearly specify whether the names queried (including the
> -is-ta and not-ta label) need to exist in the used domain, or if it is enough
> for the domain itself to exist. Perhaps this could be clarified.
> 
>
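The exchange above turns on how the three sentinel probe responses line up for each resolver type, and on the "A or AAAA RRset" wording that Jari found confusing. The following is an added worked model, not code from the draft, from either author, or from any resolver implementation. It assumes the label format `root-key-sentinel-is-ta-<key-tag>` / `root-key-sentinel-not-ta-<key-tag>` with the key tag as a five-digit zero-padded decimal, the response codes `A` (an RRset came back, whatever its type) and `X` (SERVFAIL), the four-row classification table as I read it from the draft, and that a sentinel-aware resolver skips the special processing when the client set CD; the key tags 12345 and 54321 and the `.example.` names are constructed test values. The key tag routine is the RFC 4034 Appendix B algorithm for non-RSA/MD5 keys.

```python
"""Added example: a model of the KSK sentinel test discussed in this thread."""
import re

# Assumed label format (my reading of the draft): 5-digit zero-padded decimal key tag.
SENTINEL_RE = re.compile(r"^root-key-sentinel-(is-ta|not-ta)-(\d{5})$", re.IGNORECASE)

# Response codes as used in the draft's table: 'A' = an A/AAAA RRset was returned
# (the type does not matter for the test), 'X' = SERVFAIL from a validation failure.
ANSWER, SERVFAIL = "A", "X"


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag of a DNSKEY RR (RFC 4034 Appendix B, non-RSA/MD5 case).

    Input is the RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key.
    """
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def resolver_response(kind, qname, trust_anchor_tags, validated=True, cd_bit=False):
    """Model how one resolver type answers one probe query.

    kind: 'nonV'  - non-validating resolver
          'Vleg'  - validating resolver without sentinel support
          'Vsent' - validating resolver that implements the sentinel processing
    trust_anchor_tags: key tags of the root KSKs the resolver currently trusts.
    validated: whether the RRset validates (False models the deliberately bogus name).
    cd_bit: the client set Checking Disabled (assumption: no validation, no sentinel
            processing, so the RRset is returned as-is).
    """
    if kind == "nonV" or cd_bit:
        return ANSWER                      # nothing is validated, so nothing fails
    if not validated:
        return SERVFAIL                    # every validator fails the bogus name
    if kind == "Vleg":
        return ANSWER                      # validates, but ignores the sentinel labels
    m = SENTINEL_RE.match(qname.rstrip(".").split(".")[0])
    if not m:
        return ANSWER                      # ordinary name, ordinary validated answer
    want_ta, tag = m.group(1).lower() == "is-ta", int(m.group(2))
    # is-ta answers only if the tag IS a trust anchor; not-ta only if it is NOT.
    return ANSWER if (tag in trust_anchor_tags) == want_ta else SERVFAIL


def probe(kind, trust_anchor_tags, probe_tag):
    """The client's three queries; returns the (is-ta, not-ta, bogus) response triple."""
    names = (
        f"root-key-sentinel-is-ta-{probe_tag:05d}.example.",   # constructed zone
        f"root-key-sentinel-not-ta-{probe_tag:05d}.example.",
        "bogus.example.",                                      # signature fails by design
    )
    return tuple(
        resolver_response(kind, name, trust_anchor_tags, validated=(i < 2))
        for i, name in enumerate(names)
    )


# Classification table as I read it from the draft (is-ta, not-ta, bogus).
CLASSES = {
    (ANSWER, SERVFAIL, SERVFAIL): "Vnew",   # sentinel-aware, probed key IS trusted
    (SERVFAIL, ANSWER, SERVFAIL): "Vold",   # sentinel-aware, probed key NOT trusted
    (ANSWER, ANSWER, SERVFAIL): "Vleg",     # validating, no sentinel support
    (ANSWER, ANSWER, ANSWER): "nonV",       # non-validating
}


def classify(triple):
    """Map a response triple to the draft's resolver classes; 'other' if inconsistent."""
    return CLASSES.get(tuple(triple), "other")


if __name__ == "__main__":
    # Constructed scenarios: the client probes for key tag 12345.
    for kind, tas in (("Vsent", {12345}), ("Vsent", {54321}), ("Vleg", {12345}), ("nonV", set())):
        triple = probe(kind, tas, 12345)
        print(f"{kind:5s} trusts {sorted(tas)} -> {triple} => {classify(triple)}")
```

The `validated` flag is what keeps the model honest about scope: the special processing only ever turns a validated answer into SERVFAIL, so a forwarder that sends CD=1 upstream and validates the result itself (the "uses the CD bit" case Jari asked about) lands in the same row as a standalone validator.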