Re: [DNSOP] I-D Action: draft-huston-kskroll-sentinel-04.txt
Warren Kumari <warren@kumari.net> Wed, 15 November 2017 06:38 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00C80129503 for <dnsop@ietfa.amsl.com>; Tue, 14 Nov 2017 22:38:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuN5gY47B9A6 for <dnsop@ietfa.amsl.com>; Tue, 14 Nov 2017 22:38:57 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 012A4129508 for <dnsop@ietf.org>; Tue, 14 Nov 2017 22:38:56 -0800 (PST)
Received: by mail-wm0-x22b.google.com with SMTP id 9so705711wme.4 for <dnsop@ietf.org>; Tue, 14 Nov 2017 22:38:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=A7DSQJQ4pqTWmbeyAWloqtaIKl5YvTVAvVm0Pp9rH4E=; b=ubA0ODJdxHFpYnDTgIqoyL9VEeo0s1NC0OMgQ+vnyRLN8nWbL6Exztuv+O02p55Y1V 5Hpty+3QXmViUhvcXS5BwS0m8ADl815OFlEYCj7QQo6k2KlpCvg8X2BH/Oz4oAX17MNU Ayfx4zLBs4DtxkODmYRDx5thU8isQXKtI52glA+A7UB9SWUqN+qViQAdsELjcPAkAMfP Tg6jdTsfrGY3DwLg+6n37zMr/WqbeBzmv+fEJ+6QPB3D+C1IaJ53IRGv79ukin83d7Lv tyN7sT4y579UPRxH2I98cHboHcBWvJaiBduyFhOiKACoShMO18SlPFC1xOqbR+DykfxY w8pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=A7DSQJQ4pqTWmbeyAWloqtaIKl5YvTVAvVm0Pp9rH4E=; b=rORmve1oVBY32Uu+Pw83Y2biPt6S1i0+/mTowvw3V7J4IOGYeNumUT5FMzIWSbDGkd Gw4+dQmJ5VxgG9/stKPrPgpndAd5MRVcalthbUdZ08aj0QQEd+u8/gYlVfV0T4ghSo/0 6JTIMOHLyxFPL4uaeLesfLUeJkoOChXrfxseCmP+BpmvwNt23mVflWqsqEn5jRL5mUM3 ZGVleXIpiPk2Av2bJqjWaLQcoThmIw/LhrrUO27JrUDtT7KhpJ2tujYUrXFZoFjEWJ/k 7NIKVdjQXRkFu/lfbL3MRsxKJtgX3uFW6KaO+UyIJcdJJlGUDC8f1Y+cEMGa2qruisU7 EmpQ==
X-Gm-Message-State: AJaThX4CWl8ZNHkAM9EkHZy3/Y4cUCjRSIwJ8PafbV40Lut03TckCZrm oSRQZfNEKiwrSpCDrhaewFni+Tk2AZkfCgG8rs/jFw==
X-Google-Smtp-Source: AGs4zMamr3gdvAAkDg1ouztXdClQ+C2VzzXpQxeiuECD7aWV+6xF6WTMZwnDRtj8/gAiyfOllgzbHDPHMU1KRa2DZM4=
X-Received: by 10.28.26.194 with SMTP id a185mr443649wma.124.1510727935285; Tue, 14 Nov 2017 22:38:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.160.149 with HTTP; Tue, 14 Nov 2017 22:38:14 -0800 (PST)
In-Reply-To: <7572271693475788861@unknownmsgid>
References: <151062636258.5917.14497839377888768972@ietfa.amsl.com> <CA+nkc8CQPe6eT6QGWmO30Cn1ik5oaGUxS_GQg0BproCPSu-U6Q@mail.gmail.com> <7572271693475788861@unknownmsgid>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 15 Nov 2017 14:38:14 +0800
Message-ID: <CAHw9_iJfa-LOcgy=5hEFLvEHVGEVa0prMgwJVRR2ifxzMtPrLg@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Bob Harold <rharolde@umich.edu>, IETF DNSOP WG <dnsop@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HRAndXjESdZhRWZdWSvC7wCr-dM>
Subject: Re: [DNSOP] I-D Action: draft-huston-kskroll-sentinel-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Nov 2017 06:38:59 -0000
On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <jabley@hopcount.ca> wrote: > Hi Bob, > > On Nov 15, 2017, at 00:23, Bob Harold <rharolde@umich.edu> wrote: > > If I have to add those entries to each zone, I worry that the automated DNS > appliance that I use might not be able to create the broken records > required. > > Since the implementation of the mechanism requires special handling of > queries whose QNAMEs contain the special labels, I don't see why you would > ever need to add anything to any zone. > > The point of this mechanism is to require no administrator action and to be > on by default, I think. Yup, *you* should not need to create these records, as long as someone does the testing will work -- e.g if example.com publishes: _is-ta-4f66.example.com _not-ta-4f66.example.com badlysigned.example.com and you can resolve things in example.com you can do the testing. If your appliance has not been upgraded to know about this new technique the result will correctly be "unknown / indeterminate" (Vleg[0]) W [0]: Vleg: A DNSSEC-Validating resolver that does not include this mechanism will respond with an A record response for "_is-ta", an A record response for "_not-ta" and SERVFAIL for the invalid name. > > > Joe > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] I-D Action: draft-huston-kskroll-sentinel… internet-drafts
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Bob Harold
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Joe Abley
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Warren Kumari
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Bob Harold
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Robert Story
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Warren Kumari
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Martin Hoffmann
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Jaap Akkerhuis
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Richard Gibson
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Joe Abley
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… George Michaelson
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Warren Kumari
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… George Michaelson
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… George Michaelson
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Joe Abley
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… George Michaelson
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Ray Bellis
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Robert Story
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Bob Harold
- Re: [DNSOP] I-D Action: draft-huston-kskroll-sent… Andrew Sullivan
- [DNSOP] the ??-- thing (was Re: I-D Action: draft… Andrew Sullivan
- Re: [DNSOP] the ??-- thing (was Re: I-D Action: d… Paul Hoffman
- Re: [DNSOP] the ??-- thing (was Re: I-D Action: d… Bob Harold
- Re: [DNSOP] the ??-- thing (was Re: I-D Action: d… Matthew Pounsett