Re: [DNSOP] I-D Action: draft-huston-kskroll-sentinel-04.txt

Warren Kumari <> Wed, 15 November 2017 06:38 UTC


On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <> wrote:
> Hi Bob,
> On Nov 15, 2017, at 00:23, Bob Harold <> wrote:
> If I have to add those entries to each zone, I worry that the automated DNS
> appliance that I use might not be able to create the broken records
> required.
> Since the implementation of the mechanism requires special handling of
> queries whose QNAMEs contain the special labels, I don't see why you would
> ever need to add anything to any zone.
> The point of this mechanism is to require no administrator action and to be
> on by default, I think.

Yup, *you* should not need to create these records; as long as someone
does, the testing will work -- e.g. if publishes:

and you can resolve things in you can do the testing. If
your appliance has not been upgraded to know about this new technique
the result will correctly be "unknown / indeterminate" (Vleg[0]).


[0]: Vleg: A DNSSEC-Validating resolver that does not include this
      mechanism will respond with an A record response for "_is-ta", an
      A record response for "_not-ta" and SERVFAIL for the invalid name.

> Joe

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.