Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

Geoff Huston <gih@apnic.net> Wed, 20 December 2017 18:34 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <A6465B30-EC72-4282-8600-5B850E67D7BA@vpnc.org>
Date: Thu, 21 Dec 2017 05:34:08 +1100
Cc: dnsop WG <dnsop@ietf.org>
Message-Id: <332B908E-77C5-4E9C-B49D-19AFC1A3E76B@apnic.net>
References: <FE393168-BE0E-41E2-BA27-89A3D2DA4790@vpnc.org> <5E1FF941-C80D-442C-ABB5-6C81F3B1A149@apnic.net> <A6465B30-EC72-4282-8600-5B850E67D7BA@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HafNA60IDRJw65aRPqbp6oFZwyI>


> On 16 Dec 2017, at 2:31 am, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
> 
>>> Please see <https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/1>. This is a small set of changes that make the draft not treat the root zone as special. It allows the labels to be used for any zone, not just the root.
>>> 
>> 
>> Could you please elaborate on the motivation here?
> 
> The last sentence is the motivation. Some operators add trust anchors for things other than the root to their validating resolver, and a user might want to know if such a trust anchor exists and, if it does, what the key tag is.
> 
>> I am unsure whether this is needed, or, perhaps more critically, I’m unsure if this represents a harmless general form of information disclosure (that the resolver is using local trust keys for some unspecified non-root zone).
> 
> Serious question: in your mind, why is the answer for a non-root zone any more "information disclosure" than for the root zone?

I suppose that I am concerned that a resolver is disclosing that it has some other trust point in the name space. 

I would normally have thought that such choices of trust are choices a resolver makes, but does not necessarily need to reveal to third parties.


Geoff
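
Added example, not part of Geoff Huston's message, of the draft, or of APNIC Labs' code: a toy model of the sentinel test as the draft wrote it (root trust anchors only) beside the generalised form the pull request proposes, with a third-party probe that shows what each form lets an observer learn. It assumes the label forms of RFC 8509, the published form of this draft (root-key-sentinel-is-ta-<tag> and root-key-sentinel-not-ta-<tag>, five decimal digits), and, as an assumption about the generalised form, that the resolver compares the tag with every trust anchor it has configured. The trust anchors, zones, addresses and key tags other than the two root KSK tags are constructed.

```python
"""Toy kskroll-sentinel model: root-only draft versus any-zone generalisation.

Added example, not draft or APNIC Labs code. Label forms follow RFC 8509;
the any-zone form assumes the tag is checked against every configured
trust anchor. 20326 and 19036 are the real 2017 and 2010 root KSK tags;
every other zone, tag and address below is constructed sample data.
"""
import re

SENTINEL_RE = re.compile(r"^root-key-sentinel-(is|not)-ta-(\d{5})$")
SERVFAIL = "SERVFAIL"


class ToyResolver:
    """Validating resolver; trust_anchors maps zone -> set of key tags.

    zone_data: name -> address, standing in for A records the resolver has
               already DNSSEC-validated (the sentinel applies to validated
               answers only).
    root_only: True = draft as written (only root anchors consulted),
               False = proposed generalisation (assumption, see above).
    """

    def __init__(self, trust_anchors, zone_data, root_only=True):
        self.trust_anchors = trust_anchors
        self.zone_data = zone_data
        self.root_only = root_only

    def _known_tags(self):
        if self.root_only:
            return set(self.trust_anchors.get(".", ()))
        return {tag for tags in self.trust_anchors.values() for tag in tags}

    def query(self, name):
        """Answer an A query, applying the sentinel rule to the leftmost label."""
        if name not in self.zone_data:
            return "NXDOMAIN"
        answer = self.zone_data[name]
        match = SENTINEL_RE.match(name.split(".", 1)[0])
        if not match:
            return answer
        kind, tag = match.group(1), int(match.group(2))
        trusted = tag in self._known_tags()
        # is-ta answers only if the tag is a trust anchor; not-ta the reverse.
        if (kind == "is" and not trusted) or (kind == "not" and trusted):
            return SERVFAIL
        return answer


def publish_sentinel_names(test_domain, tags, addr="192.0.2.1"):
    """Sentinel names an observer publishes in a domain it controls (constructed)."""
    return {
        f"root-key-sentinel-{kind}-ta-{tag:05d}.{test_domain}": addr
        for tag in tags
        for kind in ("is", "not")
    }


def probe_trust_anchor_tags(resolver, test_domain, candidate_tags):
    """Third-party view: which candidate key tags does this resolver trust?

    A tag counts as trusted only when is-ta answers and not-ta fails; a
    non-validating resolver, or one without the sentinel, answers both forms
    and reveals nothing. A full probe walks all 65536 tags; this list is constructed.
    """
    found = set()
    for tag in candidate_tags:
        is_ta = resolver.query(f"root-key-sentinel-is-ta-{tag:05d}.{test_domain}")
        not_ta = resolver.query(f"root-key-sentinel-not-ta-{tag:05d}.{test_domain}")
        if is_ta != SERVFAIL and not_ta == SERVFAIL:
            found.add(tag)
    return found


def map_tags_to_zones(tags, published_keytags):
    """Cross-reference learned tags with public DNSKEY tags per zone.

    Key tags are 16-bit checksums, not unique, so this is a hint, not proof.
    """
    hits = {}
    for zone, ktags in published_keytags.items():
        common = tags & set(ktags)
        if common:
            hits[zone] = common
    return hits


# Constructed: a resolver holding the root KSK plus a local anchor for an
# internal zone, and the DNSKEY tags an observer can look up publicly.
TRUST_ANCHORS = {".": {20326}, "corp.example": {12345}}
PUBLISHED_KEYTAGS = {".": [19036, 20326], "corp.example": [12345], "other.example": [54321]}


def demo(root_only):
    """Probe the root-only draft (True) or the generalised form (False)."""
    candidates = [19036, 20326, 12345, 54321]
    zone_data = publish_sentinel_names("probe.example", candidates)
    resolver = ToyResolver(TRUST_ANCHORS, zone_data, root_only=root_only)
    tags = probe_trust_anchor_tags(resolver, "probe.example", candidates)
    return tags, map_tags_to_zones(tags, PUBLISHED_KEYTAGS)


if __name__ == "__main__":
    print("root-only draft:", demo(True))
    print("any-zone form:  ", demo(False))
```

With the root-only form the probe learns only the root key tag, which is public anyway. With the generalised form it also learns the tag of the local corp.example anchor and, by matching against published DNSKEY sets, which zone it belongs to: that the resolver has a trust point outside the root is exactly what the reply above is reluctant to reveal to third parties.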