Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
Joao Damas <joao@bondis.org> Thu, 27 September 2018 07:31 UTC
Return-Path: <joao@bondis.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AF1D130E47; Thu, 27 Sep 2018 00:31:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s1tqaw8-MRsL; Thu, 27 Sep 2018 00:31:35 -0700 (PDT)
Received: from smtp1.bondis.org (smtp1.bondis.org [194.176.119.250]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6575130E01; Thu, 27 Sep 2018 00:31:34 -0700 (PDT)
Received: from [192.168.1.139] (138.red-79-157-4.dynamicip.rima-tde.net [79.157.4.138]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: joao) by smtp1.bondis.org (Postfix) with ESMTPSA id 4679D6204D1; Thu, 27 Sep 2018 09:31:31 +0200 (CEST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_098ED794-CE96-4899-BD86-677950587EC7"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joao Damas <joao@bondis.org>
In-Reply-To: <CAHw9_i+oQ4HPeZmzKYk=aPn8UcMURmnghWK-sBEzi3FA=L+x1A@mail.gmail.com>
Date: Thu, 27 Sep 2018 09:31:30 +0200
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, Tim Wicinski <tjw.ietf@gmail.com>, DNSOP Chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, Benno Overeinder <benno@nlnetlabs.nl>, Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-kskroll-sentinel@ietf.org
X-Mao-Original-Outgoing-Id: 559726290.150061-5e73de066a0e7fffe53f630f6c7ec633
Message-Id: <8FC9239A-DCA1-42C2-9E77-507106F8851B@bondis.org>
References: <153797498435.21672.17709898221650275799.idtracker@ietfa.amsl.com> <CAHw9_i+Dm7VHAi8eJjhDyGacCwxigeEZv8tSiGT+ZrW+vxu+oA@mail.gmail.com> <20180926181646.GM24695@kduck.kaduk.org> <CAHw9_i+MRJUfiZPBCNiFfio=VetCNXkHwW4Nw=WQa+z0dRWoWw@mail.gmail.com> <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org> <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com> <03B733D9-5640-44A7-BEC0-A563ED24DAB1@vpnc.org> <CAHw9_i+oQ4HPeZmzKYk=aPn8UcMURmnghWK-sBEzi3FA=L+x1A@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Hoez4J-t0-_qjcuu2skPEGAHjDA>
Subject: Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 07:31:37 -0000
Good additions, warren Joao > On 27 Sep 2018, at 01:35, Warren Kumari <warren@kumari.net <mailto:warren@kumari.net>> wrote: > > Thank you for providing text. I put that in the GitHub version. > > > W > > On Wed, Sep 26, 2018 at 3:13 PM Paul Hoffman <paul.hoffman@vpnc.org <mailto:paul.hoffman@vpnc.org>> wrote: > On 26 Sep 2018, at 14:30, Warren Kumari wrote: > > > On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoffman@vpnc.org <mailto:paul.hoffman@vpnc.org>> > > wrote: > > > >> On 26 Sep 2018, at 12:07, Warren Kumari wrote: > >> > >>> On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>> > >>> wrote: > >>> > >>>> On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote: > >>>>> On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>> > >>>>> wrote: > >>>>> > >>>>>> Benjamin Kaduk has entered the following ballot position for > >>>>>> draft-ietf-dnsop-kskroll-sentinel-15: Discuss > >>>>>> > >>>>>> When responding, please keep the subject line intact and reply to > >>>>>> all > >>>>>> email addresses included in the To and CC lines. (Feel free to > >>>>>> cut > >>>>>> this > >>>>>> introductory paragraph, however.) > >>>>>> > >>>>>> > >>>>>> Please refer to > >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html <https://www.ietf.org/iesg/statement/discuss-criteria.html> > >>>>>> for more information about IESG DISCUSS and COMMENT positions. > >>>>>> > >>>>>> > >>>>>> The document, along with other ballot positions, can be found > >>>>>> here: > >>>>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ <https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/> > >>>>>> > >>>>>> > >>>>>> > >>>>>> ---------------------------------------------------------------------- > >>>>>> DISCUSS: > >>>>>> ---------------------------------------------------------------------- > >>>>>> > >>>>>> Thanks for preparing this document and mechanism; it is good to > >>>>>> have > >>>> more > >>>>>> data about the expected impact of the root KSK roll. That said, > >>>>>> I > >>>> have two > >>>>>> Discuss-worthy points, albeit both fairly minor. > >>>>>> > >>>>>> The first one may just be something that I missed, but does this > >>>> document > >>>>>> actually say anywhere that there needs to be a real zone with > >>>>>> real > >>>>>> configured A and/or AAAA records for the query names used for > >>>>>> these > >>>> tests? > >>>>>> The Appendix sort-of-mentions it, but I feel like there needs to > >>>>>> be > >>>>>> a > >>>>>> mention in the main body text. > >>>>>> > >>>>>> > >>>>> No hats (OMG, everyone will see I'm going bald...) > >>>>> > >>>>> Ok, fair. This was actually a source of confusion when we first > >>>>> started > >>>>> discussing the document -- we explained it on-list / at mics / in > >>>>> person, > >>>>> but it became so well understood that we didn't notice that it is > >>>>> not > >>>>> actually specified in the document. I'll try figure out text. > >>>> > >>>> Thanks. > >>>> > >>>> It eventually became pretty clear to me from things like "return > >>>> the > >>>> A or > >>>> AAAA response unchanged" that there was supposed to be a valid > >>>> response > >>>> provisioned so that it could be returned, but I don't want to rely > >>>> on > >>>> all > >>>> readers making the same inference. > >>>> > >>>> > >>> So I opened my editor to add text, and scrolled down to try figure > >>> out > >>> where to add this. > >>> "Section 4.3 - Test Procedure" seemed like a good spot -- and it > >>> already > >>> has this text: > >>> > >>> A query name containing the left-most label > >>> "root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST > >>> be > >>> a > >>> validly-signed. ***Any validly-signed DNS zone can be used for this > >>> test.*** > >>> A query name containing the left-most label > >>> "root-key-sentinel-is-ta-<key-tag-of-KSK-new>".. This name MUST be a > >>> validly-signed. ***Any validly-signed DNS zone can be used for this > >>> test.*** > >>> > >>> (emphasis mine). > >>> > >>> Does this perhaps address your concerns? > >> > >> It should not: Section 2.1 specifically says that the query must be > >> for > >> A or AAAA. > >> > >> > > Ah, I think I'm starting to understand... > > > > A query name containing the left-most label > > "root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be > > a > > validly-signed name." cover it? > > I'd tried putting in stuff like "in a public zone" (but this isn't > > actually > > true, I could do this entirely in a private namespace if I only wanted > > to > > test a closed network). > > Or perhaps: "This name MUST be a validly-signed name in a validly > > signed > > zone"? (which is somewhat redundant, but makes it clearer)? > > > > Any suggestions? > > Ben asked for the text to appear early, so I think that putting it in > the last section before the Security Considerations doesn't really > count. :-) > > How about in Section 2.2 where the document defines the special > processing. Adding a last sentence to the last paragraph might clear > things up: > The answer for the A or AAAA query is sent on to the client. > > --Paul Hoffman > > > -- > I don't think the execution is relevant when it was obviously a bad idea in the first place. > This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. > ---maf > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dn… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Paul Hoffman
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Paul Hoffman
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Joao Damas