IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel

Joe Abley <jabley@hopcount.ca> Mon, 27 November 2017 19:06 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB06D1270A3 for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 11:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2XZjJ_zAjxFz for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 11:06:37 -0800 (PST)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41381126C83 for <dnsop@ietf.org>; Mon, 27 Nov 2017 11:06:37 -0800 (PST)
Received: by mail-io0-x231.google.com with SMTP id d21so15295601ioe.7 for <dnsop@ietf.org>; Mon, 27 Nov 2017 11:06:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=lIbdZCw8xTwvCzHVnI8BRntSy6g1rjF4BSQyUaoFW4c=; b=bzVtJihvMFTN9pITzQ1gkzeb8E3NAmy9QunWRI5i9PpXXrLP0JRisyRBLQkfrDTl37 S7It0uGJx+UuYi0yp6CVWPxYFBNbxwpbPn4Egz05e6ad9cIq7iNIWFXgiKaHZDv1Aypx OgL5YAcspRsiPCyJYgJpGghW7nMS9ZbxJCLFY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=lIbdZCw8xTwvCzHVnI8BRntSy6g1rjF4BSQyUaoFW4c=; b=FA468B26/GgxRAwE0dO1dU00prw9sQoDdAueTtCVH1ymTIdYuY/VnvoNHp7rrhpsU/ 8H5HhGgyx089kRKyGa3CoZtct9T0k6LZebfHx4rIQGYDOzjsAdIusYF5HExlFj7zhiR1 k8F1J6iL0EO7xOssnotAeAal3Jn0O37A799gBdxBPZGNotZImfTAGAoetP7lVswZ8YpK guTbMBPVvbzbK+2D84p7NJSENpyGbpadT10xJm1BF2nSs4qcwfOxc8NlhRFpm4DbryuD e9TjRJdivLw7UMCWpjwW70yeTH5VWhpFbcOzEE7PN3PWDeXYUD3AM1m2NvEBBRYtFsSA rESA==
X-Gm-Message-State: AJaThX4m2rHSiugD92CPkBC/3jto9Pb12Vb4f1TeN7X3JOxkuy4Eai8O lyCgZZxAZBqWX/2Mb1oxAYRQt0XoHws=
X-Google-Smtp-Source: AGs4zMb3ayf8u1X1nCUvecBNj5/vsLhaISTUJcdgoC1yLgOUYkfzU6NNnfZQd3t8W/7AvOQzL08a7Q==
X-Received: by 10.107.141.77 with SMTP id p74mr46825523iod.40.1511809596364; Mon, 27 Nov 2017 11:06:36 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:202:c849:dad7:a94e:7c1e? ([2607:f2c0:101:202:c849:dad7:a94e:7c1e]) by smtp.gmail.com with ESMTPSA id k23sm7680596iti.22.2017.11.27.11.06.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Nov 2017 11:06:35 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.1 \(3445.4.7\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAL02cgTawPPjWRZ=iMHQOyT+N_cU1r74N+Cp2+Fxn_qLoMh7cQ@mail.gmail.com>
Date: Mon, 27 Nov 2017 14:06:31 -0500
Cc: George Michaelson <ggm@algebras.org>, tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <11C784A2-B8E1-4D63-81F9-B62AA148D9EE@hopcount.ca>
References: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com> <CAKr6gn07V7s0Q8czQR3v6uAujj4t1-SRt7xqi=zDNVpsryXhVQ@mail.gmail.com> <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com> <CAL02cgTawPPjWRZ=iMHQOyT+N_cU1r74N+Cp2+Fxn_qLoMh7cQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.3445.4.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LteViLk2Yy7iBy8rDhcCJEfBnL0>
Subject: Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2017 19:06:39 -0000

As I imagine you've heard, part of the problem with resolver-authoritative telemetry interfaces is that the deployed infrastructure is not so simple; it also includes forwarders, changed resolvers, caches, middleware that interferes with the query path and/or drops queries that don't look normal... It's a jungle out there. Looking at the closest tree from just outside the edge of the jungle is actually much easier than speculating about what bizarre horrors lie within it.

> On 27 Nov 2017, at 13:36, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Well, that's what I get for providing drive-by feedback.  Someone pointed me off-list to RFC 8145 and the operational issues with that.  I still think that that calls for a better authoritative/resolver telemetry interface, not some client-side thing.
> 
> On Mon, Nov 27, 2017 at 1:10 PM, Richard Barnes <rlb@ipv.sx> wrote:
> George, you should know better than to claim that a mechanism that requires resolver updates will have "immediate benefit" :)
> 
> I do not find this mechanism terribly compelling.  It is not useful in the short run, as noted above.  And it has the wrong architecture for the long run.
> 
> What zone operators need, for KSK roll-overs and other evolution decisions, is telemetry about the capabilities of the resolvers they serve.  In order for an approach like this to provide that telemetry, one would need a broad-scale client-side measurement system.  While such systems exist (Geoff and George being expert practitioners), they have a lot of problems -- they're expensive to operate at scale; they're extremely limited in terms of what they can measure and how reliably; and they impose much more overhead than is needed here.  We shouldn't be building a telemetry system for the DNS that has hard-coded assumptions about web ads or dedicated probes.
> 
> It would be far better to build a telemetry mechanism that operated directly between resolvers and authoritative servers.  There are a variety of ways you could do this.  In today's world, you could have some record by which an authoritative server could advertise a telemetry submission point.  In a DOH world, you could have the resolver provide a Link header telling the authoritative server where it could pick up information about resolver capabilities.  None of these are hard to build (and they don't interfere with the "fast path" of the resolver) and they provide much more high quality information.
> 
> If you need data for the KSK roll that we're already a decade late for, gather it in a way that doesn't require a resolver upgrade.  (Deploy a dedicated temporary TLD if you need to.)  If you're trying to solve the long-run telemetry problem, then build it properly.
> 
> --Richard
> 
> 
> On Thu, Nov 16, 2017 at 3:34 AM, George Michaelson <ggm@algebras.org> wrote:
> I support adoption of this work. Its a sensible, simple proposal which
> has immediate benefit, and can be used by anyone to test the ability
> of their nominated resolver to recognise specific keys, and their
> trust state.
> 
> I believe as a community, at large,  we need code deployed into the
> resolvers in the wild, and we need a document specifying the behaviour
> we need deployed into those resolvers. We can use this to inform
> ourselves of operational risk under keychange. We can know as
> individuals, as organizations what we will see, if keys change. I
> think this is quite powerful. compared to measurement of what
> resolvers see, or what authoritatives or roots see, going back to
> these service-providers themselves. This method informs the client
> side of the transaction. Thats big.
> 
> I'm not saying we shouldn't do other things, or measure. I'm saying
> that this proposal has a qualitative aspect which I think is
> different, and good.
> 
> -George
> 
> On Thu, Nov 16, 2017 at 4:23 PM, tjw ietf <tjw.ietf@gmail.com> wrote:
> > All
> >
> > The author has rolled out a new version addressing comments from the meeting
> > on Monday, and we feel it’s ready to move this along.
> >
> > This starts a Call for Adoption for draft-huston-kskroll-sentinel
> >
> > The draft is available here:
> > https://datatracker.ietf.org/doc/draft-huston-kskroll-sentinel/
> >
> > Please review this draft to see if you think it is suitable for adoption by
> > DNSOP, and comments to the list, clearly stating your view.
> >
> > Please also indicate if you are willing to contribute text, review, etc.
> >
> > This call for adoption ends: 30 November 2017 23:59
> >
> > Thanks,
> > tim wicinski
> > DNSOP co-chair
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email