Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-08.txt
Wes Hardaker <wjhns1@hardakers.net> Sun, 17 December 2017 17:20 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 003AD1272E1 for <dnsop@ietfa.amsl.com>; Sun, 17 Dec 2017 09:20:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.108
X-Spam-Level:
X-Spam-Status: No, score=-1.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOaDHF86oEVq for <dnsop@ietfa.amsl.com>; Sun, 17 Dec 2017 09:20:10 -0800 (PST)
Received: from mail.hardakers.net (unknown [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3780127137 for <dnsop@ietf.org>; Sun, 17 Dec 2017 09:20:10 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 0B6DB22275; Sun, 17 Dec 2017 09:20:10 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Michael StJohns <msj@nthpermutation.com>
Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop@ietf.org
References: <151199364931.4845.3034001091375154653@ietfa.amsl.com> <yblvahshg6z.fsf@wu.hardakers.net> <9c71768d-4807-3d0a-b4b1-0ac8d066fe9f@nthpermutation.com> <yblindiavlm.fsf@w7.hardakers.net> <6d239b9a-fd1e-46a3-c705-6851dd8ffe0a@nthpermutation.com> <ybl8te8kbaq.fsf@wu.hardakers.net> <142cad85-1e0e-b4c9-1561-ad590984739a@nthpermutation.com> <yblshcfhnai.fsf@wu.hardakers.net> <1ca3daed-d521-0fcd-d1e7-eef2b781707b@nthpermutation.com> <ybl8te7fyks.fsf@wu.hardakers.net> <26d61092-942a-16bc-e939-ed9400a17a29@nthpermutation.com> <19e3ce86-c797-0e88-e192-e82b936be579@nthpermutation.com> <yblshcby29f.fsf@w7.hardakers.net> <a7a362aa-dcfa-da2f-f968-96251ced2cb9@nthpermutation.com>
Date: Sun, 17 Dec 2017 09:20:09 -0800
In-Reply-To: <a7a362aa-dcfa-da2f-f968-96251ced2cb9@nthpermutation.com> (Michael StJohns's message of "Sat, 16 Dec 2017 13:41:46 -0500")
Message-ID: <ybllgi18e5y.fsf@w7.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/M1k3OkxpTL9bCoRhZCW4ozK5uOk>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-08.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Dec 2017 17:20:12 -0000
Michael StJohns <msj@nthpermutation.com> writes: > Also, you're still missing the fact that a given resolver can start > its addHoldDown timer anywhere in the range of [0..activeRefresh] > AFTER the signature expiration depending on when it was starting its > clock. All of your calculations are starting from the wrong point. No I'm not. Set the resolver query offset amount to something large and it does exactly what you're talking about. I didn't forget it. In fact, the most interesting case is when you set it large (set it to 300d, and the code will clip it to activeRefresh-1 anyway) and then you set the resolver query drift amount to -1. You'll note, in this case, that that the dnskey is accepted *after* my current activeRefreshOffset line, *proving* your case. You keep saying I don't understand and don't agree with you, but if this doesn't prove that I both do understand and agree with the problem I don't know what will. Go change *only* those two lines in the simulator and it *shows* that you have very legitimately found a source of real-world error that must be accounted for. > > Your calculations represent the best case [e.g. triggers at 0 for both ends of the problem] when what > you want is worst case. Try 300d in resolver query offset. -- Wes Hardaker USC/ISI
- [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-secu… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-… Wes Hardaker