IETF Logo Mail Archive

Re: [DNSOP] kskroll-sentinel responses

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 03 January 2018 15:26 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21D8A126D3F for <dnsop@ietfa.amsl.com>; Wed, 3 Jan 2018 07:26:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CeGukqPEzY2U for <dnsop@ietfa.amsl.com>; Wed, 3 Jan 2018 07:26:22 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF94A1205D3 for <dnsop@ietf.org>; Wed, 3 Jan 2018 07:26:21 -0800 (PST)
Received: from [10.32.60.87] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w03FQ7le039002 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 3 Jan 2018 08:26:10 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.87]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Ray Bellis <ray@bellis.me.uk>
Cc: dnsop@ietf.org
Date: Wed, 03 Jan 2018 07:26:14 -0800
X-Mailer: MailMate (1.10r5443)
Message-ID: <C86D818C-B6A8-4D05-B6FA-0E626DCE522F@vpnc.org>
In-Reply-To: <cfc69c35-1c42-abbb-8895-b210e854af41@bellis.me.uk>
References: <20171221103623.045eed5e@titan.int.futz.org> <df3a8c29-38ea-6dd0-db4d-f8562653dd69@bellis.me.uk> <C79FED8F-91A7-41C9-A1D6-7DC290B8B938@apnic.net> <EFEEB8B3-EE5D-46D0-852C-E95ABBD69109@vpnc.org> <cfc69c35-1c42-abbb-8895-b210e854af41@bellis.me.uk>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/P6TQkHRqxdSrr2QqsK96zHR5j74>
Subject: Re: [DNSOP] kskroll-sentinel responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 15:26:23 -0000

On 3 Jan 2018, at 1:11, Ray Bellis wrote:

> On 02/01/2018 23:37, Paul Hoffman wrote:
>
>> This answer doesn't seem to fully address Robert's and Ray's 
>> questions.
>> Why use an A/AAAA query if you aren't going to do anything with the
>> result? If you are going to use A/AAAA, you have to tell resolvers 
>> what
>> to return in the results. Using a new RRtype would have clearer 
>> semantics.
>
> Actually, that wasn't my question at all.

Sorry for indicating it was. It was also not (directly) Robert's 
question either. Robert asked "The first is the contents of the A/AAAA 
RRSET returned, and the second is the TTL for the records", and I took 
Geoff's lack of answer to mean that he wasn't going to use the result.

Geoff has now said "At the risk of heading waaaay down potentially 
spurious ratholes here let me quickly explain what I meant. Within the 
structure of a browser-based scripted test, such as you might find in an 
online ad script, the common operation within the script is to perform a 
GET of a URL." I did not realize that draft-ietf-dnsop-kskroll-sentinel 
was only meant for browser-based tests because there is no indication of 
this in the draft.

> The point I was trying to make (perhaps too obliquely) is that if you
> are going to run this experiment from a browser, you'd better make 
> sure
> the IP address you return is one that's either under your control or
> otherwise "harmless" when the browser subsequently tries to access it.

Fully agree.

> Using a new RRTYPE would be futile, since browsers don't know how to
> access those.

That is true for the "browser-based scripted test", definitely. If 
that's the sole motivation for this draft, then we need to stick with A 
/ AAAA records which will be specified in a future version of the draft.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email