Re: [DNSOP] Updated KSK Sentinel document
"John Dickinson" <jad@sinodun.com> Fri, 16 February 2018 17:33 UTC
Return-Path: <jad@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AAA1270FC for <dnsop@ietfa.amsl.com>; Fri, 16 Feb 2018 09:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFYSQZMfuDYO for <dnsop@ietfa.amsl.com>; Fri, 16 Feb 2018 09:33:06 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57914126D0C for <dnsop@ietf.org>; Fri, 16 Feb 2018 09:33:06 -0800 (PST)
Received: from [2001:b98:204:102:fff1::f145] (port=62431 helo=[192.168.12.13]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <jad@sinodun.com>) id 1emjse-00046M-Dk; Fri, 16 Feb 2018 17:33:04 +0000
From: John Dickinson <jad@sinodun.com>
To: dnsop <dnsop@ietf.org>
Date: Fri, 16 Feb 2018 17:35:44 +0000
X-Mailer: MailMate (1.10r5443)
Message-ID: <02D558F6-F820-4627-BAC6-1A38AB00B4F5@sinodun.com>
In-Reply-To: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-BlackCat-Spam-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QQlIB5jA5TZC9aTold2KxcyLaSs>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 17:33:09 -0000
Hi, I like what this draft is trying to do. I am a bit concerned about adding a invalid RR in to a otherwise correctly signed zone. It suspect that there may be a variation in how validating resolvers treat authoritative servers that appear to have sent bogus data. Some might retry, retry other auth servers, stop using that server altogether etc etc… I suggest that the example A/AAAA RRs on page 4 be written fully qualified so there can be no doubt that this draft does not imply new special names at the root (which is what I first thought). In the discussion of Charlie’s resolvers I think “from this he knows (see the logic below) that he is using legacy, non- validating resolvers.” should have the “non-“ removed. regards John On 12 Feb 2018, at 20:28, Warren Kumari wrote: > <author hat only> > > Hi all, > > Sorry it has taken so long to get a new version of this document > posted - you deserve better. > > Anyway, we've finally posted an updated version - > https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ > > This version includes a (hopefully easily understood) description of > how this would actually be used, and not just "here's a protocol, k, > thnx, bye!". I've tried to layout what each party does, and how it all > fits together - please let me know if it isn't clear. This section is > towards the top of the document - we will likely make it an Appendix > before publication. > > I've also updated it to use the kskroll-sentinel-is-ta-<id> format. It > is easy to change again in the future, but this seemed to be what the > working group liked. I also updated my demo implementation > (http://www.ksk-test.net) to use this naming scheme. > > This version also clarifies that the test is "Is the Key ID a DNSSEC > root KSK?" Originally my view was that it should be "Is there *any* > key in the trust store with this keyID?", but after running some > numbers I decided that there is a significant chance of false > positives. > > As I mentioned, it took an embarrassingly long time to post the update > - please let us know if we missed your comments. > > W > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop John Dickinson http://sinodun.com Sinodun Internet Technologies Ltd. Magdalen Centre Oxford Science Park Robert Robinson Avenue Oxford OX4 4GA U.K.
- [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Bob Harold
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document Joe Abley
- Re: [DNSOP] Updated KSK Sentinel document Wessels, Duane
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Geoff Huston
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Paul Hoffman