[DNSOP] A conversational description of sentinel.
Warren Kumari <warren@kumari.net> Mon, 15 January 2018 01:52 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B508712D942 for <dnsop@ietfa.amsl.com>; Sun, 14 Jan 2018 17:52:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qi8Olrojve7m for <dnsop@ietfa.amsl.com>; Sun, 14 Jan 2018 17:52:40 -0800 (PST)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B161C1242EA for <dnsop@ietf.org>; Sun, 14 Jan 2018 17:52:39 -0800 (PST)
Received: by mail-wr0-x22f.google.com with SMTP id x1so6010519wrb.5 for <dnsop@ietf.org>; Sun, 14 Jan 2018 17:52:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=UGy1MQ0rP4WPaCVpwJNvUaTJSM4DLbcX51Y6fDmeyrI=; b=L+D8Gboas+ZJtbiJGmPQC94yntoKc309UiOJCZLWKrOMDP06MXxi3yZ/1CM3X+qKjr h8n9JPWfRr+7+DNkHmKbbX/PIWYX6iiuui3SzWGvs0k0lTvBzhYLS8hvet9YUNuxAw0L ncfzdeaue1Rt7SY+7Dn2UhnMoB0DG5bXLpjpz8QE9K0M8u/d7y2a+9qwPvVGntl2nV9t wC0gxe5G4qUlZ6VR4sM0M3gtVp2RHMS7+adD5dJnThn912nUlsO/uk40cBqouinEwpMs CE8ITwkr9LlDuqsvvhsxwP45pl7WLfZ4U4YvsGzUqrJDW996BPSeIK52tX8vPLThoDip w+Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UGy1MQ0rP4WPaCVpwJNvUaTJSM4DLbcX51Y6fDmeyrI=; b=ON3NVz6XH6S8DKdw13IP4uboBefrhYvofL5iORKvDLJxUCtAPo6dz42ZNnOa5cav9z 8VFoTu/VSNFGIDN+6NNWsfoThIpYqFzuh0ilDibgAe3ioyL5u5EoAQwaaEiccE5GTCKz 7WDsBrl/Dzdq7TivaR9EwcByr6pvBhN0AzrNpSN9idEjH1Q0OIQ2B99G8j5PQS39FcR/ cKaVG+pPUNwb1E+xSfISeqrgB+7ocXsyLm2QvuZTxOIYfgrxW1jtpnXWHbiQ6QZovM/d LqnhCtFDc8J8ngcYGltN/VBXaY87fgWJJB7kUeeVV7pTd66JOo/GHpFQYTJxDsvBnEGg s2Cw==
X-Gm-Message-State: AKwxytf/HddOHyJcxfFmBkaxkvkZOtwmRtLMDwWlc/ApZYG2Y7ub8RHa OpjR8sh4w21uPi8eZdk5OAkkzDM3zVA5ebkYmPet1+EKPbM=
X-Google-Smtp-Source: ACJfBotPTgH9Jhx4p7a62h71gQ/lf1VQiTRA4guLeYqcauntNSBhWDXWQex+4kadHsl9R4Y4UtI0HsGvEiY6zCrD3Lw=
X-Received: by 10.223.136.81 with SMTP id e17mr268801wre.140.1515981157404; Sun, 14 Jan 2018 17:52:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.128.165 with HTTP; Sun, 14 Jan 2018 17:51:56 -0800 (PST)
From: Warren Kumari <warren@kumari.net>
Date: Sun, 14 Jan 2018 20:51:56 -0500
Message-ID: <CAHw9_iKnD4WtTKyof=nm4ChmDZ5mAPqA7a_-m1t_Lauugf4Uow@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a11492e085fa2260562c6de2e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Saae3to3viM8UaVisr6ShhRLeA4>
Subject: [DNSOP] A conversational description of sentinel.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jan 2018 01:52:44 -0000
Hi all, I had a conversation with a friend earlier today, who had carefully read the document (https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/) , but had not managed to understand it at all . Since this friend is bright, and really understand s DNS, I figured that the document doesn't do as good a job explaining how this would be used in practice as it should. Sometimes it is easier to explain things in an informal manner, and so here is a (hopefully better) description of draft-ietf-dnsop-kskroll-sentinel). 2 things seemed to be causing confusion: 1: The only "magic" that happens is in validating recursive resolvers, right before they send the response to a query . T here is no magic / change needed in authoritative servers, stubs, or anywhere else. 2: Anyone who wants to provide a service like this (see below) can - you don't need to be in any special location in the DNS tree to do this. The (new) rules: A: If the qname starts with _is-ta, and the included keyid is *NOT* in the trust store, the resolver changes the answer to a SERVFAIL (otherwise things proceed normally). B: If the qname starts with _not-ta and the included keyid *IS* in the trust store, the resolver changes the answer to a SERVFAIL (otherwise things proceed normally). (There is some pseudo-code below, but it makes this look much more complex (and I dislike pseudo-code - it's hard to guess at the level of abstraction to use!). Let's pretend I'm the operator of example.com, and I'd like to help users know if the resolvers that they use will survive the new keyroll (with key id 12345). I publish this in my a zone: _is-ta-12345.example.com. 600 IN A 192.0.2.1 _is-ta-12345.example.com. 600 IN RRSIG A <valid signature> _not-ta-12345.example.com. 600 IN A 192.0.2.2 _not-ta-12345.example.com. 600 IN RRSIG A <valid signature> invalid.example.com. 600 IN A 192.0.2.3 invalid.example.com. 600 IN RRSIG A <0x0000 (an invalid signature)> I also run 3 webservers: 192.0.2.1 -- a picture of a cute kitten 192.0.2. 2 -- a picture of a puppy 192.0.2. 3 -- a picture of a fish. I now tell users to please browse to www.example.com, where I have a webpage which includes the following links: http://_is-ta-12345.example.com/ ( kitten) , http://_not-ta-12345.example.com/ (puppy), http://invalid.example.com/ (fish). The pictures the user can see tells them if they will survive the rollover. The user can be in one of 4 classes, depending on which animals they see: 1: The user sees a Fish, a Kitten and a Puppy -- they fetched all the URLs (including http://invalid.example.com/). If they see a Fish, they are not using a validating resolver and so will survive the keyroll (it actually means that at least 1 of their resolvers is not validating). The user is happy and goes to have ice-cream (nonV). 2: The user sees a only Kitten and a Puppy (they fetched http://_ is-ta-12345.example.com/ and http://_not-ta-12345.example.com/, but not http://invalid.example.com/.) This means that they are using a legacy validating resolver (it doesn't implement this mechanism ) . They cannot tell, and this test doesn't tell them anything (Vleg). 3: They see only a Kitten (they fetched http://_is-ta-12345.example.com/, not http://_not-ta-12345.example.com/, and not http://invalid.example.com/). The user is behind a validating resolver which implements this mechanism, and knows about the new key. They are happy, and go have ice-cream (Vnew). 4: The user sees only a Puppy (they did not fetch http://_ is-ta-12345.example.com/, they did fetch http://_not-ta-12345.example.com/, they did not fetch http://invalid.example.com). The user is behind a validating resolver which implements this mechanism, but does NOT have the new key). The user is sad, and calls their ISP to complain (and has cold porridge for dinner) (Vold). +-------------+----------+-----------+------------+ | Type\Query | _is-ta | _not-ta | invalid | +-------------+----------+-----------+------------+ | Vnew | A | SERVFAIL | SERVFAIL | | Vold | SERVFAIL | A | SERVFAIL | | Vleg | A | A | SERVFAIL | | nonV | A | A | A | +-------------+----------+-----------+------------+ In the real world, the user will not be expected to figure this out from looking at pictures -- a bit of JS on www.example.com will do the 3 fetches and report "You'll be just fine", "You will have issues, call your ISP and get them to install the new key" or "Sorry, cannot tell. Call your ISP and ask them to upgrade to a resolver which does this!". There will also likely be some Geoffvertisement which will do this on a large scale and report back. Hopefully this clears things up some -- the only code change needs to happen on recursive resolvers, the A record returned is unmolested (so that if can be used for something) and the only action is to make some VALID answers INVALID (A (or whatever) -> SERVFAIL). W Pseudo-code: func extract_ta(string): # Extracts the queried trust anchor (a set of digits) from a qname. # E.g: "perl -pne "s/_.*-ta-(\d*)\..*/\1/" (_is-ta-55555.foo -> 55555) return (numbers) <normal processing> ... queried_ta = extract_ta (qname); if qname startswith("_is-ta-"): if queried_ta is in trust_store: return; else: return SERVFAIL if qname startswith("_not-ta-"): if queried_ta is in trust_store: return SERVFAIL; else: return; --- -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] A conversational description of sentinel. Warren Kumari
- Re: [DNSOP] A conversational description of senti… Joe Abley
- Re: [DNSOP] A conversational description of senti… william manning
- Re: [DNSOP] A conversational description of senti… Joe Abley
- Re: [DNSOP] A conversational description of senti… Ralph Dolmans
- Re: [DNSOP] A conversational description of senti… Warren Kumari
- Re: [DNSOP] A conversational description of senti… Tony Finch
- Re: [DNSOP] A conversational description of senti… Warren Kumari
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… Geoff Huston
- Re: [DNSOP] A conversational description of senti… Andrew Sullivan
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… Geoff Huston
- Re: [DNSOP] A conversational description of senti… Paul Vixie
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… A. Schulze
- Re: [DNSOP] A conversational description of senti… Petr Špaček
- Re: [DNSOP] A conversational description of senti… Mark Andrews
- Re: [DNSOP] A conversational description of senti… Ray Bellis
- Re: [DNSOP] A conversational description of senti… Petr Špaček
- Re: [DNSOP] A conversational description of senti… Warren Kumari
- Re: [DNSOP] A conversational description of senti… Petr Špaček
- Re: [DNSOP] A conversational description of senti… Geoff Huston
- Re: [DNSOP] A conversational description of senti… Vladimír Čunát
- Re: [DNSOP] A conversational description of senti… Ray Bellis
- Re: [DNSOP] A conversational description of senti… Tony Finch
- Re: [DNSOP] A conversational description of senti… Geoff Huston
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… A. Schulze
- Re: [DNSOP] A conversational description of senti… Tony Finch
- Re: [DNSOP] A conversational description of senti… Patrick Mevzek
- Re: [DNSOP] A conversational description of senti… Petr Špaček
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… joel jaeggli
- Re: [DNSOP] A conversational description of senti… Joe Abley
- Re: [DNSOP] A conversational description of senti… Paul Hoffman
- Re: [DNSOP] A conversational description of senti… Petr Špaček
- Re: [DNSOP] A conversational description of senti… Warren Kumari
- Re: [DNSOP] A conversational description of senti… Warren Kumari
- Re: [DNSOP] A conversational description of senti… Benno Overeinder
- Re: [DNSOP] A conversational description of senti… Bob Harold
- Re: [DNSOP] A conversational description of senti… Matt Larson
- Re: [DNSOP] A conversational description of senti… Geoff Huston
- [DNSOP] Risk of using underscores for sentinel (W… Stephane Bortzmeyer
- Re: [DNSOP] Risk of using underscores for sentine… Vladimír Čunát