IETF Logo Mail Archive

Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01

Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp> Thu, 06 September 2012 08:36 UTC

Return-Path: <yoshiro.yoneya@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FA7521F8568 for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 01:36:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytYHk5-IekmE for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 01:36:19 -0700 (PDT)
Received: from off-send01.tyo.jprs.co.jp (off-send01.tyo.jprs.co.jp [IPv6:2001:df0:8:17::10]) by ietfa.amsl.com (Postfix) with ESMTP id BC70B21F8567 for <dnsop@ietf.org>; Thu, 6 Sep 2012 01:36:18 -0700 (PDT)
Received: from off-sendsmg01.tyo.jprs.co.jp (off-sendsmg01.tyo.jprs.co.jp [172.18.8.32]) by off-send01.tyo.jprs.co.jp (8.13.8/8.13.8) with ESMTP id q868aH7E005054 for <dnsop@ietf.org>; Thu, 6 Sep 2012 17:36:17 +0900
X-AuditID: ac120820-b7fe56d000000cec-bf-50486081af77
Received: from NOTE550 (off-cpu04.tyo.jprs.co.jp [172.18.4.14]) by off-sendsmg01.tyo.jprs.co.jp (Symantec Messaging Gateway) with SMTP id 13.A0.03308.18068405; Thu, 6 Sep 2012 17:36:17 +0900 (JST)
Date: Thu, 06 Sep 2012 17:36:16 +0900
From: Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp>
To: dnsop@ietf.org
Message-Id: <20120906173616.f83c7580ca0c4e1439092747@jprs.co.jp>
In-Reply-To: <504789CA.6040703@nthpermutation.com>
References: <504789CA.6040703@nthpermutation.com>
X-Mailer: Sylpheed 3.2.0 (GTK+ 2.10.14; i686-pc-mingw32)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrJIsWRmVeSWpSXmKPExsWyRoiFT7cxwSPA4MBsLYu7by6zODB6LFny kymAMYrLJiU1J7MstUjfLoEro+nfJcaCVSIVj0/uY2pg/MHfxcjBISFgItFxUauLkRPIFJO4 cG89WxcjF4eQwHFGiSsbzrKAJFgEVCQezf/IDGKzCRhI/Fr2mwnEFhEQkvh68wgriC0sYCXx 5+dPNhCbV8BBYtGtNWBxTgEjiUcXZzCC2EIChhI7Luxmh1hmIfH37ncmkBt4BQQl/u4QBgkz C2hJPPx1iwXClpfY/nYO8wRGvlkIVbOQVM1CUrWAkXkVo0x+WppucWpeSnFuuoGhXkllvl5W QVGxXjKI3sQIDi0OhR2MM04ZHGIU4GBU4uHlr3MPEGJNLCuuzD3EKMnBpCTKeyzGI0CILyk/ pTIjsTgjvqg0J7X4EKMEB7OSCK+lKVCONyWxsiq1KB8mJc3BoiTOe/zsDj8hgfTEktTs1NSC 1CKYrAwHh5IEb0EcUKNgUWp6akVaZk4JQpqJgxNkOA/Q8FWxIMOLCxJzizPTIfKnGFU5Zt9c cZ9RiCUvPy9VCmgNyCABkKKM0jy4Oa8YxYHeEebVAcnyANMH3IRXQMOZgIa7vncBGV6SiJCS amCs/xW9yW+V6lKzaTl+Kte4uxWibhdfWLGq89E57v9127y/h7CqR7W3p5XfSzryzOGewKNG 1efFyoZ6Z1IUmCs7uDiYrj/Z9FSwXuNS+dR/E6QWqRTeVXp2ysTwz6aYycq83L73pnU+/VE/ 6Xqn9PeFy+cyvF1msGaj5WkD36Is/vN5Bx5P4sxUYinOSDTUYi4qTgQAriSYLdwCAAA=
Subject: Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2012 08:36:19 -0000

Hi,

On Wed, 05 Sep 2012 13:20:10 -0400 Michael StJohns <msj@nthpermutation.com> wrote:

> Hi -
> 
> As the subject document seems to describe an operations problem rather 
> than a protocol problem, I'm going to use the dnsop mailing list to post 
> some comments.

Thank you for bringing this to dnsop mailing list.

> While I haven't completely internalized this document, I'm pretty sure 
> it's addressing the wrong problem.  The issue is not that there are too 
> many DS in the parent zone as compared to DNSKEY in the child.  It's 
> actually perfectly correct to publish a DS record in advance of 
> publishing the related DNSKEY.   I *think* the issue they may be 
> concerned with is a complete disjunction between the parent DS and child 
> DNSKEY RRSets.  But that's not what the document says.

Disjunction between DS and DNSKEY will happen.  That is premise of 
the document.  And the document (at least, one of the authors) is 
intent to indicate rational procedure to recover from the validation 
failure caused by the disjunction as soon as possible.

> Case 1 - there is no such thing as a failing DS.   There is a DS that 
> does not currently match a child DNSKEY, but that is not necessarily a 
> "fail".  Case 1 - the appropriate problem is "no matching DS for zone 
> DNSKEYs" - the resolution is "add a matching DS to the parent zone, or 
> deploy a DNSKEY that matches an existing DS".
> 
> Case 2-5 seem to be the same problem as case 1, rather than separate 
> problems - but the title of the cases does not reflect this.  In any 
> event, "removal" of data is mostly not going to help the problem - you 
> need to "add" the appropriate links in the trust chain.  Data that does 
> not provide a link in a trust chain is just extraneous and may be safely 
> ignored until it can be removed with normal practices.

Case 1-5 are alternate countermasures in case of disjunction has 
happened.  Of course, add appropriate DS in parent zone is correct 
way to recover the disjunction.  However, if DS is corrected, zone 
banishing may remain until DS cache is expired in validators.  This 
duration will take huge impact to the internet users.  As described 
above, the document is intent to indicate rational procedure to shorten 
the duration.

> At best this is an incomplete ID (and I'd recommend not posting 
> something this incomplete), at worst it's headed in the wrong direction.

Indeed, the document is imcomplete, and need feedbacks from experiences. 

Regards,

-- 
Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp>

v2.23.0 | Report a Bug | By Email