[DNSOP] Adam Roach's No Objection on draft-ietf-dnsop-kskroll-sentinel-15: (with COMMENT)
Adam Roach <adam@nostrum.com> Thu, 27 September 2018 00:53 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC57130DDF; Wed, 26 Sep 2018 17:53:09 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach <adam@nostrum.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-kskroll-sentinel@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, Benno Overeinder <benno@NLnetLabs.nl>, dnsop-chairs@ietf.org, tjw.ietf@gmail.com, dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.84.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153800958971.21533.11611507746679579215.idtracker@ietfa.amsl.com>
Date: Wed, 26 Sep 2018 17:53:09 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VFjacp1x_DtmPo9qp01Aoj8nxgQ>
Subject: [DNSOP] Adam Roach's No Objection on draft-ietf-dnsop-kskroll-sentinel-15: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 00:53:10 -0000
Adam Roach has entered the following ballot position for draft-ietf-dnsop-kskroll-sentinel-15: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I am balloting "no objection," although I share Benjamin's concerns about the claiming of leaf nodes in the DNS system. However, I think that issue is larger than just this document, and that we are unlikely to come to an agreement within the DNS community about how to handle it in a reasonable amount of time. I have some additional comments, below. --------------------------------------------------------------------------- §4: > 4. Sentinel Tests from Hosts with More than One Configured Resolve Nit: "...Resolvers" --------------------------------------------------------------------------- §4.2: One of the implicit assumptions of this section appears to be that the client performing this test will necessarily be using gethostbyname() (or something similar), and at the mercy of the underlying library with regard to the test assumptions. On systems where the list of configured resolvers can be retrieved programmatically (e.g., 'scutil --dns' under OS X, or the contents of /etc/hosts on most other Unices), I would guess that more reliable results could be achieved by treating the three bullets in section 4.2 as requirements on the testing client rather than assumptions that may make the results invalid if they don't hold. Concretely: I believe it would be useful to add text to this section suggesting that clients can achieve more reliable results by bypassing the local stub resolver and implementing queries themselves (in a fashion similar to the popular "dig" utility), which allows them to ensure that these assumptions are true. --------------------------------------------------------------------------- Appendix A: This walkthrough uses the name "bogus.example.com" for the bogus record used in the testing. I've gone looking through the document and cannot determine whether this is canonical or just the name this example uses. I presume it's the latter. It's probably worth adding text to this example which explains that the choice of "bogus" by Geoff is a site-local decision. What I'd like to avoid is having situations where people hardcode "bogus" into some tooling suite, and then cause sites like "github.io" grief in the case that the (already-registered) user with a username of "bogus" attempts to set up a page at "https://bogus.github.io/").