Re: [DNSOP] A conversational description of sentinel.

Warren Kumari <warren@kumari.net> Fri, 02 February 2018 15:46 UTC

In-Reply-To: <0c2a4a38-49d7-2b46-1ac8-1dda0812e217@nic.cz>
References: <CAHw9_iKnD4WtTKyof=nm4ChmDZ5mAPqA7a_-m1t_Lauugf4Uow@mail.gmail.com> <alpine.DEB.2.11.1801251505070.5022@grey.csi.cam.ac.uk> <CAHw9_iJ-gwC1ZoWQ3YiJraD3eoUf-9-Ay--rPYzy1zWYUzvYmg@mail.gmail.com> <FDCED4D6-A7CE-465B-8344-CA89753ADF19@vpnc.org> <74C0CA59-6D53-4A60-ACBA-4AF5B51FE3FF@apnic.net> <D5D013D4-1EAD-434B-863A-29CB1BBEF4E4@vpnc.org> <496EFA88-BA70-460B-BFB2-69B2C7BC905D@apnic.net> <4540A279-4A37-4245-AE61-BEE5342E3F72@vpnc.org> <20180202075530.Horde.UWaxe9eenZ7PyxWYFHCFGdN@andreasschulze.de> <e8ac7bd0-26e6-cf97-e2ef-0ead50dc18ce@nic.cz> <88E7D27C-048E-44CB-B317-C892EA603D31@isc.org> <0c2a4a38-49d7-2b46-1ac8-1dda0812e217@nic.cz>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 02 Feb 2018 10:45:28 -0500
Message-ID: <CAHw9_iJ6yL12OaGW5+fm8M3YUkrj46CvC2-ob7Xrc5HEaA_Z1Q@mail.gmail.com>
To: Petr Špaček <petr.spacek@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wj11nnEohz6M2pk8ayR_xgXwjss>
Subject: Re: [DNSOP] A conversational description of sentinel.

On Fri, Feb 2, 2018 at 4:41 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> On 2.2.2018 09:32, Mark Andrews wrote:
>> This isn’t about whether name servers load A records with non LDH names
>> as they all can.
>>
>> The real question is do the name lookup APIs in the web browsers barf
>> on non IDN, non LDH names since that is the mechanism being proposed
>> for people to test this.
>
> Sure. Given that MS AD uses underscore A records in its integrated DNS
> server (at least in older versions), it is going to work with the DNS
> resolver distributed with Windows. This covers 99 % of clients which can
> potentially be the target of a potential ad campaign.
>
> So, now, we need to test browsers...
>


For those who would like to test this, while not having to get their
hands quite as dirty, I've added:
  _www     IN CNAME ron.kumari.net
  xm--www  IN A     204.194.23.4
to ksk-test.net, and have updated the JavaScript to test these as well.


On Chrome and Safari on both OS X and iOS I get:
These below 2 tests are just for debugging / to understand browser
behavior. You:
were able to fetch the "underscore" record
were able to fetch the "dashdash" record


Surprisingly, on Chrome on Android and Samsung Internet (the browser
on Samsung Galaxy Note devices) I get:
These below 2 tests are just for debugging / to understand browser
behavior. You:
were **NOT** able to fetch the "underscore" record
were able to fetch the "dashdash" record


I must admit that I was not expecting this - can others please also test this?

I personally don't really care what the labels are -- we could make it
I-Heart-KennyG-is-ta-[foo] for all I care[0].

W
[0]: Note: anyone who suggests a: an emoticon or b: some cute unicode
hack is dead to me.

>
> Talk is cheap, let's get hands dirty!
>
> I just tested Firefox 58.0.1 on Fedora 27
> URL http://_test.example
>
> Result: The Firefox under test issued DNS queries
> _test.example. A
> _test.example. AAAA
> just fine.
>
> nsswitch.conf:
> hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostnam
>
> I do not have other desktop system at hand, so I will defer other
> experiments to others.
>
> Please do experiments and report your results.
> Petr Špaček  @  CZ.NIC
>
>> Mark
>>
>>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spacek@nic.cz> wrote:
>>>
>>> On 2.2.2018 07:55, A. Schulze wrote:
>>>> Paul Hoffman:
>>>>> My preference is #1 because, in general, a label starting with _ has
>>>>> been meant for infrastructure, and that's what these labels are.
>>>>> Others might like #2 so they don't have to add configuration to BIND
>>>>> (and maybe other authoritative servers).
>>>>
>>>> just checked, my NSD and POWERDNS serve an A record for _foo.example.
>>>> without noise...
>>>> so: #1
>>>
>>> For the record, I also like more the underscore variant (#1 above).
>>>
>>> BIND spits a warning about it and I like it. After all, this whole KSK
>>> sentinel business is quite a specialized thing to do and should be done
>>> only by people who know what they are doing, so a warning is appropriate.
>>>
>>> After all, what is your guess about the number of zones containing such
>>> names? 10? 20 zones globally? I cannot see more, and most likely the vast
>>> majority of people who would like to create such zones are following this
>>> discussion.
>>>
>>> Please do not overcomplicate things. The technology seems okay to me.
>>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>>> Could we polish the text and publish it, pretty please?
>>>
>>>
>>> (BTW I have seen underscore names with A records in Microsoft Active
>>> Directory DNS years ago, so this is not the first time _ A is used.)
>>>
>>> --
>>> Petr Špaček  @  CZ.NIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
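The question the thread is circling is whether a client's name-lookup API applies DNS syntax (any octet in a label), RFC 1123 hostname syntax (LDH only, which rejects "_www"), or IDNA rules on top (which frown on "--" in positions 3 and 4 unless the label is a real "xn--" A-label, i.e. "xm--www"). The script below, added here and not part of Warren's test page or any browser's code, models those three policies against the two probe names from the message (ksk-test.net, "_www", "xm--www"); which policy a given browser actually applies is exactly what the thread asks people to test, so the model makes no claim about any specific browser.

```python
import re

# RFC 1123 "hostname" label: letters, digits and hyphens (LDH), no leading or
# trailing hyphen, 1 to 63 octets. Strict hostname-validating lookup APIs
# enforce this; the DNS itself (RFC 2181) accepts any octet in a label.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_label(label: str) -> dict:
    """Flag the properties of one label that a name-lookup API might object to."""
    return {
        "ldh": bool(LDH_LABEL.match(label)),
        # "_www": valid DNS, not a valid hostname (the "underscore" probe).
        "underscore": label.startswith("_"),
        # "xm--www": LDH-valid, but hyphens in positions 3 and 4 are reserved by
        # IDNA2008 (RFC 5891 section 4.2.3.1); only "xn--" is a real A-label.
        "hyphens_3_4": len(label) >= 4 and label[2:4] == "--",
        "a_label": label.lower().startswith("xn--"),
    }


def lookup_api_accepts(name: str, policy: str) -> bool:
    """Model a lookup API with policy 'dns', 'hostname' or 'idna' (assumed labels)."""
    labels = name.rstrip(".").split(".")
    if len(name.rstrip(".")) > 253 or any(not 0 < len(l) <= 63 for l in labels):
        return False  # exceeds DNS wire limits regardless of policy
    if policy == "dns":
        return True   # permissive: anything the DNS can carry
    if not all(LDH_LABEL.match(l) for l in labels):
        return False  # "_www" dies here
    if policy == "hostname":
        return True
    # "idna": additionally reject reserved "--" in positions 3-4 unless xn--
    return all(not c["hyphens_3_4"] or c["a_label"]
               for c in map(classify_label, labels))


def probe_report(names: dict, policy: str) -> dict:
    """For each probe, whether an API with this policy would even attempt it."""
    return {tag: lookup_api_accepts(n, policy) for tag, n in names.items()}


# The two debugging probes from the message, under the zone named there.
PROBES = {"underscore": "_www.ksk-test.net", "dashdash": "xm--www.ksk-test.net"}

if __name__ == "__main__":
    for tag, name in PROBES.items():
        print(tag, name, classify_label(name.split(".")[0]))
    for policy in ("dns", "hostname", "idna"):
        print(policy, probe_report(PROBES, policy))
```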