Re: [DNSOP] draft-huston-kskroll-sentinel - naming format?

Ray Bellis <ray@bellis.me.uk> Tue, 31 October 2017 14:57 UTC

Return-Path: <ray@bellis.me.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1CF013F72D for <dnsop@ietfa.amsl.com>; Tue, 31 Oct 2017 07:57:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKsdQPQ9oHWi for <dnsop@ietfa.amsl.com>; Tue, 31 Oct 2017 07:57:00 -0700 (PDT)
Received: from hydrogen.portfast.net (hydrogen.portfast.net [188.246.200.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F1A513F6DB for <dnsop@ietf.org>; Tue, 31 Oct 2017 07:56:57 -0700 (PDT)
Received: from [46.227.151.81] (port=59921 helo=rays-mbp.local) by hydrogen.portfast.net ([188.246.200.2]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1e9XyI-0002pn-7X (Exim 4.72) (return-path <ray@bellis.me.uk>); Tue, 31 Oct 2017 14:56:54 +0000
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
References: <027a469c-5bb6-7940-fd89-55b91dd97275@bellis.me.uk> <20171030174052.GB87160@isc.org> <ce2c26be-d944-345c-0e63-d063682c78a6@bellis.me.uk> <alpine.DEB.2.11.1710311427140.22527@grey.csi.cam.ac.uk>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <b0d553d2-43f2-b674-f6b0-b2781051b473@bellis.me.uk>
Date: Tue, 31 Oct 2017 14:56:54 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.11.1710311427140.22527@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WwaY9VqnkA4KTz_hiW6mVESaNug>
Subject: Re: [DNSOP] draft-huston-kskroll-sentinel - naming format?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 14:57:02 -0000


On 31/10/2017 14:34, Tony Finch wrote:

> It's NXDOMAIN. (It'll also fall foul of RFCs 8020 and 8198.)
> 
> The problem occurs if you have a validator behind a cache. The cache will
> prevent downstream id._ta. queries from reaching the root, so any
> downstream trust anchor variation will be lost.

Right, but if it's _defined_ to be an ENT instead (with NOERROR) then
that problem shouldn't arise?

In any event, for the proposed new mechanism the queries don't reach the
root, they're handled internally within the resolver.

Ray