Re: [DNSOP] A conversational description of sentinel.

[Petr Špaček <petr.spacek@nic.cz>]

On 2.2.2018 16:45, Warren Kumari wrote:
> On Fri, Feb 2, 2018 at 4:41 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
>> On 2.2.2018 09:32, Mark Andrews wrote:
>>> This isn’t about whether name servers load A records with non LDH names
>>> as they all can.
>>>
>>> The real question is do the name lookup api’s in the web browsers barf
>>> on non IDN, non LDH names since that is the mechanism being proposed
>>> for people to test this.
>>
>> Sure. Given that MS AD users underscore A records in its integrated DNS
>> server (at least in older versions), it is going to work with DNS
>> resolver distributed with Windows. This covers 99 % of clients which can
>> potentially be target of potential ad campaign.
>>
>> So, now, we need to test browsers...
>>
> 
> 
> For those who would like to test this, while not having to get their
> hands quite as dirty, I've added:
> _www     IN CNAME ron.kumari.net
> xm--www   IN A 204.194.23.4
> to ksk-test.net, and have updated the JavaScript to test these as well.
> 
> 
> On Chome and Safari on both OS X and IOS I get:
> These below 2 tests are just for debugging / to understand browser
> behavior. You:
> were able to fetch the "underscore" record
> were able to fetch the "dashdash" record
> 
> 
> Surprisingly, on Chrome on Android and Samsung Internet (the browser
> on Samsung Galaxy Note devices) I get:
> These below 2 tests are just for debugging / to understand browser
> behavior. You:
> were **NOT** able to fetch the "underscore" record
> were able to fetch the "dashdash" record
> 
> 
> I must admit that I was not expecting this - can others please also test this?
Huh, this totally surprised me, but yeah, data trumphs any intuition here.

> I personally don't really care what the labels are -- we could make it
> I-Heart-KennyG-is-ta-[foo] for all I care[0].

Now when I see that this kind of problems is real, it is probably the
right time to ask Geoff to use his tools and get some data from large
scale measurement...

Underscore is now out of the question because we know about the
Android/Chrome problem se might test alternative labels.

??-- variant is out of question because it goest against
https://tools.ietf.org/html/rfc5891#section-5.4

So, to have something realistic and testable, I propse to use strings:

test-name-rfcXXXX-dnssec-root-trust-anchor-key-trusted-yes-0000
(63 octets, unlikely to colide with anything, self-explanatory)
test-name-rfcXXXX-dnssec-root-trust-anchor-key-trusted-no-0000
(62 octets)

Opinions?

Geoff, is it realistic to test that clients are able to resolve A
records containing these leftmost labels?

Petr Špaček  @  CZ.NIC


> 
> W
> [0]: Note: anyone who suggests a: an emoticon or b: some cute unicode
> hack is dead to me.
> 
>>
>> Talk is cheap, let's get hands dirty!
>>
>> I just tested Firefox 58.0.1 on Fedora 27
>> URL http://_test.example
>>
>> Result: The Firefox under test issued DNS queries
>> _test.example. A
>> _test.example. AAAA
>> just fine.
>>
>> nsswitch.conf:
>> hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostnam
>>
>> I do not have other desktop system at hand, so I will defer other
>> experiments to others.
>>
>> Please do experiments and report your results.
>> Petr Špaček  @  CZ.NIC
>>
>>> Mark
>>>
>>>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spacek@nic.cz> wrote:
>>>>
>>>> On 2.2.2018 07:55, A. Schulze wrote> Paul Hoffman:
>>>>>> My preference is #1 because, in general, a label starting with _ has
>>>>>> been meant for infrastructure, and that's what these labels are.
>>>>>> Others might like #2 so they don't have to add configuration to BIND
>>>>>> (and maybe other authoritative servers).
>>>>>
>>>>> just checked, my NSD and POWERDNS serve A record for _foo.examle.
>>>>> without noise...
>>>>> so: #1
>>>>
>>>> For the record, I also like more the underscore variant (#1 above).
>>>>
>>>> BIND spits a warning about it and I like it. After all, this whole KSK
>>>> sentinel bussiness is quite specialized thing to do and should be done
>>>> only by people who know what they are doing, so warning is appropriate.
>>>>
>>>> After all, what is your guess about number of zones containing such
>>>> names? 10? 20 zones globally? I cannot see more, and most likely vast
>>>> majority of people who would like to create such zones is following this
>>>> dicussion.
>>>>
>>>> Please do not overcomplicate things. The technology seems okay to me.
>>>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>>>> Could we polish the text and publish it, pretty please?
>>>>
>>>>
>>>> (BTW I have seen underscore names with A records in Microsoft Active
>>>> Direcotry DNS years ago, so this is not the first time _ A is used.)
>>>>
>>>> --
>>>> Petr Špaček  @  CZ.NIC