[DNSOP] dnssec-kskroll-sentinel-06 clarifications

[Petr Špaček <petr.spacek@nic.cz>]

Hello dnsop,

here are two (hopefully non-controversial) additions for
dnssec-kskroll-sentinel-06:

https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/14/commits


1st proposal
============
There might be dumb stubs which ignore RCODE and just look for data in
the ANSWER section, i.e. these would not see a difference between
SERVFAIL and non-SERVFAIL RCODE and skew measurement results.

Right now the draft says "return SERVFAIL" and naive implementation
could keep content of ANSWER section intact /as I naively did in first
iteration/, which is not desirable. Proposal here is to add text below
table at the end of section in 3.2:

               |   Key Tag is trusted    |   Key Tag is not trusted
    ------------------------------------------------------------------
    is-ta      | return original answer  | return SERVFAIL
    not-ta     | return SERVFAIL         | return original answer

++  Instruction "return SERVFAIL" means that the resolver MUST set
RCODE=SERVFAIL (value 2) and MUST empty the ANSWER section of the DNS
response, ignoring all other documents which specify content of the
ANSWER section.



2nd proposal
============
Add caveat that SERVFAIL can get cached (forwarding!), so TA
fixes/update might not be visible immediatelly.

Addition to the end of "Sentinel Test Result Considerations":
+      <t>Please note that SERVFAIL might be cached according to
+      <xref target="RFC2308"/> section 7 for up to 5 minutes
+      and a positive answer for up to its TTL.</t>


3rd proposal
============
We have one more thing which needs more manpower to be verified. Right
now, the section 3.1.  Preconditions is:

>  3.1.  Preconditions
> 
>    All of the following conditions must be met to trigger special
>    processing inside resolver code:
> 
>    o  The DNS response is DNSSEC validated and result of validation is
>       "Secure"
> 
>    o  The QTYPE is either A or AAAA (Query Type value 1 or 28)
> 
>    o  The OPCODE is QUERY
> 
>    o  The leftmost label of the QNAME is either "kskroll-sentinel-is-ta-
>       <key-tag>" or "kskroll-sentinel-not-ta-<key-tag>"
> 
>    If any one of the preconditions is not met, the resolver MUST NOT
>    alter the DNS response based on the mechanism in this document.

and later 5.  Sentinel Test Result Considerations discusses how to
interpret results, including considerations for CD bit handling between
recursor and forwarder (we are not speaking about stubs here!).

The current text in section 5 is written with an assumption that query
with +CD bit cannot result in "Secure" status and thus cannot trigger
sentinel processing, but this depends on implementation.

E.g. Knot Resolver stores RRs in cache along with their validation
status, so if a client(s) send query *without* CD bit, the RRs will be
validated and then stored into cache along with its state, e.g. Secure.
Later, when another client asks the same query but with +CD bit, the RR
will be read from cache and its state will be Secure despite of the CD bit.


Now, if we were literally following the version 06 of this draft, we
would trigger the sentinel processing despite the CD bit because the
state is Secure (as cached from a previous query). I suspect that this
is not what authors of text in section 5 expect ...

To counter this I propose to add another precondition:
- CD bit in the query is not set

IMHO it should solve the problem with implementation-specific cache
behavior.

Does anyone see a problem with this addition? What did I miss?

-- 
Petr Špaček  @  CZ.NIC