Re: [DNSOP] sentinel and timing?

Joe Abley <jabley@hopcount.ca> Thu, 08 February 2018 18:54 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <alpine.LRH.2.21.1802081342460.24808@bofh.nohats.ca>
Date: Thu, 08 Feb 2018 13:54:29 -0500
Cc: dnsop <dnsop@ietf.org>
Message-Id: <3E4246B3-BFE8-4198-9148-B07A4C59F0BB@hopcount.ca>
References: <alpine.LRH.2.21.1802071035280.6369@bofh.nohats.ca> <20180207215502.46daf6bc@titan.int.futz.org> <alpine.LRH.2.21.1802080059480.6658@bofh.nohats.ca> <7816D681-7A97-466C-A77F-7A0CC87C4F8F@hopcount.ca> <alpine.LRH.2.21.1802081342460.24808@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_MFQmBK3FlYanAJv43P_IG8erJg>
Subject: Re: [DNSOP] sentinel and timing?

On 8 Feb 2018, at 13:52, Paul Wouters <paul@nohats.ca> wrote:

> On Thu, 8 Feb 2018, Joe Abley wrote:
> 
>> I don't disagree with the need for more data, but I think the hole you mention is not so giant. As far as I can tell it's a result of:
> 
> How do you know without the data?

I'm talking about the data that I have seen. I described how I thought that data was inadequate (not for lack of uptime statistics).

>> 1. RFC5011 support not being turned on in nameservers that have been upgraded but whose older, DNSSEC-validating configuration has been preserved across updates (most cases), and
>> 
>> 2. RFC5011 support exercising a code path that requires a writable, persistent filesystem to store an updated trust anchor, which turns out not to be available (fewer, but some cases).
> 
> 3. gold images instantiated in private clouds
> 
> 4. AMI images used in AWS
> 
> 5. docker containers
> 
> 6. kubernetes containers
> 
> 7. old configs not getting updated unrelated to 1. and 2.

Right, I didn't see any of your cases (3) through (7).


Joe
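A defensive check for the failure mode in case (2) above, added here as an example and not part of either message in the thread: it verifies that the directory a validating resolver uses to persist RFC 5011 trust anchor updates exists, is actually writable (by writing a probe file rather than trusting mode bits), and is not on an ephemeral filesystem type such as tmpfs or a container overlay, which also covers the gold-image and container situations in cases (3) through (6). The directory path, the list of filesystem types treated as ephemeral and the probe filename are assumptions; whether the resolver has RFC 5011 turned on at all (case 1) is resolver-specific and not checked here.

```sh
#!/bin/sh
# Constructed example, not code from the thread: sanity-check the directory a
# validating resolver writes RFC 5011 trust anchor updates into.
# Usage: sh check_anchor_store.sh /path/to/managed-keys-directory
# (the path is an assumption; pass the one your resolver is configured with)

# Filesystem types that do not survive a restart or a redeploy (assumed list).
EPHEMERAL_FSTYPES="tmpfs ramfs overlay overlayfs aufs"

# is_ephemeral_fstype TYPE: 0 if TYPE is in the ephemeral list, 1 otherwise
is_ephemeral_fstype() {
  for t in $EPHEMERAL_FSTYPES; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# fstype_of DIR: print the filesystem type DIR lives on, or "unknown"
fstype_of() {
  if command -v findmnt >/dev/null 2>&1; then
    findmnt -n -o FSTYPE --target "$1"
  elif stat -f -c %T "$1" >/dev/null 2>&1; then
    # GNU stat only; the guard above keeps this from running on BSD stat
    stat -f -c %T "$1"
  else
    echo unknown
  fi
}

# check_anchor_store DIR: 0 if DIR exists, is writable by this user and sits on
# a filesystem type that persists across restarts; 1 otherwise, with a reason
# on stderr.
check_anchor_store() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir does not exist; RFC 5011 updates have nowhere to go" >&2
    return 1
  fi
  # Write-test with a real file: read-only mounts and overlay quirks show up
  # here even when the mode bits look fine.
  probe="$dir/.rfc5011-write-probe.$$"
  if ! ( : > "$probe" ) 2>/dev/null; then
    echo "FAIL: $dir is not writable" >&2
    return 1
  fi
  rm -f "$probe"
  fstype=$(fstype_of "$dir")
  if is_ephemeral_fstype "$fstype"; then
    echo "WARN: $dir is on $fstype; updated anchors will be lost on restart" >&2
    return 1
  fi
  echo "OK: $dir is writable and on $fstype" >&2
  return 0
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
  check_anchor_store "$1"
fi
```

The write probe matters more than the mode bits: a directory that looks writable in a gold image can be on a read-only or overlay layer once instantiated, which is exactly the situation where a resolver believes it has accepted a new trust anchor and then forgets it on the next restart.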