Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 26 September 2018 22:13 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD87130DDE; Wed, 26 Sep 2018 15:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsSANHOk_YVk; Wed, 26 Sep 2018 15:13:35 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1063F130DD4; Wed, 26 Sep 2018 15:13:35 -0700 (PDT)
Received: from [10.32.60.43] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w8QMCpBm011373 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Sep 2018 15:12:53 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.43]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Warren Kumari" <warren@kumari.net>
Cc: "Benjamin Kaduk" <kaduk@mit.edu>, "The IESG" <iesg@ietf.org>, draft-ietf-dnsop-kskroll-sentinel@ietf.org, "Tim Wicinski" <tjw.ietf@gmail.com>, "Benno Overeinder" <benno@nlnetlabs.nl>, "DNSOP Chairs" <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>
Date: Wed, 26 Sep 2018 15:13:27 -0700
X-Mailer: MailMate (1.12r5523)
Message-ID: <03B733D9-5640-44A7-BEC0-A563ED24DAB1@vpnc.org>
In-Reply-To: <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com>
References: <153797498435.21672.17709898221650275799.idtracker@ietfa.amsl.com> <CAHw9_i+Dm7VHAi8eJjhDyGacCwxigeEZv8tSiGT+ZrW+vxu+oA@mail.gmail.com> <20180926181646.GM24695@kduck.kaduk.org> <CAHw9_i+MRJUfiZPBCNiFfio=VetCNXkHwW4Nw=WQa+z0dRWoWw@mail.gmail.com> <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org> <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c3zd971Pnf-o0I3PQTgESaV_5hE>
Subject: Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 22:13:37 -0000

On 26 Sep 2018, at 14:30, Warren Kumari wrote:

> On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoffman@vpnc.org>; 
> wrote:
>
>> On 26 Sep 2018, at 12:07, Warren Kumari wrote:
>>
>>> On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <kaduk@mit.edu>; 
>>> wrote:
>>>
>>>> On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote:
>>>>> On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <kaduk@mit.edu>;
>>>>> wrote:
>>>>>
>>>>>> Benjamin Kaduk has entered the following ballot position for
>>>>>> draft-ietf-dnsop-kskroll-sentinel-15: Discuss
>>>>>>
>>>>>> When responding, please keep the subject line intact and reply to
>>>>>> all
>>>>>> email addresses included in the To and CC lines. (Feel free to 
>>>>>> cut
>>>>>> this
>>>>>> introductory paragraph, however.)
>>>>>>
>>>>>>
>>>>>> Please refer to
>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>
>>>>>>
>>>>>> The document, along with other ballot positions, can be found 
>>>>>> here:
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> DISCUSS:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> Thanks for preparing this document and mechanism; it is good to
>>>>>> have
>>>> more
>>>>>> data about the expected impact of the root KSK roll.  That said, 
>>>>>> I
>>>> have two
>>>>>> Discuss-worthy points, albeit both fairly minor.
>>>>>>
>>>>>> The first one may just be something that I missed, but does this
>>>> document
>>>>>> actually say anywhere that there needs to be a real zone with 
>>>>>> real
>>>>>> configured A and/or AAAA records for the query names used for 
>>>>>> these
>>>> tests?
>>>>>> The Appendix sort-of-mentions it, but I feel like there needs to 
>>>>>> be
>>>>>> a
>>>>>> mention in the main body text.
>>>>>>
>>>>>>
>>>>> No hats (OMG, everyone will see I'm going bald...)
>>>>>
>>>>> Ok, fair. This was actually a source of confusion when we first
>>>>> started
>>>>> discussing the document -- we explained it on-list / at mics / in
>>>>> person,
>>>>> but it became so well understood that we didn't notice that it is
>>>>> not
>>>>> actually specified in the document. I'll try figure out text.
>>>>
>>>> Thanks.
>>>>
>>>> It eventually became pretty clear to me from things like "return 
>>>> the
>>>> A or
>>>> AAAA response unchanged" that there was supposed to be a valid
>>>> response
>>>> provisioned so that it could be returned, but I don't want to rely 
>>>> on
>>>> all
>>>> readers making the same inference.
>>>>
>>>>
>>> So I opened my editor to add text, and scrolled down to try figure 
>>> out
>>> where to add this.
>>> "Section 4.3 - Test Procedure" seemed like a good spot -- and it
>>> already
>>> has this text:
>>>
>>> A query name containing the left-most label
>>> "root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST 
>>> be
>>> a
>>> validly-signed. ***Any validly-signed DNS zone can be used for this
>>> test.***
>>> A query name containing the left-most label
>>> "root-key-sentinel-is-ta-<key-tag-of-KSK-new>". This name MUST be a
>>> validly-signed. ***Any validly-signed DNS zone can be used for this
>>> test.***
>>>
>>> (emphasis mine).
>>>
>>> Does this perhaps address your concerns?
>>
>> It should not: Section 2.1 specifically says that the query must be 
>> for
>> A or AAAA.
>>
>>
> Ah, I think I'm starting to understand...
>
> A query name containing the left-most label
> "root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be 
> a
> validly-signed name." cover it?
> I'd tried putting in stuff like "in a public zone" (but this isn't 
> actually
> true, I could do this entirely in a private namespace if I only wanted 
> to
> test a closed network).
> Or perhaps: "This name MUST be a validly-signed name in a validly 
> signed
> zone"? (which is somewhat redundant, but makes it clearer)?
>
> Any suggestions?

Ben asked for the text to appear early, so I think that putting it in 
the last section before the Security Considerations doesn't really 
count. :-)

How about in Section 2.2 where the document defines the special 
processing. Adding a last sentence to the last paragraph might clear 
things up:
    The answer for the A or AAAA query is sent on to the client.

--Paul Hoffman