Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 26 September 2018 22:13 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD87130DDE; Wed, 26 Sep 2018 15:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsSANHOk_YVk; Wed, 26 Sep 2018 15:13:35 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1063F130DD4; Wed, 26 Sep 2018 15:13:35 -0700 (PDT)
Received: from [10.32.60.43] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w8QMCpBm011373 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Sep 2018 15:12:53 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.43]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Warren Kumari <warren@kumari.net>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-kskroll-sentinel@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>
Date: Wed, 26 Sep 2018 15:13:27 -0700
X-Mailer: MailMate (1.12r5523)
Message-ID: <03B733D9-5640-44A7-BEC0-A563ED24DAB1@vpnc.org>
In-Reply-To: <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com>
References: <153797498435.21672.17709898221650275799.idtracker@ietfa.amsl.com> <CAHw9_i+Dm7VHAi8eJjhDyGacCwxigeEZv8tSiGT+ZrW+vxu+oA@mail.gmail.com> <20180926181646.GM24695@kduck.kaduk.org> <CAHw9_i+MRJUfiZPBCNiFfio=VetCNXkHwW4Nw=WQa+z0dRWoWw@mail.gmail.com> <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org> <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c3zd971Pnf-o0I3PQTgESaV_5hE>
Subject: Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 22:13:37 -0000
On 26 Sep 2018, at 14:30, Warren Kumari wrote: > On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoffman@vpnc.org> > wrote: > >> On 26 Sep 2018, at 12:07, Warren Kumari wrote: >> >>> On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <kaduk@mit.edu> >>> wrote: >>> >>>> On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote: >>>>> On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <kaduk@mit.edu> >>>>> wrote: >>>>> >>>>>> Benjamin Kaduk has entered the following ballot position for >>>>>> draft-ietf-dnsop-kskroll-sentinel-15: Discuss >>>>>> >>>>>> When responding, please keep the subject line intact and reply to >>>>>> all >>>>>> email addresses included in the To and CC lines. (Feel free to >>>>>> cut >>>>>> this >>>>>> introductory paragraph, however.) >>>>>> >>>>>> >>>>>> Please refer to >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>>>>> for more information about IESG DISCUSS and COMMENT positions. >>>>>> >>>>>> >>>>>> The document, along with other ballot positions, can be found >>>>>> here: >>>>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ >>>>>> >>>>>> >>>>>> >>>>>> ---------------------------------------------------------------------- >>>>>> DISCUSS: >>>>>> ---------------------------------------------------------------------- >>>>>> >>>>>> Thanks for preparing this document and mechanism; it is good to >>>>>> have >>>> more >>>>>> data about the expected impact of the root KSK roll. That said, >>>>>> I >>>> have two >>>>>> Discuss-worthy points, albeit both fairly minor. >>>>>> >>>>>> The first one may just be something that I missed, but does this >>>> document >>>>>> actually say anywhere that there needs to be a real zone with >>>>>> real >>>>>> configured A and/or AAAA records for the query names used for >>>>>> these >>>> tests? >>>>>> The Appendix sort-of-mentions it, but I feel like there needs to >>>>>> be >>>>>> a >>>>>> mention in the main body text. >>>>>> >>>>>> >>>>> No hats (OMG, everyone will see I'm going bald...) >>>>> >>>>> Ok, fair. This was actually a source of confusion when we first >>>>> started >>>>> discussing the document -- we explained it on-list / at mics / in >>>>> person, >>>>> but it became so well understood that we didn't notice that it is >>>>> not >>>>> actually specified in the document. I'll try figure out text. >>>> >>>> Thanks. >>>> >>>> It eventually became pretty clear to me from things like "return >>>> the >>>> A or >>>> AAAA response unchanged" that there was supposed to be a valid >>>> response >>>> provisioned so that it could be returned, but I don't want to rely >>>> on >>>> all >>>> readers making the same inference. >>>> >>>> >>> So I opened my editor to add text, and scrolled down to try figure >>> out >>> where to add this. >>> "Section 4.3 - Test Procedure" seemed like a good spot -- and it >>> already >>> has this text: >>> >>> A query name containing the left-most label >>> "root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST >>> be >>> a >>> validly-signed. ***Any validly-signed DNS zone can be used for this >>> test.*** >>> A query name containing the left-most label >>> "root-key-sentinel-is-ta-<key-tag-of-KSK-new>". This name MUST be a >>> validly-signed. ***Any validly-signed DNS zone can be used for this >>> test.*** >>> >>> (emphasis mine). >>> >>> Does this perhaps address your concerns? >> >> It should not: Section 2.1 specifically says that the query must be >> for >> A or AAAA. >> >> > Ah, I think I'm starting to understand... > > A query name containing the left-most label > "root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be > a > validly-signed name." cover it? > I'd tried putting in stuff like "in a public zone" (but this isn't > actually > true, I could do this entirely in a private namespace if I only wanted > to > test a closed network). > Or perhaps: "This name MUST be a validly-signed name in a validly > signed > zone"? (which is somewhat redundant, but makes it clearer)? > > Any suggestions? Ben asked for the text to appear early, so I think that putting it in the last section before the Security Considerations doesn't really count. :-) How about in Section 2.2 where the document defines the special processing. Adding a last sentence to the last paragraph might clear things up: The answer for the A or AAAA query is sent on to the client. --Paul Hoffman
- [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dn… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Paul Hoffman
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Paul Hoffman
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Warren Kumari
- Re: [DNSOP] Benjamin Kaduk's Discuss on draft-iet… Joao Damas