Re: [DNSOP] Updated KSK Sentinel document
"John Dickinson" <jad@sinodun.com> Mon, 19 February 2018 10:16 UTC
Return-Path: <jad@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D396127337 for <dnsop@ietfa.amsl.com>; Mon, 19 Feb 2018 02:16:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9C426wUVEot for <dnsop@ietfa.amsl.com>; Mon, 19 Feb 2018 02:15:59 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61318127275 for <dnsop@ietf.org>; Mon, 19 Feb 2018 02:15:59 -0800 (PST)
Received: from [2001:b98:204:102:fff1::f145] (port=65050 helo=[192.168.12.13]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <jad@sinodun.com>) id 1eniUH-0007JR-LL; Mon, 19 Feb 2018 10:15:57 +0000
From: John Dickinson <jad@sinodun.com>
To: dnsop <dnsop@ietf.org>
Cc: Geoff Huston <gih902@gmail.com>
Date: Mon, 19 Feb 2018 10:18:48 +0000
X-Mailer: MailMate (1.10r5443)
Message-ID: <D7FD1C78-C2C6-4106-9E8C-BFD83D5BF5DF@sinodun.com>
In-Reply-To: <A384C66F-E285-4AD2-A8F8-CF9CE0F43DB7@gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <02D558F6-F820-4627-BAC6-1A38AB00B4F5@sinodun.com> <A384C66F-E285-4AD2-A8F8-CF9CE0F43DB7@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-BlackCat-Spam-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dE3CCt_xrys-jw2CToNbwRK34rE>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2018 10:16:01 -0000
On 18 Feb 2018, at 20:21, Geoff Huston wrote: > Hi John, > > thanks for the review of this draft > > >> On 17 Feb 2018, at 4:35 am, John Dickinson <jad@sinodun.com> wrote: >> >> Hi, >> >> I like what this draft is trying to do. >> >> I am a bit concerned about adding a invalid RR in to a otherwise >> correctly signed zone. It suspect that there may be a variation in >> how validating resolvers treat authoritative servers that appear to >> have sent bogus data. Some might retry, retry other auth servers, >> stop using that server altogether etc etc… > > I have been doing this for many years in an ad-based measurement > campaign. When a validating resolver is incapable of validating a > response it sends back a SERVFAIL response code of course. Some years > back “incapable of validating a response” implied an exhaustive > search through all NS’s of all parent zones to see if any path > exists that can validate the RRSIG - these days many resolvers simply > accept the first invalid response and pass back SERVFAIL. OK great - I just wondered if there was all sorts of strange differences between different implementations. > Obviously the SERVFAIL response will prompt a stub resolver to pass > the query tyo any other recursive resolvers that it is configured to > query. This is of course the same behaviour as one would expect from a > validating recursive resolver that has failed to track a KSK roll. I > have not observed any signal that a client resolver accepts a SERVFAIL > response from a recursive resolver as anything other than a failure > for the query itself. > > >> >> I suggest that the example A/AAAA RRs on page 4 be written fully >> qualified so there can be no doubt that this draft does not imply new >> special names at the root (which is what I first thought). > > “example.com” appears four times on page 4 - are you suggesting > that this be altered to read “example.com.”? > > Or are you suggesting that the 5 instances of the label > kskroll-sentinel-(is|not)-ta-2222 which refer to a “resoirce” be > edited to read "kskroll-sentinel-(is|not)-ta-2222.example.com"? > > Or both? The second one but only for the 3 examples invalid IN AAAA 2001:DB8::1 kskroll-sentinel-is-ta-2222 IN AAAA 2001:DB8::1 kskroll-sentinel-not-ta-2222 IN AAAA 2001:DB8::1 regards John > > > >> >> In the discussion of Charlie’s resolvers I think “from >> this he knows (see the logic below) that he is using legacy, non- >> validating resolvers.” >> >> should have the “non-“ removed. >> > > > yes - that’s correct. That was a typo. > > >> regards >> John >> >> >> On 12 Feb 2018, at 20:28, Warren Kumari wrote: >> >>> <author hat only> >>> >>> Hi all, >>> >>> Sorry it has taken so long to get a new version of this document >>> posted - you deserve better. >>> >>> Anyway, we've finally posted an updated version - >>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ >>> >>> This version includes a (hopefully easily understood) description of >>> how this would actually be used, and not just "here's a protocol, k, >>> thnx, bye!". I've tried to layout what each party does, and how it >>> all >>> fits together - please let me know if it isn't clear. This section >>> is >>> towards the top of the document - we will likely make it an Appendix >>> before publication. >>> >>> I've also updated it to use the kskroll-sentinel-is-ta-<id> format. >>> It >>> is easy to change again in the future, but this seemed to be what >>> the >>> working group liked. I also updated my demo implementation >>> (http://www.ksk-test.net) to use this naming scheme. >>> >>> This version also clarifies that the test is "Is the Key ID a DNSSEC >>> root KSK?" Originally my view was that it should be "Is there *any* >>> key in the trust store with this keyID?", but after running some >>> numbers I decided that there is a significant chance of false >>> positives. >>> >>> As I mentioned, it took an embarrassingly long time to post the >>> update >>> - please let us know if we missed your comments. >>> >>> W >>> -- >>> I don't think the execution is relevant when it was obviously a bad >>> idea in the first place. >>> This is like putting rabid weasels in your pants, and later >>> expressing >>> regret at having chosen those particular rabid weasels and that pair >>> of pants. >>> ---maf >>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop >> >> >> John Dickinson >> >> http://sinodun.com >> >> Sinodun Internet Technologies Ltd. >> Magdalen Centre >> Oxford Science Park >> Robert Robinson Avenue >> Oxford OX4 4GA >> U.K. >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop John Dickinson http://sinodun.com Sinodun Internet Technologies Ltd. Magdalen Centre Oxford Science Park Robert Robinson Avenue Oxford OX4 4GA U.K.
- [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Bob Harold
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document Joe Abley
- Re: [DNSOP] Updated KSK Sentinel document Wessels, Duane
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Geoff Huston
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Paul Hoffman