Re: [DNSOP] draft-livingood-dnsop-negative-trust-anchors@tools.ietf.org
Warren Kumari <warren@kumari.net> Tue, 05 May 2015 16:23 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40671B2FD3 for <dnsop@ietfa.amsl.com>; Tue, 5 May 2015 09:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.221
X-Spam-Level:
X-Spam-Status: No, score=0.221 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZ63IcOLvrah for <dnsop@ietfa.amsl.com>; Tue, 5 May 2015 09:23:17 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8293B1A1BE7 for <dnsop@ietf.org>; Tue, 5 May 2015 09:10:01 -0700 (PDT)
Received: by widdi4 with SMTP id di4so167547280wid.0 for <dnsop@ietf.org>; Tue, 05 May 2015 09:10:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=fcMc37ZyEWXn1NuIrgvQu5KpdXgmekPnXkaN3HEqyZU=; b=AAoKXBS2vuy4W5Cih2vS/WKWnpqQCTa0X+IEXoGuv/KPtTwzTAk6OzfN9cttmwoxZI SKQM3RL7oXXxzZMSGL0YPLGdUDQGE0UhPE0Co4RtCrl1wMx15CUH5rIj3UOrFr+JV9OK /sJi1uK9TPtweAmBea4sjcZuososBf15LhqI65dTS17nN+sZLpwlu3vMW27j/xmYqUVG B9Pkibu3dLhERSpFuSV04R7s8ObCT1C0XoH+wwm2lCGgho5QAGTDhYCp0mp4/tC9eatk RcShS/Ec3AL8Kk1s2upFwtNcQizWV4XitdXoQ8jIkhlBV6TyFb9tmb7vkI1MpYVbU9Fo mZuA==
X-Gm-Message-State: ALoCoQkb3vLlgmTAeAOO3SvHur7jz0uZoKJFfDI5J2Q+ls8TZtmQLvGVQuwdu0lTZshvNCQrwMbU
MIME-Version: 1.0
X-Received: by 10.180.93.36 with SMTP id cr4mr5373579wib.61.1430842193855; Tue, 05 May 2015 09:09:53 -0700 (PDT)
Received: by 10.194.47.36 with HTTP; Tue, 5 May 2015 09:09:53 -0700 (PDT)
In-Reply-To: <CAJE_bqeedYN5rmgQEMBKTWnct1v-UVzTkwbvTfk5Bm-rrd3TOw@mail.gmail.com>
References: <CAJE_bqcRiamHQw7q=VYuYLBhh-V75C0w=UJUDBnT3LnBuFEnSQ@mail.gmail.com> <CAHw9_iJ0nKS9jts+vReN7pA3AgWJAcU9Yo9_YjyTi4WyU+B=1g@mail.gmail.com> <CAJE_bqeedYN5rmgQEMBKTWnct1v-UVzTkwbvTfk5Bm-rrd3TOw@mail.gmail.com>
Date: Tue, 05 May 2015 12:09:53 -0400
Message-ID: <CAHw9_i+C43f05Eea_mu83RWJbzCBMb4GWcgMKoO8eN_9HqpcbQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/dI4xqQLGnquIwRqK72NRauXBdAE>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-livingood-dnsop-negative-trust-anchors@tools.ietf.org
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 16:23:20 -0000
On Fri, May 1, 2015 at 2:25 PM, 神明達哉 <jinmei@wide.ad.jp> wrote: > At Fri, 24 Apr 2015 23:59:22 -0400, > Warren Kumari <warren@kumari.net> wrote: > >> So, I have gone back through previous mail and it seems that this was >> the only email that got missed. >> Anyway, it seems that other folk also made similar comments, and so, >> by -03, we had addressed almost all of them. >> Apologies again for not seeing and responding to your mail. > > No worries, and thanks for addressing these so quickly. > >> > I agree with the sense of the statement, but specifically how can >> > the operator confirm that it's misconfiguration? [...] >> >> My last update (a few days ago) included inserting an Appendix that >> covers some of this. It is somewhat rough,and more conversational in >> tone than if it were in the main part of the draft, but I think >> strikes a nice balance. > > Do you mean Appendix B? It certainly looks good enough to me to > address this point. Yup. Excellent! > >> > - Also on that sense and this one in Section 8: >> > >> > Use of a >> > Negative Trust Anchor MUST NOT be automatic. >> > >> > Again, I agree with the sense, but I wonder whether players like big >> > ISPs or public DNS services are really willing to follow the >> > suggestion of human intervention and/or ban of automation. > [...] >> > For these recommendations to be really effective rather than just >> > ignored, I think we need to provide some more information, e.g., >> > statistics on how often these events are happening in actual >> > providers that use NTAs, show example of operational practices >> > (which I guess would include some level of automation). >> >> We don't really have anything published, but I spoke with the person >> who deals with these and it is around once per quarter (it has slowed >> down). This year we have only done it once - for the .KE keyroll event >> ( thread here: https://lists.dns-oarc.net/pipermail/dns-operations/2015-March/013060.html >> ) > > Okay, then I'd suggest adding some brief note on this point. One > possibility would be to add something like this to the end of the > first paragraph of Section 2: > > [... prior to implementing the Negative Trust Anchor.] Involving > trained technical personnel is costly, but operations experiences > so far suggest that this is a very rare event such as around once > per quarter or even less. > Will do. > (and if we can include a concrete reference, do that) > >> > - Also on Section 8: >> > >> > Finally, a Negative Trust Anchor SHOULD be used only in a specific >> > domain or sub-domain and MUST NOT affect validation of other names up >> > the authentication chain. >> > >> > I think it would also help clarify that the deepest anchor should be >> > used, whether positive or negative. [...] >> >> Actually, an NTA stops validation at that point, which includes things >> under that. >> Here is text (which probably changed after your comment: >> "This Negative Trust Anchor can potentially be implemented at any >> level within the chain >> of trust and would stop validation from that point in the chain down." >> >> This gave us the needed behavior when .ke broke... >> Yes, turning off validation for an entire ccTLD is a big hammer -- >> but, it is better than turning off validation for *everyone*, or just >> leaving an entire country unresolvable for many hours.... > > Hmm...first, if this is really the intent, I'd suggest revising > Section 8, too, to state it more explicitly (also possibly with an > example). > > Secondly, does it make most sense? If we have a manually configured > positive trust anchor for "good.example.ke", isn't it better to still > use it for anything on or below that, but skip DNSSEC validation for > everything else on or under .ke? At least this shouldn't mean > "turning off validation for *everyone*" or "just leaving an entire > country unresolvable for many hours", so such arguments don't seem to > be a reason for not doing this. Ah! I've just realized that I'd misunderstood your question -- I'd somehow completely skipped over the "whether **positive** or negative" (emphasis added). This isn't a very common case for us, and so I'm not sure that the authors have discussed it. The way that our resolver works is the most specific ("deepest") TA would win, so, assuming that we had a positive TA for good.example.ke it *would* override the NTA for .ke. I personally (and I think you as well) believe that this makes the most sense, but let me double check with co-authors. Whatever the case, we don't actually address this in the document, and it should be.... > >> > - Section 10 >> > >> > validates can have security considerations. It is therefore >> > recommended that NTA implementors should periodically attempt to >> > validate the domain in question, for the period of time that the >> > >> > I wonder whether this 'should' may better be SHOULD. Not a strong >> > opinion, but it seems to be similar to other recommendations using >> > the capitalized keyword in Section 8. >> >> So, I went to go make that change, and discovered it is already a SHOULD. >> Sometime between when you wrote this mail (11/14) and version -03 I >> incorporated this change. > > It's still a "should" in the 04 version: Will fix. > > validates can have security considerations. It is therefore > recommended that NTA implementors should periodically attempt to > validate the domain in question, for the period of time that the > Negative Trust Anchor is in place, until such validation is again > successful. > (from https://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-04) > >> > - Appendix A: not intending to endorse a particular implementation(s), >> > but I'd suggest clarifying which specific implementations support >> > various recommendations of the draft. For example, BIND 9 is quite >> > diligently follow it while (if my memory is correct and it's still >> > the case today) unbound's support is quite primitive and you cannot >> > specify timeouts. I think it's important to avoid allowing lazy >> > operators to just configure some NTAs and forget them. It would >> > also encourage "lazy developers" to support full recommendations >> > sooner. >> >> I'm a little uncomfortable doing this. This is still only a draft, and >> vendors will continue to add support when it gets published as an RFC. >> I'd hate vendor X to add support for all the rest of the requirements, >> but have customers discriminate against them because the RFC didn't >> predict that... > > Okay, then I won't push that. But I'd like to suggest adding some > more general note like this to Appendix A: > Will do! > Please note: These are simply examples - nameserver operators are > expected to test and understand the implications of these operations. > Note also that some of available implementations may not implement > all recommended functionality in this document. In that case it is > advisable to request the developer or vendor of the implementation > to support the missing feature, rather than start using the > incomplete implementation. > > -- > JINMEI, Tatuya -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf