[DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

Warren Kumari <warren@kumari.net> Mon, 14 May 2018 18:11 UTC

From: Warren Kumari <warren@kumari.net>
Date: Mon, 14 May 2018 20:10:25 +0200
Message-ID: <CAHw9_iKPTT686F8piMGJG=ESnioaunJDTKurabvMA6NucqvBow@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g-fRI6V2kLprx6WxjnVl0oXldW0>
Subject: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

Dear DNSOP,

The KSK-Sentinel document (
https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-12) makes use
of the (leftmost) labels root-key-sentinel-is-ta-<key-tag> and
root-key-sentinel-not-ta-<key-tag>. If a validating recursive resolver sees
these labels, it performs special handling.

Great, everyone is nodding along so far...

Gulp. Now for the question: Is root-key-sentinel-is-ta-<key-tag> an RFC6761
"Special-Use Domain Name"?

The authors are in disagreement - RFC6761 talks about "Special-Use Domain
*Names*", not "Special-Use Domain *Labels*", but Stuart has said that it
wasn't intended to be only for TLDs / pseudo-TLDs / things starting at the
top of the tree.
My view is that this probably is a SUN; it is a name which requires special
handling.
My co-authors (rightly) point out that "name" is poorly defined, this is a
label not a name, RFC6761 is vague in its use of terminology, and all of
the examples and entries are right-anchored.

We've crafted answers to "the 7 questions" from RFC 6761 below; we don't
care which option the WG selects (we have the text and revisions are free),
but we (and I'm assuming the WG!) desperately don't want this to turn into
another extended discussion on SUN / names vs identifiers vs identities vs
contexts / who has policy control over root / internet governance / etc.

So, please, *clearly* state if you think that this:
A: is a SUN
B: is not a SUN

RFC 8244 [0] was fun, but I'm not sure how much more fun I can handle; we'd
love *clear* guidance by next Friday (May 25th)

"So don't delay, act now, supplies are running out
Allow, if you're still alive, six to eight years to arrive
And if you follow, there may be a tomorrow
But if the offer's shunned
You might as well be walking on the SUN"
     -- Smash Mouth


Note: We are answering the questions as asked, and so use 6761 terminology:
----------------------
IANA Considerations

The IANA is requested to make the following entries in the Special Use
Domain Names registry
(https://www.iana.org/assignments/special-use-domain-names/special-use-
domain-names.xhtml) referencing this RFC

root-key-sentinel-is-ta-<key-tag>.*          RFC XXXX
root-key-sentinel-not-ta-<key-tag>.*         RFC XXXX

Domain Name Reservation Considerations

This refers to the set DNS names where the left-most label matches the
specified patterns.
The answers to the seven questions listed in [RFC6761] are as follows:

1.  Users:
    Human users are not expected to use or recognize these names as
    special, other than those who wish to perform testing of their DNS
    resolution environment. It is expected that the majority of the testing
    will be performed through automated means (e.g: using JavaScript to
    cause the user's browser to trigger a DNS lookup), and so the majority
    of users will never see these.

2.  Application Software:
    No specified behavior is expected of application software.

3.  Name Resolution APIs and Libraries:
    Name resolution libraries are not expected to recognize these names as
    special.

4.  Caching DNS Servers:
    Caching DNS servers which perform DNSSEC validation are
    expected to treat these labels specially, as described in this document.

    Caching DNS servers which are NOT performing DNSSEC
    validation are not expected to treat these names as special.

5.  Authoritative DNS Servers:
    Authoritative domain name servers are not expected to undertake any
    altered behaviour for these names.

6.  DNS Server Operators:
    These reserved Special-Use Domain Names have no potential impact on
    DNS server operators.

7.  DNS Registries/Registrars:
    These names have a special behaviour only when used as the left-most
    label in a name resolution query. They have no special significance
    in any other context and are not required to be treated differently
    in the context of registries and registrars.
------


W

[0]: The Abstract of RFC 8244 says:
"The policy defined in RFC 6761 for IANA registrations in the
"Special-Use Domain Names" registry has been shown, through
experience, to present challenges that were not anticipated when RFC
6761 was written.
...
This document should be considered required reading for IETF
participants who wish to express an informed opinion on the topic of
Special-Use Domain Names."

--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
    ---maf
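As an added illustration, not part of Warren's message or of the draft itself, the following Python models the left-most-label handling the message describes: only a validating resolver acts on the label, and only when it is the left-most one, exactly as answers 4 and 7 of the IANA text state. The details it fills in are taken from RFC 8509 (the KSK-Sentinel RFC the draft became) rather than from this message: the key tag is five zero-padded decimal digits, the label is matched case-insensitively, an is-ta query is answered normally only when the resolver holds that key tag as a root trust anchor (SERVFAIL otherwise), and a not-ta query the other way round. The three-lookup resolver classification (Vnew / Vold / Vleg / nonV / other) is also RFC 8509's; the function names are this example's own, and the key tags 19036 and 20326 (the real KSK-2010 and KSK-2017 tags) are used purely as sample input.

```python
import re

# Added example; not code from the DNSOP message or the draft.
# Assumption (from RFC 8509, not stated in the message): key tag is
# exactly 5 zero-padded decimal digits and the label compares
# case-insensitively.  Only the LEFT-MOST label is examined.
SENTINEL_RE = re.compile(r"^root-key-sentinel-(is-ta|not-ta)-(\d{5})$",
                         re.IGNORECASE)


def parse_sentinel(qname: str):
    """Return ("is-ta" | "not-ta", key_tag) when the left-most label of
    qname is a sentinel label, else None.  A trailing dot is tolerated."""
    left = qname.rstrip(".").split(".")[0]
    m = SENTINEL_RE.match(left)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2))


def sentinel_decision(qname: str, trust_anchor_tags, validating: bool = True) -> str:
    """Model the resolver-side special handling.

    Returns "normal" (answer the query as usual) or "servfail".
    Non-validating resolvers and non-sentinel names are never affected,
    matching answer 4 in the IANA text.  Assumed semantics (RFC 8509):
      is-ta-<tag>  -> normal if <tag> is a configured root TA, else SERVFAIL
      not-ta-<tag> -> SERVFAIL if <tag> is a configured root TA, else normal
    """
    parsed = parse_sentinel(qname)
    if parsed is None or not validating:
        return "normal"
    kind, tag = parsed
    have_key = tag in set(trust_anchor_tags)
    if kind == "is-ta":
        return "normal" if have_key else "servfail"
    return "servfail" if have_key else "normal"


def classify_resolver(is_ta_ok: bool, not_ta_ok: bool, bogus_ok: bool) -> str:
    """Client-side view: the automated test (answer 1 mentions JavaScript
    driving browser lookups) issues three queries for the *new* key tag and
    records whether each resolved.  Classification per RFC 8509 section 4
    (assumed here, not stated in the message):
      is_ta_ok  : root-key-sentinel-is-ta-<newtag>.<zone> resolved
      not_ta_ok : root-key-sentinel-not-ta-<newtag>.<zone> resolved
      bogus_ok  : a deliberately DNSSEC-broken control name resolved
    """
    if not bogus_ok and is_ta_ok and not not_ta_ok:
        return "Vnew"   # validating, sentinel-aware, has the new KSK
    if not bogus_ok and not is_ta_ok and not_ta_ok:
        return "Vold"   # validating, sentinel-aware, lacks the new KSK
    if not bogus_ok and is_ta_ok and not_ta_ok:
        return "Vleg"   # validating but without sentinel support
    if bogus_ok and is_ta_ok and not_ta_ok:
        return "nonV"   # no DNSSEC validation at all
    return "other"      # mixed/inconsistent results (e.g. several resolvers)


if __name__ == "__main__":
    # Constructed sample: a resolver that has only KSK-2017 (tag 20326) as TA.
    tas = {20326}
    zone = "example.com."  # placeholder test zone
    for name in (f"root-key-sentinel-is-ta-20326.{zone}",
                 f"root-key-sentinel-is-ta-19036.{zone}",
                 f"root-key-sentinel-not-ta-19036.{zone}",
                 f"www.root-key-sentinel-is-ta-20326.{zone}"):
        print(f"{name:50s} -> {sentinel_decision(name, tas)}")
    print("classification:", classify_resolver(True, False, False))
```

The `www.root-key-sentinel-is-ta-20326...` case is the one that matters for the SUN question: the same string one label deeper is deliberately not special, which is what makes the registry entry a left-anchored pattern rather than a right-anchored name.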