Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-03.txt

"Wessels, Duane" <dwessels@verisign.com> Tue, 06 March 2018 00:30 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Geoff Huston <gih@apnic.net>
CC: dnsop <dnsop@ietf.org>
Date: Tue, 06 Mar 2018 00:30:00 +0000
Message-ID: <72A1494B-E266-41AF-B215-07153FC70FCF@verisign.com>
References: <151984683961.5212.6854317117587193083@ietfa.amsl.com> <39567D9A-312D-42A8-A108-C8F7EE249668@verisign.com> <99AB422F-C607-412B-BC5C-A1DE17CD2393@apnic.net> <2C0BDA4D-E1E4-48A1-AB54-EFF31F55EB7E@verisign.com> <DE4E39D1-DD65-44C7-9120-3C155D460BDC@apnic.net>
In-Reply-To: <DE4E39D1-DD65-44C7-9120-3C155D460BDC@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kmaWABpsp2f73huHgK5LpEaSssg>

> On Mar 5, 2018, at 4:05 PM, Geoff Huston <gih@apnic.net> wrote:
> 
> For example, if researcher Duane sets up a test zone in Freedonia and sets up validly and invalidly signed domain names within the Freedonia name realm, then couldn't an Ad-based large-scale test reveal this information anyway without recourse to a sentinel? Endpoints outside Freedonia would presumably see two invalidly signed names, while folk within the realm would see the validly signed one and not the other. I.e., the sentinel approach would not be the only way to expose this information.

I think it's different.  The above can tell you whether certain names were resolvable (maybe even validatable?) but kskroll sentinel tells you that specific key tags are or are not present in the TA store even if those keys don't have "active" chains of trust.

DW
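As an added illustration of the distinction Duane draws (not part of this thread or of the draft's text), the following model simulates both sides of the sentinel test: how a resolver answers the is-ta / not-ta names purely from trust-anchor-store membership, and how a client classifies the three results. The label prefixes and the outcome matrix are assumed from the published sentinel specification rather than the -03 draft; the `example.` zone and `bogus.example.` name are constructed, and 19036/20326 are the well-known 2010 and 2017 root KSK tags used only as sample values.

```python
"""Model of the KSK-roll sentinel test: resolver behaviour and client classification."""
from dataclasses import dataclass, field

# Label prefixes assumed from the published sentinel spec; the -03 draft may differ.
SENTINEL_IS_TA = "root-key-sentinel-is-ta-"
SENTINEL_NOT_TA = "root-key-sentinel-not-ta-"


def sentinel_names(key_tag: int, zone: str = "example.") -> tuple[str, str]:
    """Build the is-ta / not-ta test names for a key tag (five digits, zero padded)."""
    tag = f"{key_tag:05d}"
    return (f"{SENTINEL_IS_TA}{tag}.{zone}", f"{SENTINEL_NOT_TA}{tag}.{zone}")


@dataclass
class Resolver:
    validating: bool
    sentinel_aware: bool
    ta_tags: set = field(default_factory=set)  # key tags held in the trust-anchor store


def resolve(r: Resolver, qname: str, bogus: bool = False) -> str:
    """Return 'A' (answer) or 'SERVFAIL' as a resolver of this kind would.

    Sentinel names are validly signed; only TA-store membership of the tag decides
    the answer, never whether that key currently anchors an active chain of trust.
    """
    if bogus:  # a deliberately invalidly signed control name
        return "SERVFAIL" if r.validating else "A"
    label = qname.split(".")[0]
    if r.validating and r.sentinel_aware:
        if label.startswith(SENTINEL_IS_TA):
            return "A" if int(label[len(SENTINEL_IS_TA):]) in r.ta_tags else "SERVFAIL"
        if label.startswith(SENTINEL_NOT_TA):
            return "SERVFAIL" if int(label[len(SENTINEL_NOT_TA):]) in r.ta_tags else "A"
    return "A"  # legacy validators and non-validators answer both sentinel names


def classify(is_ta: str, not_ta: str, bogus: str) -> str:
    """Client-side reading of the three results (outcome matrix from the spec)."""
    outcomes = {
        ("A", "SERVFAIL", "SERVFAIL"): "Vnew",  # validates, sentinel-aware, tag in TA store
        ("SERVFAIL", "A", "SERVFAIL"): "Vold",  # validates, sentinel-aware, tag absent
        ("A", "A", "SERVFAIL"): "Vleg",         # validates but ignores sentinel labels
        ("A", "A", "A"): "nonV",                # does not validate at all
    }
    return outcomes.get((is_ta, not_ta, bogus), "Vind")  # anything else: indeterminate


def probe(r: Resolver, key_tag: int) -> str:
    """Run the full three-query sentinel test against a resolver model."""
    is_ta_name, not_ta_name = sentinel_names(key_tag)
    return classify(resolve(r, is_ta_name), resolve(r, not_ta_name),
                    resolve(r, "bogus.example.", bogus=True))
```

Note that `probe` reports Vnew for a resolver holding tag 20326 even though the model never asks whether that key signs anything, which is exactly the information a resolvable/non-resolvable test zone cannot provide.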