IETF Logo Mail Archive

Re: [DNSOP] Updated KSK Sentinel document

Warren Kumari <warren@kumari.net> Wed, 21 February 2018 19:10 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A95912D94E for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 11:10:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JIAZeIMxplSx for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 11:10:42 -0800 (PST)
Received: from mail-wr0-x22b.google.com (mail-wr0-x22b.google.com [IPv6:2a00:1450:400c:c0c::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E65F1124BAC for <dnsop@ietf.org>; Wed, 21 Feb 2018 11:10:41 -0800 (PST)
Received: by mail-wr0-x22b.google.com with SMTP id s5so7543906wra.0 for <dnsop@ietf.org>; Wed, 21 Feb 2018 11:10:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=TfsjM9zlQOchAP9df8nQQnhvU/sQ6CrIEORTNEAnCS0=; b=AQ/kqSm5Wkx2A2Cdfa3vU3KOmgo1ZvJOXODYucYUKka9zNaxWgdq2QyVceCv1bg41E 0XeJd2oRnAFsv4yAVO/DJzAEijHnPVpTAjRIQVSo79toTNA45KM2UcaYx8zguQP9DtNw NT8ql3szA3lMb3Y70hi5wXXMoieYqHH71ne2AC5/HZJDNImz+5MUMGZB/rhrgpl8c6sc 47uWxJ8QAXN74wcyZ5xUgXB4gaxjRol77D3GUnjx6UW0zLiFWLVXf4kP3VBpgTc7kbRb Ev/80E14C1ylet6HpoqCeckSAW1XUGIq4TOicW3U1gowTVemydisuHK3xY70GHjb4D0N RjwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=TfsjM9zlQOchAP9df8nQQnhvU/sQ6CrIEORTNEAnCS0=; b=emkKxVp24hpDUI7YHIo9RkMbk/sKA4IqBzUhqsA+cyIAAyyXksu2ylM0HPAC+y/4zW LKE5tioQVmO0X7OZEcbmLSX5dP5nhqb6TzmwJ8G4L0YU973mu+fCx+5xII/bgs6yTQjY fp49CcJR/b3C3HdTX0T1+wxC44uy6/ahxWPqzokTP+BPgJYStf1S2SMJUbIA0c0GTU9b SiUNDDE4u65QMHH1kgsxZW/x8ONcLceIQh4Y0HTSrz9sOMPLv1y1la8PoBBpQrH1yUl5 xkskKy0LSgQ51qPESmMYyHlR8Ng7COwlC/16RIRMTbl3jI4HGxz0t5UdQGoDq0bO1+As iDdQ==
X-Gm-Message-State: APf1xPBONqNn4zw2FBdKWF52GRwTt5gVDplSFX5gRFOvjy5MVo+xdqKA HPonkH/lRQaNPYsY0rRaNe3C0KAKJfSHD2GI3KX6IyWbUnc=
X-Google-Smtp-Source: AH8x226joY9jy8cCJrA+37oc+mCUuTaEFAV2FNvZhkl5lULRf7ps2B+yS/HfFjDJnQrp5MsusmSgx3fS8f3PQFCDRjA=
X-Received: by 10.223.134.42 with SMTP id 39mr4060491wrv.10.1519240239853; Wed, 21 Feb 2018 11:10:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.152.242 with HTTP; Wed, 21 Feb 2018 11:09:59 -0800 (PST)
In-Reply-To: <CAJE_bqcbcEaS5PAvVQ+s98p6J3vszpkUrBgdDxEJOvkJ79V1gQ@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <CAJE_bqeTyiotHcnuQ69=dF+MWXwztNNqamRf5BCOj04hhVGrgA@mail.gmail.com> <CAHw9_i+G4V85oH96H9DgZR+mh9vnNA464wUezpyaUmCTqtHdqA@mail.gmail.com> <CAJE_bqcbcEaS5PAvVQ+s98p6J3vszpkUrBgdDxEJOvkJ79V1gQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 21 Feb 2018 14:09:59 -0500
Message-ID: <CAHw9_i+qY+1mgvPuuE0qBZWpjQ4wncvB=nQiZy_Y1+b6FRaQ5w@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/le09T01wEU7WTM-tdssKOhCJJzg>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 19:10:44 -0000

On Wed, Feb 21, 2018 at 1:44 PM, 神明達哉 <jinmei@wide.ad.jp> wrote:
> At Wed, 21 Feb 2018 08:53:23 -0500,
> Warren Kumari <warren@kumari.net> wrote:
>
>> > - General
>> >   I think it's worth pointing out that SERVFAIL can be returned for
>> >   various other reasons and the detection mechanism relying on it
>> >   isn't reliable.  This is probably okay given the purpose of this
>> >   detection, but I think it's better to note it explicitly.
>>
>> Good point. I had some trickiness writing this - how is "The
>> techniques describes in this document rely on (DNSSEC validating)
>> resolvers responding with SERVFAIL (RCODE 2) to valid answers. Note
>> that a slew of other issues can also cause SERVFAIL responses, so
>> false positive or negative results may sometimes occur." ?
>
> Works for me, except that I might avoid 'false positive/negative' as
> it's often ambiguous or confusing (exactly what "false positive" means
> depends on the context).  I'd personally say something like "..., so
> the sentinel processing (Section 4) may sometimes result in incorrect
> conclusions".  But that's probably minor in the entire context of this
> document, so I'd leave it to you.

Thanks, I changed it (in the editor copy) to ", so the sentinel
processing (Section 4) may sometimes result in incorrect conclusions".
When I initially added the false positive/false negative text I spent
some time trying to figure out if it was a false positive or false
negative... and then just listed both :-)


>
>> > - Section 3
>> >
>> >    [...]  Note
>> >    that the <tag-index> is specified in the DNS label using hexadecimal
>> >    notation.
>> >
>> >   I suggest clarifying whether '<tag-index>' contains leading 0s
>> >   somewhere in the document (this may not be the best place to do so,
>> >   but this is the first reference to 'tag-index' that made the
>> >   question occur to me).
>>
>> Hmmm... Good point. I personally actually preferred having these as
>> "decimal" keys.
>> RFC1034, Sec 5.3: The DS RR Presentation Format sayeth:
>>    " The Key Tag field MUST be represented as an unsigned decimal
>> integer.", things like dig +multiline DNSKEY . shows it as decimal,
>> etc.
>> My initial demos (www.ksk-test.net) also all used decimal. Petr
>> recently pointed out to me that I'd messed up, and so I converted my
>> demo to use hex, as the draft states.
>> What does the WG prefer? Is the new KSK called "20326" or it is "4f66"?
>>
>> Note that Knot Resolver 2.1  already implements (thank you!) this, and as hex.
>> But, yes, either way, we need to note if it is padded.
>> [TODO(WK): Raise the hex vs Dec issue]
>
> Personally I don't have a strong opinion/preference on hex vs decimal
> or with or without leading zeros as long as it's clearly specified.
> But I see the point of preferring the decimal representation you
> showed above.  https://data.iana.org/root-anchors/root-anchors.xml
> also uses the decimal representation, so especially if we expect the
> usage of this query by a human operator who builds the query name by
> hand, it would be more convenient if it's consistent with other common
> representations, which is currently decimal.  But again, I don't have
> a strong opinion.

I'll start a separate thread on this question. I have a feeling that
I'm bikeshedding here, but decimal seems preferable to me.

>
>> > - Section 3
>> >
>> >    If the resolver has not placed a
>> >    Root Zone Key Signing Key with tag index value matching the value
>> >    specified in the query into the local resolver's store of trusted
>> >    keys, then the resolver should return a response indicating that the
>> >    response contains authenticated data according to section 5.8 of
>> >    [RFC6840].
>> >
>> >   Should we perhaps define "store of trusted keys" more precisely?
>> >   For example, if a key is in the "AddPend" status (per RFC5011) for
>> >   the resolver, should it be considered in the "store of trusted
>> >   keys"?
>>
>> Nope. Well, yes, we need to better define it, but no, a key in AddPend
>> is not considered.
>> We explicitly mean "keys which are active and can be used for
>> validating entries in the root zone."
>
> To be clear, I didn't think a key in the "AddPend" state is considered
> to be in the "store of trusted keys".  I just pointed out that it may
> not be super clear.  And so...

Yup - you are right, it wasn't super clear (and I'd assumed that you
didn't think that AddPend counted, but it doesn't hurt to clarify in
the doc).
Thanks.

>
>> We have: "In particular, this response mechanism can be used to
>> determine whether a certain Root Zone KSK is ready to be used as a
>> trusted key within the context of a key roll by this resolver."
>> and I added:
>> "An active key is one which could currently be used for validation (ie
>> not in AddPend or Revoked state (RFC5011)).
>>
>> Sounds reasonable?
>
> yes it does.

Yay!
>
>> >   BTW, you might want to say 'a query for an Address Record' or 'an
>> >   Address Record query' instead of 'an A or AAAA query' (I guess
>> >   that's the intent of the introduction of this term.  See also my
>> >   first comment on Section 1.1 above).
>>
>> Actually, there are small enough number of occurrences that explicitly
>> listing them (and not creating a new term) seemed better, so (see
>> ablove) I removed the "Address Record" term and left in the "A or
>> AAAA" stuff - please let me know if you agree.
>
> Works for me.

Excellent!
W

>
> --
> JINMEI, Tatuya



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email