Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-03.txt

Mark Andrews <> Mon, 05 March 2018 23:28 UTC

From: Mark Andrews <>
Date: Tue, 6 Mar 2018 10:27:58 +1100
Cc: Geoff Huston <>, dnsop <>
To: "Wessels, Duane" <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-03.txt
List-Id: IETF DNSOP WG mailing list <>

> On 6 Mar 2018, at 9:31 am, Wessels, Duane <> wrote:
>> On Mar 3, 2018, at 2:32 PM, Geoff Huston <> wrote:
>> I guess that the knowledge that resolver X trusts a key with a hash value of Y does not leave me much the wiser in terms of exploitable knowledge about the (in)security of that resolver.
> If there is a key or algorithm compromise for key Y then that seems like useful information to an attacker.
>> Aren’t we getting into issues of DNS privacy here rather than the sentinel per se? It's not as if the sentinel process calls for any change in the DNS query response mechanism. There is no forking off information to third parties in any form in this draft - the user agent asks a particular query form to its DNS resolvers and the user agent will get a response. As far as I can tell, in the same way that the DNS itself admits third parties to look over the shoulder of DNS transactions in every other DNS query and response, this is no different as far as I can tell. And in the same way as various DNS privacy mechanisms make it harder for third parties to eavesdrop on user activity, this is no different, and the user agent can take the same measures to attempt to increase the eavesdropping degree of difficulty on sentinel queries as much as any other DNS query that the user agent may make.
>> It seems I must be missing something here that has triggered your concerns, Duane - could you explain them in a little more detail?
> No, I wasn't thinking of eavesdropping.  I'm thinking whatever Geoff can do, a motivated nation state can just as easily do.  For example...
> The country of Freedonia decides it doesn't trust the ICANN-controlled Internet and goes off and builds its own root server system and signs its version of the root zone with its own set of DNSSEC keys.  Persons and organizations operating in Freedonia are required to install this trust anchor and remove the IANA trust anchor.  kskroll sentinel provides a way for Freedonia to monitor compliance with this policy.  They can use known techniques (ads, embedded javascript, unique URL hostnames) to learn which keys are in the trust anchor set for resolvers/devices within (and even outside) its realm.

And recursive servers will just be modified to lie to hide non-compliance. Also, how do you prevent there being minor differences in the zone content which are identifiable?

> DW

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET:
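Duane's scenario above, in which a third party uses sentinel queries to learn which trust anchors a resolver holds, has a detection side for resolver operators. The Python below is an added example, not code from this thread, from the draft, or from any of its authors: it scans resolver query logs for sentinel-labelled names, groups them by client, and flags clients that probe more distinct key tags than a rollover-readiness measurement needs (a measurement needs the outgoing and incoming root KSK tags, so the threshold of two is an assumption). The label syntax matched is the one RFC 8509 later specified (root-key-sentinel-is-ta-<key-tag> and root-key-sentinel-not-ta-<key-tag>); the prefix used by the -03 draft may differ, so a generic kskroll-sentinel- prefix is also accepted, and the regex should be adjusted to the deployed syntax. The log lines are constructed in a BIND querylog-like shape and are not real data; key tags 20326 and 19036 are the public tags of the 2017 and 2010 root KSKs, and 12345 is made up.

```python
import re
from collections import defaultdict

# Sentinel label syntax. ASSUMPTION: this is the RFC 8509 form
# ("root-key-sentinel-is-ta-<key-tag>" / "root-key-sentinel-not-ta-<key-tag>");
# a generic "kskroll-sentinel-" prefix is also accepted because the -03 draft's
# label prefix may differ. Adjust for the syntax actually deployed.
SENTINEL_RE = re.compile(
    r"^(?:root-key-sentinel|kskroll-sentinel)-(is|not)-ta-(\d{1,5})\.",
    re.IGNORECASE,
)

# One query-log line in a BIND9 querylog-like shape (ASSUMPTION: field layout).
LINE_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN"
)

# Constructed sample log, not real traffic. 192.0.2.10 performs one ordinary
# is-ta/not-ta measurement for a single key tag; 198.51.100.7 walks through
# several key tags in quick succession, which looks like trust-anchor enumeration.
SAMPLE_LOG = """\
05-Mar-2018 23:28:00.001 client 192.0.2.10#51000: query: root-key-sentinel-is-ta-20326.example.net IN A + (203.0.113.1)
05-Mar-2018 23:28:00.002 client 192.0.2.10#51001: query: root-key-sentinel-not-ta-20326.example.net IN A + (203.0.113.1)
05-Mar-2018 23:28:01.100 client 192.0.2.10#51002: query: www.example.net IN A + (203.0.113.1)
05-Mar-2018 23:28:02.000 client 198.51.100.7#40000: query: root-key-sentinel-is-ta-20326.probe.example IN A + (203.0.113.1)
05-Mar-2018 23:28:02.010 client 198.51.100.7#40001: query: root-key-sentinel-not-ta-20326.probe.example IN A + (203.0.113.1)
05-Mar-2018 23:28:02.020 client 198.51.100.7#40002: query: root-key-sentinel-is-ta-19036.probe.example IN A + (203.0.113.1)
05-Mar-2018 23:28:02.030 client 198.51.100.7#40003: query: root-key-sentinel-not-ta-19036.probe.example IN A + (203.0.113.1)
05-Mar-2018 23:28:02.040 client 198.51.100.7#40004: query: root-key-sentinel-is-ta-12345.probe.example IN A + (203.0.113.1)
05-Mar-2018 23:28:02.050 client 198.51.100.7#40005: query: root-key-sentinel-not-ta-12345.probe.example IN A + (203.0.113.1)
"""


def parse_sentinel_queries(log_text):
    """Return (client, kind, key_tag, parent_zone) for every sentinel-labelled query."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        s = SENTINEL_RE.match(qname)
        if not s:
            continue  # ordinary query, not a sentinel probe
        kind, tag = s.group(1).lower(), int(s.group(2))
        parent = qname.split(".", 1)[1]  # zone the sentinel label hangs under
        events.append((m.group("client"), kind, tag, parent))
    return events


def summarize_by_client(events):
    """Per client: distinct key tags probed, parent zones used, and complete is/not pairs."""
    summary = defaultdict(lambda: {"tags": set(), "zones": set(), "pairs": 0})
    kinds_seen = defaultdict(set)
    for client, kind, tag, zone in events:
        summary[client]["tags"].add(tag)
        summary[client]["zones"].add(zone)
        kinds_seen[(client, tag)].add(kind)
    # A complete measurement of one key tag is an is-ta query plus a not-ta query.
    for (client, tag), kinds in kinds_seen.items():
        if kinds == {"is", "not"}:
            summary[client]["pairs"] += 1
    return dict(summary)


def flag_enumeration(summary, max_tags=2):
    """Clients probing more distinct key tags than one rollover measurement needs.

    ASSUMPTION: a legitimate readiness check covers the outgoing and incoming
    root KSK, so more than two distinct tags from one client is treated as
    enumeration of the resolver's trust-anchor set.
    """
    return sorted(c for c, s in summary.items() if len(s["tags"]) > max_tags)


if __name__ == "__main__":
    summary = summarize_by_client(parse_sentinel_queries(SAMPLE_LOG))
    for client, s in summary.items():
        print(client, "tags=%s pairs=%d zones=%s" % (sorted(s["tags"]), s["pairs"], sorted(s["zones"])))
    print("enumeration suspects:", flag_enumeration(summary))
```

The per-client summary is the useful unit here: a single is-ta/not-ta pair for the current and incoming key tags is what the sentinel is designed for, while a client sweeping many tags (or many parent zones under its control) is learning the resolver's trust-anchor set rather than checking rollover readiness. Mark's point that a resolver can simply be modified to answer dishonestly applies equally to this monitoring: the log shows who asked, not what the asker inferred.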