Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-12

Job Snijders <job@ntt.net> Thu, 17 May 2018 11:29 UTC

To: Geoff Huston <gih@apnic.net>
Cc: Suzanne Woolf <suzworldwide@gmail.com>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rue2WioDthczoAUBqP2ZKGDynf4>

On Mon, May 07, 2018 at 07:07:05PM +0000, Job Snijders wrote:
> 3/ Section 3 states: "The responses received from queries to resolve
> each of these names would allow us to infer a trust key state of the
> resolution environment.".
> From what I understand, in today's DNS world we can only reasonably
> expect to do one query per packet. It is well understood that many
> operators use BGP-4 anycasting (ECMP), the likes of dnsdist, and/or
> simple UDP load balancers. I think it may be good to document that
> running 3 queries (in essence 3 independent experiments) may not
> generate sufficient data to properly infer the state (or any state) of
> the resolution environment. Each query (as part of a single sentinel
> data gathering session) may be handled by an entirely different resolver
> with different keys, contaminating any lookup in the proposed truth
> tables. Section 4 covers a number of cases where the results are
> indeterminate. Maybe it should be added to Section 4 that the client has
> no awareness of how the resolver environment is constructed, and thus
> requiring multiple independent queries to infer state has its downsides.

Do the authors agree with the above observation? If so, we can work to
produce text.

Kind regards,

Job
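As an added illustration of the point raised above (my own example, not text from the draft or from anyone in this thread): the three sentinel queries of one session are dispatched independently over a pool whose members differ in trust-key state, and the result vector is looked up in the truth table. The resolver behaviour and the truth table encode my reading of Section 3 of the draft and are assumptions of this example.

```python
"""Constructed simulation of a KSK sentinel session against a load-balanced pool.
Each sentinel query may land on a different backend, so a mixed pool can yield a
result vector that the truth table maps to a state no single resolver is in."""
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Resolver:
    validating: bool
    sentinel_aware: bool
    trusts_new_ksk: bool  # the key id named in the sentinel labels is in its trust store

    def answer(self, query):
        """Return 'A' (name resolves) or 'SERVFAIL' for one sentinel query kind."""
        if not self.validating:
            return "A"                      # no validation: everything resolves
        if query == "bogus":
            return "SERVFAIL"               # deliberately broken signature fails validation
        if not self.sentinel_aware:
            return "A"                      # validating, but ignores the sentinel labels
        if query == "is-ta":
            return "A" if self.trusts_new_ksk else "SERVFAIL"
        return "SERVFAIL" if self.trusts_new_ksk else "A"   # not-ta

# Truth table as I read Section 3 of the draft (assumption of this example).
TRUTH = {
    ("A", "SERVFAIL", "SERVFAIL"): "Vnew",   # validating, new KSK trusted
    ("SERVFAIL", "A", "SERVFAIL"): "Vold",   # validating, new KSK not trusted
    ("A", "A", "SERVFAIL"): "Vleg",          # validating, not sentinel-aware
    ("A", "A", "A"): "nonV",                 # not validating
}
QUERIES = ("is-ta", "not-ta", "bogus")

def run_session(pool):
    """Send the three queries; each one lands on the next pool member (ECMP-like)."""
    backends = cycle(pool)
    results = tuple(next(backends).answer(q) for q in QUERIES)
    return results, TRUTH.get(results, "indeterminate")

VNEW = Resolver(True, True, True)
VOLD = Resolver(True, True, False)
NONV = Resolver(False, False, False)

if __name__ == "__main__":
    print(run_session([VNEW]))          # homogeneous pool: inference is correct
    print(run_session([VNEW, VOLD]))    # mixed pool: looks like a legacy validator
    print(run_session([VOLD, VNEW]))    # same pool, other order: indeterminate
```

The second and third sessions hit the same two resolvers and produce two different conclusions, neither of which describes either backend.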