IETF Logo Mail Archive

Re: [DNSOP] Updated KSK Sentinel document

Warren Kumari <warren@kumari.net> Wed, 21 February 2018 14:03 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826BC127077 for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 06:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5aikA1qb0-s for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 06:03:35 -0800 (PST)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0595312D779 for <dnsop@ietf.org>; Wed, 21 Feb 2018 06:03:35 -0800 (PST)
Received: by mail-wr0-x22f.google.com with SMTP id o76so4788958wrb.7 for <dnsop@ietf.org>; Wed, 21 Feb 2018 06:03:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=TewFvtFCraOqRETEbfGQeVymi7GLHorD6ZJlhMt5aSU=; b=XgvuVhkTKhlNaP1ZRlds7hC0eMIZO4vsN4Nw+W2VHJ43McpBxvXSjBg+gpuOMPSyuw nSpQhCviuJrm0BV294q9sgQ+Rp+dsbdiUZDAoMzxIEqk2CkXBkl9b/I2DS7IgpiVRBwg CWjtD7aAG0+AiNeMwEdZm4UTj3chMwphMxFgOlMvpHpz1hIsejg0vU10KQMtchps/Nf1 R6wGs6e1YZ/hNv93Ml/plMz5mEfKJWH+pSGUAxZ7FiKE495FtVTcPKhpRt4Obq5+6JeF 2Junp6F/zgTksaEcYNRKwz0MIidI3QxElJsKZP5JH4M49ceQNlGXxbXGKSguKV3wy8ng c4NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=TewFvtFCraOqRETEbfGQeVymi7GLHorD6ZJlhMt5aSU=; b=O9PfuoYhAONltEJtxoKxCPKKnn8qc5I31emNrv5AzFa2G2pptzl9h0Fiz5LoV1QAJb ZWcKOzXgsOXA0ILzdmPIEF5Dwv3D9FzWxAQGnrSCzDdtHURDmImUPYlpyIaH1IVWdgkz c8pgvfbnWO9oqWF4LnWlgFWjgO6WJ4XXBN5wxz60tozBuC76J/Tl9+WGmNuwTV9xRCJ3 svxTRfSd9l6Bm3NR7tDh/yTudo/IlBOejMJ89gXAMTL/4Siqa08t/1EfcpIdy2K6pEUw L5E2Y+AskP7g9udO/cjgsYmnhXCFvrn1cfdm3jzbKVagquvklDxRY+iZ6JjhiuyB4FYD t3ng==
X-Gm-Message-State: APf1xPAqMmESPVE+bgBkYKlk2bOXN1OOBo/BE1DEwaeg9xlZGZJaU2Nr /eCHKJLRH6QbCmYGas/uW5RvEKC4ULLrT7Td9E0ZaKqp
X-Google-Smtp-Source: AH8x2253SWEQVtG+F2LjvvyCougHZYHGUWxtwmuyHovsNI69zUvFDBD9qXW7g1lBh5lJDxN3sbC44wbFtPDRAyMrtb0=
X-Received: by 10.28.39.67 with SMTP id n64mr609535wmn.0.1519221813142; Wed, 21 Feb 2018 06:03:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.152.242 with HTTP; Wed, 21 Feb 2018 06:02:52 -0800 (PST)
In-Reply-To: <02D558F6-F820-4627-BAC6-1A38AB00B4F5@sinodun.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <02D558F6-F820-4627-BAC6-1A38AB00B4F5@sinodun.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 21 Feb 2018 09:02:52 -0500
Message-ID: <CAHw9_iKOW=dVC6VtWJfCoe1Sk2016zpQgQZ4zVXAr4G2kUrDWQ@mail.gmail.com>
To: John Dickinson <jad@sinodun.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u8c5DzDqEroZOHfB08N3rt0IQ90>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 14:03:37 -0000

On Fri, Feb 16, 2018 at 12:35 PM, John Dickinson <jad@sinodun.com> wrote:
> Hi,
>
> I like what this draft is trying to do.
>
> I am a bit concerned about adding a invalid RR in to a otherwise correctly
> signed zone. It suspect that there may be a variation in how validating
> resolvers treat authoritative servers that appear to have sent bogus data.
> Some might retry, retry other auth servers, stop using that server
> altogether etc etc…
>
> I suggest that the example A/AAAA RRs on page 4 be written fully qualified
> so there can be no doubt that this draft does not imply new special names at
> the root (which is what I first thought).

Thank you, that's a good catch -- I've made the names in the
"zonefile" all be fully qualified. The fact that these labels can live
anywhere in the tree was a common souce of confusion, so I should have
caught that earlier.

>
> In the discussion of Charlie’s resolvers I think “from
>    this he knows (see the logic below) that he is using legacy, non-
>    validating resolvers.”
>
> should have the “non-“ removed.

Yup, apologies, that was an unfortunate cut-n-paste error. Fixed, and
I just posted a new version incorporating your and Jinmei's comments.

Review and feedback appreciated,
W

>
> regards
> John
>
>
>
> On 12 Feb 2018, at 20:28, Warren Kumari wrote:
>
>> <author hat only>
>>
>> Hi all,
>>
>> Sorry it has taken so long to get a new version of this document
>> posted - you deserve better.
>>
>> Anyway, we've finally posted an updated version -
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
>>
>> This version includes a (hopefully easily understood) description of
>> how this would actually be used, and not just "here's a protocol, k,
>> thnx, bye!". I've tried to layout what each party does, and how it all
>> fits together - please let me know if it isn't clear. This section is
>> towards the top of the document - we will likely make it an Appendix
>> before publication.
>>
>> I've also updated it to use the kskroll-sentinel-is-ta-<id> format. It
>> is easy to change again in the future, but this seemed to be what the
>> working group liked. I also updated my demo implementation
>> (http://www.ksk-test.net) to use this naming scheme.
>>
>> This version also clarifies that the test is "Is the Key ID a DNSSEC
>> root KSK?" Originally my view was that it should be "Is there *any*
>> key in the trust store with this keyID?", but after running some
>> numbers I decided that there is a significant chance of false
>> positives.
>>
>> As I mentioned, it took an embarrassingly long time to post the update
>> - please let us know if we missed your comments.
>>
>> W
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>    ---maf
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
>
>
> John Dickinson
>
> http://sinodun.com
>
> Sinodun Internet Technologies Ltd.
> Magdalen Centre
> Oxford Science Park
> Robert Robinson Avenue
> Oxford OX4 4GA
> U.K.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email