Re: [DNSOP] draft-huston-kskroll-sentinel

Re: [DNSOP] draft-huston-kskroll-sentinel - naming format?

Geoff Huston <gih@apnic.net> Tue, 31 October 2017 15:34 UTC

From: Geoff Huston <gih@apnic.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 31 Oct 2017 19:27:06 +0400
References: <027a469c-5bb6-7940-fd89-55b91dd97275@bellis.me.uk> <20171030174052.GB87160@isc.org> <ce2c26be-d944-345c-0e63-d063682c78a6@bellis.me.uk> <alpine.DEB.2.11.1710311427140.22527@grey.csi.cam.ac.uk>
To: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.11.1710311427140.22527@grey.csi.cam.ac.uk>
Message-Id: <12DEDFB4-AA8B-4495-AFA0-CB72AE03B2FE@apnic.net>
Received-SPF: None (protection.outlook.com: apnic.net does not designate permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Oct 2017 15:27:29.8962 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: bd5e9f01-e94a-4cbb-9192-08d52073e6e7
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 127d8d0d-7ccf-473d-ab09-6e44ad752ded
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2PR04MB0691
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vsUQ-MqQDGQNjNqQugzOqlUJSk8>
Subject: Re: [DNSOP] draft-huston-kskroll-sentinel - naming format?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 15:34:15 -0000

> On 31 Oct 2017, at 6:34 pm, Tony Finch <dot@dotat.at> wrote:
> 
> Ray Bellis <ray@bellis.me.uk> wrote:
>> On 30/10/2017 17:40, Evan Hunt wrote:
>> 
>>> IIRC we discussed it, and were concerned that _ta. could be cached as
>>> nonexistent by servers implementing QNAME minimization.
>> 
>> How would that happen, at least so long as _ta responds like any other
>> empty non-terminal?
> 
> It's NXDOMAIN. (It'll also fall foul of RFCs 8020 and 8198.)
> 
> The problem occurs if you have a validator behind a cache. The cache will
> prevent downstream id._ta. queries from reaching the root, so any
> downstream trust anchor variation will be lost.
> 

The mechanism does not rely on these queries reaching the root. It's the signal back to the querier that’s important here. So even caching is quite ok. The critical aspect of this mechanism is that it is not intended to measure resolvers, but detect if an end user has a DNS resolution environment that will (or will not) be impacted by a roll in the KSK to a named (via a key tag value) new KSK.

Certainly it would remove some of the QNAME minimisation issues if the test is based on a single label as defined in the draft, and on reflection I _think_ its probably more robust if its the terminal label, but frankly I’m not sure about that latter point. 

Geoff

[DNSOP] draft-huston-kskroll-sentinel - naming fo… Ray Bellis
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Evan Hunt
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Ray Bellis
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Tony Finch
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Joe Abley
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Ray Bellis
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Ray Bellis
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Geoff Huston
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Geoff Huston
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Joe Abley
Re: [DNSOP] draft-huston-kskroll-sentinel - namin… Paul Vixie