IETF Logo Mail Archive

Re: [DNSOP] kskroll-sentinel and unclear results

Geoff Huston <gih@apnic.net> Thu, 31 May 2018 23:50 UTC

Return-Path: <gih@apnic.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDAFA12DA40 for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 16:50:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=apnic.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBjn5bKK9eHr for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 16:50:45 -0700 (PDT)
Received: from APC01-HK2-obe.outbound.protection.outlook.com (mail-hk2apc01on0600.outbound.protection.outlook.com [IPv6:2a01:111:f400:febc::600]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBCD212DA04 for <dnsop@ietf.org>; Thu, 31 May 2018 16:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.onmicrosoft.com; s=selector1-apnic-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=180HdLfjnTg8/K8hACsOKOpUvd83FrPA70OCVSWE36A=; b=F0s1m5XUYTQhTSLECQgwND6wu+3UF2LlwkrZQcaZ5K+lbe05jVOSNYiq54R21FpbczPg9d/+4xPOP7v9g+5SrJpi/S6LfNxBsc36lPcDm1lT3niKEGcRQsSQAsXJWQA72AswZNaxYqukVG2KOdvzMbanK/hd3Bv5Vgsw2IDxjJA=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=gih@apnic.net;
Received: from [IPv6:2001:388:1000:110:315c:262d:4e22:76e7] (2001:388:1000:110:315c:262d:4e22:76e7) by PS1PR04MB1180.apcprd04.prod.outlook.com (2a01:111:e400:782a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.797.11; Thu, 31 May 2018 23:50:39 +0000
From: Geoff Huston <gih@apnic.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Fri, 01 Jun 2018 09:49:25 +1000
References: <A53AF3DD-205D-4A8D-82DF-3255287FAFB0@vpnc.org> <CAHw9_iLV3R8YxZdN1==FBhekrmSDx+xPm1_Xj8q_1qi0MJ6FGQ@mail.gmail.com> <607759DF-1039-4BA9-A48C-60CF54398BA5@vpnc.org> <CAHw9_iKp=XKoU_kp0R-zZ1-jxaJOXLY5teh-MRsPjXOjQqtxKw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <CAHw9_iKp=XKoU_kp0R-zZ1-jxaJOXLY5teh-MRsPjXOjQqtxKw@mail.gmail.com>
Message-Id: <970EF265-57FE-4A0A-8AB5-772CD8C76BBF@apnic.net>
X-Mailer: Apple Mail (2.3445.6.18)
X-Originating-IP: [2001:388:1000:110:315c:262d:4e22:76e7]
X-ClientProxiedBy: HK0P153CA0046.APCP153.PROD.OUTLOOK.COM (2603:1096:203:17::34) To PS1PR04MB1180.apcprd04.prod.outlook.com (2a01:111:e400:782a::16)
X-MS-PublicTrafficType: Email
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:PS1PR04MB1180;
X-Microsoft-Exchange-Diagnostics: 1; PS1PR04MB1180; 3:GtJ71COGqQsCe7XNP8/VfRY4AzeIjYJBmriC7b+yWcxjeGOLo+bDphUXHSGVFE8VQ1NwwlnxBJSEVb3tN0P9CpGFX6OLDtFwqYNjAbIZO9rh2kGztGShg45F0MNYpFSll1cUaealvQ2lFbIrgTlnovi26rh0U1I2/dC/bIXTp5spcbn26Gk/yK/ZuXh63/d3EEVFg50QOu/b97vpD+rqjElAGXP+RjxmKL4s+e/gyfbPXkOnRH22iB/u1EwzYRGk; 25:NiHGZP/OgqWsAQXer5nd7GND3tlkVwdqU4wkon2k1CZD5IvXKQg+fPqyRju8jhMytUhV6g0s0NxqedKtBcsbfJa9R8+6tHERyW5uitlmDqMfc3161tAyrFfg1cE2F4CaSZHMlHTgbOABefKSLEGN34E3SUsAN0G8exxmiZkPWS+UxJGDwqmnlWsngev5Qal89XIzk/n28pEeB15ayq9yT7F9pMzymyY2prRe99JbnD/vzJhS/0xw1V43zMWi6ZgPKXp/rKyQP44vOLSLmkuxxsXeHWlMKd8WAoKM3EDq2LrdOua7N+ex29UaWgzJj3QMQdWLBfcN85ELespaywGqJy+2roWjKn5Ld7cLtvrxT6o=; 31:H8k19djnri1tdEAk+z0C9oLbPe8JcKEe1UBlPzO4L0sX4JVLwynyhnC0qlhn8aTQRRduOepLDkAuwDluyHh5dLk1OXfmKIRZmYpO7mOpV1f+suGjYQBbIreOPjgtAmb3MlBSBENCaTcYHmqdFHnknaI9Kkn/gN+8IV7c9hYXfFnzLu3w2122OmZJ/o0ubOkOATLjvLcJrKtCgtipPrmKvOZFu0JjFKG8zdf0YWapDhQ=
X-MS-TrafficTypeDiagnostic: PS1PR04MB1180:
X-Microsoft-Exchange-Diagnostics: 1; PS1PR04MB1180; 20:4rGwb2mpQcJBIodf3ihXHSIgcDzDysxOupLQWSBMDplFnw9IB05RaAcuig1A8BgEEif2GDt3Y+2cwVXIfaA44grP5siQ7Rnkr1+vgkeQ2hE03L7Wftw9B4MKaCiKBTwftZdIuTct0x/0x4HRH2H4Nsrmj3DuPe6Ee/pCs7O+UxogmdqffScr+wqRt5epOY5xHpuEKXFwksFmmKAGVgPb6sNpqjHla1YN1Qgb9At2+LC0Nk7LE8UvThpUxpYvo5Rk; 4:5jUo38P/Xgkhp4U+EQTciZwgIKwveFc0GBaOIv/vvuQYYVpxVLYIaoH0ejjk4s8KY9B6xrgYdEy2F8SPQftkbBhw1rh+JOpzuYvg/hOyNFvsuGouySQnY8EdF6/mdd12o9W2pfGXAXaDVWlX+RAfnGl/KRh/PVbcOvVidFaDgTOEdbKToVoePqcE/ACaBW77K7PtDqWmMa0B4VzqCgnRjrNs82VL3sTihK86+bDTOlOU43xKDnpidxOwXirOo+AtKsl/8sbQ2zl4rsnjZZWaiA==
X-Microsoft-Antispam-PRVS: <PS1PR04MB118088A6E2F450B59ADFA98AB8630@PS1PR04MB1180.apcprd04.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3231254)(944501410)(52105095)(10201501046)(3002001)(93006095)(93001095)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:PS1PR04MB1180; BCL:0; PCL:0; RULEID:; SRVR:PS1PR04MB1180;
X-Forefront-PRVS: 06891E23FB
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(39840400004)(346002)(366004)(39380400002)(396003)(376002)(189003)(199004)(36756003)(47776003)(6666003)(52116002)(446003)(82746002)(6116002)(229853002)(8676002)(6246003)(83716003)(186003)(76176011)(1706002)(2616005)(11346002)(8746002)(8936002)(57306001)(16526019)(81166006)(6916009)(476003)(46003)(23676004)(53936002)(6486002)(50226002)(5660300001)(25786009)(305945005)(2906002)(50466002)(81156014)(86362001)(97736004)(316002)(52146003)(68736007)(478600001)(93886005)(486006)(106356001)(52396003)(7736002)(386003)(33656002)(59450400001)(105586002)(2486003)(42262002); DIR:OUT; SFP:1101; SCL:1; SRVR:PS1PR04MB1180; H:[IPv6:2001:388:1000:110:315c:262d:4e22:76e7]; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
Received-SPF: None (protection.outlook.com: apnic.net does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;PS1PR04MB1180;23:7/2F+kJMQheDJvvR0mPHY5IyKTw41QNrYzI2r5LG2W86G627tmqsknrh5u9it3FTSRfzCL1IrGpg9tCVcaxPoCgddIvlqfH9svLXqT8TDE5BItN9h648iagPp189WPfU0W6SB2MQLoH1Ln7rrlE+jlf0C/1V5uCYo2fhlE01kkcEFee0YIs1Ftq/vxzc/zq66rlZ6zrmHJLlYgnkdiDYe17Y3JGGlqDxnPky6Mo2jBpD15KnNpMANGDM9JBoPzlhdNHDrzVRFcCxxTKMiDFccCya6JFgxr0mNJuupdGk7UPBZeHEHgmuSgnPNfNQBZMV1u1bkZKDFcvX+Yj0SOWROZ/IdbudO9WeuVJLOZzJH912ee29kxeRjpUSj6/AaB56l2z4z2Dblp2UMxYHiTyism3/oT84CIMSbxiSrzyJmCr8nyCQbtBS+qiEE+je2GsqUjqWljs3TepeSQxms6woc2RgJ+enSJrVvrEjd5C1EPo1eLK4d3BvsZU1Nk+zrP8NYXz087rZbk9QUh1Zts8tAzobn7T8Mjumv4Vw5zG754z/mti7byU3HDvmIjs3ieixlOxtvSKoOqt1+jeRmRHK84No6bgJ22z2mf9mbl/VjsGbMzOldmsbrBCy6A/CcgYAFDaNjDUXxSRcChbt9xCiItt1HNrXDOJqBST6xn8GPxY6UCIgmHPNdkGNnLX59jm8MhDtOaA47L3cR3yKXHbkWyQ9a0ZhNp5kt89RCXD6+y2I6aNH7GSlflKxIBM73yNKnMQVvi9ueXv+nEbvw3ReB8pn8YPpcET57cYEDeYjfPll2ANGjScP37TVycRtfVT7iQgaazzqYg0NmM8y1E6c72L3OOI1kYpIMSxAA8Ysr8uylKaR3YXCvx5Ldu7A3o1vEVtk5yvCCymHzdGYlFJ1XhQKUybu8y1cKMhRbzyFDKWPX12mgMQsx2VrqcDfSx2zNHkH/A/BF1cPt6007+nLuqsdRsETNH5FYV+MDjuz+SoKgkmCEFi9zesYXMKDJseqomTnWNLqxC4JwDWku+p/FPBxkZa4RZiSbHwVsZQckUNES4gP2RUULWrSpboD1KVECATlacw9SS3xH4U3K6YZ9uYhUhfHcofxyB4bkMumBbnKsIkZQjWBYUivxxQnCGlB+HxMa0mH4xaxv8r4PnfGzzZatFctlfxaN+bXW2dqKmJ0Z9UZQkXBNWzPmVUQozOZ8W5F5ozBiYCJCfqZv2WtLs9k/nnrtrXQIDZ3UUpg7LJLXvOGpJYQ55gqyP1bl6vBYGHU9/HB1VJlfIXNj5CSsPwnpRLYHUEqNjb35CPrfso=
X-Microsoft-Antispam-Message-Info: CE69uyov2OvkK1v8Ls9ukvKbzzAhLpy+MarBG3/YF8pRGc9AhDsdGi1qJlQfWsWMpDSV+H49gnr4Uym1x1x7LOHxBlgQ8BLFmD3Druj/+AzqlDFaGizR2cwkq/64cDy/XJp1fwdmCCNuweEqzPNhTdmibzb1rerL9IMmOJ7I6X7vPaLUQQNRBeecLhkGV3ST
X-Microsoft-Exchange-Diagnostics: 1; PS1PR04MB1180; 6:dAaOKmiL9x869R8P+IB0+hB4JGIFFX1zJWH+QsTFr0hff6F9z34Chff7nKmd6HMRLSOsycOjbDhi748QLVf9nf5TcV21hynyBBRjpVVFSnHsWZTMcUfCIP5xMBdgmtsSp+nPAakqvfX8sQvq0HaeOuBe+ag0CmJg8DVuPsOawlzMqTExGB880z1LXg+HMeYe7YKT1N7PNumqaA5UZbCTSinDtPJc4qPxqa5FSPq3m+iQFmvqZPqlbY/F260bUPRvzZQ/8Ag8iJ7SSoDDEJIRNA0RZ/RL4BroXFoNHWMJN1i2BDEhxJnGgsFlkeV74+fF6UalYgel8pV8RzZgdPPUwW8a+5qF6YrdmZ9L1SVlFaQoGGO3koAioQLyQHC24o1mQe+FLAaIuDDi4aI7TCna85LGSaa/ivTwHE0KVFwFUHlH0lr8wts2YclE0GC3VAJVDhbPGtFG2oCeh/Nid0rGhw==; 5:HYz4kFCQ5dACovbSLQv/R9y/TtUsRw8lI/7GjuH9wSiQU18hGxfz5izDB7nj6YLKJsyzTnJ6sL/pgYlRELt7+qdM9kZrIFFH+S8HjzY/IJTFxRfujn8ZqtDdYGqq4Ik63qgByXAtV9aXifOj/DZWDGryWxHBwcaaZuw4RBu7L6E=; 24:O612VGPpf3FPrHBtQakaMTxppi1ktPUk2oyaGp7kK/uZ8iT0f9VNLW2hs1Sxc+SQydCYcR2WAO8eDkP61rYNS2jiNjQSCjGQ97BiwmZaDCU=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; PS1PR04MB1180; 7:7f5MufwbuJqsDwWBjLi6UMou/ybIeC3ooMjb1w3JKyKSThXdSyaebNHBo6E0AWAhBI2fNA9OYNvqYF1Mx14pE6Ro6TSJvmmEes4WEa3mLexUGgf5BUHNHKFE7rJmN1yvjQVsSlZ4N5J5lo2EUppodNcFyTeiorx70C+qEeJMHTN+fj2oD+0SvToHIfKBcU2ginjkLHNhN0E605mqF6dhUR5lilK0dK7ItpcjsB5ecruZbBimIJ64VBVKZVPomnA4
X-MS-Office365-Filtering-Correlation-Id: c1623a70-96fc-46a5-17d6-08d5c75150c8
X-OriginatorOrg: apnic.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 May 2018 23:50:39.8111 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c1623a70-96fc-46a5-17d6-08d5c75150c8
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 127d8d0d-7ccf-473d-ab09-6e44ad752ded
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PS1PR04MB1180
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wYdVcWehQzv_UJLcwUa3gKcsOFE>
Subject: Re: [DNSOP] kskroll-sentinel and unclear results
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 23:50:55 -0000

> 
> 
> Thank you, I like most of the changes, but the primary text which addresses
> the above question is:
> "If the resolvers don't all have the same setup (such as if some validate
> but others do not, or if those that validate don't all have the same root
> KSKs trusted), the results of the sentinel test described in this document
> may be indeterminate.  For example, running the same test twice could get
> different results if the different resolvers are queried in a different
> order."
> 
> I believe that the ordering doesn't matter - it will always converge to the
> same answer.
> I've got a really long response to this, which shows all of the options in
> all the different orders, but my co-authors are in different time-zones,
> and want them to sanity check it for me.

Warren’s analysis indicates that when we apply the proposed tests to a user’s collection of resolvers (as distinct from a single resolver)  the proposed test methodology generates responses that may well be unclear at best, particularly when the collection of resolvers include validating and non-validating resolvers and resolvers that variously do and do not recognise this sentinel mechanism. So I’ve been thinking about a subtly different test methodology than that described in the draft that is intended to provide better clarification of the capabilities of the user’s DNS resolution environment.

Firstly a few assumptions that lie behind this proposed analysis methodology:

1) when the user passes a query to a resolver it will get a consistent answer (well consistent over the timeframe of queries). i.e. when the same question asked multiple times by the same user in succession to the same IP address, the DNS responses should give the same answer. (Job’s scenario where the same query passed to the same resolver IP address may generate different responses is a tough situation, and I have no idea just how prevalent this kind of variant behaviour is in any case).

2) all current DNSSEC-validating resolvers have KSK-2010 in their local trust anchor cache.

3) When a resolver returns SERVFAIL the user will re-query using the next resolver in the set. The user’s resolution process will conclude with a SERVFAIL if and only if all the resolvers in the user’s resolver collection have responded with SERVFAIL back to the user.

The modified test uses three queries:

a) a DNS name that is badly signed

b) a DNS name with the left-most label "root-key-sentinel-not-ta-<key-tag=of-ksk-2010>"

c) a DNS name with the left-most label "root-key-sentinel-is-ta-<key-tag=of-ksk-2017>"

(note that the keys referred to in queries b) and c) are different)

I'll describe the responses to these queries as either ‘A’, indicating that the A or AAAA query returned the desired RRset, or ’S’ indicating the the query returned SERVFAIL, and  I’ll describe the sequence of the three responses as the triplet (x x x) indicating responses to queries a, b and c in order.

Firstly, let’ look at the simple case of a single resolver:

If we get a response patter of the form (A * *) then the resolver is not validating, and will survive the key roll just fine.

If we get a response pattern of the form (S A *) then the resolver is validating, but the A response to query b) indicates that it does not recognise the sentinel queries, so we cannot determine its trusted key state.

If we get a response pattern of the form (S S S) then the resolver is validating, and the S response to query b) indicates that it recognises the sentinel queries, and the S response to query c) indicates that it has _NOT_ loaded KSK-2017 as a locally trusted key, and this resolver will not fare well when the KSK rolls.

If we get a response pattern of the form (S S A) then the resolver is validating, and the S response to query b) indicates that it recognises the sentinel queries, and the A response to query c) indicates that it has loaded KSK-2017 as a locally trusted key

Now lets look at the same three queries when used with a collection of resolvers and apply a similar exercise:

The set of possible responses are:

(A * *) - if any of the resolvers returns an A result to query a), then the user’s resolver set contains at least one non-validating resolver, and the KSK roll will not affect them (other than potentially lengthening the DNS resolution times I guess).

(S A *) if any of the resolvers returns an A result to query b) at least one of the user’s resolvers does not recognise the sentinel mechanism, and the behaviour of the collection of resolvers during the KSK roll cannot be reliably determined.

(S S A) implies that all of the user’s resolvers are validating resolvers, all of the user’s resolvers recognise the sentinel mechanism and at least one of the user’s resolvers has loaded KSK-2017 as a trusted key - the user is ok for the KSK roll.

(S S S) implies that all of the user’s resolvers are validating resolvers, all of the user’s resolvers recognise the sentinel mechanism and none of the user’s resolvers has loaded KSK-2017 as a trusted key - the user is NOT ok for the KSK roll.

This analysis approach in no way modifies the actual resolver mechanism described in the draft - the resolver actions are unaltered. The change described here is a change in a test mechanisms that is intended to disambiguate the case of a collection of resolvers where one or more resolvers does not not support this sentinel mechanism from the case where one or more resolvers in the collection has not loaded KSK-2017

Finally, as a personal opinion, not necessarily shared by anyone else, I also note its now June 2018 and the KSK roll appears to be scheduled for early October 2018. As fun as this exercise has been in trying to get this draft through the DNSOP Working Group’s processes, I fear that we are now too late to get this sentinel mechanism implemented and deployed in any meaningful manner to assist in providing meaningful data to inform us of the state of uptake of KSK-2017 before the scheduled KSK roll. That makes me a bit sad.

v2.23.0 | Report a Bug | By Email