Re: [DNSOP] Updated KSK Sentinel document
神明達哉 <jinmei@wide.ad.jp> Wed, 21 February 2018 18:44 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D92C124BE8 for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 10:44:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h90jpLbg5_dc for <dnsop@ietfa.amsl.com>; Wed, 21 Feb 2018 10:44:54 -0800 (PST)
Received: from mail-wr0-x22a.google.com (mail-wr0-x22a.google.com [IPv6:2a00:1450:400c:c0c::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17FA4124BAC for <dnsop@ietf.org>; Wed, 21 Feb 2018 10:44:53 -0800 (PST)
Received: by mail-wr0-x22a.google.com with SMTP id k9so7314453wre.9 for <dnsop@ietf.org>; Wed, 21 Feb 2018 10:44:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=HSTNV24J6mVYqs/0AE5tK00T5fo9H5ikQOo9lWcOrGs=; b=mH9sIDiWjWp+4/spkQpvTf6r0aPJ1y6dawR9cOGBLH2q/tS6GaH6XTS2HcYPQMSDzm tCs2LyN86bvEv6WUX+B6UGY2AwWefgdwjErfb9QGZkccSV26YWt9Yb2v3nUXkJFfSD4P p0RUa3TEBDvBBJlo3Dv3AMlYCLH4X9GmCOmaGUb4WxRDttkmKQmmT35NSqZ8v7qSSdrq IaFxR4Se69fLGVGlkuj9Ie9lzMK1Uq1sVEddqFoDwQzArAV83grcmkCNnf82g6bTrErP QAg7rQCllMho2OOJIwa/h20T+YmalbYstii2vceedRwstCqWT+iWPwotduKHKqN36GAQ 7ksQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=HSTNV24J6mVYqs/0AE5tK00T5fo9H5ikQOo9lWcOrGs=; b=NydetvN8J6RQnCuDlpEjjROtONYJLkv6JcbvPH0sfr4JlXXqNWNnIgKqDWyHGqzJ6I tyBaj9KWhAltLcPo03qoNBZ3HJ8A3m5S7eAPHn1furamiCBJBIOKAhc7E5c1xVJuaSR0 peyRARHm5XID5U7ppmusyUEdbSfIrBJJD2mabW3/rXtaFzI2DcdI4QuoqoxKWdOY4Nbb bTQW6efyZSs+SaZsg0GS6EmPFSsmA9dADCF1WfGMhHeTEBHx0AWA0djUsBCUAdfmUlbo FLbr1CtvA4moruEB7eXlMcW4qPlOZ2nWWKQHgdKCllfcZaVkqPdiY3mQtOscinENVZHh RmDw==
X-Gm-Message-State: APf1xPAvXBcnBUmufNo5790Umk8wAQCrVPZA7wsNClQP+uzuviXJ80sp 1+QYrKtZyyoiUUzeVQ2+7AWnpYpsTsA+lBXBDyPcYIkH
X-Google-Smtp-Source: AH8x226UdlDkJgSJe39JIAMiFcfI3ogbeLcGvoRBpeXicC7rLT6q/AX7xA3Tf7maknPtBWzGHmSwiesJw9vhAZiRZX8=
X-Received: by 10.223.136.188 with SMTP id f57mr3997306wrf.7.1519238692174; Wed, 21 Feb 2018 10:44:52 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.223.134.1 with HTTP; Wed, 21 Feb 2018 10:44:51 -0800 (PST)
In-Reply-To: <CAHw9_i+G4V85oH96H9DgZR+mh9vnNA464wUezpyaUmCTqtHdqA@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <CAJE_bqeTyiotHcnuQ69=dF+MWXwztNNqamRf5BCOj04hhVGrgA@mail.gmail.com> <CAHw9_i+G4V85oH96H9DgZR+mh9vnNA464wUezpyaUmCTqtHdqA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Wed, 21 Feb 2018 10:44:51 -0800
X-Google-Sender-Auth: S31YvloXft5VOYPVI7mSwZ1ZuCY
Message-ID: <CAJE_bqcbcEaS5PAvVQ+s98p6J3vszpkUrBgdDxEJOvkJ79V1gQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xUH0-RZfSB1aPRTdWG6tRrO2aFA>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 18:44:56 -0000
At Wed, 21 Feb 2018 08:53:23 -0500, Warren Kumari <warren@kumari.net> wrote: > > - General > > I think it's worth pointing out that SERVFAIL can be returned for > > various other reasons and the detection mechanism relying on it > > isn't reliable. This is probably okay given the purpose of this > > detection, but I think it's better to note it explicitly. > > Good point. I had some trickiness writing this - how is "The > techniques describes in this document rely on (DNSSEC validating) > resolvers responding with SERVFAIL (RCODE 2) to valid answers. Note > that a slew of other issues can also cause SERVFAIL responses, so > false positive or negative results may sometimes occur." ? Works for me, except that I might avoid 'false positive/negative' as it's often ambiguous or confusing (exactly what "false positive" means depends on the context). I'd personally say something like "..., so the sentinel processing (Section 4) may sometimes result in incorrect conclusions". But that's probably minor in the entire context of this document, so I'd leave it to you. > > - Section 3 > > > > [...] Note > > that the <tag-index> is specified in the DNS label using hexadecimal > > notation. > > > > I suggest clarifying whether '<tag-index>' contains leading 0s > > somewhere in the document (this may not be the best place to do so, > > but this is the first reference to 'tag-index' that made the > > question occur to me). > > Hmmm... Good point. I personally actually preferred having these as > "decimal" keys. > RFC1034, Sec 5.3: The DS RR Presentation Format sayeth: > " The Key Tag field MUST be represented as an unsigned decimal > integer.", things like dig +multiline DNSKEY . shows it as decimal, > etc. > My initial demos (www.ksk-test.net) also all used decimal. Petr > recently pointed out to me that I'd messed up, and so I converted my > demo to use hex, as the draft states. > What does the WG prefer? Is the new KSK called "20326" or it is "4f66"? > > Note that Knot Resolver 2.1 already implements (thank you!) this, and as hex. > But, yes, either way, we need to note if it is padded. > [TODO(WK): Raise the hex vs Dec issue] Personally I don't have a strong opinion/preference on hex vs decimal or with or without leading zeros as long as it's clearly specified. But I see the point of preferring the decimal representation you showed above. https://data.iana.org/root-anchors/root-anchors.xml also uses the decimal representation, so especially if we expect the usage of this query by a human operator who builds the query name by hand, it would be more convenient if it's consistent with other common representations, which is currently decimal. But again, I don't have a strong opinion. > > - Section 3 > > > > If the resolver has not placed a > > Root Zone Key Signing Key with tag index value matching the value > > specified in the query into the local resolver's store of trusted > > keys, then the resolver should return a response indicating that the > > response contains authenticated data according to section 5.8 of > > [RFC6840]. > > > > Should we perhaps define "store of trusted keys" more precisely? > > For example, if a key is in the "AddPend" status (per RFC5011) for > > the resolver, should it be considered in the "store of trusted > > keys"? > > Nope. Well, yes, we need to better define it, but no, a key in AddPend > is not considered. > We explicitly mean "keys which are active and can be used for > validating entries in the root zone." To be clear, I didn't think a key in the "AddPend" state is considered to be in the "store of trusted keys". I just pointed out that it may not be super clear. And so... > We have: "In particular, this response mechanism can be used to > determine whether a certain Root Zone KSK is ready to be used as a > trusted key within the context of a key roll by this resolver." > and I added: > "An active key is one which could currently be used for validation (ie > not in AddPend or Revoked state (RFC5011)). > > Sounds reasonable? yes it does. > > BTW, you might want to say 'a query for an Address Record' or 'an > > Address Record query' instead of 'an A or AAAA query' (I guess > > that's the intent of the introduction of this term. See also my > > first comment on Section 1.1 above). > > Actually, there are small enough number of occurrences that explicitly > listing them (and not creating a new term) seemed better, so (see > ablove) I removed the "Address Record" term and left in the "A or > AAAA" stuff - please let me know if you agree. Works for me. -- JINMEI, Tatuya
- [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Bob Harold
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document Joe Abley
- Re: [DNSOP] Updated KSK Sentinel document Wessels, Duane
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Geoff Huston
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Paul Hoffman