Re: [DNSOP] Updated KSK Sentinel document
"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 27 February 2018 21:28 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E1012DA24 for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 13:28:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FiJu8zZRs_zs for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 13:28:04 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB1C212DA1A for <dnsop@ietf.org>; Tue, 27 Feb 2018 13:28:04 -0800 (PST)
Received: from [10.32.60.76] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w1RLRaph043634 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Tue, 27 Feb 2018 14:27:38 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.76]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop <dnsop@ietf.org>
Date: Tue, 27 Feb 2018 13:28:02 -0800
X-Mailer: MailMate (1.10r5443)
Message-ID: <FF0E0B2F-45FC-4C9F-8112-B1C940DA4112@vpnc.org>
In-Reply-To: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xgQlvj5t9CijCwy4BKWCN1Ygb5g>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2018 21:28:07 -0000
On 12 Feb 2018, at 12:28, Warren Kumari wrote: > I also updated my demo implementation > (http://www.ksk-test.net) to use this naming scheme. I would very much like to see draft-ietf-dnsop-kskroll-sentinel move forward, but was concerned that the result might be something where an end-user might not be able to reliably test the resolver they were using for it. Warren's Javascript code from that page uses the idea that an image that could not be loaded would have a height of zero: if (img_invalid.height === 0) {invalid = false;} if (img_is_ta.height === 0) {is_ta = false;} if (img_not_ta.height === 0) {not_ta = false;} That seems to work for some browsers, but I worried that some browsers might implement something different for their Javascript. (This is not to knock Warren's code: he admitted it was a quick hack.) After some investigation, I have a different method that should work in all browsers that follow the HTML and Javascript standards. It does not rely on any non-standard assumptions in the client-side Javascript. In the <head> of an HTML document, first include something like this: <script>var collected_names = [];</script> ... to create a global variable that holds a list. Then include: <script src="http://kskroll-sentinel-is-ta-4f66.example.com/is-ta.js"></script> <script src="http://kskroll-sentinel-not-ta-4f66.example.com/not-ta.js"></script> <script src="http://invalid.example.com/invalid.js"></script> The files that are attempted to be retrieved have one line of code, different for each file: collected_names.push("is_ta"); or collected_names.push("not_ta"); or collected_names.push("invalid"); The result is that the collected_names list now contains an entry for each of the domains where the .js file was fetchable. The Javascript (in yet another <script> block) can then process that list to determine the sentinel status. I have some very simple sample code that tests this for the Vleg and nonV cases, but I'm still waiting for a resolver that runs kskroll-sentinel properly to test for all four. (Kudos to Knot Resolver for being first to implement, but there is a small bug that they say should be fixed soon.) So, for folks waiting to see if draft-ietf-dnsop-kskroll-sentinel could really work in practice, this is a very good sign. --Paul Hoffman
- [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Bob Harold
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document Joe Abley
- Re: [DNSOP] Updated KSK Sentinel document Wessels, Duane
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Geoff Huston
- Re: [DNSOP] Updated KSK Sentinel document John Dickinson
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Vladimír Čunát
- Re: [DNSOP] Updated KSK Sentinel document 神明達哉
- Re: [DNSOP] Updated KSK Sentinel document Warren Kumari
- Re: [DNSOP] Updated KSK Sentinel document Paul Hoffman