Re: [DNSOP] Updated KSK Sentinel document

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 27 February 2018 21:28 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E1012DA24 for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 13:28:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FiJu8zZRs_zs for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 13:28:04 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB1C212DA1A for <dnsop@ietf.org>; Tue, 27 Feb 2018 13:28:04 -0800 (PST)
Received: from [10.32.60.76] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w1RLRaph043634 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Tue, 27 Feb 2018 14:27:38 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.76]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: dnsop <dnsop@ietf.org>
Date: Tue, 27 Feb 2018 13:28:02 -0800
X-Mailer: MailMate (1.10r5443)
Message-ID: <FF0E0B2F-45FC-4C9F-8112-B1C940DA4112@vpnc.org>
In-Reply-To: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xgQlvj5t9CijCwy4BKWCN1Ygb5g>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2018 21:28:07 -0000

On 12 Feb 2018, at 12:28, Warren Kumari wrote:

> I also updated my demo implementation
> (http://www.ksk-test.net) to use this naming scheme.

I would very much like to see draft-ietf-dnsop-kskroll-sentinel move 
forward, but was concerned that the result might be something where an 
end-user might not be able to reliably test the resolver they were using 
for it. Warren's Javascript code from that page uses the idea that an 
image that could not be loaded would have a height of zero:

       if (img_invalid.height === 0) {invalid = false;}
       if (img_is_ta.height === 0) {is_ta = false;}
       if (img_not_ta.height === 0) {not_ta = false;}

That seems to work for some browsers, but I worried that some browsers 
might implement something different for their Javascript. (This is not 
to knock Warren's code: he admitted it was a quick hack.)

After some investigation, I have a different method that should work in 
all browsers that follow the HTML and Javascript standards. It does not 
rely on any non-standard assumptions in the client-side Javascript.

In the <head> of an HTML document, first include something like this:
    <script>var collected_names = [];</script>
... to create a global variable that holds a list. Then include:
    <script 
src="http://kskroll-sentinel-is-ta-4f66.example.com/is-ta.js"></script>
    <script 
src="http://kskroll-sentinel-not-ta-4f66.example.com/not-ta.js"></script>
    <script src="http://invalid.example.com/invalid.js"></script>
The files that are attempted to be retrieved have one line of code, 
different for each file:
    collected_names.push("is_ta");
       or
    collected_names.push("not_ta");
       or
    collected_names.push("invalid");
The result is that the collected_names list now contains an entry for 
each of the domains where the .js file was fetchable. The Javascript (in 
yet another <script> block) can then process that list to determine the 
sentinel status.

I have some very simple sample code that tests this for the Vleg and 
nonV cases, but I'm still waiting for a resolver that runs 
kskroll-sentinel properly to test for all four. (Kudos to Knot Resolver 
for being first to implement, but there is a small bug that they say 
should be fixed soon.)

So, for folks waiting to see if draft-ietf-dnsop-kskroll-sentinel could 
really work in practice, this is a very good sign.

--Paul Hoffman