IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel

Richard Barnes <rlb@ipv.sx> Mon, 27 November 2017 19:47 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3653127010 for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 11:47:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X-N1hdPI1qRx for <dnsop@ietfa.amsl.com>; Mon, 27 Nov 2017 11:47:38 -0800 (PST)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C0B51204DA for <dnsop@ietf.org>; Mon, 27 Nov 2017 11:47:38 -0800 (PST)
Received: by mail-wm0-x230.google.com with SMTP id v186so37281277wma.2 for <dnsop@ietf.org>; Mon, 27 Nov 2017 11:47:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Y/DEHb6B9p4jzG+4eLqw9b3iRB4EuG7EGJ+NEfPEtYI=; b=P4nYJWS6W9uCN2CWImhRt5+8DZ6jo3ayx/R7fqQNSbliqgUeAvavwIeTOPcLR9uk69 3qi7Cgxi+qZmURkouPLv1X2/1urCPMOlAyT6Gko6wejHzeORKNu5gA+Yo5NMaf/XiNQc +Jd3FoXL+jLGnx+F/27yLjS09gkZ8o1IfKcqYrQ3QL0JZWP8VteEV5vpvLgXC9ePa4i9 J/+FQa61nZsdkI4RjyFZMuy/MLNL0CxRhaQIzZH1kpXIRBNcV7/Zr6lPxOUWzxFEhjjP cvp+1v9Z/ATYzZ8wzAMxdEXo8ueX2egLMzZmclH/ZuppsymcjF9EpzBqOs635ChjQwFJ 0zRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Y/DEHb6B9p4jzG+4eLqw9b3iRB4EuG7EGJ+NEfPEtYI=; b=rv+1sYejQlnSjnp0vhIaJHvvvQtEgBnnOHqQ4zBempfpqDIvZF2FkKCYeiO9U5Yp+e 94PJrgi8sn/DbReCJN+4Y3S3fzeIlhQH642sWfTCnRwRwGJE6LvjLcjfxyLgY4Kcc7A2 T0/Q+vTXzv/y5VhN6TnLT4TrN2StLMX6c1+XT0ygY0pu6qKGM+ZvRJK7xEJwQ3uxmUA6 MrUa7ih1oWz5hTl6eGhEkH0toCjbwuzxesB78DN8TFyKw19VSF96F7fZmmPLf/KYrxKn ttWyQ4yF7xLSIEeJ0/tAeiNEbPeFkxFuHHvDWXUixto6jmf2K1tZWx/VPHanLOao05yc QAMg==
X-Gm-Message-State: AJaThX5/3mP8dCW7dgOedQ+LcZfT02Qe7UE/DbyB6/SdrAJHv8mpFMfu ufLZDWVAXv/NROw41csED9Se1lk89cSVL1Ga4Ae1YA==
X-Google-Smtp-Source: AGs4zMYNCYoQDmmWIpPhnNPRJePhMt6E6iT8FFLotFbe56NfyF4dIoDF/DIcS9yulSnrkKxRDYAPBUSF70y2ud0DMqk=
X-Received: by 10.28.175.73 with SMTP id y70mr20035505wme.21.1511812056555; Mon, 27 Nov 2017 11:47:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.167.74 with HTTP; Mon, 27 Nov 2017 11:47:36 -0800 (PST)
In-Reply-To: <11C784A2-B8E1-4D63-81F9-B62AA148D9EE@hopcount.ca>
References: <CADyWQ+Fhzybt-aNNF+yJxQfWDM56W+rzWxZ2YB3yf6wy4m_uxA@mail.gmail.com> <CAKr6gn07V7s0Q8czQR3v6uAujj4t1-SRt7xqi=zDNVpsryXhVQ@mail.gmail.com> <CAL02cgTZq2+F5Ki6B-042oBdng=tn3jZagb_EKUNFpS7XYgXbQ@mail.gmail.com> <CAL02cgTawPPjWRZ=iMHQOyT+N_cU1r74N+Cp2+Fxn_qLoMh7cQ@mail.gmail.com> <11C784A2-B8E1-4D63-81F9-B62AA148D9EE@hopcount.ca>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 27 Nov 2017 14:47:36 -0500
Message-ID: <CAL02cgRyzri3YKGxj6EYn=O_nfvQ_Hd-b5JR3mPFvp3sPQTgHQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: George Michaelson <ggm@algebras.org>, tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a114436c4993b83055efc2c34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xi34Bwe9WuimZzm3gr9Zs9l4M6I>
Subject: Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2017 19:47:41 -0000

As tempting as it may be to do the easy thing, it's not always the best use
of resources.  Looking at the closest tree might be easy for one observer,
but when you try to do it with enough observers to have a result that's
useful for the King of the Jungle, you end up with similar tangles.

I don't think that it make sense to infer from the failure of RFC 8145 that
resolver/authoritative telemetry isn't possible -- just that it's not
possible with the heavy-weight machinery in that mechanism.  To the degree
that the DNS still works at all, there must be some channel by which
information can be faithfully passed from authoritative to resolver, which
can presumably be used to bootstrap telemetry.  Maybe it's a TXT record
with an HTTP URL; maybe it's a funny CNAME.

Maybe you can't build a road through the jungle, but there are still rivers
that make it through, which can carry a message in a bottle.

On Mon, Nov 27, 2017 at 2:06 PM, Joe Abley <jabley@hopcount.ca> wrote:

> As I imagine you've heard, part of the problem with resolver-authoritative
> telemetry interfaces is that the deployed infrastructure is not so simple;
> it also includes forwarders, changed resolvers, caches, middleware that
> interferes with the query path and/or drops queries that don't look
> normal... It's a jungle out there. Looking at the closest tree from just
> outside the edge of the jungle is actually much easier than speculating
> about what bizarre horrors lie within it.
>
> > On 27 Nov 2017, at 13:36, Richard Barnes <rlb@ipv.sx> wrote:
> >
> > Well, that's what I get for providing drive-by feedback.  Someone
> pointed me off-list to RFC 8145 and the operational issues with that.  I
> still think that that calls for a better authoritative/resolver telemetry
> interface, not some client-side thing.
> >
> > On Mon, Nov 27, 2017 at 1:10 PM, Richard Barnes <rlb@ipv.sx> wrote:
> > George, you should know better than to claim that a mechanism that
> requires resolver updates will have "immediate benefit" :)
> >
> > I do not find this mechanism terribly compelling.  It is not useful in
> the short run, as noted above.  And it has the wrong architecture for the
> long run.
> >
> > What zone operators need, for KSK roll-overs and other evolution
> decisions, is telemetry about the capabilities of the resolvers they
> serve.  In order for an approach like this to provide that telemetry, one
> would need a broad-scale client-side measurement system.  While such
> systems exist (Geoff and George being expert practitioners), they have a
> lot of problems -- they're expensive to operate at scale; they're extremely
> limited in terms of what they can measure and how reliably; and they impose
> much more overhead than is needed here.  We shouldn't be building a
> telemetry system for the DNS that has hard-coded assumptions about web ads
> or dedicated probes.
> >
> > It would be far better to build a telemetry mechanism that operated
> directly between resolvers and authoritative servers.  There are a variety
> of ways you could do this.  In today's world, you could have some record by
> which an authoritative server could advertise a telemetry submission
> point.  In a DOH world, you could have the resolver provide a Link header
> telling the authoritative server where it could pick up information about
> resolver capabilities.  None of these are hard to build (and they don't
> interfere with the "fast path" of the resolver) and they provide much more
> high quality information.
> >
> > If you need data for the KSK roll that we're already a decade late for,
> gather it in a way that doesn't require a resolver upgrade.  (Deploy a
> dedicated temporary TLD if you need to.)  If you're trying to solve the
> long-run telemetry problem, then build it properly.
> >
> > --Richard
> >
> >
> > On Thu, Nov 16, 2017 at 3:34 AM, George Michaelson <ggm@algebras.org>
> wrote:
> > I support adoption of this work. Its a sensible, simple proposal which
> > has immediate benefit, and can be used by anyone to test the ability
> > of their nominated resolver to recognise specific keys, and their
> > trust state.
> >
> > I believe as a community, at large,  we need code deployed into the
> > resolvers in the wild, and we need a document specifying the behaviour
> > we need deployed into those resolvers. We can use this to inform
> > ourselves of operational risk under keychange. We can know as
> > individuals, as organizations what we will see, if keys change. I
> > think this is quite powerful. compared to measurement of what
> > resolvers see, or what authoritatives or roots see, going back to
> > these service-providers themselves. This method informs the client
> > side of the transaction. Thats big.
> >
> > I'm not saying we shouldn't do other things, or measure. I'm saying
> > that this proposal has a qualitative aspect which I think is
> > different, and good.
> >
> > -George
> >
> > On Thu, Nov 16, 2017 at 4:23 PM, tjw ietf <tjw.ietf@gmail.com> wrote:
> > > All
> > >
> > > The author has rolled out a new version addressing comments from the
> meeting
> > > on Monday, and we feel it’s ready to move this along.
> > >
> > > This starts a Call for Adoption for draft-huston-kskroll-sentinel
> > >
> > > The draft is available here:
> > > https://datatracker.ietf.org/doc/draft-huston-kskroll-sentinel/
> > >
> > > Please review this draft to see if you think it is suitable for
> adoption by
> > > DNSOP, and comments to the list, clearly stating your view.
> > >
> > > Please also indicate if you are willing to contribute text, review,
> etc.
> > >
> > > This call for adoption ends: 30 November 2017 23:59
> > >
> > > Thanks,
> > > tim wicinski
> > > DNSOP co-chair
> > >
> > > _______________________________________________
> > > DNSOP mailing list
> > > DNSOP@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dnsop
> > >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
>

v2.23.0 | Report a Bug | By Email