Re: [DNSOP] Ben Campbell's No Objection on draft-ietf-dnsop-negative-trust-anchors-10: (with COMMENT)
"Ben Campbell" <ben@nostrum.com> Thu, 09 July 2015 03:11 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 104471A8A4E; Wed, 8 Jul 2015 20:11:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxfiAkTdUuzC; Wed, 8 Jul 2015 20:10:54 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C47EB1A8A55; Wed, 8 Jul 2015 20:10:54 -0700 (PDT)
Received: from [10.0.1.23] (cpe-70-119-203-4.tx.res.rr.com [70.119.203.4]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t693AdlR077116 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 8 Jul 2015 22:10:50 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-119-203-4.tx.res.rr.com [70.119.203.4] claimed to be [10.0.1.23]
From: Ben Campbell <ben@nostrum.com>
To: Warren Kumari <warren@kumari.net>
Date: Wed, 08 Jul 2015 22:10:39 -0500
Message-ID: <F7EDDDDB-5607-4EA7-A9DC-BD405095ABFF@nostrum.com>
In-Reply-To: <CAHw9_i+iTyi5VT2e8PO3t_QmktE2_yHaAkVM0j=ge3JLjge16A@mail.gmail.com>
References: <20150708180834.1627.39049.idtracker@ietfa.amsl.com> <CAHw9_i+iTyi5VT2e8PO3t_QmktE2_yHaAkVM0j=ge3JLjge16A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/xuM2odaUXew3uoc10sw_qfLr808>
X-Mailman-Approved-At: Thu, 09 Jul 2015 03:52:01 -0700
Cc: Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dnsop-negative-trust-anchors.ad@ietf.org, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-negative-trust-anchors.shepherd@ietf.org, draft-ietf-dnsop-negative-trust-anchors@ietf.org
Subject: Re: [DNSOP] Ben Campbell's No Objection on draft-ietf-dnsop-negative-trust-anchors-10: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 03:11:00 -0000
Hi, thanks for the response. Comments inline--I've deleted text that doesn't seem to require further discussion. Ben. On 8 Jul 2015, at 21:59, Warren Kumari wrote: > On Wed, Jul 8, 2015 at 2:08 PM, Ben Campbell <ben@nostrum.com> wrote: >> Ben Campbell has entered the following ballot position for >> draft-ietf-dnsop-negative-trust-anchors-10: No Objection >> > > Thank for you review. I have posted a new version in github at > https://github.com/wkumari/draft-livingood-dnsop-negative-trust-anchors > >> [...] >> -- section 1.2, last paragraph, last sentence: >> Out of curiosity, has this been an issue? > > Erm, I'm a bit lost -- Section 1.2 is only really a header. I'm not > sure if you mean section 1.2.1, last paragraph, last sentence or > 1.2.3, last paragraph, last sentence. Both are true / have been > issues. > > If 1.2.1: > "For example, it is conceivable that a domain may be DNSSEC signed > properly, and one vendor's DNS recursive resolvers will validate the > domain but other vendors' software may fail to validate the domain." > > Yup, this has happened a few times -- there are part of the DNSSEC > specs that e.g BIND and Unbound interpreted (or implemented) > differently. > An example: > http://comments.gmane.org/gmane.network.dns.bind.user/49875 > That one, sorry. Thanks for the reference. [...] >> >> -- 2, 2nd paragraph: >> Can an operator be reasonably expected to be able to confirm that a >> domain is being operated by its rightful owner? > > In many cases, yes. For example, if the website says: "Hacked by > Syrian Electronic Army" > (http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/) > you can be fairly sure it is *not* being operated by the rightful > owner :-) :-) > > More seriously, usually you *can* tell -- for example, if the > signatures have expired but everything else remained the same it is > likely operated by the rightful owner. Also, during the recent .ke > (Kenya) DNSSEC issue ( > http://ianix.com/pub/dnssec-outages/20150331-ke/ ) various people were > in contact with the ccTLD operator. There are also various things like > passive DNS services which keep historical data on things like > nameservers. If the NS hasn't changed, you can be fairly sure it is > being operated by the owner... > Okay. I accept that an operator can make reasonable decision here in many cases. >> >> -- 2, 2nd to last paragraph: >> >> Since the requirement to limit the time an NTA is used is a MUST, it >> seems like the ability to configure that time should also be a MUST. > > Hmmm.... I'm not sure I agree. The document says: > "NTAs MUST expire automatically when their configured lifetime ends. > The lifetime MUST NOT exceed a week. " > An implementation *could* always install one for a week, and the > operator could remove it before it automatically expires. If I'm > installing one I would install it for the full week and then check it > every few hours, and remove it before it expires. I cannot think of a > scenario where I'd know ahead of time that the problem will be all > solved in e.g 3 days, and so choose a shorter lifetime. If I *did* > think it would be solved in 3 days I'd still set it for a week and > then have a calendar reminder / bug in my bug tracking system that > went "Ping" to make me check it manually. Having the NTA expire before > the issue is resolved makes the domain go bogus again, and users > become frustrated... Okay. > > >> >> -- 2, last paragraph: >> >> Why is the requirement not to affect another branch weaker than the >> requirement not to affect other names higher up the same branch? > > You may have an example like: > example.net IN NS ns1.example.com > > If I install an NTA for example.com (and so make ns1.example.com alive > again) example.net will now work again, so fixing something in one > branch affects something in another branch. Ah, I hadn't considered that case. > > What we are do not want to have happen is that installing an NTA for > example.com disables validation for .com -- it is probably possible > that something like: > .com IN NS foo.bar.example.com > and foo.bar.example.com becomes bogus. Installing an NTA *does* now > affect names higher in the tree, but this is (I think) pathological > and not worth trying to address. > Agreed. > >> >> -- 4, first paragraph, last sentence: >> >> This seems to favor erring on the side of keeping the NTA. I think >> security would suggest erring on the side of removing the NTA. > > I think it is actually more of a stability / "know what you are doing > before mucking with stuff" argument. The next sentence says: > "Once all testing succeeds, an NTA should be removed as soon as is > reasonably possible." > > It you ends up in a situation where e.g the master is serving good > data, but the 3 slaves are all serving expired signatures and the > operator happens to query the master and remove the NTA you may end up > in a situation where 3/4 queries die and 1/4 succeed. This will end up > creating user confusion and a very difficult to debug situation. > > The above is mainly a "hey, before removing an NTA, make sure you > aren't shooting yourself in the foot" reminder. After re-reading some of the other text about determining when to remove an NTA, I'm okay with this. [...] > > >> >> -- 7, paragraph 4, last sentence: >> I suggest adding “At the time of this writing…”, and add >> additional text >> to remind people these may change over time. > > Good point. I changed it to: > > "At the time of this writing are several tools to do this, including: > DNSViz (http://dnsviz.net) > Verisign DNSSEC debugger (http://dnssec-debugger.verisignlabs.com) > zonemaster (http://www.zonemaster.fr, > https://github.com/dotse/zonemaster) > > most of these tools are open source and can be installed locally. > However, using the tools over the Internet has the advantage of > providing visibility from a different point. This is an incomplete > list, and it is expected that additional tools will be developed over > time to aid in troubleshooting DNSSEC issues. > " > That works for me. [...]
- [DNSOP] Ben Campbell's No Objection on draft-ietf… Ben Campbell
- Re: [DNSOP] Ben Campbell's No Objection on draft-… Warren Kumari
- Re: [DNSOP] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [DNSOP] Ben Campbell's No Objection on draft-… Paul Ebersman