Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 26 September 2018 21:31 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BECB130E03 for <dnsop@ietfa.amsl.com>; Wed, 26 Sep 2018 14:31:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4kKRQr7vkbfA for <dnsop@ietfa.amsl.com>; Wed, 26 Sep 2018 14:31:14 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B49130DF4 for <dnsop@ietf.org>; Wed, 26 Sep 2018 14:31:13 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id l7-v6so3760977wme.2 for <dnsop@ietf.org>; Wed, 26 Sep 2018 14:31:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GUI6fVSseCB3SUdtjwqfb62NHJaUBeaDAdPCzNszaqU=; b=Mzq2iVXYNhra5iJci3+M/d0Urrimvs+zkA5niuKP3UNn83wFPDLnGmTvN4cG9cS5Sa AQhqKlXHN52kOK8u6IrkpAyLAyxHDKG8Y0H2NlL8Tda5FyHKZJ+V5MeJ1rm19bagpiSb ECcvJ3L2qVNrhE4BQsxB+64t8ljxRoPyWvneqZWAjya9XzAelYZt9hUi7PUPYj4jsvaE PWAIG1budyGh/Gjms8ivXCPAXJ3LzdFzxPTBbcSrrmYvNuQOplL+eRsLHh97isQg0U1S u8Mfd774FPBsQqfTSFbZT9q2Gq9lMmYg+Puhd7v0ugEHm+wpP6292rU2doKCwU4SzV6W KRGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GUI6fVSseCB3SUdtjwqfb62NHJaUBeaDAdPCzNszaqU=; b=h/6DdtSCd5XcseDlPwXVdrslrnco8bX7iHoLPDQD1mROzC9O7FqPkvxe9pF1m6pDX5 vdpjCD2fiy70TZm285E++KINnGjyznGYTZtutD4jGh6k4sApZfz5uvj0DyxEmtRveukV HpKt/vzhbfNwvJt487zWYBLKap1k6iMAV0c+SCdn/CMXO7bt5mZjk2SRqsOIkqBb+X+i Vi6vaYX4tAqfoi97opsecnDIhpcQwfVz+Zq4bnlSksE6fy8cFCSO8d3lveS7P92T0t8p TMNBlh4sMhQEObGAbHlzWSCsnP7FWsD0R/Bl1inApq3nutlhpVds6wnVCUEw2CbV0lNP 5QXA==
X-Gm-Message-State: ABuFfoiy5doe3/SL6KMmbCcYshWT/DcBlN7hTNhN/yqoHowdNBNyTFkc o9+ayj182PDkpG3ROISNU+706a6sKqojMrYhy4bXrg==
X-Google-Smtp-Source: ACcGV61dvDVRL3rMPg7qvCZZZ80Tmw9tDN4kaM3nI0dUsFx6pWPFw2RN1llzFNFjwz/z4958/G2FQ9HlTZC01zWUngw=
X-Received: by 2002:a1c:1252:: with SMTP id 79-v6mr5570324wms.70.1537997471285; Wed, 26 Sep 2018 14:31:11 -0700 (PDT)
MIME-Version: 1.0
References: <153797498435.21672.17709898221650275799.idtracker@ietfa.amsl.com> <CAHw9_i+Dm7VHAi8eJjhDyGacCwxigeEZv8tSiGT+ZrW+vxu+oA@mail.gmail.com> <20180926181646.GM24695@kduck.kaduk.org> <CAHw9_i+MRJUfiZPBCNiFfio=VetCNXkHwW4Nw=WQa+z0dRWoWw@mail.gmail.com> <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org>
In-Reply-To: <FFA0F591-9EC2-4B8E-AB0F-F0B496E8FAFA@vpnc.org>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 26 Sep 2018 14:30:31 -0700
Message-ID: <CAHw9_iLRj9JOL0DU=ztNnrgyFk4VfQCY3pSnq+BEhp6P9ndOXg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-kskroll-sentinel@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f119150576ccf066"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yQ-o1jSDoVAcRo72bJUwM17RAY4>
Subject: Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-kskroll-sentinel-15: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 21:31:18 -0000

On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoffman@vpnc.org>; wrote:

> On 26 Sep 2018, at 12:07, Warren Kumari wrote:
>
> > On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <kaduk@mit.edu>; wrote:
> >
> >> On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote:
> >>> On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <kaduk@mit.edu>;
> >>> wrote:
> >>>
> >>>> Benjamin Kaduk has entered the following ballot position for
> >>>> draft-ietf-dnsop-kskroll-sentinel-15: Discuss
> >>>>
> >>>> When responding, please keep the subject line intact and reply to
> >>>> all
> >>>> email addresses included in the To and CC lines. (Feel free to cut
> >>>> this
> >>>> introductory paragraph, however.)
> >>>>
> >>>>
> >>>> Please refer to
> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >>>> for more information about IESG DISCUSS and COMMENT positions.
> >>>>
> >>>>
> >>>> The document, along with other ballot positions, can be found here:
> >>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
> >>>>
> >>>>
> >>>>
> >>>> ----------------------------------------------------------------------
> >>>> DISCUSS:
> >>>> ----------------------------------------------------------------------
> >>>>
> >>>> Thanks for preparing this document and mechanism; it is good to
> >>>> have
> >> more
> >>>> data about the expected impact of the root KSK roll.  That said, I
> >> have two
> >>>> Discuss-worthy points, albeit both fairly minor.
> >>>>
> >>>> The first one may just be something that I missed, but does this
> >> document
> >>>> actually say anywhere that there needs to be a real zone with real
> >>>> configured A and/or AAAA records for the query names used for these
> >> tests?
> >>>> The Appendix sort-of-mentions it, but I feel like there needs to be
> >>>> a
> >>>> mention in the main body text.
> >>>>
> >>>>
> >>> No hats (OMG, everyone will see I'm going bald...)
> >>>
> >>> Ok, fair. This was actually a source of confusion when we first
> >>> started
> >>> discussing the document -- we explained it on-list / at mics / in
> >>> person,
> >>> but it became so well understood that we didn't notice that it is
> >>> not
> >>> actually specified in the document. I'll try figure out text.
> >>
> >> Thanks.
> >>
> >> It eventually became pretty clear to me from things like "return the
> >> A or
> >> AAAA response unchanged" that there was supposed to be a valid
> >> response
> >> provisioned so that it could be returned, but I don't want to rely on
> >> all
> >> readers making the same inference.
> >>
> >>
> > So I opened my editor to add text, and scrolled down to try figure out
> > where to add this.
> > "Section 4.3 - Test Procedure" seemed like a good spot -- and it
> > already
> > has this text:
> >
> > A query name containing the left-most label
> > "root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST be
> > a
> > validly-signed. ***Any validly-signed DNS zone can be used for this
> > test.***
> > A query name containing the left-most label
> > "root-key-sentinel-is-ta-<key-tag-of-KSK-new>". This name MUST be a
> > validly-signed. ***Any validly-signed DNS zone can be used for this
> > test.***
> >
> > (emphasis mine).
> >
> > Does this perhaps address your concerns?
>
> It should not: Section 2.1 specifically says that the query must be for
> A or AAAA.
>
>
Ah, I think I'm starting to understand...

A query name containing the left-most label
"root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be a
validly-signed name." cover it?
I'd tried putting in stuff like "in a public zone" (but this isn't actually
true, I could do this entirely in a private namespace if I only wanted to
test a closed network).
Or perhaps: "This name MUST be a validly-signed name in a validly signed
zone"? (which is somewhat redundant, but makes it clearer)?

Any suggestions?
W




> --Paul Hoffman
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf