Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications

Geoff Huston <gih@apnic.net> Sun, 01 April 2018 21:06 UTC

From: Geoff Huston <gih@apnic.net>
Date: Mon, 2 Apr 2018 07:06:17 +1000
References: <dfb0182f-fada-c1ea-93fc-4f8c29046725@nic.cz> <F3995DA1-2BDB-4576-B1F7-0EC40EB5D77F@apnic.net> <DD8FB430-5C55-450F-8EBA-3E64563E8995@apnic.net>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <DD8FB430-5C55-450F-8EBA-3E64563E8995@apnic.net>
Message-Id: <ADAE7214-5CE6-416C-B0D7-FADECAA05AC4@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z5wiYQp-8pF8c56PFx_8gLkYBZ0>
Subject: Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

>> 
>> The current text in -09 reads: 
>> 
>>  The DNS response is DNSSEC validated, regardless of whether
>>  DNSSEC validation was requested, and result of validation is
>>  “Secure”
>> 

After discussing this with Warren and Joao I’d like to propose a slightly different wording to the WG. The proposed wording is:


        All of the following conditions must be met to trigger special
        processing inside resolver code:

            The DNS response is DNSSEC validated

            The result of validation is "Secure"

            The AD bit is to be set in the response

            The QTYPE is either A or AAAA (Query Type value 1 or 28)

            The OPCODE is QUERY

            The leftmost label of the original QNAME (the name sent in the
            Question Section in the original query) is either
            "root-key-sentinel-is-ta-<key-tag>" or
            "root-key-sentinel-not-ta-<key-tag>"

        If any one of the preconditions is not met, the resolver MUST NOT
        alter the DNS response based on the mechanism in this document


What was concerning me was that the wording in -09 could be misinterpreted as subtly altering the preconditions for a resolver to perform validation, and that's best left to the mainstream DNSSEC specification documents. If there are any lingering uncertainties as to when and why a resolver performs DNSSEC validation and communicates the outcome in a response, I think they are best resolved in a focussed discussion on the preconditions for DNSSEC validation rather than obliquely in this sentinel draft. Hence the proposed text above, which simply says that the AD bit is set in the response.

The other change I’m proposing is one of consistency - the -09 text had proposed two conditions in one sentence, then enumerated a further three conditions. I felt it was more consistent to explicitly enumerate all conditions.

Are there any objections from the WG to integrating this change and pushing out a -10 version of this draft?

regards,

   Geoff
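The precondition list proposed in the message above, written out as a standalone gate function. This is an added example for readers of the archive; it is not text from the draft, nor code from Geoff Huston or from any resolver implementation. It only decides whether a query/response pair meets all of the listed conditions and, if so, which sentinel form and key tag were named; what a resolver then does with that decision is not described in the quoted text and is deliberately left out. Two things are assumptions not fixed by the proposed wording: that the <key-tag> placeholder is rendered as decimal digits, and that label matching is case-insensitive in the usual DNS sense. The QTYPE and OPCODE constants are the RFC 1035/3596 values; the sample names and the key tag 12345 are constructed.

```python
"""Gate for root-key-sentinel special processing (added example, not draft text).

Implements the proposed precondition list as a pure function so the question
"does this query/response pair trigger sentinel processing?" can be tested in
isolation from the rest of a resolver.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Values from the base DNS specifications (RFC 1035 / RFC 3596).
QTYPE_A = 1
QTYPE_AAAA = 28
OPCODE_QUERY = 0

# ASSUMPTION: <key-tag> is rendered as decimal digits. The proposed wording
# names the placeholder but does not fix its encoding; adjust this pattern if
# the final text chooses a different representation.
_SENTINEL_LABEL = re.compile(r"^root-key-sentinel-(is-ta|not-ta)-([0-9]+)$")


@dataclass(frozen=True)
class SentinelMatch:
    """Outcome of a successful precondition check."""
    kind: str      # "is-ta" or "not-ta"
    key_tag: int   # the <key-tag> from the label; key tags are 16-bit (RFC 4034)


def parse_sentinel_label(original_qname: str) -> Optional[SentinelMatch]:
    """Inspect only the leftmost label of the ORIGINAL QNAME.

    The name examined is the one from the Question Section of the query as
    received. An owner name reached later through a CNAME chain must not
    trigger the mechanism, so callers pass the original name, never a name
    taken from the answer section.
    """
    labels = original_qname.rstrip(".").split(".")
    if not labels or labels[0] == "":
        return None
    # DNS label comparison is case-insensitive (RFC 4343).
    m = _SENTINEL_LABEL.match(labels[0].lower())
    if m is None:
        return None
    key_tag = int(m.group(2))
    if key_tag > 0xFFFF:   # larger than 16 bits cannot name any key
        return None
    return SentinelMatch(kind=m.group(1), key_tag=key_tag)


def sentinel_processing_applies(
    *,
    original_qname: str,
    qtype: int,
    opcode: int,
    dnssec_validated: bool,
    validation_result: str,
    ad_bit: bool,
) -> Optional[SentinelMatch]:
    """Return a SentinelMatch only if EVERY proposed precondition holds.

    Any single failure returns None, which the caller treats as "leave the
    response untouched". Check order does not affect the result; the cheap
    header checks simply run before the label parse.
    """
    if opcode != OPCODE_QUERY:
        return None
    if qtype not in (QTYPE_A, QTYPE_AAAA):
        return None
    if not dnssec_validated:
        return None
    if validation_result != "Secure":
        return None
    if not ad_bit:
        return None
    return parse_sentinel_label(original_qname)


if __name__ == "__main__":
    # Constructed sample cases (not from the draft or any real deployment);
    # key tag 12345 is a placeholder value.
    common = dict(qtype=QTYPE_A, opcode=OPCODE_QUERY, dnssec_validated=True,
                  validation_result="Secure", ad_bit=True)
    cases = [
        ("root-key-sentinel-is-ta-12345.example.com.", common),
        ("www.example.com.", common),  # a CNAME to a sentinel name would not count
        ("root-key-sentinel-not-ta-12345.example.com.", dict(common, qtype=16)),
        ("root-key-sentinel-not-ta-12345.example.com.", dict(common, ad_bit=False)),
    ]
    for qname, kw in cases:
        print(f"{qname:48} -> {sentinel_processing_applies(original_qname=qname, **kw)}")
```

Because the function takes the original QNAME rather than a name from the answer, a zone owner cannot trigger the mechanism by pointing an ordinary name at a sentinel-labelled target through a CNAME, and a label that merely contains the sentinel prefix somewhere other than the leftmost position is ignored.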