TSV-ART review of draft-ietf-dnsop-dnssec-roadblock-avoidance
Brian Trammell <ietf@trammell.ch> Tue, 14 June 2016 12:13 UTC
Return-Path: <ietf@trammell.ch>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1003112D542; Tue, 14 Jun 2016 05:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.328
X-Spam-Level:
X-Spam-Status: No, score=-3.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ygcFbJTwMzcI; Tue, 14 Jun 2016 05:13:07 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id C1C5D12D59A; Tue, 14 Jun 2016 05:13:06 -0700 (PDT)
Received: from [IPv6:2001:67c:10ec:2a49:8000::10d6] (unknown [IPv6:2001:67c:10ec:2a49:8000::10d6]) by trammell.ch (Postfix) with ESMTPSA id 7DA2F1A0CE2; Tue, 14 Jun 2016 14:13:05 +0200 (CEST)
From: Brian Trammell <ietf@trammell.ch>
X-Pgp-Agent: GPGMail 2.6b2
Content-Type: multipart/signed; boundary="Apple-Mail=_FB82BCB3-B54B-4DCD-B189-3EEED0231947"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Subject: TSV-ART review of draft-ietf-dnsop-dnssec-roadblock-avoidance
Date: Tue, 14 Jun 2016 14:13:04 +0200
Message-Id: <E75E6B47-C915-4302-B950-4502AFB1F640@trammell.ch>
To: ietf <ietf@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/EKwsiO9si2L2OwbwlqTg4cC8kfQ>
Cc: tsv-art@ietf.org, draft-ietf-dnsop-dnssec-roadblock-avoidance@tools.ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2016 12:13:09 -0000
Greetings, I've reviewed this draft as part of the TSV Area Review Team, paying special attention to transport-related concerns. Please take these as any other IETF last call comments. Summary: This draft clearly describes online testing of possible DNSSEC failures, and how to interpret the results. It does not appear to pose any transport-related danger, and is broadly ready for publication as a BCP. I do have the following questions, though: (1) Section 3.1: "The tests are designed to check for one feature at a time". This is generally A Good Thing, but it does seem that there should be some attempt to economize on packets sent. This is not as much a problem when testing recursive resolvers, since they should only need to be run when a host introduces itself to a neighboring recursive resolver and the test traffic shouldn't leave the site. However, section 3.2 are designed to run on the open Internet, and seems to suggests that tests 3.2.1-3.2.3 should be run *first*, then followed by the fourteen tests in section 3.1. In the "best case" future for this document, that every stub resolver implements this online testing automatically, every packet saved is significant. Some optimizations are obvious: 3.2.1 replaces 3.1.1, 3.2.3 replaces 3.1.2. The document should note these (even though they're trivial). Some optimizations have already been made: 3.1.5, 3.1.10, 3.3. test multiple conditions. Are there any other tests that could be combined (e.g. the TCP connectivity and EDNS0 tests) without losing fidelity? (2) Could the retries advised in section 5 be abused to cause a resolver running roadblock avoidance to send unnecessary test traffic? It seems that injecting an error, illegal, or bogus response could induce multiple retries, though it's not clear that the amplification factor makes this worth it. (2) In section 6, the draft raises the possibility of unstable networking after connection (e.g. in a captive portal situation); guidance to refrain from flooding the network with test traffic during this instability might be useful. Perhaps explicitly link the DNSSEC checks to a "network proves to be usable" signal (either from the application or the operating system)? Thanks, cheers, Brian (as TSV-ART reviewer)
- Re: TSV-ART review of draft-ietf-dnsop-dnssec-roa… Tim Wicinski
- Re: TSV-ART review of draft-ietf-dnsop-dnssec-roa… Wes Hardaker
- TSV-ART review of draft-ietf-dnsop-dnssec-roadblo… Brian Trammell