On 7/30/2015 1:44 PM, Wessels, Duane wrote:
> On Jul 30, 2015, at 5:25 AM, Olafur Gudmundsson <o...@ogud.com> wrote:
>> The main usage for this option IMHO is to check if the “local” resolver set is
>> using expected TA’s, and if it is not enable “user” to complain.
>
> Hi Olafur,
>
> That is not quite what I have in mind. Rather it is to provide data to "trust
> anchor operators" that helps them understand the progress of updates (RFC 5011
> or otherwise) during a rollover.
>
> DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Venn Diagram - in ASCII

 _______________________________________________________________________________
|                                                                               |
|  All DNS Resolvers                                                            |
|   _________________________________________________________________________   |
|  |                                                                         |  |
|  |  DNS Resolvers that implement this option                               |  |
|  |   ___________________________        ________________________           |  |
|  |  |                           |      |                        |          |  |
|  |  |  DNS Resolvers with up    |      |  DNS Resolvers with    |          |  |
|  |  |  to date TAs              |      |  out of date TAs       |          |  |
|  |  |___________________________|      |________________________|          |  |
|  |_________________________________________________________________________|  |
|_______________________________________________________________________________|
Not drawn to scale. The question continues to be how long until and
whether or not you get enough take on this at both the resolver and root
sides to get usefully sufficient data.
Say you get a 10% uptake rate of implementers and they show 100%
compliance with the installation of a new trust anchor. Is that
sufficient evidence to say it's OK to remove the old trust anchor? What
happens if the implementers are non-representative of the set of "All
DNS Resolvers" and that the actual (and unknowable) reality is that only
30% of the world actually is up to date?
Say you get a 100% uptake rate of implementers and they show a 0%
compliance rate? Reality or a bug in your software?
Say you get a 20% uptake rate and an 80% compliance rate - and it stops
there and shows no sign of increasing. Do you ever revoke the old trust
anchor?
Say you get a 0 uptake rate besides the usual suspects - what then?
Data is only useful if you've got a plan for when you get it and if you
understand that perfect knowledge is impossible.
One of the best analogs for the root roll is probably the US transition
to DTV. The US delayed the DTV roll out at least once due to consumer
pushback (and unavailable hardware) - but eventually went ahead and
obsoleted 5-10% of the people who hadn't paid attention, didn't care or
couldn't be bothered. (Probably other categories like couldn't afford
it). It's similar to the root roll problem in that there is no in-band
reverse signalling path to say "Hey - I can understand digital TV, go
ahead and shut down my analog", and that all such reverse signalling
took other paths. It's also very similar in that almost all of the
burden on the transition was mostly borne by other than the end-user
(e.g. cable TV boxes still emitted analog, digital satellite ditto and
few end-users run resolvers - it's IT departments, cable internet
operators, organization specialized entities like DISA for the DOD, etc).
While I applaud attempts to (5 years or more too late) provide
suspenders and a belt for this process, I'm not sure that the costs for
doing so will ever be recouped. You would get better data just asking
the operators now than you will get in 5-8 years when you finally get
this rolled out.
By the way, NONE of these should delay adding a second trust anchor as
soon as is practicable.
Later, Mike
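Mike's "say you get X% uptake and Y% compliance" scenarios can be worked through numerically. The block below is an added example, not code from this thread or from the draft being discussed; it reduces the Venn diagram to two fractions, an uptake rate (share of all resolvers that implement the option) and a compliance rate (share of signalling resolvers reporting the new trust anchor), and treats every non-signalling resolver as being in an unknown state. The 95% target is a constructed value standing in for whatever threshold a trust anchor operator might choose.

```python
# Added example (not from the thread): what signalling data can and cannot
# prove about the whole resolver population during a trust anchor rollover.
from __future__ import annotations


def up_to_date_bounds(uptake: float, compliance: float) -> tuple[float, float]:
    """Bounds on the fraction of *all* resolvers that hold the new TA.

    uptake:     fraction of all resolvers that implement the signalling option
    compliance: fraction of those signalling resolvers that report the new TA

    Only signalling resolvers are observable. Each silent resolver may be
    either current or stale, which is exactly the width of the interval.
    """
    for name, value in (("uptake", uptake), ("compliance", compliance)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a fraction in [0, 1], got {value!r}")
    observed_ok = uptake * compliance   # signalling AND up to date
    unobserved = 1.0 - uptake           # silent resolvers: state unknown
    return observed_ok, observed_ok + unobserved


def assess(uptake: float, compliance: float, target: float) -> str:
    """Classify the evidence against a target global up-to-date fraction."""
    lower, upper = up_to_date_bounds(uptake, compliance)
    if lower >= target:
        return "sufficient"     # holds even if every silent resolver is stale
    if upper < target:
        return "insufficient"   # fails even if every silent resolver is current
    return "undetermined"       # the answer lives in the unobservable set


def required_silent_compliance(uptake: float, compliance: float,
                               target: float) -> float | None:
    """Share of the non-signalling resolvers that would have to be up to date
    for the global fraction to reach `target`. 0.0 if already guaranteed by the
    observed data alone, None if unreachable even with every silent one current."""
    lower, upper = up_to_date_bounds(uptake, compliance)
    if lower >= target:
        return 0.0
    if upper < target:
        return None
    # Reaching here implies uptake < 1, otherwise lower == upper and we returned.
    return (target - lower) / (1.0 - uptake)


def uptake_needed_to_prove(compliance: float, target: float) -> float | None:
    """Smallest uptake at which the observed compliance rate alone proves the
    global fraction meets `target` (lower bound >= target). None if even 100%
    uptake would not do it."""
    if not 0.0 <= compliance <= 1.0 or not 0.0 <= target <= 1.0:
        raise ValueError("compliance and target must be fractions in [0, 1]")
    if target == 0.0:
        return 0.0
    if compliance == 0.0:
        return None
    needed = target / compliance
    return needed if needed <= 1.0 else None


# The scenarios from the message (constructed figures, as in the message).
SCENARIOS = {
    "10% uptake, 100% compliance": (0.10, 1.00),
    "100% uptake, 0% compliance":  (1.00, 0.00),
    "20% uptake, 80% compliance":  (0.20, 0.80),
    "0% uptake":                   (0.00, 0.00),
}


def scenario_table(target: float = 0.95) -> dict[str, dict]:
    """Evaluate every scenario against a (constructed) 95% target."""
    table = {}
    for name, (uptake, compliance) in SCENARIOS.items():
        lower, upper = up_to_date_bounds(uptake, compliance)
        table[name] = {
            "lower": lower,
            "upper": upper,
            "verdict": assess(uptake, compliance, target),
            "silent_needed": required_silent_compliance(uptake, compliance, target),
        }
    return table


if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"{name:30s} global up-to-date in "
              f"[{row['lower']:.0%}, {row['upper']:.0%}] -> {row['verdict']}")
    print("uptake needed to prove 95% with perfect compliance:",
          uptake_needed_to_prove(1.0, 0.95))
```

The interval width is simply the non-signalling share, so at 10% uptake even perfect compliance leaves the true figure anywhere between 10% and 100%, and the data only settles the question once uptake itself approaches the target. That is the quantitative form of the point that the value of the data depends on having a plan for what to do with an interval rather than a number.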