On 23 Dec 2017, at 11:59, Geoff Huston wrote:
On 22 Dec 2017, at 8:44 am, Ray Bellis <r...@bellis.me.uk> wrote:
On 21/12/2017 15:36, Robert Story wrote:
I reread the draft today, and noticed that two things aren't
specified.
The first is the contents of the A/AAAA RRSET returned, and the
second
is the TTL for the records.
Maybe the A/AAAA record values could be used to return additional
details? For example, whether or not the key is part of static
configuration, or learned via 5011.
I had also wondered about this.
A browser-based system for triggering these queries can't do so
without
also then attempting a download of some resource via whatever IP
address
is returned.
(in other words, you can't make a browser "just" do a DNS lookup, the
DNS lookup is a side effect of attempting to access a URL)
As Ray points out, if a browser is conducting the experiment, and the
only visible indication of successful resolution is the retrieval of
the
named object, then a reasonable test would use some sentinel object as
the named target (a 1x1 pixel gif is conventional in these
circumstances). In this case the TTL of the DNS record is not directly
visible to the browser.
In situations where a client may have multiple resolvers in their
local
/etc/resolv.conf configuration, and recursive resolvers may themselves
/use forwarders, it is not immediately obvious which resolver
generated the response, so I’m unsure of the interpretation of any
attempt to embed some form of additional information into either the
IP
address of the named object.
The intent of the test is to establish a usable test along the lines
of
"If you can retrieve this named object you are ready for a Root Zone
KSK
roll" The issues around the diversity of behaviours in the DNS turn
this
dsimple songle fetch into a compound fetch of three named objects, but
the semantic intent is the same. That is: "From the pattern of the
results of performing these three tests we can compute a likelihood of
concluding whether or not, you, the end user, will, or will not, be
affected by a pending KSK roll. From a large enough sample of users
was
can then estimate the 'impact' of a KSK roll on the total user
population.
Note that the intent is not to try and isolate the behaviour of a
single
resolver, nor to attempt to diagnose the reasons for that behaviour.
The
intent is to look at the user and the set of resolvers that the user's
DNS is configured to use, and determine if the user's DNS will be
"stranded" in the even of a KSK roll.
This answer doesn't seem to fully address Robert's and Ray's questions.
Why use an A/AAAA query if you aren't going to do anything with the
result? If you are going to use A/AAAA, you have to tell resolvers what
to return in the results. Using a new RRtype would have clearer
semantics.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
