Hi John, thanks for the review of this draft
> On 17 Feb 2018, at 4:35 am, John Dickinson <j...@sinodun.com> wrote: > > Hi, > > I like what this draft is trying to do. > > I am a bit concerned about adding a invalid RR in to a otherwise correctly > signed zone. It suspect that there may be a variation in how validating > resolvers treat authoritative servers that appear to have sent bogus data. > Some might retry, retry other auth servers, stop using that server altogether > etc etc… I have been doing this for many years in an ad-based measurement campaign. When a validating resolver is incapable of validating a response it sends back a SERVFAIL response code of course. Some years back “incapable of validating a response” implied an exhaustive search through all NS’s of all parent zones to see if any path exists that can validate the RRSIG - these days many resolvers simply accept the first invalid response and pass back SERVFAIL. Obviously the SERVFAIL response will prompt a stub resolver to pass the query tyo any other recursive resolvers that it is configured to query. This is of course the same behaviour as one would expect from a validating recursive resolver that has failed to track a KSK roll. I have not observed any signal that a client resolver accepts a SERVFAIL response from a recursive resolver as anything other than a failure for the query itself. > > I suggest that the example A/AAAA RRs on page 4 be written fully qualified so > there can be no doubt that this draft does not imply new special names at the > root (which is what I first thought). “example.com” appears four times on page 4 - are you suggesting that this be altered to read “example.com.”? Or are you suggesting that the 5 instances of the label kskroll-sentinel-(is|not)-ta-2222 which refer to a “resoirce” be edited to read "kskroll-sentinel-(is|not)-ta-2222.example.com"? Or both? > > In the discussion of Charlie’s resolvers I think “from > this he knows (see the logic below) that he is using legacy, non- > validating resolvers.” > > should have the “non-“ removed. > yes - that’s correct. That was a typo. > regards > John > > > On 12 Feb 2018, at 20:28, Warren Kumari wrote: > >> <author hat only> >> >> Hi all, >> >> Sorry it has taken so long to get a new version of this document >> posted - you deserve better. >> >> Anyway, we've finally posted an updated version - >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ >> >> This version includes a (hopefully easily understood) description of >> how this would actually be used, and not just "here's a protocol, k, >> thnx, bye!". I've tried to layout what each party does, and how it all >> fits together - please let me know if it isn't clear. This section is >> towards the top of the document - we will likely make it an Appendix >> before publication. >> >> I've also updated it to use the kskroll-sentinel-is-ta-<id> format. It >> is easy to change again in the future, but this seemed to be what the >> working group liked. I also updated my demo implementation >> (http://www.ksk-test.net) to use this naming scheme. >> >> This version also clarifies that the test is "Is the Key ID a DNSSEC >> root KSK?" Originally my view was that it should be "Is there *any* >> key in the trust store with this keyID?", but after running some >> numbers I decided that there is a significant chance of false >> positives. >> >> As I mentioned, it took an embarrassingly long time to post the update >> - please let us know if we missed your comments. >> >> W >> -- >> I don't think the execution is relevant when it was obviously a bad >> idea in the first place. >> This is like putting rabid weasels in your pants, and later expressing >> regret at having chosen those particular rabid weasels and that pair >> of pants. >> ---maf >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > > > John Dickinson > > http://sinodun.com > > Sinodun Internet Technologies Ltd. > Magdalen Centre > Oxford Science Park > Robert Robinson Avenue > Oxford OX4 4GA > U.K. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
