Hello dnsop, here are two (hopefully non-controversial) additions for dnssec-kskroll-sentinel-06:
https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/14/commits 1st proposal ============ There might be dumb stubs which ignore RCODE and just look for data in the ANSWER section, i.e. these would not see a difference between SERVFAIL and non-SERVFAIL RCODE and skew measurement results. Right now the draft says "return SERVFAIL" and naive implementation could keep content of ANSWER section intact /as I naively did in first iteration/, which is not desirable. Proposal here is to add text below table at the end of section in 3.2: | Key Tag is trusted | Key Tag is not trusted ------------------------------------------------------------------ is-ta | return original answer | return SERVFAIL not-ta | return SERVFAIL | return original answer ++ Instruction "return SERVFAIL" means that the resolver MUST set RCODE=SERVFAIL (value 2) and MUST empty the ANSWER section of the DNS response, ignoring all other documents which specify content of the ANSWER section. 2nd proposal ============ Add caveat that SERVFAIL can get cached (forwarding!), so TA fixes/update might not be visible immediatelly. Addition to the end of "Sentinel Test Result Considerations": + <t>Please note that SERVFAIL might be cached according to + <xref target="RFC2308"/> section 7 for up to 5 minutes + and a positive answer for up to its TTL.</t> 3rd proposal ============ We have one more thing which needs more manpower to be verified. Right now, the section 3.1. Preconditions is: > 3.1. Preconditions > > All of the following conditions must be met to trigger special > processing inside resolver code: > > o The DNS response is DNSSEC validated and result of validation is > "Secure" > > o The QTYPE is either A or AAAA (Query Type value 1 or 28) > > o The OPCODE is QUERY > > o The leftmost label of the QNAME is either "kskroll-sentinel-is-ta- > <key-tag>" or "kskroll-sentinel-not-ta-<key-tag>" > > If any one of the preconditions is not met, the resolver MUST NOT > alter the DNS response based on the mechanism in this document. and later 5. Sentinel Test Result Considerations discusses how to interpret results, including considerations for CD bit handling between recursor and forwarder (we are not speaking about stubs here!). The current text in section 5 is written with an assumption that query with +CD bit cannot result in "Secure" status and thus cannot trigger sentinel processing, but this depends on implementation. E.g. Knot Resolver stores RRs in cache along with their validation status, so if a client(s) send query *without* CD bit, the RRs will be validated and then stored into cache along with its state, e.g. Secure. Later, when another client asks the same query but with +CD bit, the RR will be read from cache and its state will be Secure despite of the CD bit. Now, if we were literally following the version 06 of this draft, we would trigger the sentinel processing despite the CD bit because the state is Secure (as cached from a previous query). I suspect that this is not what authors of text in section 5 expect ... To counter this I propose to add another precondition: - CD bit in the query is not set IMHO it should solve the problem with implementation-specific cache behavior. Does anyone see a problem with this addition? What did I miss? -- Petr Špaček @ CZ.NIC _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
