Greetings. As I re-read the current draft of
draft-ietf-dnsop-kskroll-sentinel, I'm feeling a bit uneasy about the
description of "Vleg" and of what happens when you get a result that
doesn't fit into the query/type table. The draft is fine for when the
results are Vnew, Vold, and nonV, but it gets mushy for other results.
It's just a name, but "Vleg" indicates that the resolver is a legacy
validating resolver (that is, doesn't do
draft-ietf-dnsop-kskroll-sentinel). As the document says, that's one
possibility, but you can also get the same set of answers from a set of
resolvers that validate and support the protocol, but don't all support
the key whose Key Tag is in the query.
Similarly, if all the client's resolvers support this mechanism, but
some have loaded the key into the trusted key stash and some have
not, then the result is indeterminate ("Vleg").
The draft also uses "indeterminate" in other places for the result.
Given that, calling it "Vleg" could lead implementers of tests to the
wrong conclusion. Calling it "Vind" would be clearer.
And this brings up the second point. The earlier sections of the draft
mix saying that the tests are for "a resolver" and for "a system of
resolvers". Although Section 4 does a good job of discussing the
complications of measuring for a user that has more than one resolver
that have different configurations, earlier sections make the protocol
sound more definitive than it is.
If others agree with me that the draft can use better language around
these, I'm happy to offer new proposed text. If I'm the only one who
finds this part a bit hidden, that's fine, and it can move on as-is.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
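The point about a set of resolvers producing the "Vleg" answer set can be made concrete with a small model. The following is an added example, not code from draft-ietf-dnsop-kskroll-sentinel or from the post above. It encodes the three sentinel probe queries (is-ta, not-ta, and a deliberately bogus name) and the draft's result table as I read them, then runs a test against a client that has two sentinel-aware validating resolvers, one with the key in its trusted key stash and one without. The resolver model, the stub-resolver policies (`failover`, `round_robin`), the key tag 12345 and the `.example.` names are all assumptions made for the example.

```python
"""Added example: model of the sentinel probes and the draft's result table.

Not code from draft-ietf-dnsop-kskroll-sentinel or from the mailing-list post;
the resolver model, stub policies, key tag and names are assumptions.
"""

from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ANSWER, SERVFAIL = "A", "SERVFAIL"

# Key tag of the KSK under test; 12345 is a placeholder, not a real root key tag.
KEY_TAG = 12345
IS_TA = f"root-key-sentinel-is-ta-{KEY_TAG:05d}.example."
NOT_TA = f"root-key-sentinel-not-ta-{KEY_TAG:05d}.example."
BOGUS = "bogus.example."  # stands in for a name with an invalid signature


@dataclass
class Resolver:
    """One recursive resolver as seen from the client (assumed behaviour)."""
    name: str
    validates: bool
    sentinel_aware: bool
    trusted_tags: frozenset = field(default_factory=frozenset)

    def query(self, qname: str) -> str:
        if not self.validates:
            return ANSWER                 # nonV: nothing ever fails validation
        if qname == BOGUS:
            return SERVFAIL               # every validator rejects the bogus name
        if not self.sentinel_aware:
            return ANSWER                 # legacy validator: labels are ordinary names
        has_key = KEY_TAG in self.trusted_tags
        if qname == IS_TA:
            return ANSWER if has_key else SERVFAIL
        if qname == NOT_TA:
            return SERVFAIL if has_key else ANSWER
        return ANSWER


# Result table as I read the draft, keyed by the (is-ta, not-ta, bogus) outcomes.
RESULT_TABLE = {
    (ANSWER, SERVFAIL, SERVFAIL): "Vnew",
    (SERVFAIL, ANSWER, SERVFAIL): "Vold",
    (ANSWER, ANSWER, SERVFAIL): "Vleg",
    (ANSWER, ANSWER, ANSWER): "nonV",
}


def classify(results: Tuple[str, str, str]) -> str:
    """Map an answer triple to a result name, or 'indeterminate' if it is not in the table."""
    return RESULT_TABLE.get(results, "indeterminate")


Policy = Callable[[List[Resolver], str, int], str]


def failover(resolvers: List[Resolver], qname: str, _i: int) -> str:
    """Assumed stub policy: try resolvers in order, move on only on SERVFAIL."""
    for r in resolvers:
        if r.query(qname) == ANSWER:
            return ANSWER
    return SERVFAIL


def round_robin(resolvers: List[Resolver], qname: str, i: int) -> str:
    """Assumed stub policy: send the i-th query to resolver i mod n, no retry."""
    return resolvers[i % len(resolvers)].query(qname)


def run_sentinel_test(resolvers: List[Resolver], policy: Policy = failover) -> Tuple[str, str, str]:
    """Issue the three probes through the client's resolver set and return the answer triple."""
    probes = (IS_TA, NOT_TA, BOGUS)
    return tuple(policy(resolvers, q, i) for i, q in enumerate(probes))


# Constructed resolver configurations for the example.
NEW = Resolver("new", validates=True, sentinel_aware=True, trusted_tags=frozenset({KEY_TAG}))
OLD = Resolver("old", validates=True, sentinel_aware=True)
LEGACY = Resolver("legacy", validates=True, sentinel_aware=False)
NONVAL = Resolver("nonval", validates=False, sentinel_aware=False)

if __name__ == "__main__":
    for r in (NEW, OLD, LEGACY, NONVAL):
        print(f"{r.name:7s} alone:          {classify(run_sentinel_test([r]))}")
    # Two sentinel-aware validators that disagree about the key: same triple as a legacy validator.
    print("new+old, failover:     ", classify(run_sentinel_test([NEW, OLD])))
    # Same resolvers, different stub policy: a triple that is not in the table at all.
    print("old+new, round-robin:  ", classify(run_sentinel_test([OLD, NEW], round_robin)))
```

With the failover policy the mixed pair answers (A, A, SERVFAIL), which the table names "Vleg" even though no legacy validator is involved; with a round-robin policy the same pair answers (SERVFAIL, SERVFAIL, SERVFAIL), which falls outside the table. Which of the two a real client produces depends entirely on its stub-resolver behaviour, which is why a result from a system of resolvers is only as definitive as the assumptions made about that client.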