On Thu, Oct 30, 2014 at 3:43 PM, Rose, Scott <[email protected]> wrote:
> On the subject of NTA's that should be there -
>
> Should there be text describing auto-adding of NTA's based on important
> domains (for the ISP/resolver's definition of important)?
> So that domains that are used by low level services don't fail that also
> aren't normally visible to end users? One example is nist.gov. When
> nist.gov messed up and went DNSSEC BOGUS, time.nist.gov was unreachable by
> validating resolvers. Unless the log files were detailed, a user may not
> know what is going on or that NTP is having issues.
>
Sorry, but to me this sounds like a bad idea -- you should find out that your "not normally visible to end users" failures are happening because your network monitoring system goes "Beep Beep Beep" when low level important services die. The NOC then goes off and investigates and discovers that e.g. the NTP monitor is sad because time.nist.gov is unresolvable. At this point there really needs to be a *human* in the loop to decide what to do, if the failure really *is* a DNSSEC failure and, more importantly, if installing an NTA is the right answer. This requires a human judgment call on whether the outage requires serious action. For example, for the *huge* majority of folk time.nist.gov going unresolvable was simply not an issue -- but many years ago I worked for a digital timestamp / nonrepudiation company, and things failed spectacularly if *they* couldn't talk to time.nist.gov. This is, and should be, a "Break Glass" type event, not an automated best guess.

Neither Google Public DNS nor Comcast have yet installed an NTA for fema.net...

> This could be a monitor, or a pre-loaded NTA for certain domains. Not crazy
> about the pre-loaded idea, but it would avoid a period of scrambling.

I think that some scrambling is preferable to incorrectly overriding DNSSEC validation in the case of an "actual" issue. If the thingie you are talking to is sufficiently critical to your operations you *really* should be monitoring it. When the monitor fires your well trained NOC leaps into action, opens the binder and flips to the checklist - if they discover that the failure is truly a DNSSEC issue (e.g. they call up the operators of criticalservice.org who tell them that the HSM and hidden master are both under 3 ft of piranha infested water) they flip to the section marked "Installing an NTA". This has another checklist that confirms that it really is A: a DNSSEC failure and B: that criticalservice.org is actually critical.
Having confirmed this, the NOC folk reference Appendix A in [draft-livingood-dnsop-negative-trust-anchors] and install an NTA for criticalservice.org. They then note this in the ticketing system, add it to the daily NOC log and go back to playing Minecraft. The following NOC shift has an open ticket and periodically tests if the issue is resolved. Once it is, the NTA gets removed.

This should all be a very rare occurrence - but if and when you need it, you *really* need it. Having the NTA option available in an emergency is really useful, but it should not be used in an automated manner.

If a name is critical enough that you are considering automatically installing an NTA there are probably 3 questions you need to ask:
1: DNSSEC is designed to prevent MITM attacks -- if it is this critical to me, is failing "open" the right answer?
2: If the service is *this* critical to me, perhaps I have too many eggs in one basket and need to find a second provider?
and 3: If I'm seeing these failures often enough that I'm considering this, have I selected the wrong supplier here?

W

>
> Scott
>
> On Oct 29, 2014, at 5:11 PM, Warren Kumari <[email protected]> wrote:
>
>> Over on the BIND-Users list there is currently a discussion of
>> fema.net (one of the "Federal Emergency Management Agency" domains)
>> being DNSSEC borked
>> (https://lists.isc.org/pipermail/bind-users/2014-October/094142.html)
>>
>> This is an example of the sort of issues that an NTA could address --
>> I'd like to note that currently neither Google Public DNS (8.8.8.8)
>> nor Comcast (75.75.75.75) have put in an NTA for it, but if it were
>> fema.gov, and this were during some sort of national disaster in the
>> US, things might be different...
>> W
>>
>
> ===================================
> Scott Rose
> NIST
> [email protected]
> +1 301-975-8439
> Google Voice: +1 571-249-3671
> http://www.dnsops.gov/
> ===================================
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
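The checklist Warren describes (confirm it is really a DNSSEC failure, confirm the name is really critical, open a ticket, install the NTA, have the next shift re-test and remove it) can be written down as code. The following is an added example, not code from this thread, from the draft, or from any resolver. It assumes a probe function that can query a name with and without the CD (checking disabled) bit and report the rcode and AD flag; the probe results, the domain down.example / ok.example and the ticket number are all constructed for the example. The one real diagnostic it encodes is that a validating resolver returns SERVFAIL for bogus data while the same query with CD=1 succeeds, which is what separates a DNSSEC failure from an authoritative server that is simply down.

```python
"""Triage of a 'critical name won't resolve' alert against the NTA checklist
from the thread.  Added example, not code from the thread or from any
resolver; the probe results below are constructed, not captured."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    HEALTHY = "resolves and validates (AD set)"
    INSECURE_OK = "resolves without AD: unsigned, or an NTA already covers it"
    BOGUS = "SERVFAIL only when validating: a DNSSEC failure, NTA candidate"
    OUTAGE = "SERVFAIL even with CD=1: not a DNSSEC problem, an NTA cannot help"


def classify(probe, name):
    """probe(name, cd) -> (rcode, ad).  A validating resolver answers SERVFAIL
    for bogus data; the same query with CD=1 (checking disabled) skips
    validation, so 'works with CD, fails without' isolates a DNSSEC failure
    from an ordinary outage."""
    rcode_validating, ad = probe(name, cd=False)
    rcode_cd, _ = probe(name, cd=True)
    if rcode_validating == "NOERROR":
        return Verdict.HEALTHY if ad else Verdict.INSECURE_OK
    if rcode_cd == "NOERROR":
        return Verdict.BOGUS
    return Verdict.OUTAGE


@dataclass
class NTA:
    name: str
    ticket: str
    installed: float
    lifetime: float  # seconds; short on purpose, the next shift re-tests anyway


@dataclass
class NTAStore:
    entries: dict = field(default_factory=dict)

    def install(self, name, verdict, critical, ticket, now, lifetime=3600.0):
        """The checklist gates: (A) confirmed DNSSEC failure, (B) confirmed
        critical, plus a ticket so a human owns the override and its removal."""
        if verdict is not Verdict.BOGUS:
            raise ValueError(f"{name}: {verdict.value}; refusing to install an NTA")
        if not critical:
            raise ValueError(f"{name}: not confirmed critical; let it fail closed")
        if not ticket:
            raise ValueError(f"{name}: no ticket, no NTA")
        self.entries[name] = NTA(name, ticket, now, lifetime)

    def covers(self, qname):
        """An NTA turns off validation for the name and everything below it."""
        return any(qname == n or qname.endswith("." + n) for n in self.entries)

    def recheck(self, probe, now):
        """The next shift's job: drop NTAs whose names validate again, or whose
        lifetime ran out, so an override never quietly outlives the outage."""
        removed = []
        for name, nta in list(self.entries.items()):
            expired = now >= nta.installed + nta.lifetime
            if expired or classify(probe, name) is Verdict.HEALTHY:
                del self.entries[name]
                removed.append(name)
        return removed


def make_probe(table):
    """Stand-in for a resolver query: looks (name, cd) up in a constructed table."""
    return lambda name, cd: table[(name, cd)]


# Constructed results: nist.gov bogus (the thread's example), an unrelated
# outage where the authoritative servers are simply down, and a healthy zone.
DURING_INCIDENT = {
    ("nist.gov.", False): ("SERVFAIL", False),
    ("nist.gov.", True): ("NOERROR", False),
    ("down.example.", False): ("SERVFAIL", False),
    ("down.example.", True): ("SERVFAIL", False),
    ("ok.example.", False): ("NOERROR", True),
    ("ok.example.", True): ("NOERROR", False),
}
AFTER_FIX = {**DURING_INCIDENT, ("nist.gov.", False): ("NOERROR", True)}


if __name__ == "__main__":
    probe = make_probe(DURING_INCIDENT)
    store = NTAStore()
    for name in ("nist.gov.", "down.example.", "ok.example."):
        print(name, classify(probe, name).value)
    # A human has confirmed the failure with the zone operator and the
    # criticality, and opened a (constructed) ticket.
    store.install("nist.gov.", classify(probe, "nist.gov."), critical=True,
                  ticket="NOC-1234", now=0.0)
    print("time.nist.gov. bypasses validation:", store.covers("time.nist.gov."))
    print("removed after fix:", store.recheck(make_probe(AFTER_FIX), now=600.0))
```

Note that the gates are all inputs a human supplies (the verdict from a CD=1 comparison, the criticality decision, the ticket); nothing here installs an NTA on its own, which is the point of the thread. In a real deployment the install and removal steps map onto the resolver's own mechanism, e.g. BIND's `rndc nta` (which carries a lifetime and re-tests the name itself) or Unbound's `domain-insecure:` directive.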
