On 23 Dec 2017, at 11:59, Geoff Huston wrote:

In situations where a client may have multiple resolvers in their local
/etc/resolv.conf configuration, and recursive resolvers may themselves
use forwarders, it is not immediately obvious which resolver
generated the response, so I’m unsure of the interpretation of any
attempt to embed some form of additional information into either the IP
address of the named object.

Exactly right. Having a browser run this test can easily lead to false positive and false negative results for a user who expects that seeing something in their browser means something.

The intent of the test is to establish a usable test along the lines of "If you can retrieve this named object you are ready for a Root Zone KSK roll". The issues around the diversity of behaviours in the DNS turn this
simple single fetch into a compound fetch of three named objects, but
the semantic intent is the same. That is: "From the pattern of the
results of performing these three tests we can compute a likelihood of
concluding whether or not, you, the end user, will, or will not, be
affected by a pending KSK roll."

... for the current set of resolvers that you are using. A quite believable scenario is that while you're sitting in a coffee shop, you get one set of results, but a different set when you change to your home ISP or your organization's network.

From a large enough sample of users we
can then estimate the 'impact' of a KSK roll on the total user
population.

To get a good estimate, you'll need to sample the same user multiple times, looking for changes in the results. The design methodology for such a study will be daunting.

Note that the intent is not to try and isolate the behaviour of a single
resolver, nor to attempt to diagnose the reasons for that behaviour.

Agree. Note, however, that the sentinel can indeed be used to isolate the behavior of a single resolver if you run the test against a known address, not against "whatever /etc/resolv.conf gives me".

The
intent is to look at the user and the set of resolvers that the user's
DNS is configured to use, and determine if the user's DNS will be
"stranded" in the event of a KSK roll.

How can this protocol tell the set of resolvers that the user's DNS is configured to use? Either you are seeing the results as an amorphous blob (as described in Section 4), or as a specific result because you are sending the queries to a single known resolver address.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
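The following is an added worked example, not part of the thread above and not code from the sentinel draft or any resolver. It models the "compound fetch of three named objects" Geoff describes and the multi-resolver problem Paul raises. Everything in it is an assumption for illustration: the three objects are labelled abstractly (is_ta, not_ta, bogus), the four resolver kinds and their per-object success/failure behaviour are modelled after the sentinel idea (a validating resolver that holds the new KSK as a trust anchor resolves one name and fails the other; one that lacks it does the opposite; a non-validating resolver resolves everything; a validating resolver that does not implement the sentinel resolves both sentinel names but fails the bogus control), and the two stub-resolver policies ("fallback" tries resolvers in /etc/resolv.conf order and moves on after a failure, "rotate" picks one at random per query) are simplified stand-ins for real libc behaviour. The sample is constructed, so it runs offline.

```python
"""Simulate the three-object KSK-roll sentinel test on a client with several
configured resolvers.  Added example with assumed semantics; see comments."""
import random
from collections import Counter

# The three named objects of the compound fetch (abstract labels, assumed).
OBJECTS = ("is_ta", "not_ta", "bogus")

# Assumed per-resolver behaviour: True = the object resolves, False = it does not.
#   new_ta  validating, has the new KSK as a trust anchor  -> ready for the roll
#   old_ta  validating, lacks the new KSK                  -> stranded after the roll
#   legacy  does not validate at all                       -> not affected by the roll
#   val_ns  validates but does not implement the sentinel   -> cannot tell
BEHAVIOUR = {
    "new_ta": {"is_ta": True,  "not_ta": False, "bogus": False},
    "old_ta": {"is_ta": False, "not_ta": True,  "bogus": False},
    "legacy": {"is_ta": True,  "not_ta": True,  "bogus": True},
    "val_ns": {"is_ta": True,  "not_ta": True,  "bogus": False},
}
VERDICT = {"new_ta": "ready", "old_ta": "stranded",
           "legacy": "not_affected", "val_ns": "unknown"}

# Reverse map: result pattern of a single, unmixed resolver -> resolver kind.
PATTERN_TO_KIND = {tuple(b[o] for o in OBJECTS): kind
                   for kind, b in BEHAVIOUR.items()}


def classify(pattern):
    """Interpret one (is_ta, not_ta, bogus) triple as the test would.
    A pattern no single resolver kind produces is reported as 'inconsistent'."""
    return VERDICT.get(PATTERN_TO_KIND.get(tuple(pattern)), "inconsistent")


def fetch(resolvers, policy, rng):
    """One run of the three fetches through the client's stub resolver.
    'resolvers' is the ordered list of resolver kinds from /etc/resolv.conf."""
    results = []
    for obj in OBJECTS:
        if policy == "fallback":
            # Assumed libc-like behaviour: try each resolver in order and
            # accept the first success, so one working resolver masks the others.
            results.append(any(BEHAVIOUR[r][obj] for r in resolvers))
        elif policy == "rotate":
            # Assumed rotate behaviour: a random resolver per query, no retry,
            # so each of the three answers may come from a different resolver.
            results.append(BEHAVIOUR[rng.choice(resolvers)][obj])
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return tuple(results)


def survey(resolvers, policy, samples, seed=0):
    """Repeat the test 'samples' times for the same user and count the verdicts.
    Paul's point: one sample can mislead, a distribution shows mixed configs."""
    rng = random.Random(seed)
    return Counter(classify(fetch(resolvers, policy, rng)) for _ in range(samples))


def per_resolver_verdicts(resolvers):
    """What the test says when aimed at each known resolver address directly,
    rather than at 'whatever /etc/resolv.conf gives me'."""
    return [classify(tuple(BEHAVIOUR[r][o] for o in OBJECTS)) for r in resolvers]


if __name__ == "__main__":
    # Constructed client: an old, stranded resolver first, a current one second.
    client = ["old_ta", "new_ta"]
    # Fallback hides the stranded resolver entirely: the user looks 'unknown'.
    print("fallback:", classify(fetch(client, "fallback", random.Random(0))))
    # Rotation makes repeated samples of the same user disagree with each other.
    print("rotate:  ", dict(survey(client, "rotate", 200)))
    # Querying each resolver by address recovers the per-resolver truth.
    print("direct:  ", per_resolver_verdicts(client))
```

The point the simulation makes is Paul's: the blob of three answers only maps cleanly onto a verdict when a single resolver produced all three, and a practitioner who wants a per-resolver answer has to send the queries to a known resolver address.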
