On 26 Sep 2018, at 14:30, Warren Kumari wrote:
On Wed, Sep 26, 2018 at 12:40 PM Paul Hoffman <paul.hoff...@vpnc.org>
wrote:
On 26 Sep 2018, at 12:07, Warren Kumari wrote:
On Wed, Sep 26, 2018 at 11:16 AM Benjamin Kaduk <ka...@mit.edu>
wrote:
On Wed, Sep 26, 2018 at 10:12:08AM -0700, Warren Kumari wrote:
On Wed, Sep 26, 2018 at 8:16 AM Benjamin Kaduk <ka...@mit.edu>
wrote:
Benjamin Kaduk has entered the following ballot position for
draft-ietf-dnsop-kskroll-sentinel-15: Discuss
When responding, please keep the subject line intact and reply to
all
email addresses included in the To and CC lines. (Feel free to
cut
this
introductory paragraph, however.)
Please refer to
https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found
here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------
Thanks for preparing this document and mechanism; it is good to
have
more
data about the expected impact of the root KSK roll. That said,
I
have two
Discuss-worthy points, albeit both fairly minor.
The first one may just be something that I missed, but does this
document
actually say anywhere that there needs to be a real zone with
real
configured A and/or AAAA records for the query names used for
these
tests?
The Appendix sort-of-mentions it, but I feel like there needs to
be
a
mention in the main body text.
No hats (OMG, everyone will see I'm going bald...)
Ok, fair. This was actually a source of confusion when we first
started
discussing the document -- we explained it on-list / at mics / in
person,
but it became so well understood that we didn't notice that it is
not
actually specified in the document. I'll try figure out text.
Thanks.
It eventually became pretty clear to me from things like "return
the
A or
AAAA response unchanged" that there was supposed to be a valid
response
provisioned so that it could be returned, but I don't want to rely
on
all
readers making the same inference.
So I opened my editor to add text, and scrolled down to try figure
out
where to add this.
"Section 4.3 - Test Procedure" seemed like a good spot -- and it
already
has this text:
A query name containing the left-most label
"root-key-sentinel-not-ta-<key-tag-of-KSK-current>". This name MUST
be
a
validly-signed. ***Any validly-signed DNS zone can be used for this
test.***
A query name containing the left-most label
"root-key-sentinel-is-ta-<key-tag-of-KSK-new>". This name MUST be a
validly-signed. ***Any validly-signed DNS zone can be used for this
test.***
(emphasis mine).
Does this perhaps address your concerns?
It should not: Section 2.1 specifically says that the query must be
for
A or AAAA.
Ah, I think I'm starting to understand...
A query name containing the left-most label
"root-key-sentinel-not-ta-<key-tag-of-KSK-current". This name MUST be
a
validly-signed name." cover it?
I'd tried putting in stuff like "in a public zone" (but this isn't
actually
true, I could do this entirely in a private namespace if I only wanted
to
test a closed network).
Or perhaps: "This name MUST be a validly-signed name in a validly
signed
zone"? (which is somewhat redundant, but makes it clearer)?
Any suggestions?
Ben asked for the text to appear early, so I think that putting it in
the last section before the Security Considerations doesn't really
count. :-)
How about in Section 2.2 where the document defines the special
processing. Adding a last sentence to the last paragraph might clear
things up:
The answer for the A or AAAA query is sent on to the client.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
