On 12 Feb 2018, at 12:28, Warren Kumari wrote:

I also updated my demo implementation
(http://www.ksk-test.net) to use this naming scheme.

I would very much like to see draft-ietf-dnsop-kskroll-sentinel move forward, but was concerned that the result might be something where an end-user might not be able to reliably test the resolver they were using for it. Warren's Javascript code from that page uses the idea that an image that could not be loaded would have a height of zero:

      if (img_invalid.height === 0) {invalid = false;}
      if (img_is_ta.height === 0) {is_ta = false;}
      if (img_not_ta.height === 0) {not_ta = false;}

That seems to work for some browsers, but I worried that some browsers might implement something different for their Javascript. (This is not to knock Warren's code: he admitted it was a quick hack.)

After some investigation, I have a different method that should work in all browsers that follow the HTML and Javascript standards. It does not rely on any non-standard assumptions in the client-side Javascript.

In the <head> of an HTML document, first include something like this:
   <script>var collected_names = [];</script>
... to create a global variable that holds a list. Then include:
   <script src="http://kskroll-sentinel-is-ta-4f66.example.com/is-ta.js"></script>
   <script src="http://kskroll-sentinel-not-ta-4f66.example.com/not-ta.js"></script>
   <script src="http://invalid.example.com/invalid.js"></script>
The files that are attempted to be retrieved have one line of code, different for each file:
   collected_names.push("is_ta");
      or
   collected_names.push("not_ta");
      or
   collected_names.push("invalid");
The result is that the collected_names list now contains an entry for each of the domains where the .js file was fetchable. The Javascript (in yet another <script> block) can then process that list to determine the sentinel status.

I have some very simple sample code that tests this for the Vleg and nonV cases, but I'm still waiting for a resolver that runs kskroll-sentinel properly to test for all four. (Kudos to Knot Resolver for being first to implement, but there is a small bug that they say should be fixed soon.)

So, for folks waiting to see if draft-ietf-dnsop-kskroll-sentinel could really work in practice, this is a very good sign.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
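
The list-processing step mentioned in the message, as an added example (not code from Paul Hoffman, Warren Kumari or the draft): it maps the contents of `collected_names` to the four resolver cases. The function name, the `Vnew`/`Vold` labels (taken from the draft's case names) and the `"unknown"` fallback are assumptions of this example.

```javascript
// Added example: classify the resolver from the collected_names list that the
// three <script> fetches populate. Each entry means "that .js file loaded",
// i.e. the corresponding name resolved through the user's resolver.
function classifySentinel(collectedNames) {
  // The list is a page-global that any script can push to, so accept only
  // the three expected markers and collapse duplicates.
  const expected = ["is_ta", "not_ta", "invalid"];
  const seen = new Set(collectedNames.filter((n) => expected.includes(n)));

  const isTa = seen.has("is_ta");     // kskroll-sentinel-is-ta-<id> resolved
  const notTa = seen.has("not_ta");   // kskroll-sentinel-not-ta-<id> resolved
  const invalid = seen.has("invalid"); // deliberately bogus name resolved

  if (invalid) {
    // A validating resolver never returns the bogus name. If it loaded,
    // both sentinel names must have loaded too, or the run is inconsistent.
    return isTa && notTa ? "nonV" : "unknown";
  }
  if (isTa && notTa) return "Vleg"; // validates, but ignores the sentinel labels
  if (isTa) return "Vnew";          // validates and has the key as a trust anchor
  if (notTa) return "Vold";         // validates and lacks the key
  // Nothing loaded: blocked scripts, no network, or mixed resolvers.
  return "unknown";
}

// Constructed sample inputs, one per outcome.
const samples = [
  ["is_ta"],
  ["not_ta"],
  ["not_ta", "is_ta"],
  ["is_ta", "not_ta", "invalid"],
  ["invalid"],
  [],
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classifySentinel(s));
}
```

Script load order is not guaranteed to match list order, which is why the function tests membership rather than position.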
