On 12 Feb 2018, at 12:28, Warren Kumari wrote:
> I also updated my demo implementation
> (http://www.ksk-test.net) to use this naming scheme.

I would very much like to see draft-ietf-dnsop-kskroll-sentinel move
forward, but was concerned that the result might be something where an
end-user might not be able to reliably test the resolver they were using
for it. Warren's Javascript code from that page uses the idea that an
image that could not be loaded would have a height of zero:

    if (img_invalid.height === 0) {invalid = false;}
    if (img_is_ta.height === 0) {is_ta = false;}
    if (img_not_ta.height === 0) {not_ta = false;}

That seems to work for some browsers, but I worried that some browsers
might implement something different for their Javascript. (This is not
to knock Warren's code: he admitted it was a quick hack.)

After some investigation, I have a different method that should work in
all browsers that follow the HTML and Javascript standards. It does not
rely on any non-standard assumptions in the client-side Javascript.

In the <head> of an HTML document, first include something like this:

    <script>var collected_names = [];</script>

... to create a global variable that holds a list. Then include:

    <script src="http://kskroll-sentinel-is-ta-4f66.example.com/is-ta.js"></script>
    <script src="http://kskroll-sentinel-not-ta-4f66.example.com/not-ta.js"></script>
    <script src="http://invalid.example.com/invalid.js"></script>

The files that are attempted to be retrieved have one line of code,
different for each file:

    collected_names.push("is_ta");

or

    collected_names.push("not_ta");

or

    collected_names.push("invalid");

The result is that the collected_names list now contains an entry for
each of the domains where the .js file was fetchable. The Javascript (in
yet another <script> block) can then process that list to determine the
sentinel status.

I have some very simple sample code that tests this for the Vleg and
nonV cases, but I'm still waiting for a resolver that runs
kskroll-sentinel properly to test for all four. (Kudos to Knot Resolver
for being first to implement, but there is a small bug that they say
should be fixed soon.)

So, for folks waiting to see if draft-ietf-dnsop-kskroll-sentinel could
really work in practice, this is a very good sign.

--Paul Hoffman
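
The list-processing step the message describes, written out as an added example (not code from the message or from ksk-test.net). The function name classifySentinel is hypothetical, and the Vnew, Vold and "other" outcomes and the mapping from fetch results to categories are taken from draft-ietf-dnsop-kskroll-sentinel rather than from the message, which names only Vleg and nonV.

```javascript
// Added example: classify the resolver from the collected_names list
// that the three <script> loads populate. classifySentinel is a
// hypothetical name; the categories are those of
// draft-ietf-dnsop-kskroll-sentinel.

function classifySentinel(collectedNames) {
  // Only the three markers pushed by the .js files matter; duplicates
  // collapse and unknown entries are ignored.
  const seen = new Set(collectedNames);
  const isTa = seen.has("is_ta");
  const notTa = seen.has("not_ta");
  const invalid = seen.has("invalid");

  // invalid.js loaded: a name that must fail DNSSEC validation resolved,
  // so the resolver is not validating.
  if (invalid) {
    // A non-validating resolver should also have resolved both sentinel
    // names; anything else is an inconsistent result.
    return (isTa && notTa) ? "nonV" : "other";
  }
  if (isTa && notTa) return "Vleg"; // validates, ignores the sentinel labels
  if (isTa) return "Vnew";          // tested key tag is a trust anchor
  if (notTa) return "Vold";         // tested key tag is not a trust anchor
  return "other";                   // nothing loaded, e.g. network failure
}

// Constructed sample inputs, one per outcome.
const samples = [
  ["is_ta", "not_ta", "invalid"],
  ["is_ta", "not_ta"],
  ["is_ta"],
  ["not_ta"],
  ["invalid"],
  [],
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classifySentinel(s));
}
```

In a page, this would run in a final <script> block as classifySentinel(collected_names), after the three sentinel script elements have been attempted.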