On 28.3.2018 01:18, Geoff Huston wrote:
>> 3rd proposal
>> ============
>> We have one more thing which needs more manpower to be verified. Right
>> now, the section 3.1. Preconditions is:
>>
>>> 3.1. Preconditions
>>>
>>> All of the following conditions must be met to trigger special
>>> processing inside resolver code:
>>>
>>> o The DNS response is DNSSEC validated and result of validation is
>>> "Secure"
>>>
>>> o The QTYPE is either A or AAAA (Query Type value 1 or 28)
>>>
>>> o The OPCODE is QUERY
>>>
>>> o The leftmost label of the QNAME is either "kskroll-sentinel-is-ta-
>>> <key-tag>" or "kskroll-sentinel-not-ta-<key-tag>"
>>>
>>> If any one of the preconditions is not met, the resolver MUST NOT
>>> alter the DNS response based on the mechanism in this document.
>>
>> and later 5. Sentinel Test Result Considerations discusses how to
>> interpret results, including considerations for CD bit handling between
>> recursor and forwarder (we are not speaking about stubs here!).
>>
>> The current text in section 5 is written with an assumption that query
>> with +CD bit cannot result in "Secure" status and thus cannot trigger
>> sentinel processing, but this depends on implementation.
>>
>> E.g. Knot Resolver stores RRs in cache along with their validation
>> status, so if a client(s) send query *without* CD bit, the RRs will be
>> validated and then stored into cache along with its state, e.g. Secure.
>> Later, when another client asks the same query but with +CD bit, the RR
>> will be read from cache and its state will be Secure despite of the CD bit.
>>
>>
>> Now, if we were literally following the version 06 of this draft, we
>> would trigger the sentinel processing despite the CD bit because the
>> state is Secure (as cached from a previous query). I suspect that this
>> is not what authors of text in section 5 expect ...
>>
>> To counter this I propose to add another precondition:
>> - CD bit in the query is not set
>>
>> IMHO it should solve the problem with implementation-specific cache
>> behavior.
>>
>> Does anyone see a problem with this addition? What did I miss?
>
> I think this is correct Petr - i.e.I agree that it would be clear to add
> a further precondition that the CD bit in the query is _not_ set.
>
> I was VERY surprised to see the opposite text sneak its way into
> a pull request, and equally surprised that a co-author of the draft
> approved the request and pushed the -09 version without raising this
> on the mailing list, particularly as it directly contradicts your
> message here.
Hmm, wait, I think we need to clarify one thing:
Current text in -09 reads:
o The DNS response is DNSSEC validated, regardless of whether
DNSSSEC validation was requested, and result of validation is
"Secure"
I talked to Paul Hoffman about this in person during IETF 101 hackaton
and the intended meaning of "validation was requested" is "regardless of
DO/AD bit in the original query".
Reason is that stubs often emit queries without AD/DO but we want to
validate and apply this logic _unless_ CD is set.
The text "regardless of whether DNSSSEC validation was requested" was
added to warn other avoid other people repeating my mistake from initial
implementation which relied on AD bit in result (which must be requested
by the querier) instead of Secure rank from validator (which does not
depend on AD/DO).
Hopefully it clarifies the intent, but now we need to rephrase the text
in this bullet point... Proposals?
Petr Špaček @ CZ.NIC
>
> The current text in -09 reads:
>
> The DNS response is DNSSEC validated, regardless of whether
> DNSSSEC validation was requested, and result of validation is
> “Secure"
>
> I believe this text in the current draft is incorrect and leads to
> the wrong behaviour. The idea is for the resolver to act in a manner
> that is consistent with the way it would behave in a hypothetical key
> roll scenario - and if the query has the CD bit set the resolver would
> return the response without this special process.
>
>
> Geoff
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
