[ksk-change] How to tell which trust anchors are present at a DNS resolver.
One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally. I was looking at various possibilities including locally significant RRs that could be queried, but nothing clicked.

After a beer with Scott Rose, we came up with the following convention: Querying a server with QNAME="." and QTYPE="DS" and with no recursion gets you a set of DS records that represent the trust anchors for that server for the root.

This would have to be implemented, but given that I think it may take 2 years to get the rollover done, that may not be a problem.

Comments on this approach? (Note comments of "this won't work because it's too late" are understood and ignored.) What we're looking for are comments on whether the convention has bad side effects or would be difficult to implement correctly.

Mike
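As an added example (not code from the thread or from any resolver implementation), here is what the resolver side of the proposed convention would have to do: turn each configured root trust anchor (a DNSKEY) into the DS record that represents it, and hand those back only for QNAME="." QTYPE=DS with RD=0. The DS derivation follows RFC 4034 (key tag, Appendix B) and RFC 4509 (SHA-256 digest over the canonical owner name plus the DNSKEY RDATA). The trust-anchor store, the key material "AQIDBA==" (the constructed bytes 01 02 03 04, not a real key) and the function names are assumptions of this example.

```python
import base64
import hashlib
import struct

# Constructed trust-anchor store standing in for the resolver's configured
# root trust anchors, in DNSKEY presentation form "flags protocol algorithm key".
# "AQIDBA==" is the constructed 4-byte value 01 02 03 04, not a real root key.
ROOT_TRUST_ANCHORS = ["257 3 8 AQIDBA=="]


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lower-case) DNS wire format.

    The root name "." is a single zero-length label, i.e. one zero byte.
    """
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split("."))
    return wire + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64key' into DNSKEY RDATA wire bytes."""
    flags, protocol, algorithm, key_b64 = presentation.split(None, 3)
    public_key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (B.1 is the RSA/MD5 special case)."""
    if rdata[3] == 1:
        # RSA/MD5: the 16 most significant bits of the modulus's last 24 bits.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, presentation: str):
    """Derive a DS record (digest type 2 = SHA-256, RFC 4509) from a DNSKEY.

    Returns (key_tag, algorithm, digest_type, digest_hex).
    """
    rdata = dnskey_rdata(presentation)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def answer_trust_anchor_query(qname: str, qtype: str, rd: bool):
    """Resolver-side handling of the proposed convention.

    A query for QNAME="." QTYPE=DS with RD=0 is answered locally, as DS
    records derived from the configured root trust anchors. Anything else
    returns None, meaning "not covered by the convention, process normally".
    With RD=1 the resolver would run an ordinary recursive lookup, and the
    root's DS has no parent zone to come from, so the convention keys on RD=0.
    """
    if rd or qname != "." or qtype.upper() != "DS":
        return None
    return [ds_from_dnskey(".", anchor) for anchor in ROOT_TRUST_ANCHORS]


def format_ds(owner: str, ds) -> str:
    """Presentation form of one DS record; TTL 0 discourages caching it."""
    tag, algorithm, digest_type, digest = ds
    return f"{owner} 0 IN DS {tag} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    for ds in answer_trust_anchor_query(".", "DS", rd=False) or []:
        print(format_ds(".", ds))
```

The answer is synthesized from local configuration rather than cached data, so what comes back is exactly the anchor set the resolver is validating with; an operator comparing it against the published root DS set sees at once whether a 5011 rollover has added the new key.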
On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:

> One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally.

Why do we need to check externally? (For that matter, what exactly do you mean by "externally"? Most resolvers won't answer queries from outside their local networks anyway.)

> Querying a server with QNAME="." and QTYPE="DS" and with no recursion gets you a set of DS records that represent the trust anchors for that server for the root.

Seems weird but harmless. But I don't understand the use case. I can get this information from a BIND resolver with an "rndc" command, and I would guess there are equivalent mechanisms in other implementations.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
Evan,

> On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>
>> One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally.
>
> Why do we need to check externally?

How can we (the folks who are responsible for the KSK) tell if it is safe to revoke the old KSK?

> (For that matter, what exactly do you mean by "externally"?

From a non-local vantage point.

> Most resolvers won't answer queries from outside their local networks anyway.)

There is that.

Regards,
-drc
On 24 Mar 2015, at 23:27, David Conrad wrote:

>> On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>>
>>> One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally.
>>
>> Why do we need to check externally?
>
> How can we (the folks who are responsible for the KSK) tell if it is safe to revoke the old KSK?

With this mechanism only the open resolvers would be able to tell you. I would hope that is a minimal subset of all the resolvers you'd like to test.

This would provide nice troubleshooting information for people 'inside' the recursive servers' service network, and not everybody has rndc permission, or runs BIND, but it may not be that useful for the KSK signing folk.

—Olaf

- - -
Olaf Kolkman
Chief Internet Technology Officer
Internet Society
kolkman@isoc.org
www.internetsociety.org
On 3/26/2015 11:26 AM, Olaf Kolkman wrote:

> On 24 Mar 2015, at 23:27, David Conrad wrote:
>
>>> On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>>>
>>>> One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally.
>>>
>>> Why do we need to check externally?
>>
>> How can we (the folks who are responsible for the KSK) tell if it is safe to revoke the old KSK?
>
> With this mechanism only the open resolvers would be able to tell you. I would hope that is a minimal subset of all the resolvers you'd like to test.

This is going to get you to a large proportion of servers that serve the broadband home market. What it doesn't necessarily get you are the commercial companies. OTOH those commercial companies may be more likely to be actively managed.

I was trying to figure out if some sort of "test me" web page could be used to reflect this data back to some sort of collector, *without* ending up with a DOS amplification attack. Or a Mozilla or other web browser extension that will do this check every 30 days or so (with user permission, and dump the data somewhere accessible).

*sigh*

Mike

> This would provide nice troubleshooting information for people 'inside' the recursive servers' service network, and not everybody has rndc permission, or runs BIND, but it may not be that useful for the KSK signing folk.
>
> —Olaf
>
> ------------------------------------------------------------------------
> Olaf Kolkman
> Chief Internet Technology Officer
> Internet Society
> kolkman@isoc.org
> www.internetsociety.org
Participants (4): David Conrad, Evan Hunt, Michael StJohns, Olaf Kolkman