Skip to main content

DNSSEC Roadblock Avoidance
draft-ietf-dnsop-dnssec-roadblock-avoidance-05

Revision differences

Document history

Date Rev. By Action
2016-11-20
05 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2016-10-24
05 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2016-09-22
05 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2016-09-20
05 (System) RFC Editor state changed to EDIT
2016-09-20
05 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2016-09-20
05 (System) Announcement was received by RFC Editor
2016-09-20
05 (System) IANA Action state changed to No IC from In Progress
2016-09-20
05 (System) IANA Action state changed to In Progress
2016-09-20
05 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2016-09-20
05 Amy Vezza IESG has approved the document
2016-09-20
05 Amy Vezza Closed "Approve" ballot
2016-09-20
05 Amy Vezza Ballot approval text was generated
2016-09-09
05 Jean Mahoney Closed request for Last Call review by GENART with state 'No Response'
2016-09-07
05 Joel Jaeggli IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup
2016-09-07
05 Joel Jaeggli We look clear on this one

lets ship it.
2016-09-07
05 Joel Jaeggli IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation::AD Followup
2016-08-23
05 Stephen Farrell
[Ballot comment]

Thanks for adding alg 8 in response to my discuss. I think you might
want to do another editing pass just to check …
[Ballot comment]

Thanks for adding alg 8 in response to my discuss. I think you might
want to do another editing pass just to check that the end result is
fully consistent, e.g. I'm not sure if alg 8 should also be mentioned in
section 1.3. The diff from -04 to -05 might also contain a few other
such things, but I'm in an airport now so better I clear the discuss
and leave such tidying to you.

--- OLD COMMENTs below, I didn't check 'em vs. the latest
version

general, mostly 3.x.y: it'd have been nice to include a
dig command line for each of these tests - that'd save the
non-expert reader some time and allow easy scripting of
most of this BCP.

general: Why not say to include a test with a known, but
not well-known, public key (or DS) to check if anyone on
the path is fibbing? E.g. a tester could remember a few
public keys and check that they've not changed in a new
location.  While that may only catch out a cheating real
parent, did you consider including such a test?

- 3.1.4: How is a "recently defined type" a reasonable
thing to check for in a BCP? Seems odd anyway.

- 6.1: what if there is no user? Why not recommend telling
some network observatory? Aren't there some for DNSSEC?
2016-08-23
05 Stephen Farrell [Ballot Position Update] Position for Stephen Farrell has been changed to Yes from Discuss
2016-08-11
05 Terry Manderson [Ballot comment]
Thank you for addressing my DISCUSS (and other comments) in this new version.

Clearing my DISCUSS.
2016-08-11
05 Terry Manderson [Ballot Position Update] Position for Terry Manderson has been changed to No Objection from Discuss
2016-08-11
05 (System) Sub state has been changed to AD Followup from Revised ID Needed
2016-08-11
05 Wes Hardaker IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2016-08-11
05 Wes Hardaker New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-05.txt
2016-07-14
04 Tero Kivinen Closed request for Last Call review by SECDIR with state 'No Response'
2016-07-11
04 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Has Issues. Reviewer: Eric Vyncke.
2016-07-07
04 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2016-07-07
04 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2016-07-07
04 Alvaro Retana [Ballot comment]
Just for good measure: I also agree with Terry's DISCUSS.
2016-07-07
04 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2016-07-07
04 Benoît Claise
[Ballot comment]
Here is Eric Vyncke's (pretty knowledgeable security expert) OPS DIR review (you'll see that it's in line with Terry's DISCUSS point):
Based on …
[Ballot comment]
Here is Eric Vyncke's (pretty knowledgeable security expert) OPS DIR review (you'll see that it's in line with Terry's DISCUSS point):
Based on my operational experience, I have seen multiple DNSSEC packets dropped by firewalls because they try to use EDNS0 rather than fragmenting. Does your I-D also address this issue?

I am a little puzzled by the hand waving "we also assume that the path is clear of "DNS interfering" crap-ware/middle-boxes, like stupid firewalls, proxies, forwarders." (I would avoid the use of "stupid") This restriction does not appear as realistic to me in the current deployment.

In the wave of IPv6 deployment and IPv4 sunset, I would suggest that examples (such as in 3.1.1) uses AAAA RR and not A.

It is a little unclear to me WHEN the host should run those test? At boot time? At every network attach? When it resumes operation after a sleep period? Or a periodic test (such as hourly) ? This could cause a scalability problem in vast WiFi deployment.

I am also a little puzzled by another hand waving "The goal of this document is to tie the above tests and aggregations to avoidance practices; however the document does not specify exactly how to do that." and later "Else return an useful error code" which will make interoperation (API portability) complex.

With a little improvement for some unclear (to me) text, this document could be useful. Especially if either the mitigation part is improved or removed completely.

I hope the above will help to improve a very useful document
2016-07-07
04 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2016-07-06
04 Alia Atlas [Ballot comment]
I do agree with Terry's point.
2016-07-06
04 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2016-07-06
04 Suresh Krishnan [Ballot comment]
Agree with Terry's DISCUSS and COMMENTs
2016-07-06
04 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2016-07-06
04 Ben Campbell
[Ballot comment]
- I support Terry's discuss.

- 1.2, 2nd paragraph: Is "full non-support" effectively different from "non-support" in this context?

Do we have reason …
[Ballot comment]
- I support Terry's discuss.

- 1.2, 2nd paragraph: Is "full non-support" effectively different from "non-support" in this context?

Do we have reason to expect the github project to be maintained for the life of the RFC?

- 3.1.1 et. al. : Do we have reason to believe the dnssec-tools.org domain will be maintained for the life of the RFC?

- 5:

The first paragraph seems to say that the document does not accomplish it’s goal. Is that really the intent? (And doesn't the document at least do some of that?)

"... we can determine what MUST be done in order..."
Spurious 2119 MUST

"short-circuit any unnecessary fallback attempts.":  Does "short circuit" mean the same as "avoid" in this context?

"problems with the name server MAY manifest": Spurious 2119 "MAY"

- 5.1, "It MAY be possible...": Spurious 2119 "MAY"

-5.1.2: s/real/really

- 6: "A newly established network connection MAY change state...": Spurious 2119 "MAY"

-8: Seems like there could be  more to say about the potential consequences about the “fail or proceed without security” decision in 6 and 6.1.
2016-07-06
04 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2016-07-06
04 Kathleen Moriarty [Ballot comment]
I support Stephen & Terry's discuss points.
2016-07-06
04 Kathleen Moriarty [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty
2016-07-06
04 Alissa Cooper
[Ballot comment]
- Agree with Terry's DISCUSS.

- Sec. 2: The last paragraph here isn't really about "goals" and seems like it belongs more appropriately …
[Ballot comment]
- Agree with Terry's DISCUSS.

- Sec. 2: The last paragraph here isn't really about "goals" and seems like it belongs more appropriately in Sec 3.

- Sec 6.1: I thought recently gathered data has been pointing to the futility of popping up security warnings (e.g., http://neurosecurity.byu.edu/media/Anderson_et_al._CHI_2015.pdf). Does it really make sense to recommend warning users in a BCP? What are users expected to do as a result? Is there any evidence about the proportion of users who even know what DNSSEC is?
2016-07-06
04 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2016-07-06
04 Alexey Melnikov
[Ballot comment]
I am agreeing with Terry's DISCUSS.

I think this is a useful document, but it is not entirely clear to me how well …
[Ballot comment]
I am agreeing with Terry's DISCUSS.

I think this is a useful document, but it is not entirely clear to me how well content of this document will age with time.

Nits:

In section 5:

  This will increase the likelihood that spit-view unsigned answers are found.

Should spit-view be split-view?

On page 14:
  For a stub resolver, problems with the name server MAY manifest themselves as the following types of error conditions:

This is not an implementation choice, so use of MAY is not appropriate. Change to "can" or the like.
2016-07-06
04 Alexey Melnikov Ballot comment text updated for Alexey Melnikov
2016-07-05
04 Terry Manderson
[Ballot discuss]
This should be  a very easy DISCUSS to resolve.

In section 4, the second "Note", I urge you to reconsider using the term …
[Ballot discuss]
This should be  a very easy DISCUSS to resolve.

In section 4, the second "Note", I urge you to reconsider using the term "crap-ware", and words "stupid", "crap".. these make this document look and sound very poor for an IETF published document. Knowing the intelligence of the authors I can't see how this was thought of as passable and made it through WGLC irrespective of how we collectively view these devices.

Perhaps such words like "protocol naive" are better placed.
2016-07-05
04 Terry Manderson
[Ballot comment]
small nits and comments:

Abstract: s/outline potential/outlines potential/

s1.1
  second bullet, perhaps you could just say "not DNSSEC aware" to be parsimonious …
[Ballot comment]
small nits and comments:

Abstract: s/outline potential/outlines potential/

s1.1
  second bullet, perhaps you could just say "not DNSSEC aware" to be parsimonious with words
  third bullet '"middle-boxes" actively'?
  fourth bullet "Network components" ?

  para after the bullets: "s/perform these test/perform these tests/ and I don't mean this to sound snide, but what is a regular Validating Resolver? as opposed to something else? (irregular?)
  last para of s1.1. "not uncommon to get results that are not consistent" suggest "not uncommon to get results that are inconsistent"

s1.2 is https://github.com/ogud/DNSSEC_ALG_Check going to be a fully stable URL?

s1.3 May I suggest moving the 'Notation' section above the background to better arm the reader?
    By saying "actual validating resolver" I presume you mean a standalone daemon listening on port 53?

s2 "This document specifies two sets of tests to perform a comprehensive
  one and a fast one." I think you missed a comma.  And is normative language really needed in the following sentence?

s3, you might like to use a RFC4786 reference for anycast in the first 'Note'

s3.1 second para "SHOULD have the recursive flag", suggest "SHOULD have the Recursion Desired (RD) flag set"

s3.1.1, please use the example domain for such examples, ie example.com, and once you have used it do you really need to repeat it for each 'existing' text until you get to the non-existent tests and so on up to 3.1.14.

And on s3.1.14 Will "alltypes.res.dnssecready.org"  be a stable query point?

s 3.3 Some formatting might help with the DNS query examples here.
2016-07-05
04 Terry Manderson [Ballot Position Update] New position, Discuss, has been recorded for Terry Manderson
2016-07-05
04 Spencer Dawkins
[Ballot comment]
This was an entertaining read.

I share Mirja's comments. In addition:

I'm not sure how well ESL readers will understand "crap-ware"/"crap" in this …
[Ballot comment]
This was an entertaining read.

I share Mirja's comments. In addition:

I'm not sure how well ESL readers will understand "crap-ware"/"crap" in this passage ("crap-ware" is probably a reasonable term of art, if it's intelligible enough to readers):

  NOTE: when performing these tests we also assume that the path is
  clear of "DNS interfering" crap-ware/middle-boxes, like stupid
  firewalls, proxies, forwarders.  Presence of such crap can easily
  make the recursive resolver look bad.  It is beyond the scope of the
  document as how to test around the interference.

I'm not sure what "ideally MUST" means, in

  However, querying many zones will
  result in answers greater than 1220 bytes so ideally TCP MUST be
  available.
2016-07-05
04 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2016-07-05
04 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2016-07-04
04 Stephen Farrell
[Ballot discuss]

Why omit sha256 (in particular Alg = 8) from this?  That
seems like a quite bad plan and *not* a BCP given our …
[Ballot discuss]

Why omit sha256 (in particular Alg = 8) from this?  That
seems like a quite bad plan and *not* a BCP given our
current knowledge of hash functions.
2016-07-04
04 Stephen Farrell
[Ballot comment]

general, mostly 3.x.y: it'd have been nice to include a
dig command line for each of these tests - that'd save the
non-expert …
[Ballot comment]

general, mostly 3.x.y: it'd have been nice to include a
dig command line for each of these tests - that'd save the
non-expert reader some time and allow easy scripting of
most of this BCP.

general: Why not say to include a test with a known, but
not well-known, public key (or DS) to check if anyone on
the path is fibbing? E.g. a tester could remember a few
public keys and check that they've not changed in a new
location.  While that may only catch out a cheating real
parent, did you consider including such a test?

- 3.1.4: How is a "recently defined type" a reasonable
thing to check for in a BCP? Seems odd anyway.

- 6.1: what if there is no user? Why not recommend telling
some network observatory? Aren't there some for DNSSEC?
2016-07-04
04 Stephen Farrell [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell
2016-07-04
04 Mirja Kühlewind
[Ballot comment]
1) Shouldn't/can't section 3.1.13. (UDP size limits) also specify a real test?

2) To follow up with the tsv-art review: To avoid network …
[Ballot comment]
1) Shouldn't/can't section 3.1.13. (UDP size limits) also specify a real test?

2) To follow up with the tsv-art review: To avoid network as well as server overload, would it be useful to provide further guidance, when and how often these tests should be performed?

3) In section 6.1.  (What To Do): maybe also list logging as an option in cases where no user is directly involved but a human might check later.
2016-07-04
04 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2016-07-03
04 Alexey Melnikov
[Ballot comment]
I think this is a useful document, but it is not entirely clear to me how well content of this document will age …
[Ballot comment]
I think this is a useful document, but it is not entirely clear to me how well content of this document will age with time.

Nits:

In section 5:

  This will increase the likelihood that spit-view unsigned answers are found.

Should spit-view be split-view?

On page 14:
  For a stub resolver, problems with the name server MAY manifest themselves as the following types of error conditions:

This is not an implementation choice, so use of MAY is not appropriate. Change to "can" or the like.
2016-07-03
04 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov
2016-06-27
04 Joel Jaeggli IESG state changed to IESG Evaluation from Waiting for Writeup
2016-06-27
04 Joel Jaeggli Ballot has been issued
2016-06-27
04 Joel Jaeggli [Ballot Position Update] New position, Yes, has been recorded for Joel Jaeggli
2016-06-27
04 Joel Jaeggli Created "Approve" ballot
2016-06-27
04 Joel Jaeggli Ballot writeup was changed
2016-06-27
04 Joel Jaeggli Placed on agenda for telechat - 2016-07-07
2016-06-17
04 (System) IESG state changed to Waiting for Writeup from In Last Call
2016-06-13
04 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Eric Vyncke
2016-06-13
04 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Eric Vyncke
2016-06-09
04 Jean Mahoney Request for Last Call review by GENART is assigned to Wassim Haddad
2016-06-09
04 Jean Mahoney Request for Last Call review by GENART is assigned to Wassim Haddad
2016-06-09
04 Tero Kivinen Request for Last Call review by SECDIR is assigned to Paul Wouters
2016-06-09
04 Tero Kivinen Request for Last Call review by SECDIR is assigned to Paul Wouters
2016-06-07
04 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2016-06-07
04 Sabrina Tanamal
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt, which is currently in Last Call, and has the following comments:

We understand that this …
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN
2016-06-03
04 Amy Vezza IANA Review state changed to IANA - Review Needed
2016-06-03
04 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: tjw.ietf@gmail.com, joelja@gmail.com, draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org
Reply-To: ietf@ietf.org …
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: tjw.ietf@gmail.com, joelja@gmail.com, draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (DNSSEC Roadblock Avoidance) to Best Current Practice


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'DNSSEC Roadblock Avoidance'
  as Best Current
Practice

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-06-17. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes problems that a DNSSEC aware resolver/
  application might run into within a non-compliant infrastructure.  It
  outline potential detection and mitigation techniques.  The scope of
  the document is to create a shared approach to detect and overcome
  network issues that a DNSSEC software/system may face.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/ballot/


The following IPR Declarations may be related to this I-D:

  https://datatracker.ietf.org/ipr/2716/



2016-06-03
04 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2016-06-03
04 Joel Jaeggli Last call was requested
2016-06-03
04 Joel Jaeggli Last call announcement was generated
2016-06-03
04 Joel Jaeggli Ballot approval text was generated
2016-06-03
04 Joel Jaeggli Ballot writeup was generated
2016-06-03
04 Joel Jaeggli IESG state changed to Last Call Requested from AD Evaluation
2016-05-26
04 Joel Jaeggli IESG state changed to AD Evaluation from Publication Requested
2016-05-26
04 Tim Wicinski
1. Summary

Document Shepherd:  Tim Wicinski
Area Director:      Joel Jaggeli

Document Type: Best Current Practice

Explain briefly what the intent of the document …
1. Summary

Document Shepherd:  Tim Wicinski
Area Director:      Joel Jaggeli

Document Type: Best Current Practice

Explain briefly what the intent of the document is (the document's abstract is usually good for this), and why the working group has chosen the requested publication type (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic).

Summary:

  This document describes problems that a DNSSEC aware resolver or application might run into within a non-compliant infrastructure; outlining potential detection and mitigation techniques.  This document attempts to create a shared approach to detect and overcome    network issues that a DNSSEC deployment may face.

As Document Shepherd, I feel the document is ready for publication and I stand behind the document.

2. Review and Consensus

This document was actively reviewed, though in organized bursts when the authors were available.  The authors were very actively in addressing issues brought up and everything brought up both in meetings and on the mailing list were addressed to satisfaction of the working group.

Also, multiple implementations of the compliance checks were written, including teams not involved with the writing of this draft.  This has shown the working group there is a strong consensus from desire for these checks to be standardized.

- Intellectual Property

    There is one known IPR issue that has been disclosed, and all the authors and working group feel this has little to no bearing on the document itself.

4. Other Points

- There are no downward normative references.

- This document does not change the status of any existing RFCs.

- There are no known formal reviews that are needed for this document.

- The document uses FQDNs from dnssec-failed.org and dnssec-test.org, outside of RFC2606. However, these domains have been registered for the purpose of returning answers for the various tests.

- IANA Considerations

    There are no IANA Considerations for this document.
2016-05-26
04 Tim Wicinski Responsible AD changed to Joel Jaeggli
2016-05-26
04 Tim Wicinski IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2016-05-26
04 Tim Wicinski IESG state changed to Publication Requested
2016-05-26
04 Tim Wicinski IESG process started in state Publication Requested
2016-05-26
04 Tim Wicinski Changed document writeup
2016-05-26
04 Tim Wicinski Changed consensus to Yes from Unknown
2016-05-24
04 Tim Wicinski IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call
2016-04-03
04 Ólafur Guðmundsson New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt
2016-03-21
03 Ólafur Guðmundsson New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-03.txt
2015-11-30
Naveen Khan Posted related IPR disclosure: Red Hat, Inc.'s Statement about IPR related to draft-ietf-dnsop-dnssec-roadblock-avoidance and This disclosure relates to text amendment proposed in  http://www.ietf.org/mail-archive/web/dnsop/current/msg13303.html
2015-11-04
02 Tim Wicinski IETF WG state changed to In WG Last Call from WG Document
2015-10-14
02 (System) Notify list changed from "Tim Wicinski"  to (None)
2015-07-04
02 Tim Wicinski Intended Status changed to Best Current Practice from None
2015-07-01
02 Ólafur Guðmundsson New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-02.txt
2014-12-01
01 Tim Wicinski Notification list changed to "Tim Wicinski" <tjw.ietf@gmail.com>
2014-12-01
01 Tim Wicinski Document shepherd changed to Tim Wicinski
2014-09-03
01 Wes Hardaker New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-01.txt
2014-03-07
00 Tim Wicinski This document now replaces draft-hardaker-dnsop-dnssec-roadblock-avoidance instead of None
2014-03-07
00 Wes Hardaker New version available: draft-ietf-dnsop-dnssec-roadblock-avoidance-00.txt