<div dir="ltr">On Mon, Aug 10, 2015 at 10:47 AM, Edward Lewis <span dir="ltr"><<a href="mailto:edward.lewis@icann.org" target="_blank">edward.lewis@icann.org</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 8/10/15, 8:40, "dns-operations on behalf of Casey Deccio"<br>
<span><<a href="mailto:dns-operations-bounces@dns-oarc.net" target="_blank">dns-operations-bounces@dns-oarc.net</a> on behalf of <a href="mailto:casey@deccio.net" target="_blank">casey@deccio.net</a>> wrote:<br>
<br>
</span><span>>However, if the "missing" key(s) do not have any RRSIGs in the wild<br>
>(e.g., because they are being introduced into the DNSKEY RRset as part of<br>
>pre-publishing or being retired due to post-publishing), then it is not<br>
>an issue. It is not always easy to tell from a snapshot in time, even<br>
>from the RRSIGs that are returned in response to the diagnostic queries<br>
>that are sent, how much of a problem it is, so DNSViz flags it as a<br>
>potential problem. However, despite the "red" error, note that the color<br>
>of the nodes--which represents their authentication status--is still<br>
>blue, indicating that the chain of trust is intact.<br>
<br>
</span>Casey's explanation makes me think about the clumsiness. Looking at a<br>
snapshot, no one knows why a key is present - whether it is in pre-publish<br>
mode, used for some obscure data set in the zone, or waiting to be<br>
retired. Worse, we don't know if it is just from that one server or all<br>
servers. (One cannot, using queries alone, know if all the servers are<br>
simultaneously holding one set, it's simply infeasible, if only because<br>
the speed of light is not infinite.) So, I don't think DNSviz can do "any<br>
better" in flagging the state seen. (Perhaps not red, maybe pink, for<br>
potential problems? ;) )<br></blockquote><div><br></div><div>Actually, it can do "some" better. It doesn't have to be "always error" or "always warning". DNSViz can use the responses it has received to infer the role of each DNSKEY and then use that to determine the severity of DNSKEY RRset mismatch. In the case where there is a DS or (non-DNSKEY) RRSIG that corresponds to a DNSKEY, then it is marked as an error. Otherwise, it is marked as a warning. Here is the result:<br><br><a href="http://dnsviz.net/d/org/VcfF4Q/dnssec/">http://dnsviz.net/d/org/VcfF4Q/dnssec/</a><br><br></div><div>Thanks for the suggestion.<br></div><div><br></div><div>Casey<br></div></div></div></div>
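The severity rule Casey describes (error when a DS or a non-DNSKEY RRSIG refers to the inconsistent key, warning otherwise), written out as an added example in Python; this is not DNSViz's own code, and the server names, key tags and RRSIG sets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    """Evidence gathered from one round of diagnostic queries (constructed sample, not real dnsviz output)."""
    dnskey_sets: dict   # server name -> frozenset of key tags in the DNSKEY RRset it served
    ds_tags: frozenset  # key tags referenced by DS records at the parent
    rrsig_tags: dict    # covered RR type -> frozenset of key tags whose RRSIGs were observed

def mismatched_keys(snap: Snapshot) -> frozenset:
    """Key tags seen in some servers' DNSKEY RRsets but not in all of them."""
    sets = list(snap.dnskey_sets.values())
    return frozenset.union(*sets) - frozenset.intersection(*sets)

def key_evidence(snap: Snapshot, tag: int) -> list:
    """Why the key matters for validation, based only on what the responses showed."""
    reasons = []
    if tag in snap.ds_tags:
        reasons.append("referenced by DS")
    for rrtype, signers in sorted(snap.rrsig_tags.items()):
        # An RRSIG over the DNSKEY RRset alone does not count; only DS or data signatures do.
        if rrtype != "DNSKEY" and tag in signers:
            reasons.append(f"signs {rrtype}")
    return reasons

def classify(snap: Snapshot) -> dict:
    """Map each inconsistent key tag to 'ERROR' (chain of trust may break) or 'WARNING' (likely pre-publish or retiring)."""
    return {tag: ("ERROR" if key_evidence(snap, tag) else "WARNING")
            for tag in sorted(mismatched_keys(snap))}

# Constructed sample: ns2 lacks a pre-published ZSK (3003) and an active ZSK (4004);
# ns3 lacks the KSK (1001) that the parent's DS points at.
SAMPLE = Snapshot(
    dnskey_sets={
        "ns1": frozenset({1001, 2002, 3003, 4004}),
        "ns2": frozenset({1001, 2002}),
        "ns3": frozenset({2002, 3003, 4004}),
    },
    ds_tags=frozenset({1001}),
    rrsig_tags={
        "DNSKEY": frozenset({1001}),
        "SOA": frozenset({2002, 4004}),
        "A": frozenset({2002}),
    },
)

if __name__ == "__main__":
    for tag, severity in classify(SAMPLE).items():
        print(tag, severity, key_evidence(SAMPLE, tag) or ["no DS, no non-DNSKEY RRSIG seen"])
```

Because the evidence comes from a single snapshot, a key that is about to sign data but has not yet done so is still downgraded to a warning, which is exactly the limitation the thread discusses.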