Re: [dane] Behavior in the face of no answer?

[Nicholas Weaver <nweaver@icsi.berkeley.edu>]

On May 15, 2012, at 8:55 AM, Andrew Sullivan wrote:
> I am currently calling these cases "constraint assertions in the DNS"
> because I don't have a nicer name.  I think those calling for funny
> handling of normal DNS conditions like error messages have identified
> a fundamental need in constraint-assertion cases, because if one
> cannot receive a message about the existence of such a constraint
> assertion, one has a problem.  
> 
> This doesn't leave me more certain of what to say in the draft, but at
> least I have a clearer idea of what's at issue.  Does anyone else
> think this way of thinking about the difference is helpful?


Yes.  

It say either "Hard Failure" or "Annoy the @#)(*#@ User Failure" on inability to fetch a proper DNSSEC validating record when one is expected.


Because the TLS system in practice already has a constraint system, Certificate Revocation Lists, which say "Despite the certificate being valid, don't use these certificates".  The CRL check is a "fail open" (proceed if unable to contact the CRL server), its now viewed as useless and is being discontinued at least in Chrome, and I'd expect other browsers to follow suit.


Since the existing "add constraint" system is now considered useless because of the "fail open" nature, any new constraint system MUST be either "fail closed" or "fail annoying" if it can't get the necessary records from DNS.