Re: [dane] Behavior in the face of no answer?

Scott Schmit <i.grok@comcast.net> Wed, 09 May 2012 00:50 UTC

Date: Tue, 8 May 2012 20:50:06 -0400
From: Scott Schmit <i.grok@comcast.net>
To: dane@ietf.org
Message-ID: <20120509005006.GA15139@odin.ulthar.us>
In-Reply-To: <alpine.LSU.2.00.1205082113260.17365@hermes-2.csi.cam.ac.uk>

On Tue, May 08, 2012 at 09:14:21PM +0100, Tony Finch wrote:
> Paul Wouters <paul@cypherpunks.ca> wrote:
> > On Tue, 8 May 2012, Tony Finch wrote:
> >
> > > I think the "DNSSEC works but TLSA doesn't" heuristic may also be useful.
> >
> > I don't think you can use that at all.
> >
> > You will still run into DNS implementations that cannot do TLSA or generic
> > records that are not malicious, and I don't really know how you would
> > distinguish those from malicious TLSA breakage, so you cannot really
> > draw any conclusion from such state.
> 
> What is the overlap between servers that support DNSSEC but not RFC 3597?

RFC 4034 requires use of RFC 3597 for unknown types, so the overlap is
supposed to be an empty set.

-- 
Scott Schmit
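As an added illustration (not part of the thread above), this shows what a TLSA record looks like in the RFC 3597 generic presentation form that RFC 4034 requires for unknown RR types, and how a client decodes and sanity-checks it; the record values and digest are constructed, not taken from any real zone.

```python
"""Encode/decode a TLSA RR (RFC 6698) in RFC 3597 generic '\\# <len> <hex>' form."""
import binascii
from dataclasses import dataclass

TLSA_TYPE = 52  # IANA RR type code for TLSA

# Expected cert_data length for each matching type (None = full data, any length)
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # 1 = SHA-256, 2 = SHA-512


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0..3 certificate usage
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    cert_data: bytes


def parse_generic_rdata(text):
    """Turn RFC 3597 presentation text ('\\# RDLENGTH hex...') into raw RDATA."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(fields[1])
    raw = binascii.unhexlify("".join(fields[2:]))  # hex may be space-separated
    if len(raw) != declared:
        raise ValueError(f"RDLENGTH {declared} does not match {len(raw)} data bytes")
    return raw


def decode_tlsa(raw):
    """Split raw TLSA RDATA into its three one-octet fields and the cert data."""
    if len(raw) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    rec = TLSA(raw[0], raw[1], raw[2], bytes(raw[3:]))
    expected = DIGEST_LEN.get(rec.matching_type)
    if expected is not None and len(rec.cert_data) != expected:
        raise ValueError(f"matching type {rec.matching_type} needs {expected} bytes")
    return rec


def encode_generic(rec):
    """Inverse of parse+decode: emit the RFC 3597 generic presentation form."""
    raw = bytes([rec.usage, rec.selector, rec.matching_type]) + rec.cert_data
    return r"\# " + str(len(raw)) + " " + raw.hex()


# Constructed sample: DANE-EE(3), SPKI(1), SHA-256(1) with a placeholder digest.
SAMPLE_DIGEST = bytes(range(32))
SAMPLE_GENERIC = encode_generic(TLSA(3, 1, 1, SAMPLE_DIGEST))
```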