Re: [dane] Behavior in the face of no answer?

[Eric Rescorla <ekr@rtfm.com>]

On Fri, May 4, 2012 at 12:44 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> On Fri, May 04, 2012 at 11:59:25AM -0700, Eric Rescorla wrote:
>
>> I'm sorry, I think we're still talking past each other. If you treat
>> non-response
>> the same way as you treat a validated empty RRSET, then a network
>> attacker can get the same effect (i.e., no DANE checks) by simple
>> suppressing DNS resolution.
>
> I likely wasn't clear enough.  I was not advocating treating
> non-response that way.   I was saying that "non-response" and "an
> empty answer" (i.e. an empty answer section in the DNS response)
> are not to be treated the same; somewhere else in the discussion it
> seemed that they were being collapsed.
>
> I believe it is possible to get a useful response that has nothing in
> the Answer, Authority, and Additional sections only if you trust your
> upstream, you trust the connection somehow, you set CD=0, and you get
> AD=1 on the response.  In that case, I believe it is a legitimate
> NODATA response (though I don't know of any implementation that works
> this way), and it is validated.  It means there is no TLSA record at
> that owner name, just like if you used CD=1 and got back an answer
> with (say) an NSEC3 record in the Authority.  If I sound tentative,
> it's because I haven't in the last 48 hours walked through the
> relevant RFCs in order to be perfectly sure that this is what a NODATA
> response looks like for a non-validated security-aware stub relying on
> upstream validation.  But I think this is right.
>
> In any case, if all of those necessary conditions aren't satisfied,
> then the answer is either bogus or indeterminate and you should react
> accordingly.  This is already covered in the existing draft.

Now I'm really confused. What do you think the draft says about "no response"

-Ekr