Re: [dane] [Trans] CT for DNSSEC

Tony Finch <dot@dotat.at> Tue, 04 April 2017 09:51 UTC

Date: Tue, 04 Apr 2017 10:51:27 +0100
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
cc: Viktor Dukhovni <ietf-dane@dukhovni.org>, trans@ietf.org, dane@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/7pYHj2B9BraM8yF0I_NUpvcG3WU>

Paul Wouters <paul@nohats.ca> wrote:
>
> Because this is the parental NS RRset for the child, which the parent
> does not sign.

Right.

> The NSEC only covers the existence of the DS record, not of the glue
> records.

Not quite. A delegation NSEC record lists NS NSEC RRSIG and maybe DS, even
though NS isn't signed. (You are right that glue records aren't in the
NSEC chain, though.)

> You really need to find the NSEC(3) record that proves the parent has
> no DS record for the child zone, and really have to find and submit
> the TLSA record and RRSIG. That way the logs can tell who signed the
> DS and/or TLSA record.

Yes. Should probably log the whole DS/DNSKEY/RRSIG chain. You don't need
to log NSEC(3) unless you need to log a proof of nonexistence - maybe to
prove lack of delegation points if there are intermediate labels?

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Northerly veering northeasterly 4 or 5, increasing 5 to 7 in east.
Rough or very rough. Drizzle. Moderate or good.
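
The delegation NSEC type bitmap discussed in this message, as an added example that is not part of the original e-mail: a decoder for the RFC 4034 section 4.1.2 wire format that tells a signed delegation (NS and DS listed) from an insecure one (NS listed, DS absent). The function names and the sample bitmaps are constructed for illustration.

```python
# Added example: decode an NSEC type bitmap (RFC 4034 section 4.1.2) and
# classify the owner name as zone apex, signed delegation or insecure delegation.
TYPES = {1: "A", 2: "NS", 6: "SOA", 43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

def decode_type_bitmap(wire: bytes) -> set[int]:
    """Return the set of RR type numbers present in an NSEC type bitmap."""
    types, pos, last_window = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        pos += 2
        if window <= last_window:
            raise ValueError("window blocks out of order")
        if not 1 <= length <= 32 or pos + length > len(wire):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types

def classify(wire: bytes) -> str:
    """Classify an NSEC owner name from its type bitmap alone."""
    names = {TYPES.get(t, f"TYPE{t}") for t in decode_type_bitmap(wire)}
    if "SOA" in names:
        return "zone apex"
    if "NS" in names:
        # Delegation point: NS is listed even though the parent does not sign it.
        return "signed delegation" if "DS" in names else "insecure delegation"
    return "ordinary name"

# Constructed sample bitmaps (not captured from a real zone).
SAMPLES = {
    "NS DS RRSIG NSEC": bytes.fromhex("0006200000000013"),
    "NS RRSIG NSEC": bytes.fromhex("0006200000000003"),
    "NS SOA RRSIG NSEC DNSKEY": bytes.fromhex("000722000000000380"),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print(f"{label:26} -> {classify(wire)}")
```

The "insecure delegation" case is the NSEC a log would need as proof that the parent has no DS for the child; glue A/AAAA records never appear in any of these bitmaps.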