Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 03 May 2012 22:37 UTC

Date: Thu, 3 May 2012 18:37:49 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120503223745.GC1804@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 22:37:59 -0000

On Thu, May 03, 2012 at 03:20:47PM -0700, Paul Hoffman wrote:
> From the earlier thread on this topic, I do not think there is "wide agreement" on what is and is not bogus. RFC 4033 and 4035 don't even agree about it.
> 

I'm not sure I agree about this.  There is a possible difference in
4033 and 4035 on the meaning of "indeterminate", but I don't know
anyone who disagrees about "bogus": you ought to be able to validate
it, and for some reason, you can't.  Whatever the reason is, it's
bogus.

In this case, what you're talking about is "didn't get an answer".

>    o  If the DNSSEC validation state on the response to the request for
>       the TLSA RRset is bogus, or if a response is not received or the
>       response has no data, this MUST cause TLS not to be started or,
>       if the TLS negotiation is already in progress, MUST cause the
>       connection to be aborted.

I get the analysis, but I feel rather uncomfortable with it.  If you
can't get responses from the DNS, surely you have other problems, to
begin with?

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
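The paragraph quoted above lumps three different conditions together (a Bogus validation state, no response at all, and a response with no data) and gives them one outcome. The following is an added illustration, not code from the draft, from RFC 6698 or from anyone on this thread: it models a TLS client behind a validating resolver, derives the RFC 4033 state plus the two extra conditions from what the stub actually sees (RCODE, AD bit, answer section, or nothing), and applies the quoted MUST while keeping the cause separate so a log can tell "resolver unreachable" apart from "validation failed". The RCODE/AD-to-state mapping, the trust-anchor flag and every name below are assumptions made for the example.

```python
"""Worked example of the quoted draft rule for TLSA lookups.

Added illustration; not code from the draft, RFC 6698 or the thread.
A stub cannot see the validator's internals, so the mapping from
RCODE/AD to a validation state below is an assumption made here, as
are all class and function names.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3   # RCODE values (RFC 1035)


class State(Enum):
    # The four RFC 4033 section 5 states ...
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"
    # ... plus the two extra conditions named in the quoted paragraph.
    NO_RESPONSE = "no response"
    NO_DATA = "no data"


@dataclass(frozen=True)
class TLSARecord:
    """Minimal TLSA RDATA: usage, selector, matching type, assoc. data."""
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass
class DNSReply:
    """What the stub received for the TLSA query (constructed, not captured)."""
    rcode: int
    ad: bool
    answers: List[TLSARecord] = field(default_factory=list)
    # Assumption for the example: False means no configured trust anchor
    # covers the zone, i.e. the RFC 4033 Indeterminate state.
    trust_anchor_covers_zone: bool = True


def classify(reply: Optional[DNSReply]) -> State:
    """Map the stub's view to a state (assumed mapping, see module docstring)."""
    if reply is None:
        return State.NO_RESPONSE           # timeout / resolver unreachable
    if reply.rcode == SERVFAIL:
        # A validating resolver answers SERVFAIL for data that failed
        # validation (RFC 4035 section 5.5); the stub cannot tell that
        # apart from a genuine server failure.  The example treats it
        # as Bogus, which is exactly the ambiguity the message points at.
        return State.BOGUS
    if not reply.trust_anchor_covers_zone:
        return State.INDETERMINATE
    if reply.rcode == NXDOMAIN or not reply.answers:
        return State.NO_DATA               # validated or not: "no data"
    return State.SECURE if reply.ad else State.INSECURE


class Decision(Enum):
    ABORT = "abort"              # TLS MUST NOT start / MUST be aborted
    USE_DANE = "use_dane"        # a Secure TLSA RRset is available
    NOT_COVERED = "not_covered"  # the quoted paragraph says nothing


def tlsa_decision(reply: Optional[DNSReply]) -> Tuple[Decision, State]:
    """Apply the quoted MUST and return the decision with its cause.

    Bogus, no response, or no data -> ABORT.  Secure with data -> USE_DANE.
    Insecure and Indeterminate are not addressed by the quoted text, so
    they are returned as NOT_COVERED for the caller to handle.
    """
    state = classify(reply)
    if state in (State.BOGUS, State.NO_RESPONSE, State.NO_DATA):
        return Decision.ABORT, state
    if state is State.SECURE:
        return Decision.USE_DANE, state
    return Decision.NOT_COVERED, state


def demo() -> List[Tuple[str, Decision, State]]:
    """Run the rule over constructed sample replies (not real traffic)."""
    rec = TLSARecord(3, 1, 1, bytes.fromhex("ab" * 32))
    cases = [
        ("secure, one record", DNSReply(NOERROR, True, [rec])),
        ("validated NODATA", DNSReply(NOERROR, True, [])),
        ("validator SERVFAIL", DNSReply(SERVFAIL, False)),
        ("timeout", None),
        ("unsigned zone", DNSReply(NOERROR, False, [rec])),
    ]
    return [(label, *tlsa_decision(r)) for label, r in cases]


if __name__ == "__main__":
    for label, decision, state in demo():
        print("%-20s -> %-11s (%s)" % (label, decision.value, state.value))
```

Note that three of the five constructed cases end in ABORT for three different reasons; logging only the decision, as the quoted text invites, would hide whether the resolver was down or the zone was actually under attack.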