Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 07 May 2012 16:08 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1053F21F8642 for <dane@ietfa.amsl.com>; Mon, 7 May 2012 09:08:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.627
X-Spam-Level:
X-Spam-Status: No, score=-2.627 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7woTI59WHIHS for <dane@ietfa.amsl.com>; Mon, 7 May 2012 09:08:26 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 68C3F21F8616 for <dane@ietf.org>; Mon, 7 May 2012 09:08:26 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id BFC981ECB41D for <dane@ietf.org>; Mon, 7 May 2012 16:08:25 +0000 (UTC)
Date: Mon, 7 May 2012 12:08:24 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120507160824.GK8963@mail.yitter.info>
References: <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <20120504165512.GC7394@mail.yitter.info> <CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com> <20120504194132.GF7394@mail.yitter.info> <alpine.LFD.2.02.1205041553030.7798@bofh.nohats.ca> <AD11709E-F662-492E-BE3B-23ADD82536F0@icsi.berkeley.edu> <C8A32DF2-E912-4D53-B0E3-D79852632A3E@kumari.net> <C8244A46-63BD-4903-B72C-6AB43413FB61@ICSI.Berkeley.EDU> <DEED37B2-216E-44DA-8EDC-8E4271BDCBD5@vpnc.org> <A6208FF0-4544-470C-BBBD-5C4E328C6EC4@ICSI.Berkeley.EDU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <A6208FF0-4544-470C-BBBD-5C4E328C6EC4@ICSI.Berkeley.EDU>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2012 16:08:27 -0000

On Mon, May 07, 2012 at 08:23:06AM -0700, Nicholas Weaver wrote:
> 
> The cynic in me observes that without end-host validation, DANE is
> just a connectionless version of the existing browser Certificate
> Revocation List protocol:

Not every browser is in a home or public network with an ISP's
corrupted resolver upstream.  Just because that is the main network
model you test doesn't make it the Internet, as I already pointed out
in this thread.

MSFT's main DNSSEC offering depends on IPSec and doing validation in
the central resolver.  That approach -- which I personally happen not
to like -- is enabled by the DNSSEC specifications.  Their stuff isn't
unusual in enterprise deployments.  We don't get to pooh-pooh that for
DANE just because we don't like it.  If we think that model is broken,
then we need to deprecate it.  If we're not going to deprecate it --
and I wish you luck -- then DANE needs to work for that DNSSEC
deployment, too.

Best,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com