Re: [dane] An AD bit discussion

Florian Weimer <fw@deneb.enyo.de> Sat, 08 March 2014 17:06 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB371A02DB for <dane@ietfa.amsl.com>; Sat, 8 Mar 2014 09:06:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQHdw4Itqxfx for <dane@ietfa.amsl.com>; Sat, 8 Mar 2014 09:06:01 -0800 (PST)
Received: from ka.mail.enyo.de (ka.mail.enyo.de [87.106.162.201]) by ietfa.amsl.com (Postfix) with ESMTP id 8AEA91A02B8 for <dane@ietf.org>; Sat, 8 Mar 2014 09:06:01 -0800 (PST)
Received: from [172.17.135.4] (helo=deneb.enyo.de) by ka.mail.enyo.de with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) id 1WMKh9-0001ZQ-IQ; Sat, 08 Mar 2014 18:05:55 +0100
Received: from fw by deneb.enyo.de with local (Exim 4.80) (envelope-from <fw@deneb.enyo.de>) id 1WMKh9-0003nv-Dv; Sat, 08 Mar 2014 18:05:55 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Paul Wouters <paul@nohats.ca>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <20140226155752.GT21390@mournblade.imrryr.org> <alpine.LFD.2.10.1402261114460.3528@bofh.nohats.ca>
Date: Sat, 08 Mar 2014 18:05:55 +0100
In-Reply-To: <alpine.LFD.2.10.1402261114460.3528@bofh.nohats.ca> (Paul Wouters's message of "Wed, 26 Feb 2014 11:16:36 -0500 (EST)")
Message-ID: <87a9d0ei30.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VD41ZTzfuOnvpnHt8Ci_sVObSpg
Cc: dane@ietf.org
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 17:06:03 -0000

* Paul Wouters:

> Sorry, I mistook the flags in the struct to be the DNS flags. Let me
> rephrase it as "a DNS API call that returns the presence or lack of
> AD bit"

I think this focus on the AD bit is a grave mistake.  There are other
technologies for securing DNS data.  At least one of them (installing
an authenticated copy of the zone in the resolver) is superior to
DNSSEC according to various criteria, but full implementation requires
that the resolver clears the AD bit.