Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Thu, 03 May 2012 22:50 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA57921F8740 for <dane@ietfa.amsl.com>; Thu, 3 May 2012 15:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.852
X-Spam-Level:
X-Spam-Status: No, score=-102.852 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5jlRm7Qi8cn for <dane@ietfa.amsl.com>; Thu, 3 May 2012 15:50:04 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0F15621F873E for <dane@ietf.org>; Thu, 3 May 2012 15:49:59 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so2004770vcb.31 for <dane@ietf.org>; Thu, 03 May 2012 15:49:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=45MN0ohGJBlCAlGWEW7k03wJk4+UOpzAoGilzqx8F9M=; b=daj0/wUCSD3ssUnnrr+dH5umueSbhf/4UTSNO5+YnwFoQtPxhFjrqKWPAYmb5kgEl5 8Q9inAALGFPAddpgbDP1DLSOpWCG2qKPQcSEQ6kvMEX6IsFY9oFrx0rJnxLBTLNfIxpR Y/F15+/MKSLzSsntb3+eWurYXZe3gYHa7zI7vM1SkFP4miwLP+cjlPc84Kygs1g89Tdz OhGO7/T/bZcV4/DIpH2y4SOqWn/wVYoZvPg5hzR1US7aoWLHKHUMm75ocsQn7c8n7YRZ 8+20hwpOaUnGQrVxGXAaDrOuAXhoM6dRnibHbpwv7iVmI6wfIemJ7waDp357JC/9087g DrMw==
Received: by 10.52.172.194 with SMTP id be2mr1829416vdc.60.1336085399588; Thu, 03 May 2012 15:49:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Thu, 3 May 2012 15:49:19 -0700 (PDT)
X-Originating-IP: [74.95.2.169]
In-Reply-To: <alpine.LFD.2.02.1205031834060.28022@bofh.nohats.ca>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <alpine.LFD.2.02.1205031834060.28022@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 May 2012 15:49:19 -0700
Message-ID: <CABcZeBPiYtDQF-BxAGRMOinHhZL6ABJPvTyCF2USzpzL__jhrg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQkxcnQu9792S8oY3dCGNLOm/hj3lgF50aUnbdrqjKTf2sEkvZDCFG5rmqJqJec+J1HW5gzQ
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 22:50:05 -0000

On Thu, May 3, 2012 at 3:45 PM, Paul Wouters <paul@nohats.ca> wrote:
> On Thu, 3 May 2012, Paul Hoffman wrote:
> A response with no data, where there is a DNSSEC chain of trust, is
> per definition bogus, as your response, even for 'no data', has to come
> with the signed proof (NSEC/NSEC3).
>
> I would just leave out "or the response has no data"

I should probably mention that the analysis I am offering applies to any
other non-cryptographically verifiable error case, such as ICMP
errors, unverifiable SERVFAILs, etc. It's not clear to me if these
are all treated as Bogus, but in this context I claim they must
be.

-Ekr
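The decision rule the thread is arguing over, written out as Python so the cases line up side by side. This is an added example, not code from Ekr's message, the DANE WG or any IETF document; the TlsaResponse fields, the three-state chain status and the sample lookups are constructed for illustration and are not taken from a real resolver or validator API. The one design choice worth noting: "no data" is accepted only with a validated NSEC/NSEC3 denial, and every response the client cannot check cryptographically (unsigned empty answer, SERVFAIL, timeout, ICMP error, unknown chain status) lands in the same Bogus bucket instead of being read as "no TLSA records, fall back to plain PKIX".

```python
"""Fail-closed classification of a DANE TLSA lookup (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Literal, Optional

# "secure": validated DS chain from a trust anchor down to the zone.
# "insecure": validated NSEC/NSEC3 proof that the parent has no DS.
# "unknown": the client could not establish either.
Chain = Literal["secure", "insecure", "unknown"]


class Outcome(Enum):
    SECURE_TLSA = "validated TLSA records: use them"
    SECURE_NODATA = "validated NSEC/NSEC3 denial: no TLSA for this name"
    INSECURE = "proven unsigned zone: DANE not applicable"
    BOGUS = "unverifiable: abort, do not fall back"


@dataclass
class TlsaResponse:
    """What a validating client knows after querying _443._tcp.<host> TLSA.

    Constructed model of validator state; real validators expose this
    through their own APIs and the field names here are assumptions.
    """
    # None means no DNS reply arrived at all: timeout, ICMP unreachable, reset.
    rcode: Optional[str]
    chain: Chain = "unknown"
    answer_validated: bool = False   # RRSIGs over the TLSA RRset check out
    denial_validated: bool = False   # NSEC/NSEC3 proof of "no data" checks out
    tlsa_records: List[str] = field(default_factory=list)


def classify(resp: TlsaResponse) -> Outcome:
    # 1. No reply, SERVFAIL, REFUSED, ...: nothing in such an error is
    #    signed, so the client cannot tell an outage from an attacker
    #    stripping the RRset. Treat it as Bogus, never as "no data".
    if resp.rcode not in ("NOERROR", "NXDOMAIN"):
        return Outcome.BOGUS

    # 2. Only a *proven* insecure delegation may skip DANE. "unknown" is
    #    not the same thing and is handled like any other unverifiable case.
    if resp.chain == "insecure":
        return Outcome.INSECURE
    if resp.chain != "secure":
        return Outcome.BOGUS

    # 3. Inside a signed zone every answer, including an empty one, must
    #    carry its own proof: RRSIGs for records, NSEC/NSEC3 for absence.
    if resp.tlsa_records:
        return Outcome.SECURE_TLSA if resp.answer_validated else Outcome.BOGUS
    return Outcome.SECURE_NODATA if resp.denial_validated else Outcome.BOGUS


# Constructed sample lookups, one per branch of the argument. The TLSA
# rdata is a placeholder (usage 3, selector 1, matching type 1, fake digest).
FAKE_TLSA = "3 1 1 0123abcd"
SAMPLES = {
    "signed, TLSA present": TlsaResponse(
        "NOERROR", "secure", answer_validated=True, tlsa_records=[FAKE_TLSA]),
    "signed, NSEC3 denial": TlsaResponse("NOERROR", "secure", denial_validated=True),
    "signed, empty, no denial": TlsaResponse("NOERROR", "secure"),
    "signed, TLSA but RRSIG fails": TlsaResponse(
        "NOERROR", "secure", tlsa_records=[FAKE_TLSA]),
    "unsigned zone (proven)": TlsaResponse("NOERROR", "insecure"),
    "chain status unknown": TlsaResponse("NOERROR", "unknown"),
    "SERVFAIL from resolver": TlsaResponse("SERVFAIL", "secure"),
    "timeout / ICMP unreachable": TlsaResponse(None, "secure"),
}


def classify_all() -> dict:
    """Classify every sample; handy for a quick table of the decision rule."""
    return {name: classify(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in classify_all().items():
        print(f"{name:32s} -> {outcome.name}")
```

Running the block prints the decision table; the only inputs that let a connection proceed are a validated TLSA RRset, a validated denial, or a proven-insecure zone, and the last of those is where a stub that trusts its resolver's AD bit must be careful, since a forwarder that merely drops the AD bit would otherwise turn a signed zone into an "insecure" one.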