Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 04 May 2012 02:00 UTC

Date: Thu, 3 May 2012 22:00:27 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120504020027.GA4560@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <alpine.LFD.2.02.1205031834060.28022@bofh.nohats.ca> <F8F0237D-C940-4404-B4D0-AF8C079B4081@vpnc.org>
In-Reply-To: <F8F0237D-C940-4404-B4D0-AF8C079B4081@vpnc.org>

On Thu, May 03, 2012 at 04:11:51PM -0700, Paul Hoffman wrote:
> On May 3, 2012, at 3:45 PM, Paul Wouters wrote:
> > 
> > I'm not sure I understand "has no data" in the context of DNSSEC with
> > a validation path (eg DS at the parent).
> 
> A response of SERVFAIL is a response, and it has no data in it.

Aha.  That's not what many people think of when they say "no data".
See section 1 of RFC 2308.  SERVFAIL is actually an error response.
Since SERVFAIL was sort of overloaded in DNSSEC, maybe you want to
call that out.  But what are you going to do with things like NOTIMP,
then?

But I think it still may be possible to get a validated NODATA
response, if you're a non-validating security-aware stub resolver and
your upstream decided not to send you the NSEC or NSEC3 record, but
sent you a response with AD=1, and you had a secure connection.  I
think this would be _stupid_, but I think it's protocol-legal.  (I am
not aware of any implementation that works this way.  Also, I haven't
checked this interpretation tonight, and am therefore prepared to be
wrong.)

> > A response with no data, where there is a DNSSEC chain of trust, is
> > per definition bogus, as your response, even for 'no data' has to come
> > with the signed proof (NSEC/NSEC3)
> 
> That is a reasonable interpretation. Can you point to somewhere in 4033-5 where it says that clearly?
> 

As I say above, I think it depends on whether you think a response
with AD=1 and some assurances about the last hop qualify.  If you
don't, then Paul W is right.

A
-- 
Andrew Sullivan
ajs@anvilwalrusden.com
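The distinctions the thread is drawing, as an added example that is not part of Andrew's message and not code from any DANE or resolver implementation: SERVFAIL (and NOTIMP) is an error response rather than "no data" in the RFC 2308 section 1 sense; a validated NODATA for a signed zone needs a signed NSEC or NSEC3 denial in the authority section; and the corner case Andrew describes, a non-validating stub that accepts AD=1 from an upstream it reaches over a trusted channel even when the denial records were stripped. The record and response structures, the sample responses and the `trusts_last_hop` switch are assumptions of this example, constructed to exercise each branch.

```python
"""Classify a DNS response to a TLSA query the way a DANE client has to.

Example only: a deliberately small model of a DNS message, not a parser
for real wire-format responses. Sample responses below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class RCode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3
    NOTIMP = 4


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type, and (for RRSIG) the type it covers."""
    name: str
    rtype: str
    covers: str = ""


@dataclass
class Response:
    rcode: RCode
    ad: bool = False                              # AD bit as set by the upstream resolver
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


class Verdict(Enum):
    ERROR = auto()              # SERVFAIL/NOTIMP: an error response, not "no data" (RFC 2308 sec. 1)
    DATA = auto()               # signed TLSA RRset present
    NODATA_PROVEN = auto()      # empty answer with a signed NSEC/NSEC3 denial (RFC 4035)
    NODATA_TRUSTED_AD = auto()  # empty answer, no denial, AD=1 accepted over a trusted last hop
    INSECURE = auto()           # unsigned zone: nothing to validate, DANE not applicable
    BOGUS = auto()              # signed zone, no proof, and nothing else to trust


def _has_signed(rrs, rtype):
    """True if an RRset of the given type and an RRSIG covering it are both present."""
    have_rrset = any(rr.rtype == rtype for rr in rrs)
    have_sig = any(rr.rtype == "RRSIG" and rr.covers == rtype for rr in rrs)
    return have_rrset and have_sig


def classify(resp, qtype="TLSA", zone_signed=True, trusts_last_hop=False):
    """Decide what a DANE client may conclude from one response.

    zone_signed: whether a chain of trust (DS at the parent) exists for the name.
    trusts_last_hop: a non-validating stub that reaches its resolver over a
    channel it trusts and is willing to believe the resolver's AD bit (the
    protocol-legal but, as the thread notes, unwise case).
    """
    if resp.rcode in (RCode.SERVFAIL, RCode.NOTIMP):
        return Verdict.ERROR                      # error response, carries no data at all
    if not zone_signed:
        return Verdict.INSECURE                   # no chain of trust: nothing to prove
    if any(rr.rtype == qtype for rr in resp.answer):
        # Positive answer: the RRset itself must be signed to be usable.
        return Verdict.DATA if _has_signed(resp.answer, qtype) else Verdict.BOGUS
    # NOERROR with an empty answer (NODATA) or NXDOMAIN: a denial must be proven.
    if _has_signed(resp.authority, "NSEC") or _has_signed(resp.authority, "NSEC3"):
        return Verdict.NODATA_PROVEN
    if resp.ad and trusts_last_hop:
        return Verdict.NODATA_TRUSTED_AD          # the "AD=1 but no NSEC sent" corner case
    return Verdict.BOGUS                          # signed zone, no data, no proof


# Constructed sample responses for the TLSA name _443._tcp.example.com.
NAME = "_443._tcp.example.com."
SAMPLES = {
    "servfail": Response(RCode.SERVFAIL),
    "notimp": Response(RCode.NOTIMP),
    "signed_tlsa": Response(RCode.NOERROR, ad=True,
                            answer=[RR(NAME, "TLSA"), RR(NAME, "RRSIG", "TLSA")]),
    "nodata_with_nsec": Response(RCode.NOERROR, ad=True,
                                 authority=[RR("example.com.", "SOA"),
                                            RR(NAME, "NSEC"), RR(NAME, "RRSIG", "NSEC")]),
    "nodata_nsec_stripped": Response(RCode.NOERROR, ad=True,
                                     authority=[RR("example.com.", "SOA")]),
}


def classify_samples(trusts_last_hop=False):
    """Run every constructed sample through classify() and return the verdicts."""
    return {k: classify(v, trusts_last_hop=trusts_last_hop) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:22s} -> {verdict.name}")
    print("with trusted last hop, stripped denial ->",
          classify(SAMPLES["nodata_nsec_stripped"], trusts_last_hop=True).name)
```

The only input that changes verdict under `trusts_last_hop=True` is the stripped-denial response: with the denial records present the proof stands on its own, and with an error rcode there is nothing to trust in the first place, which is the distinction Andrew is making between an error response and a validated "no data".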