IETF Logo Mail Archive

Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 06 October 2008 15:12 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4BAE13A6A1D; Mon, 6 Oct 2008 08:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.641
X-Spam-Level:
X-Spam-Status: No, score=-0.641 tagged_above=-999 required=5 tests=[AWL=-0.146, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ma5N58zjhcvS; Mon, 6 Oct 2008 08:12:18 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5C9163A688C; Mon, 6 Oct 2008 08:12:18 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KmrW3-000Es3-4r for namedroppers-data@psg.com; Mon, 06 Oct 2008 14:56:55 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Ed.Lewis@neustar.biz>) id 1KmrVm-000Epp-AE for namedroppers@ops.ietf.org; Mon, 06 Oct 2008 14:56:45 +0000
Received: from [192.168.1.101] (ns.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.2/8.14.2) with ESMTP id m96EuSmR053845; Mon, 6 Oct 2008 10:56:28 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240800c50fd3decd5b@[192.168.1.101]>
In-Reply-To: <E1KicTm-000ANO-PO@psg.com>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com>
Date: Mon, 06 Oct 2008 10:55:02 -0400
To: Michael StJohns <mstjohns@comcast.net>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 10.20.30.4
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

At 18:04 -0400 9/24/08, Michael StJohns wrote:
>If "intermediate validation to protect legacy stub resolvers" were deprecated,
>I'd agree with you.  (can we please huh huh can we deprecate it????)

If we deprecate that, what's the point of DNSSEC?  DNSSEC is designed 
to stem cache poisoning, so that caches don't give out answers they 
can't verify to their clients.  The client to cache is protected by 
TSIG, TKEY, IPSEC, or maybe just crossing one's fingers and hoping 
for the link to be secure.  (Legacy has to count on the latter - 
assuming legacy is pre-TSIG et.al.)

>Since we're still touting the utility of having an intermediate make a
>decision about what it wants to send to a stub based on the intermediate's
>understanding of security, we need to pick a consistent understanding of
>that security.  (In other words, the application we're concerned with here
>is the stub side server of the validating resolver).

Or we make use of the CD bit.  In early workshops (about 10 years ago 
I mean) we ran into the problem that not all computers agreed on the 
current time.  (NTP wasn't as widespread as it is now.)  The way 
around that at the time was to use the CD bit and get the answer as 
it passed through from the source.

>ps - anyone want to take a whack at documenting how various applications
>should handle various DNSSEC outcomes?  The ones I can think of off the top
>of my head that should be done are: SMTP (both submitter to MTA and MTA
>to MTA), HTTP (what the browser does *before* the user gets involved -
>pretty sure just exposing the DNSSEC resolution state isn't the best
>answer), SSH,  peer-to-peer.

DNSSEC was built ("repeat chorus") to stem cache poisoning, i.e., 
protect the admission of DNS data to the cache.  It wasn't meant to 
protect the applications making use of the data.  If an application 
wants to act like a cache with a verifier, fine.  Then it asks for 
everything with CD, gets as much raw data, and does it's own check. 
If it can't reach the source (because of firewalls, forwarders, 
etc.,), well it's up a creek anyway.

To an application - either their is an answer in DNS or not.  The 
grey area is too hard to make use of, a general solution isn't 
useful.  It's like with lame delegation testing in the reverse map. 
There are a lot of screw ups there, a lot follow certain pathologies 
that, even common, make up a small percentage of the total problems. 
It isn't worth trying to diagnose for the few predictable 
misconfigurations.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email