[dnsext] Trying to reading RFC 4035 as a requirements document
Edward Lewis <Ed.Lewis@neustar.biz> Mon, 03 August 2009 17:23 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4852228C1AF; Mon, 3 Aug 2009 10:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.744
X-Spam-Level:
X-Spam-Status: No, score=-0.744 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xwFrP-fUYOS; Mon, 3 Aug 2009 10:23:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id AF1E128C1BF; Mon, 3 Aug 2009 10:23:14 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MY19N-000F31-Qy for namedroppers-data0@psg.com; Mon, 03 Aug 2009 17:16:41 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Ed.Lewis@neustar.biz>) id 1MY19J-000F1G-4R for namedroppers@ops.ietf.org; Mon, 03 Aug 2009 17:16:39 +0000
Received: from [10.31.200.165] (gatt.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n73HGTIb022024; Mon, 3 Aug 2009 13:16:29 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240800c69cc735ef53@[10.31.200.165]>
Date: Mon, 03 Aug 2009 13:09:18 -0400
To: namedroppers@ops.ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: [dnsext] Trying to reading RFC 4035 as a requirements document
Cc: ed.lewis@neustar.biz
Content-Type: multipart/alternative; boundary="============_-962802706==_ma============"
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
I am trying to boil this document into a list of requirements and have run across a "MUST NOT" that I can't parse. "and MUST NOT perform any of the additional processing described below." The "additional processing described below" seems to be missing or has been altered in someway to make me wonder what is to be skipped - coming from the perspective of already understanding the protocol. Following the "offending" use of requirement language (in the same paragraph) is a comment that DS's "always require" special processing, which is a contradiction with the previous MUST NOT. The next point is about handling queries that are ambiguous, specifically the QNAME, CLASS, NSEC for names owning an NS set. This situation applies DNSSEC or not. Then there is talk about handling the CD and AD bits in situations they are to be ignored. (Does this mean that without the DNSSEC indication in the query, we have to look at these bits? - the old double negative conundrum.) Finally the comment about CNAME synthesis and "server... SHOULD NOT generate signatures". Ignoring a negative requirement - a little hard to test. I have no fix in mind because I'm puzzled about the intent of the offending requirement fragment. Perhaps it should be omitted? The text for convenience. "^^^^" underlines the problem. # 3. Serving # # ... # # A security-aware name server that receives a DNS query that does not # include the EDNS OPT pseudo-RR or that has the DO bit clear MUST # treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and # MUST NOT perform any of the additional processing described below. ---------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # Because the DS RR type has the peculiar property of only existing in # the parent zone at delegation points, DS RRs always require some # special processing, as described in Section 3.1.4.1. # # Security aware name servers that receive explicit queries for # security RR types that match the content of more than one zone that # it serves (for example, NSEC and RRSIG RRs above and below a # delegation point where the server is authoritative for both zones) # should behave self-consistently. As long as the response is always # consistent for each query to the name server, the name server MAY # return one of the following: # # o The above-delegation RRsets. # o The below-delegation RRsets. # o Both above and below-delegation RRsets. # o Empty answer section (no records). # o Some other response. # o An error. # # DNSSEC allocates two new bits in the DNS message header: the CD # (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit # is controlled by resolvers; a security-aware name server MUST copy # the CD bit from a query into the corresponding response. The AD bit # is controlled by name servers; a security-aware name server MUST # ignore the setting of the AD bit in queries. See Sections 3.1.6, # 3.2.2, 3.2.3, 4, and 4.9 for details on the behavior of these bits. # # A security aware name server that synthesizes CNAME RRs from DNAME # RRs as described in [RFC2672] SHOULD NOT generate signatures for the # synthesized CNAME RRs. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
- [dnsext] Trying to reading RFC 4035 as a requirem… Edward Lewis
- Re: [dnsext] Trying to reading RFC 4035 as a requ… Mark Andrews