IETF Logo Mail Archive

Re: AS IF: draft-ietf-dnsext-ad-is-secure-03.txt

Greg Hudson <ghudson@MIT.EDU> Mon, 30 July 2001 07:41 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id DAA05366 for <dnsext-archive@lists.ietf.org>; Mon, 30 Jul 2001 03:41:42 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15R5Ju-000FFw-00 for namedroppers-data@psg.com; Sun, 29 Jul 2001 22:10:22 -0700
Received: from rip.psg.com ([147.28.0.39] ident=exim) by psg.com with esmtp (Exim 3.31 #1) id 15R5Jt-000FFp-00 for namedroppers@ops.ietf.org; Sun, 29 Jul 2001 22:10:21 -0700
Received: from randy by rip.psg.com with local (Exim 3.31 #1) id 15R5Jt-000B1Q-00 for namedroppers@ops.ietf.org; Sun, 29 Jul 2001 22:10:21 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Greg Hudson <ghudson@MIT.EDU>
To: Brian Wellington <Brian.Wellington@nominum.com>
cc: DNSEXT <namedroppers@ops.ietf.org>
Subject: Re: AS IF: draft-ietf-dnsext-ad-is-secure-03.txt
In-Reply-To: Your message of "Sun, 29 Jul 2001 17:34:48 PDT." <Pine.BSF.4.33.0107291726490.69443-100000@shell.nominum.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15R5Ju-000FFw-00@psg.com>
Date: Sun, 29 Jul 2001 22:10:22 -0700
Content-Transfer-Encoding: 7bit

> Which sounds more secure?  2, obviously.  Until you notice that the
> key is read from disk also.

First, the reason not to set AD bits on unchecked data is not to
protected against compromised data on the server, but to detect
expired signatures.  Under your scheme, an authoritative server might
yield a different value of the AD bit than a checking recursive
resolver, and that's confusing and error-prone.

Second, you've given an argument why it might be acceptable to set AD
on non-checked responses, but do not give any motivation for doing so.
An authoritative server is probably not acting as a recursive resolver
for stub resolvers; if it is, then it needs to be prepared to do
cryptographic checking if it wants to set AD bits on out of zone data
at least.  I can't envision a realistic scenario where your scheme
adds any value.  A cryptography-free authoritative server which also
serves stub resolvers and sets AD bits but only on in-zone data?
Seems a bit of a stretch.


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.39.1 | Report a Bug | By Email | System Status