Re: CNAME/DNAME - Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 13 October 2008 16:51 UTC

Message-Id: <a06240804c5192a5f04e8@[10.31.201.38]>
In-Reply-To: <STNTEXCH12dnsODFRq000004489@stntexch12.cis.neustar.com>
Date: Mon, 13 Oct 2008 12:44:43 -0400
To: Michael StJohns <mstjohns@comcast.net>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: CNAME/DNAME - Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, Ben Laurie <ben@links.org>, namedroppers@ops.ietf.org

At 12:30 -0400 10/13/08, Michael StJohns wrote:
>Hi Ed -
>
>I agree that you can determine the security state of X and the security
>state of Y by examining trust anchors, dlv etc.  But that's not the question.
>The question is "What is the security state of the compound answer XY?"

The security state - in the eyes of DNS that is easy.  If the X 
passes the DNSSEC test, Y passes the test as being unsigned, and Z 
passes the DNSSEC test, the answer is "AD."  IOW, there's nothing 
suspicious about the result as far as the DNS is concerned.

It's fair to ask though "what's the value" of piecemeal checking.  My 
answer is that "it's out of scope" for DNS.

>  From Mark Andrews' and somewhat from Wouter's email, it could be a new
>state "unauthenticated" - because the response out of an intermediate resolver
>is to return the data but not set the AD bit.  I say new, because it's
>different than unknown, secure,  and bogus and wouldn't be returned for the
>same reasons that you would return it for unsecure data under a single trust
>anchor.  But even that begs the question of what an application should do
>with it.
>
>Later, Mike

After the debate in Winter 2001 (SLC IETF) over the AD bit not being 
tied to cryptography, I'd set the AD bit in the response.  I(f i)t's 
authenticated to the responding server.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
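The two positions in this exchange can be made concrete as a small aggregator over the per-hop validation outcomes of a CNAME/DNAME chain. This is an added example, not code from the thread or from any resolver; the hop names are constructed, and the "strict" mode follows the RFC 4035 rule that AD is set only when every RRset in the answer is authenticated, while the non-strict mode models the position argued above (AD as long as each hop passes its own test, signed or provably unsigned).

```python
"""Aggregate DNSSEC state for a compound CNAME/DNAME answer (added example).

'secure', 'insecure' and 'bogus' are the RFC 4033 validator outcomes for a
single RRset; 'indeterminate' is folded into 'insecure' here (assumption).
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Hop:
    owner: str   # owner name of the RRset that was validated
    rrtype: str  # CNAME, DNAME or the final query type
    state: str   # per-hop validator outcome


def chain_state(hops, strict=True):
    """Return (aggregate_state, ad_bit) for the whole chain.

    strict=True  : RFC 4035 section 3.2.3, AD only if every RRset is secure;
                   a chain mixing secure and unsigned hops gets no AD bit
                   (the thread proposes calling this "unauthenticated").
    strict=False : the position in the message above, AD whenever no hop
                   fails its own test; a bogus hop anywhere still wins.
    """
    states = [INSECURE if h.state == "indeterminate" else h.state for h in hops]
    if not states:
        raise ValueError("empty chain")
    if BOGUS in states:                      # one failed signature poisons all
        return BOGUS, False
    if all(s == SECURE for s in states):     # X, Y and Z all validated
        return SECURE, True
    return (INSECURE, False) if strict else ("mixed", True)


def first_bogus_hop(hops):
    """Name the hop a defender should look at when a chain validates bogus."""
    return next((f"{h.owner}/{h.rrtype}" for h in hops if h.state == BOGUS), None)


# Constructed chain: signed X -> unsigned Y -> signed Z, as in the message.
CHAIN_XYZ = [
    Hop("www.x.example", "CNAME", SECURE),
    Hop("www.y.example", "CNAME", INSECURE),
    Hop("www.z.example", "A", SECURE),
]
```

Running `chain_state(CHAIN_XYZ)` shows the two readings side by side: strict validation withholds AD for the mixed chain, while the per-hop reading sets it.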