Re: [dnsext] Reminder: two WGLC closing in one week

Mark Andrews <Mark_Andrews@isc.org> Tue, 23 September 2008 08:07 UTC

Message-Id: <200809230756.m8N7uHdg075258@drugs.dv.isc.org>
To: Michael StJohns <mstjohns@comcast.net>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
In-reply-to: Your message of "Tue, 23 Sep 2008 03:23:48 -0400." <20080923072354.BB38011402C@mx.isc.org>
Date: Tue, 23 Sep 2008 17:56:17 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

In message <20080923072354.BB38011402C@mx.isc.org>, Michael StJohns writes:
> 
> At 02:18 AM 9/23/2008, Mark Andrews wrote:
> >        No, it is NOT unknown.  It is insecure.  You are attempting to
> >        introduce a state which does not exist.
> >
> >        secure -> passes validation
> >        insecure -> no TA or there is an insecure delegation from a secure
> >        zone.
> >        bogus -> fails validation
> 
> From 4035...
> 
>    Secure: An RRset for which the resolver is able to build a chain of
>       signed DNSKEY and DS RRs from a trusted security anchor to the
>       RRset.  In this case, the RRset should be signed and is subject to
>       signature validation, as described above.
> 
>    Insecure: An RRset for which the resolver knows that it has no chain
>       of signed DNSKEY and DS RRs from any trusted starting point to the
>       RRset.  This can occur when the target RRset lies in an unsigned
>       zone or in a descendent of an unsigned zone.  In this case, the
>       RRset may or may not be signed, but the resolver will not be able
>       to verify the signature.

	If there is no trust anchor then the answer is insecure.

	"The resolver knows that it has no chain of signed DNSKEY
	 and DS RRs from any trusted starting point to the RRset."

>    Bogus: An RRset for which the resolver believes that it ought to be
>       able to establish a chain of trust but for which it is unable to
>       do so, either due to signatures that for some reason fail to
>       validate or due to missing data that the relevant DNSSEC RRs
>       indicate should be present.  This case may indicate an attack but
>       may also indicate a configuration error or some form of data
>       corruption.
> 
>    Indeterminate: An RRset for which the resolver is not able to
>       determine whether the RRset should be signed, as the resolver is
>       not able to obtain the necessary DNSSEC RRs.  This can occur when
>       the security-aware resolver is not able to contact security-aware
>       name servers for the relevant zones.

	Which is *not* what you were calling unknown.

	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
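As an added illustration of the four RFC 4035 section 4.3 states the thread argues over (this is not code from the thread or from any resolver), the following Python model reduces what a validator learned about each zone on the path to a few constructed booleans and maps them to Secure, Insecure, Bogus or Indeterminate. The names ZoneView and classify, and the scenario labels, are my own; no DNS traffic is involved.

```python
"""Classify an RRset into the RFC 4035 section 4.3 security states.

Added example for the namedroppers discussion above; the zone data is a
constructed model, not a real DNS fetch, and the names here are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"


@dataclass
class ZoneView:
    """What the validator learned about one zone on the path to the RRset."""
    name: str
    # Could the validator obtain this zone's DNSKEY/DS/NSEC data at all?
    reachable: bool = True
    # DS RRset for this zone as seen in the parent: True = present and
    # validated, False = absence proven by authenticated denial (NSEC/NSEC3),
    # None = neither a DS nor a valid proof of its absence was obtained.
    ds_in_parent: Optional[bool] = True
    # Does the zone's DNSKEY RRset validate against its DS or trust anchor?
    dnskey_valid: bool = True


def classify(chain: list[ZoneView], trust_anchors: set[str], rrsig_ok: bool) -> State:
    """chain runs from the apex nearest the root down to the zone holding the
    RRset; rrsig_ok says whether the RRset's own RRSIG validates against the
    final zone's DNSKEY."""
    # Validation starts at the highest zone with a configured trust anchor,
    # so an "island of security" below an unsigned parent still validates.
    start = next((i for i, z in enumerate(chain) if z.name in trust_anchors), None)
    if start is None:
        # No trusted starting point at all: RFC 4035 calls this Insecure,
        # not "unknown".
        return State.INSECURE

    for i in range(start, len(chain)):
        zone = chain[i]
        if not zone.reachable:
            # The validator cannot obtain the DNSSEC RRs it needs, so it
            # cannot even tell whether the data ought to be signed.
            return State.INDETERMINATE
        if i > start:
            if zone.ds_in_parent is False:
                # Proven unsigned delegation out of a secure zone: Insecure
                # from here on down, whatever the child publishes.
                return State.INSECURE
            if zone.ds_in_parent is None:
                # Neither a DS nor a proof of its absence: data the relevant
                # DNSSEC RRs say should be present is missing, so Bogus.
                return State.BOGUS
        if not zone.dnskey_valid:
            return State.BOGUS

    return State.SECURE if rrsig_ok else State.BOGUS


def demo() -> dict[str, State]:
    """Constructed scenarios covering each outcome."""
    ta = {"."}
    root = ZoneView(".")
    example = ZoneView("example.")
    return {
        "signed chain, good RRSIG": classify([root, example], ta, rrsig_ok=True),
        "no trust anchor configured": classify([root, example], set(), rrsig_ok=True),
        "unsigned delegation": classify(
            [root, ZoneView("example.", ds_in_parent=False)], ta, rrsig_ok=False),
        "DS missing without denial proof": classify(
            [root, ZoneView("example.", ds_in_parent=None)], ta, rrsig_ok=True),
        "servers unreachable": classify(
            [root, ZoneView("example.", reachable=False)], ta, rrsig_ok=False),
        "bad RRSIG": classify([root, example], ta, rrsig_ok=False),
        "island of security": classify([root, example], {"example."}, rrsig_ok=True),
    }


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:36s} -> {state.value}")
```

Note the two cases that the thread distinguishes: with no trust anchor the walk never starts and the result is Insecure, whereas Indeterminate arises only when a zone on a trusted path is unreachable, so the validator cannot obtain the DNSSEC RRs that would tell it what to expect.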