IETF Logo Mail Archive

Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Ben Laurie <ben@links.org> Mon, 13 October 2008 13:52 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 46A3E3A6947; Mon, 13 Oct 2008 06:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.437
X-Spam-Level:
X-Spam-Status: No, score=-0.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v7IC+ttjX+SP; Mon, 13 Oct 2008 06:52:11 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4052F3A67E3; Mon, 13 Oct 2008 06:52:11 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KpNlp-00063U-2Q for namedroppers-data@psg.com; Mon, 13 Oct 2008 13:47:37 +0000
Received: from [217.155.92.109] (helo=mail.links.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ben@links.org>) id 1KpNla-00062B-MU for namedroppers@ops.ietf.org; Mon, 13 Oct 2008 13:47:29 +0000
Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 2314833C1F; Mon, 13 Oct 2008 14:48:46 +0100 (BST)
Message-ID: <48F35170.30900@links.org>
Date: Mon, 13 Oct 2008 14:47:28 +0100
From: Ben Laurie <ben@links.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: Alex Bligh <alex@alex.org.uk>
CC: Wouter Wijngaards <wouter@NLnetLabs.nl>, Michael StJohns <mstjohns@comcast.net>, Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com> <a06240800c50fd3decd5b@[192.168.1.101]> <48F2DE42.1060209@links.org> <E1KpLkt-000HQ3-Is@psg.com> <48F33C34.3010901@nlnetlabs.nl> <D3AA46B662F334B8639E08CF@Ximines.local>
In-Reply-To: <D3AA46B662F334B8639E08CF@Ximines.local>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Alex Bligh wrote:
> 
> 
> --On 13 October 2008 14:16:52 +0200 Wouter Wijngaards
> <wouter@NLnetLabs.nl> wrote:
> 
>> I think it is much simpler than that. The application is interested in
>> what is known with certainty.
>> 1. It is certain the data is valid (secure)
>> 2. It is certain that security checks failed (bogus)
>> 3. whatever (insecure).
> 
> One of the merits of Ben's list was it attempted to list the states "as
> a user might see them" without associating them in the first instance
> to the workings and terminology of the protocol.
> 
>> From the user's point of view, I think you (and, I think Ben) have missed
> at least one. Using your numbering above here is what a DNSSEC aware
> application might find when looking up the name:
> 
> 1. We have data, which we know is correct & secure (DNSSEC signatures
>   verify)
> 2. We have data, which we know is invalid (DNSSEC shows insecure)
> 3. We have data, but we are uncertain as to the correctness of the
>   data (e.g. no DNSSEC information for that zone, or missing DLV
>   or whatever).
> 4. We have no data, e.g. we got a SERVFAIL. As I understand, we can't
>   tell this is secure or not (willing to be corrected here).
> 
> Non-DNSSEC-aware resolver stacks return (3) or (4).
> 
> As far as I can tell, treating (2) like (4) at the application layer
> seems sensible (i.e. I can't see any/many applications distinguishing) (*).
> However, an application might handle (1), (3) and [(2)/(4)] at least
> as different states (even if only colouring a browser address bar
> yet another shade of the rainbow). Compatibility reasons suggest
> that legacy applications (non-DNSSEC aware) get to treat (1) and (3)
> the same, or every such application will fail when a DNSSEC compliant
> library is installed. Given evidence to date suggests adoption of
> DNSSEC will be non-instantaneous, this seems mandatory.
> 
> (*) interesting nit: state 2 includes secure denial of existence. I am
> arguing here secure denial of existence gets treated at the application
> layer just like an insecure failure in every circumstance I can think
> of. IE, you can spoof a SERVFAIL, DoS the resolver so it times out,
> or whatever and it will be treated the same way as a guaranteed denial
> of existence through NSEC/NSEC3 at the application layer. I know there
> are people who think that maintaining the difference between an
> authenticated denial and a failure is useful for more than debugging
> purposes, or we wouldn't have spent so long ensuring NSEC's successor
> maintained authenticated denial of existence. This implies that they
> must see a need for (2) and (4) to be different.

No.

If I am delivering mail, and the domain does not exist, I bounce it. If
I get SERVFAIL, I hold on to it and try again later.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email