Re: [dnsext] Reminder: two WGLC closing in one week

[Edward Lewis <Ed.Lewis@neustar.biz>]

At 15:12 -0400 9/22/08, Michael StJohns wrote:

>For example - what happens if the DNAME is signed, but the referenced
>target isn't?

There's no problem.  The querier can cryptographically verify that 
the rewrite (DNAME) is true and also determine that there is no 
ancillary data provided for the target's authenticity.

>What happens if both are signed, but the resolver doesn't have a trust
>anchor for the target but has one for the DNAME? For the DNAME but not
>the target?

Same situation - remember that DNSSEC is "security for the querier."

>What happens if the DNAME is directly reachable (e.g. querier is a validating
>recursive resolver) but the target is available only through a forwarder?

DNSSEC is end-to-end, so it doesn't matter the path the data takes. 
If you are saying that the target is not signed and only comes from a 
cache, again, then the querier can only get what it gets.

>What happens if the DNAME and the target are signed with different algorithm
>and the querier only understands one of they.

Same as answer #2.  DNSSEC is protection from the querier's perspective.

>I can see about a number of  different ways to have different resolvers behave
>given different combinations.  I think they need to be called out and a
>specific behavior proposed for each prior to sending this forward.

All we need is interoperability, not full agreement. ;)

>One proposal, once the "must be signed bit" is set (e.g. DNAME or target
>subordinate to a trust anchor without a delegation to unsecure), then ALL
>data must be signed to be considered valid.  (Not sure this is the right
>way of doing things, but its a conversation starter).

"Must be signed bit?"  Data is expected to have a signature if the 
querier can build a "chain" from a configured anchor to the data.  A 
querier can "expect" a signature and barf is one is not received.  A 
querier, upon seeing no DS set at a delegation point (signed negative 
response) has to deal with their being no signature - the querier 
can't ever "demand" a signature (as in "must be signed").

>Sorry - Mike
>
>
>
>At 08:45 PM 9/18/2008, Andrew Sullivan wrote:
>>Dear colleagues,
>>
>>This is a reminder that there are two outstanding WGLC open, and that
>>they both expire in one week.  They are for the following two
>>documents:
>>
>>draft-ietf-dnsext-rfc2672bis-dname-14.txt
>>
>>draft-ietf-dnsext-dnssec-rsasha256-05.txt
>>
>>The WGLC for both of these have already been extended in order to
>>address concerns that many people were on vacation in August.  By my
>>count, we're not quite to the threshold of reviewers with either of
>>these.  _PLEASE read them and comment_, or else, by the conventions
>>adopted by the working group, they'll have to die as far as the
>>working group is concerned.  Given that we took both of these on as WG
>>items, we owe it to our colleagues who have worked on them to perform
>>the review.
>>
>>Thanks, and best regards,
>>
>>Andrew (for the chairs)
>>
>>--
>>Andrew Sullivan
>>ajs@commandprompt.com
>>+1 503 667 4564 x104
>>http://www.commandprompt.com/
>>
>>--
>>to unsubscribe send a message to namedroppers-request@ops.ietf.org with
>>the word 'unsubscribe' in a single line as the message text body.
>>archive: <http://ops.ietf.org/lists/namedroppers/>
>
>
>
>--
>to unsubscribe send a message to namedroppers-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive: <http://ops.ietf.org/lists/namedroppers/>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>