Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Alex Bligh <alex@alex.org.uk> Mon, 13 October 2008 14:21 UTC

Date: Mon, 13 Oct 2008 15:18:20 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Ben Laurie <ben@links.org>
cc: Wouter Wijngaards <wouter@NLnetLabs.nl>, Michael StJohns <mstjohns@comcast.net>, Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Message-ID: <4B27E2458EBA97669B259355@Ximines.local>
In-Reply-To: <48F35170.30900@links.org>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com> <a06240800c50fd3decd5b@[192.168.1.101]> <48F2DE42.1060209@links.org> <E1KpLkt-000HQ3-Is@psg.com> <48F33C34.3010901@nlnetlabs.nl> <D3AA46B662F334B8639E08CF@Ximines.local> <48F35170.30900@links.org>

Ben,

--On 13 October 2008 14:47:28 +0100 Ben Laurie <ben@links.org> wrote:

> If I am delivering mail, and the domain does not exist, I bounce it. If
> I get SERVFAIL, I hold on to it and try again later.

Ah yes. Agreed. So that makes the states:

1. We have data, which we know is correct & secure (DNSSEC signatures
   verify)
2. We have data, which we know is invalid (DNSSEC signature failure)
3. We have data, but we are uncertain as to the correctness of the
   data (e.g. no DNSSEC information for that zone, or missing DLV
   or whatever).

4. We have a failure, e.g. we got a SERVFAIL. As I understand it, we can't
   tell whether this is secure or not (willing to be corrected here).

5. We have no data, and the absence of data is correctly authenticated
   (e.g. by NSEC/NSEC3)
6. We have no data, but the response is invalid (DNS signature failure
   on NSEC/NSEC3 proof of denial of existence)
7. We have no data, but we are uncertain as to its correctness (e.g.
   NXDOMAIN in vanilla DNS)

I think 2 and 4 in the above are (at an application layer) the same,
in that if I spoof by sending bogus answers, that should result in
the same action as DoS and timeout, or spoofing SERVFAIL or whatever.
That would suggest treating 6 the same as these two as well.

By the same logic that a non-DNSSEC-aware application should treat
1 and 3 the same, it should treat 5 and 7 the same I presume.

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
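An added example, written for this page rather than taken from Alex's message or anyone on the list, of how a non-DNSSEC-aware application actually observes the seven states above: it parses the 12-byte DNS header off the wire, reads RCODE, ANCOUNT and the AD/CD flags, and maps the result to the application action that the message argues for (deliver for 1 and 3, bounce for 5 and 7, defer for 2, 4 and 6). The code assumes the stub is talking to a trusted validating recursive resolver; such a resolver sets AD on validated answers and denials and, per RFC 4035 section 5.5, answers SERVFAIL instead of handing over bogus data, which is exactly why states 2 and 6 collapse into state 4 from the application's point of view. The sample responses are constructed header-only messages; the state numbers, `Action` names and `make_response` helper are this example's own, not anything from the thread.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from enum import Enum

# RCODE values (RFC 1035 section 4.1.1).
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

# Flag bits in the second 16-bit word of the DNS header
# (RFC 1035 section 4.1.1; AD and CD from RFC 2535 / RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F


class Action(Enum):
    DELIVER = "deliver"  # states 1 and 3: we have data, act on it
    BOUNCE = "bounce"    # states 5 and 7: the name does not exist
    DEFER = "defer"      # states 2, 4 and 6: bogus or failed, retry later


@dataclass(frozen=True)
class Header:
    ident: int
    qr: bool
    rcode: int
    ad: bool
    cd: bool
    qdcount: int
    ancount: int


def parse_header(msg: bytes) -> Header:
    """Parse the fixed 12-byte DNS header from a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(
        ident=ident,
        qr=bool(flags & FLAG_QR),
        rcode=flags & RCODE_MASK,
        ad=bool(flags & FLAG_AD),
        cd=bool(flags & FLAG_CD),
        qdcount=qd,
        ancount=an,
    )


def classify(hdr: Header) -> tuple[int, Action]:
    """Map a response header to (state number from the thread, mail action).

    Assumption: the answer comes from a validating recursive resolver the
    application trusts (local, or reached over an authenticated channel).
    That resolver sets AD on validated data and validated denials, and turns
    bogus data (states 2 and 6) into SERVFAIL, so a stub only ever sees them
    as state 4.
    """
    if not hdr.qr:
        raise ValueError("not a response")
    if hdr.cd:
        # With CD set the resolver returns bogus data instead of SERVFAIL, so
        # a state 2/6 answer would arrive looking like 3/7. This policy cannot
        # tell them apart; a caller setting CD must validate RRsets itself.
        raise ValueError("CD set: upstream validation bypassed")

    if hdr.rcode == NOERROR and hdr.ancount > 0:
        return (1 if hdr.ad else 3), Action.DELIVER
    if hdr.rcode == NXDOMAIN or (hdr.rcode == NOERROR and hdr.ancount == 0):
        # Simplification: NODATA (NOERROR, empty answer) is treated like
        # NXDOMAIN. A real MTA would fall back from MX to A/AAAA on NODATA.
        return (5 if hdr.ad else 7), Action.BOUNCE
    if hdr.rcode == SERVFAIL:
        return 4, Action.DEFER
    # REFUSED, FORMERR, NOTIMP, ...: failures we cannot authenticate either.
    return 4, Action.DEFER


def make_response(ident: int, rcode: int, *, ad: bool = False,
                  cd: bool = False, ancount: int = 0) -> bytes:
    """Build a constructed, header-only response (no sections) for testing."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    samples = {
        "signed MX, validated": make_response(1, NOERROR, ad=True, ancount=1),
        "MX from unsigned zone": make_response(2, NOERROR, ancount=1),
        "SERVFAIL (bogus or broken)": make_response(3, SERVFAIL),
        "NXDOMAIN with NSEC proof": make_response(4, NXDOMAIN, ad=True),
        "plain NXDOMAIN": make_response(5, NXDOMAIN),
    }
    for label, wire in samples.items():
        state, action = classify(parse_header(wire))
        print(f"{label:28s} -> state {state}, {action.value}")
```

The AD bit is only meaningful if the path between the application and the validating resolver is itself trusted; an AD bit set by a resolver on the far side of an unauthenticated UDP hop is just another spoofable bit, which is why the example refuses to classify at all when the application has set CD and handed itself the validation job.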