Re: [dnsext] [dane] Aiming towards some specific wording
Mark Andrews <marka@isc.org> Mon, 21 November 2011 21:13 UTC
To: Ondřej Surý <ondrej.sury@nic.cz>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 21 Nov 2011 19:32:26 BST." <6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz>
Date: Tue, 22 Nov 2011 08:13:12 +1100
Message-Id: <20111121211312.6692917DB0E8@drugs.dv.isc.org>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording

The only difference between "insecure" and "indeterminate" is that there was a TA configured somewhere above the name and there is an insecure delegation between that TA and data.

We don't actually prove that something is insecure. We prove that there is not a secure path to the data. If you don't have a TA you do not have a secure path to the data. If you have a TA but an insecure delegation you do not have a secure path to the data. In both cases the data could be signed or unsigned.

"insecure" and "indeterminate" zones are logically the same. DANE should just treat them as !secure. DNSEXT should fix the DNSSEC RFCs to get rid of one or other of them as having two terms for the same thing is pointless.

Reply-to set to dnsext@ietf.org

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
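
Added example, not part of Mark Andrews's message and not code from any DNSSEC implementation: a simplified Python model of the distinction the message describes, showing that "insecure" and "indeterminate" differ only in whether a trust anchor sits above the name, and that a DANE client can collapse both to "not secure". The function names, zone names and delegation table are constructed assumptions; signature validation and the "bogus" state are out of scope.

```python
from enum import Enum

class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    INDETERMINATE = "indeterminate"

def ancestors(name):
    """Names from `name` up to the root: 'a.b.' -> ['a.b.', 'b.', '.']."""
    labels = [label for label in name.split(".") if label]
    return [".".join(labels[i:]) + "." for i in range(len(labels) + 1)]

def classify(name, trust_anchors, delegations):
    """Classify the path to `name` (simplified model, assumes signatures verify).

    trust_anchors: set of zone names with a configured TA (lowercase, trailing dot).
    delegations:   zone cut -> True if the parent publishes a DS (secure delegation),
                   False if the parent proves there is no DS (insecure delegation).
    """
    chain = ancestors(name.lower())
    # Closest configured trust anchor at or above the name, if any.
    ta_index = next((i for i, zone in enumerate(chain) if zone in trust_anchors), None)
    if ta_index is None:
        return Status.INDETERMINATE   # no TA: no secure path to the data
    if any(delegations.get(zone) is False for zone in chain[:ta_index]):
        return Status.INSECURE        # TA, but an insecure delegation below it
    return Status.SECURE

def dane_may_use(status):
    """The policy argued for in the message: anything that is not secure is unusable."""
    return status is Status.SECURE

# Constructed sample data: example.org. is delegated without a DS record.
DELEGATIONS = {"com.": True, "example.com.": True, "org.": True, "example.org.": False}

if __name__ == "__main__":
    cases = [
        ("_443._tcp.www.example.com.", {"."}),
        ("_443._tcp.www.example.org.", {"."}),
        ("_443._tcp.www.example.org.", set()),
    ]
    for name, anchors in cases:
        status = classify(name, anchors, DELEGATIONS)
        print(name, sorted(anchors), status.value, "usable" if dane_may_use(status) else "!secure")
```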