Re: [dnsext] caches, validating resolvers, CD and DO

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Wed, 30 March 2011 18:16 UTC


On Mar 30, 2011, at 8:22 AM, Mark Andrews wrote:
>> The problem is that the forwarding or caching nameservers are a security
>> disaster.  They lie, cheat, and manipulate results with reckless
>> abandon.
> And w/ dnssec you detect this.

Until they strip DNSSEC information.  You MUST validate locally....

>> Thus probably the best default policy for DNSSEC validation is:
>> Validate on the client (sending all requests with DO and CD!
> You don't need CD to validate.
>> Don't let
>> the resolver in between validate, you can't trust it anyway so why have
>> it waste cycles?).
> Because you want it to sort out when a authoritative server has stale
> DNSSEC data, authoritative servers that are not dnssec enabled, .....
> It's much easier for the recursive server handle this directly and
> give the stub resolver answers that have been successfully validated.

You want the end client to have its own policy on what to do on DNSSEC failure, not be dependent on the resolver's policy, and thus validating clients really should use CD with every request.

EG, I'd WANT clients to be able to visit IFF the client is able to contact the root, .org, and Comcast's DNS servers directly.

That way, the client knows that it can trust the DNS information to exactly the same degree that it can trust the rest of its network traffic.

>> If local validation successful, accept.
>> If failed (For any reason, including no DNSSEC information at all [1]),
>> the client MUST contact the authorities directly (NOT through the
>> intermediary systems) and accept the results without validation [2].
> That's nice when you can do it, but there are lots of environments
> where you can't.  We need to make those deployment scenarios work.
> Failures are not always malicious.

You notice that the proposed policy ONLY causes a failure IFF:

a)  There is an actual DNSSEC failure-to-validate (not simply "no DNSSEC").  
b)  The client is prohibited from contacting authoritative DNS servers directly.
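As an added illustration (not code from this thread or from any resolver implementation), the following stdlib-only Python builds the kind of stub query the policy above calls for (RD set, CD set, EDNS0 OPT RR with DO set) and inspects a reply the way a locally validating client would before deciding whether the fallback to the authorities applies: it checks the header flags and whether the answer section still carries RRSIGs, or whether the path in between stripped the DNSSEC material. The sample responses are constructed here with dummy rdata; the code only detects missing signatures and does not perform the cryptographic validation itself.

```python
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_AD, FLAG_CD, EDNS_DO = 0x8000, 0x0100, 0x0020, 0x0010, 0x8000

def encode_name(name):
    """Dotted name -> length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, cd=True, do=True):
    """Stub query per the post: RD, CD (upstream hands over unvalidated data, not SERVFAIL), OPT RR with DO."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD | (FLAG_CD if cd else 0), 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags (DO is top flag bit)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return hdr + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Flags plus whether the answer section kept the RRSIGs that DO asked for."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rrsig_present": TYPE_RRSIG in types,
            # data came back without signatures: DNSSEC material was dropped on the path,
            # so local validation cannot succeed on it and the fallback policy applies
            "dnssec_stripped": bool(types) and TYPE_RRSIG not in types}

def sample_response(signed):
    """Constructed reply to build_query('example.org'): one A RR, plus one RRSIG RR if signed (dummy rdata)."""
    rrs = [(TYPE_A, b"\xc0\x00\x02\x01")] + ([(TYPE_RRSIG, b"\x00" * 20)] if signed else [])
    msg = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_CD, 1, len(rrs), 0, 0)
    msg += encode_name("example.org") + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in rrs:  # owner name = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
```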