IETF Logo Mail Archive

Re: restart: Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-03.txt

Jakob Schlyter <jakob@crt.se> Sun, 29 July 2001 05:52 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id BAA13802 for <dnsext-archive@lists.ietf.org>; Sun, 29 Jul 2001 01:52:11 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15QiXW-0008PX-00 for namedroppers-data@psg.com; Sat, 28 Jul 2001 21:50:54 -0700
Received: from rip.psg.com ([147.28.0.39] ident=exim) by psg.com with esmtp (Exim 3.31 #1) id 15QiXV-0008PR-00 for namedroppers@ops.ietf.org; Sat, 28 Jul 2001 21:50:53 -0700
Received: from randy by rip.psg.com with local (Exim 3.31 #1) id 15QiXV-000Im3-00 for namedroppers@ops.ietf.org; Sat, 28 Jul 2001 21:50:53 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Jakob Schlyter <jakob@crt.se>
To: Edward Lewis <lewis@tislabs.com>
Cc: Brian Wellington <Brian.Wellington@nominum.com>, ogud@ogud.com, DNSEXT <namedroppers@ops.ietf.org>
Subject: Re: restart: Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-03.txt
In-Reply-To: <E15QWPH-000CkC-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15QiXW-0008PX-00@psg.com>
Date: Sat, 28 Jul 2001 21:50:54 -0700
Content-Transfer-Encoding: 7bit

On Sat, 28 Jul 2001, Edward Lewis wrote:

> IMHO an AA bit outranks an AD bit.  Data with AA=1,AD=0 is reputedly
> coming from *the* source (TSIG, et.al.)  Data with AA=0,AD=1 is
> reputedly data that some intermediary has verified as coming from the
> source.  I would assign higher credibility to AA=1,AD=0 than
> AA=0,AD=1.

an application could put trust in a dns reply by several reasons:

	reply source (i.e. who did I query)
	reply transport (i.e. tsig, tkey or nothing)
	status of some bits in the header (AA, AD, ...)

I have to configure who and how I send my query, so this is a very basic
administrative problem (except for the policy part, but let's leave that
out for the moment). the AD-bit however is harder and needs to be well
defined as applications will interpret it without knowing the verification
policy.

the reason I like the nameserver to use the AD-bit, and only the AD-bit,
to signal that the data is authenticated cryptographically is simplicity.
I do not care about whether my nameserver is authorative or not - I only
care if it has validated the data or not. it could be authorative, yet the
zonefile could be invalid (e.g. the nameserver is secondary and doesn't
fully trust source).

let us, for the people using this - not the implementators, keep this
simple. finding something to trust and communicate securely with that
entity is hard enough.

	jakob



to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.39.1 | Report a Bug | By Email | System Status