Re: Question about TSIG, AD/AA, and AXFR
Yuji Kamite <kamite@kaynet.ecc.u-tokyo.ac.jp> Wed, 18 July 2001 13:32 UTC
Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA21582 for <dnsext-archive@lists.ietf.org>; Wed, 18 Jul 2001 09:32:46 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15MqlX-000IwB-00 for namedroppers-data@psg.com; Wed, 18 Jul 2001 05:49:23 -0700
Received: from cbb-sc2.cbbtier3.att.net ([12.0.1.9] helo=roam.psg.com) by psg.com with esmtp (Exim 3.31 #1) id 15MqlW-000Iw0-00 for namedroppers@ops.ietf.org; Wed, 18 Jul 2001 05:49:22 -0700
Received: from randy by roam.psg.com with local (Exim 3.30 #1) id 15Mql2-0000MF-00 for namedroppers@ops.ietf.org; Wed, 18 Jul 2001 08:48:52 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Yuji Kamite <kamite@kaynet.ecc.u-tokyo.ac.jp>
To: Edward Lewis <lewis@tislabs.com>
Cc: namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <E15MbdO-0005nK-00@psg.com>
References: <v0313030eb779efd43e81@[208.58.212.166]> <E15MbdO-0005nK-00@psg.com>
X-Mailer: Sylpheed version 0.4.4 (GTK+ 1.2.8; FreeBSD 4.2-RELEASE; i386)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MqlX-000IwB-00@psg.com>
Date: Wed, 18 Jul 2001 05:49:23 -0700
On Tue, 17 Jul 2001 13:39:58 -0700 Edward Lewis <lewis@tislabs.com> wrote:

> Host should "trust" answers that pass the TSIG test and have either AA or
> AD. Answers with TSIG and neither ought to be used as "as best as can be
> gotten, but obviously unreliable." I think a good question is what is the
> interaction of the "gimme DNSSEC records" bit, the AA bit, and validity
> period checking. If the authoritative server does not check the validity
> period, and the SIGs aren't sent, then the stub might accept temporally
> invalid data.

I have a question about AD and "gimme DNSSEC records". Is it allowed to
return responses with the AD bit set even if they do not include SIG, NXT
and so on?

I'm a little confused with the usage of AD because the definition of AD in
the documents seems to be obscure, especially about when it must be set.

For example, in the BIND9 implementation, the recursive resolver seems to
set the AD flag in the answer if the given query has the "gimme DNSSEC
records" bit. It does not set AD unless the given query has the "gimme
DNSSEC records" bit, even when the RRs themselves are authenticated by the
server. Is this the right behavior?

I think it might be okay for the recursive resolver to reply with an
AD-set answer without DNSSEC-related RRs, if the RRs have been
authenticated (i.e. if the server has succeeded in verifying the RRs' SIGs
according to trust chains) and the messages to the stub-resolver are
protected by TSIG.

From the view of the host (stub-resolver) which asked the recursive
resolver, it would like to trust all tasks of the resolver by means of
adding TSIG into queries. But it depends totally on the stub-resolver
whether it will send queries with the "gimme DNSSEC records" bit. A
stub-resolver may send a query without the "gimme DNSSEC records" bit if
it wants to restrict the packet size exchanged.

In this case, queries and responses between the stub-resolver and the
recursive resolver are protected by TSIG, so I think that only if the
answer's AD bit can be set might stub-resolvers be able to trust the
acquired RRs' validity.

-- 
Yuji Kamite
Information Technology Center, Univ. of Tokyo
E-Mail: kamite@kaynet.ecc.u-tokyo.ac.jp
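The exchange Kamite describes, worked through as an added example (this is not code from the original post, from BIND, or from any RFC reference implementation): a stub-resolver and a recursive resolver share one TSIG key, the resolver answers with AD set but sends no SIG or NXT RRs at all, and the stub applies the rule Lewis states in the quoted text (TSIG must verify; then AA or AD means trusted, neither means usable but unreliable). The TSIG RR layout and the digest field order follow RFC 2845; everything else is an assumption made for the example: HMAC-SHA256 as the algorithm (RFC 2845 itself defined only HMAC-MD5; the SHA-256 name comes from RFC 4635), names sent uncompressed, one question per message, and a constructed key name `stub-key.example.`, shared secret, A record for `www.example.` and timestamp.

```python
import hashlib
import hmac
import struct

QR, AA, RD, RA, AD, CD = 1 << 15, 1 << 10, 1 << 8, 1 << 7, 1 << 5, 1 << 4  # RFC 1035 s4.1.1; AD/CD from RFC 2535 s6.1
DO = 1 << 15  # the "gimme DNSSEC records" bit, bit 15 of the OPT RR TTL field (RFC 3225)
TYPE_A, TYPE_OPT, TYPE_TSIG, CLASS_IN, CLASS_ANY = 1, 41, 250, 1, 255
ALG = "hmac-sha256."  # assumption: RFC 2845 defined only HMAC-MD5; this name is from RFC 4635

def name_wire(name):
    """Uncompressed, lowercased wire-format name: the canonical form the TSIG MAC covers."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    return name_wire(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_message(msg_id, flags, qname, answers=(), do=False):
    """Header, one A question, answer RRs; an OPT RR with DO set goes in only when the sender wants DNSSEC RRs."""
    additional = [rr(".", TYPE_OPT, 4096, DO, b"")] if do else []
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, len(additional))
    return header + name_wire(qname) + struct.pack("!HH", TYPE_A, CLASS_IN) + b"".join(answers) + b"".join(additional)

def skip_name(buf, off):  # offset just past a wire-format name; a compression pointer ends it in two bytes
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def tsig_variables(owner, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC, in RFC 2845 s3.4.2 order: NAME CLASS TTL algorithm time fudge error other."""
    return (owner + struct.pack("!HI", CLASS_ANY, 0) + name_wire(ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, key, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR. A response's MAC also covers the query's MAC (RFC 2845 s3.4.1). Returns (wire, mac)."""
    owner = name_wire(key_name)
    prior = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    mac = hmac.new(key, prior + msg + tsig_variables(owner, time_signed, fudge), hashlib.sha256).digest()
    rdata = (name_wire(ALG) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error, other len
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata), mac

def tsig_verify(wire, keyring, now, request_mac=b""):
    """Find the trailing TSIG RR and recompute its MAC over the message as it was before signing. Returns "ok" or a reason."""
    msg_id, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off, start, rtype = 12, None, None
    for _ in range(qd):
        off = skip_name(wire, off) + 4
    for _ in range(an + ns + ar):
        start, off = off, skip_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
    if rtype != TYPE_TSIG:
        return "no TSIG"
    owner_end = skip_name(wire, start)
    key = keyring.get(wire[start:owner_end])  # the TSIG RR's owner name selects the key
    p = skip_name(wire, owner_end + 10)  # RDATA starts with the algorithm name
    if key is None or wire[owner_end + 10:p] != name_wire(ALG):
        return "unknown key or algorithm"
    ts_hi, ts_lo, fudge, mac_size = struct.unpack("!HIHH", wire[p:p + 10])
    mac = wire[p + 10:p + 10 + mac_size]
    orig_id, error, other_len = struct.unpack("!HHH", wire[p + 10 + mac_size:p + 16 + mac_size])
    other = wire[p + 16 + mac_size:p + 16 + mac_size + other_len]
    time_signed = (ts_hi << 32) | ts_lo
    unsigned = wire[:10] + struct.pack("!H", ar - 1) + wire[12:start]  # ARCOUNT decremented, TSIG RR removed
    prior = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    expected = hmac.new(key, prior + unsigned + tsig_variables(wire[start:owner_end], time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "bad MAC"
    return "ok" if orig_id == msg_id and abs(now - time_signed) <= fudge else "bad id or time"

def stub_classify(wire, keyring, now, request_mac):
    """The rule from the thread: TSIG must verify; then AA or AD means trusted, neither means usable but unreliable."""
    why = tsig_verify(wire, keyring, now, request_mac)
    if why != "ok":
        return "reject: " + why
    return "trusted" if struct.unpack("!H", wire[2:4])[0] & (AA | AD) else "unreliable"

def demo(stub_sets_do):
    """Stub and recursive resolver share one TSIG key; returns the stub's verdict on three constructed responses."""
    key_name, key, now = "stub-key.example.", b"constructed-shared-secret", 995464163  # constructed key; 2001-07-18
    keyring = {name_wire(key_name): key}
    answer = rr("www.example.", TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 1]))  # constructed A record
    query, q_mac = tsig_sign(build_message(0x1234, RD, "www.example.", do=stub_sets_do), key_name, key, now)
    # The resolver validated the SIG chain itself and signals that with AD, sending no SIG/NXT RRs to the stub.
    validated, _ = tsig_sign(build_message(0x1234, QR | RD | RA | AD, "www.example.", [answer], do=stub_sets_do),
                             key_name, key, now, request_mac=q_mac)
    # Same data without validation: TSIG still passes, AD stays clear.
    unvalidated, _ = tsig_sign(build_message(0x1234, QR | RD | RA, "www.example.", [answer]), key_name, key, now,
                               request_mac=q_mac)
    # An on-path attacker flips AD on in the unvalidated response; the MAC no longer matches.
    forged = unvalidated[:2] + struct.pack("!H", QR | RD | RA | AD) + unvalidated[4:]
    return {"query_ok": tsig_verify(query, keyring, now) == "ok",
            "validated": stub_classify(validated, keyring, now, q_mac),
            "unvalidated": stub_classify(unvalidated, keyring, now, q_mac),
            "forged": stub_classify(forged, keyring, now, q_mac)}
```

`demo(True)` and `demo(False)` return the same verdicts, which is the point of the question: under TSIG the stub can act on AD whether or not it asked for DNSSEC RRs with DO, because the resolver's assertion, not the (absent) SIGs, is what the stub checks. The forged case shows why AD is only meaningful under TSIG: without the MAC, anyone on the path can set the bit. What the stub gives up is exactly what Lewis points out in the quoted text: with no SIGs in hand it cannot check validity periods itself and is trusting the resolver to have done so.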
- Re: Question about TSIG, AD/AA, and AXFR Edward Lewis
- Re: Question about TSIG, AD/AA, and AXFR Jakob Schlyter
- Re: Question about TSIG, AD/AA, and AXFR Edward Lewis
- Re: Question about TSIG, AD/AA, and AXFR Jakob Schlyter
- Re: Question about TSIG, AD/AA, and AXFR Yuji Kamite