Re: [dnsext] caches, validating resolvers, CD and DO
Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 31 March 2011 14:26 UTC
Return-Path: <nweaver@ICSI.Berkeley.EDU>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D10283A6AD7 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk-ReYSn-F51 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
Received: from taffy.ICSI.Berkeley.EDU (taffy.ICSI.Berkeley.EDU [192.150.187.26]) by core3.amsl.com (Postfix) with ESMTP id 053BA3A6A92 for <dnsext@ietf.org>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
Received: from gala.icir.org (gala.ICIR.org [192.150.187.49]) (Authenticated sender: nweaver) by taffy.ICSI.Berkeley.EDU (Postfix) with ESMTP id DCE5736A367; Thu, 31 Mar 2011 07:27:43 -0700 (PDT)
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <0CAE569785C163CFE87B957E@nimrod.local> <46410.1301468733@nsa.vix.com> <20110330081029.867FDDAD484@drugs.dv.isc.org> <alpine.LSU.2.00.1103301218140.5244@hermes-1.csi.cam.ac.uk> <005301cbeedc$e9653150$bc2f93f0$@lampo@eurid.eu> <B433F924-C6B8-497C-9D59-79CD5307C84D@icsi.berkeley.edu> <20110330152241.CAA97DB0215@drugs.dv.isc.org> <F50154E3-1D42-4791-B8F1-E04B3B7F85C5@ICSI.Berkeley.EDU> <sjmvcyz1jhg.fsf@pgpdev.ihtfp.org>
In-Reply-To: <sjmvcyz1jhg.fsf@pgpdev.ihtfp.org>
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <AC2624E2-F035-4B58-9082-CFEEC91B7F2C@ICSI.Berkeley.EDU>
Content-Transfer-Encoding: quoted-printable
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Thu, 31 Mar 2011 07:27:42 -0700
To: Derek Atkins <warlord@mit.edu>
X-Mailer: Apple Mail (2.1084)
Cc: Marc Lampo <marc.lampo@eurid.eu>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 14:26:04 -0000
>> Until they strip DNSSEC information. You MUST validate locally.... > > I disagree. I run a local network in my house and run local caching > recursive resolvers. I have all my hosts on my network resolve through > my local caches. I run all my machines, therefore I trust my cache. I > see no reason to *require* all my machines to bypass the local cache. > Moreover, in my case I see no reason to require all my machines to > perform local validation. I trust myself. > > Therefore, calling it a MUST is wrong. > >> You want the end client to have its own policy on what to do on DNSSEC >> failure, not be dependent on the resolver's policy, and thus >> validating clients really should use CD with every request. > > I agree in principle, however that policy can also be "trust the caching > recursive resolver." Saying that the client MUST validate does not > allow for this trusting policy. > > -derek Good point, however, the default policy should still be a must, since your configuration is rather unusual: DNSSEC enables DNS to not trust the recursive resolver, and the default policy should take advantage of this. Defaults should provide maximum safety and maximum interoperability for the majority of the clients.
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- [dnsext] caches, validating resolvers, CD and DO Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Michael Richardson
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Tony Finch
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Jelte Jansen
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Edward Lewis
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Derek Atkins
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… bmanning