Re: [dnsext] caches, validating resolvers, CD and DO

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 31 March 2011 14:26 UTC

Return-Path: <nweaver@ICSI.Berkeley.EDU>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D10283A6AD7 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk-ReYSn-F51 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
Received: from taffy.ICSI.Berkeley.EDU (taffy.ICSI.Berkeley.EDU [192.150.187.26]) by core3.amsl.com (Postfix) with ESMTP id 053BA3A6A92 for <dnsext@ietf.org>; Thu, 31 Mar 2011 07:26:04 -0700 (PDT)
Received: from gala.icir.org (gala.ICIR.org [192.150.187.49]) (Authenticated sender: nweaver) by taffy.ICSI.Berkeley.EDU (Postfix) with ESMTP id DCE5736A367; Thu, 31 Mar 2011 07:27:43 -0700 (PDT)
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <0CAE569785C163CFE87B957E@nimrod.local> <46410.1301468733@nsa.vix.com> <20110330081029.867FDDAD484@drugs.dv.isc.org> <alpine.LSU.2.00.1103301218140.5244@hermes-1.csi.cam.ac.uk> <005301cbeedc$e9653150$bc2f93f0$@lampo@eurid.eu> <B433F924-C6B8-497C-9D59-79CD5307C84D@icsi.berkeley.edu> <20110330152241.CAA97DB0215@drugs.dv.isc.org> <F50154E3-1D42-4791-B8F1-E04B3B7F85C5@ICSI.Berkeley.EDU> <sjmvcyz1jhg.fsf@pgpdev.ihtfp.org>
In-Reply-To: <sjmvcyz1jhg.fsf@pgpdev.ihtfp.org>
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
Message-Id: <AC2624E2-F035-4B58-9082-CFEEC91B7F2C@ICSI.Berkeley.EDU>
Content-Transfer-Encoding: quoted-printable
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Thu, 31 Mar 2011 07:27:42 -0700
To: Derek Atkins <warlord@mit.edu>
X-Mailer: Apple Mail (2.1084)
Cc: Marc Lampo <marc.lampo@eurid.eu>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 14:26:04 -0000

>> Until they strip DNSSEC information.  You MUST validate locally....
> 
> I disagree.  I run a local network in my house and run local caching
> recursive resolvers.  I have all my hosts on my network resolve through
> my local caches.  I run all my machines, therefore I trust my cache.  I
> see no reason to *require* all my machines to bypass the local cache.
> Moreover, in my case I see no reason to require all my machines to
> perform local validation.  I trust myself.
> 
> Therefore, calling it a MUST is wrong.
> 
>> You want the end client to have its own policy on what to do on DNSSEC
>> failure, not be dependent on the resolver's policy, and thus
>> validating clients really should use CD with every request.
> 
> I agree in principle, however that policy can also be "trust the caching
> recursive resolver."  Saying that the client MUST validate does not
> allow for this trusting policy.
> 
> -derek

Good point, however, the default policy should still be a must, since your configuration is rather unusual:  DNSSEC enables DNS to not trust the recursive resolver, and the default policy should take advantage of this.

Defaults should provide maximum safety and maximum interoperability for the majority of the clients.