IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Mohan Parthasarathy <suruti94@gmail.com> Mon, 30 January 2012 02:12 UTC

Return-Path: <suruti94@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621AB21F84BF for <dnsext@ietfa.amsl.com>; Sun, 29 Jan 2012 18:12:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.354
X-Spam-Level:
X-Spam-Status: No, score=-3.354 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVvpYQglrLvN for <dnsext@ietfa.amsl.com>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id B476821F8471 for <dnsext@ietf.org>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: by qan41 with SMTP id 41so110142qan.10 for <dnsext@ietf.org>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ITh6O3D7dK+oCGYH7Bdaq8wnjkYxfxjMMNrfYIcHajk=; b=x+EIAiAzFqlYkjGwSMci8MX/YZnbpl0H0Xc/VV/iWfRX7g0leNcOPh3zE3uSU18iWG KLwP+uLwjQtx9PwKu6aIRQJcH94aRaJHl3bNMTAlT1rBMbOmfaYpwXWdU0VSKAnk+TTR +LIORzDAkoneso7bDkk65uSqyTZvoTLcZiz9E=
MIME-Version: 1.0
Received: by 10.224.198.3 with SMTP id em3mr18775221qab.23.1327889534195; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
In-Reply-To: <20120128134331.819221C33944@drugs.dv.isc.org>
References: <20120120054939.GD4365@mail.yitter.info> <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com> <20120128052029.618CE1C32BFA@drugs.dv.isc.org> <CACU5sD=P-agE2oOqvAiCs=bcX3Off6cCubW-f=skKP54-1oQaQ@mail.gmail.com> <20120128134331.819221C33944@drugs.dv.isc.org>
Date: Sun, 29 Jan 2012 18:12:14 -0800
Message-ID: <CACU5sDnuW7hUkYAoyyBY=W2yN0EgYiuX3wY8gBryDGN5LxUkSw@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2012 02:12:15 -0000

On Sat, Jan 28, 2012 at 5:43 AM, Mark Andrews <marka@isc.org> wrote:
>
> In message <CACU5sD=P-agE2oOqvAiCs=bcX3Off6cCubW-f=skKP54-1oQaQ@mail.gmail.com>
> , Mohan Parthasarathy writes:
>> On Fri, Jan 27, 2012 at 9:20 PM, Mark Andrews <marka@isc.org> wrote:
>> >
>> > In message <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmai=
>> l.com>
>> > , Mohan Parthasarathy writes:
>> >
>> >> - Section 5.7 setting the AD bit on queries. Is CD=0,DO=0 in the que=
>> ry
>> >> same as AD=1,DO=0 ?
>> >
>> > The question doesn't make sense.
>> >
>> > AD=0,DO=1 and AD=1,DO=1 produce the same result.
>> > AD=0,DO=0 and AD=1,DO=0 produce different results.
>> > AD=0,DO=0 and AD=0,DO=1 produce different results.
>> > AD=1,DO=0 and AD=0,DO=1 produce different results.
>> >
>> Thanks for the clarification. I realized after I posted that not
>> setting CD and DO is pre-DNSSEC.
>>
>> >> missed the discussion on this earlier. If there is a valid reason,
>> >> that needs to be stated explicitly as to why we are introducing this
>> >> new option.
>> >
>> > Section 5.7 explains why this option exists.
>> >
>> >                This allows a requestor to indicate that i=
>> t understands
>> >   the AD bit without also requesting DNSSEC data via the DO bit.
>> >
>> >
>> So, "understands" here means "Please do the validation for me " ?
>> Then, is  CD=1, AD=1 a invalid option ?
>
> No.  AD will be 1 if the answer + authority sections come from
> cached data that has validated as secure.  That said I don't think
> there is much use unless you are trying to check if a lookup failure
> was due to DNSSEC errors.
>
Okay.

>> So, there are implementations out there that want to know whether
>> validation was successful or not but just not want to handle any
>> DNSSEC records?
>
> I will put it this way.  I doubt if there is a application that
> cares about AD that *wants* the DNSSEC records.  At the moment they
> have no choice unless they are using the draft.
>
Agreed that those DNSSEC records are not of much use. For
non-validating resolvers, there is now a choice of setting the DO bit
or AD bit and setting both does not make sense. Perhaps, this should
be explained.

>> My question was more on what prompted the addition of this new feature ?
>
> 1. It reduces the response size.
> 2. You can apply DNS64, NXDOMAIN redirection, bad site filtering, etc. with
>   AD=1 which you can't with DO=1.
>
Why does the extra DNSSEC records affect DNS64 ?

If AD=1 seems better for non-validating resolvers, perhaps that should
be recommended in the draft ?

-mohan

>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.39.1 | Report a Bug | By Email | System Status