IETF Logo Mail Archive

Re: [dnsext] stub validation

David Conrad <drc@virtualized.org> Mon, 25 October 2010 04:19 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 375A93A6800; Sun, 24 Oct 2010 21:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.467
X-Spam-Level:
X-Spam-Status: No, score=-2.467 tagged_above=-999 required=5 tests=[AWL=0.132, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sp5IHTLBJxjT; Sun, 24 Oct 2010 21:18:59 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8D7803A6359; Sun, 24 Oct 2010 21:18:59 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1PAERa-000NgS-O0 for namedroppers-data0@psg.com; Mon, 25 Oct 2010 04:13:58 +0000
Received: from trantor.virtualized.org ([204.152.189.190] helo=virtualized.org) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <drc@virtualized.org>) id 1PAERW-000Nfj-VW for namedroppers@ops.ietf.org; Mon, 25 Oct 2010 04:13:56 +0000
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 2517EEDE5CA; Sun, 24 Oct 2010 21:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZgVl8Oizw3RE; Sun, 24 Oct 2010 21:13:47 -0700 (PDT)
Received: from [10.0.1.8] (c-24-130-212-17.hsd1.ca.comcast.net [24.130.212.17]) by virtualized.org (Postfix) with ESMTP id C000EEDE5BF; Sun, 24 Oct 2010 21:13:46 -0700 (PDT)
Subject: Re: [dnsext] stub validation
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: David Conrad <drc@virtualized.org>
In-Reply-To: <88612.1287969841@nsa.vix.com>
Date: Sun, 24 Oct 2010 21:13:44 -0700
Cc: "namedroppers@ops.ietf.org" <namedroppers@ops.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <54EE9BB9-3C71-4E04-B0D1-EADDD4748337@virtualized.org>
References: <C8EA875A.83BA%roy@nominet.org.uk> <8D01F5E3-F863-4873-BB0E-654FA89983F7@virtualized.org> <88612.1287969841@nsa.vix.com>
To: Paul Vixie <vixie@isc.org>
X-Mailer: Apple Mail (2.1081)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

On Oct 24, 2010, at 6:24 PM, Paul Vixie wrote:
> among many critical defects in DNSSEC as specified, there's no good model
> for stub validation,

Stub validation never really made a lot of sense to me since it implies the stub to do all the work of an iterative resolver each and every time a lookup is done for each application that links in the stub resolver library.  It seems to me that a local rdns server makes way more sense.

> and as time goes on there are fewer and fewer trustworthy rdns servers.  

A separate issue. I have as much trust in the rdns server that runs on my local machine as I do in the application that linked the stub resolver library.  I have slightly less trust in the remote rdns server that exists within my administrative realm (assuming I can communicate with it via a trusted channel, e.g., (GSS-)TSIG, SIG(0), IPSEC, TLS, etc).  Even less for the remote rdns server outside of my administrative realm but with which I have some sort of contractual relationship (and a trusted channel).  Etc. 

> let me say that until DNSSEC is commonplace, DNSSEC is a failure.

I would argue that DNSSEC is a success if it protects against a cache poisoning attack in which a high value target is involved.  As DNSSEC deployment becomes more commonplace, the probability that it will be successful increases.

> but please everybody, don't dilute the DMNF thread with this argument.

Right.  Completely separate topics.

Regards,
-drc

v2.23.0 | Report a Bug | By Email