Re: [dnsext] Reminder: two WGLC closing in one week

Mark Andrews <Mark_Andrews@isc.org> Tue, 23 September 2008 03:19 UTC

To: Michael StJohns <mstjohns@comcast.net>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
In-reply-to: Your message of "Mon, 22 Sep 2008 22:52:10 -0400." <20080923025212.A378411402C@mx.isc.org>
Date: Tue, 23 Sep 2008 13:09:30 +1000

In message <20080923025212.A378411402C@mx.isc.org>, Michael StJohns writes:
> OK - so if the last chain validates, but the intermediate chain was unsecure, then
> you return the answer, but don't set the AD bit.  If the last chain doesn't
> validate, you return what?  The data without the AD bit, or RCODE 2/SERVFAIL?

	SERVFAIL.  If they ask with cd=1 then they get the full answer.

>   (I.e. is it really possible to have data that's both bogus and unsecure?)

	A particular RRset falls into exactly one of secure, insecure or
	bogus post validation.

> Is there any reason to do validation for the third chain in my example once
> you've wandered over into unsecure land?

	Yes, as you may be asked the later question.

> Where - exactly - in the documentation of either CNAME or DNAME (or DNSSEC for
> that matter) is your last conclusion stated as a specific protocol element?  I
> just went back and reviewed 4035 sections 3.1.6, 3.2.3 and 5 and they don't seem
> to say this.  The definition for "secure" in 4.3 only says to trace from the
> answer to a trust anchor.  The definition for insecure *could* be read to say
> what you said, but then it would be in conflict with the definition for "secure".

   A security-aware name server MUST NOT set the AD bit in a response
   unless the name server considers all RRsets in the Answer and
   Authority sections of the response to be authentic.  A security-aware
   name server's local policy MAY consider data from an authoritative
   zone to be authentic without further validation.  However, the name
   server MUST NOT do so unless the name server obtained the
   authoritative zone via secure means (such as a secure zone transfer
   mechanism) and MUST NOT do so unless this behavior has been
   configured explicitly.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
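An added example (not part of Mark's message, nor ISC code) modelling the answer rules discussed above in Python: each RRset in a CNAME/DNAME chain carries exactly one of the three post-validation states, a bogus link yields SERVFAIL unless the query had CD=1, and AD is set only when every RRset in the Answer section is secure. The zone names, the three-link chain and the choice not to set AD on CD=1 answers are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    """Post-validation state of one RRset (RFC 4035 section 4.3): exactly one applies."""
    SECURE = "secure"      # signature chain verified up to a trust anchor
    INSECURE = "insecure"  # provably unsigned (proven absence of DS above it)
    BOGUS = "bogus"        # should be signed but could not be verified


@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    state: State


@dataclass(frozen=True)
class Response:
    rcode: str     # "NOERROR" or "SERVFAIL"
    ad: bool       # Authenticated Data flag
    answer: tuple  # RRsets placed in the Answer section


def build_response(chain, cd):
    """Decide what a validating resolver returns for an already-classified chain.

    chain: the RRsets followed in order (CNAME/DNAME links, then the final RRset).
    cd:    the Checking Disabled flag from the query.
    """
    states = [rr.state for rr in chain]
    if cd:
        # CD=1: the client gets the full answer regardless of validation outcome.
        # Assumption of this model: AD is not set on CD=1 answers.
        return Response("NOERROR", False, tuple(chain))
    if State.BOGUS in states:
        return Response("SERVFAIL", False, ())
    # AD only if every RRset in the Answer section is authentic (RFC 4035 3.2.3);
    # an insecure link clears AD but does not make the data bogus.
    ad = all(s is State.SECURE for s in states)
    return Response("NOERROR", ad, tuple(chain))


# Constructed chain from the thread's scenario: signed -> unsigned -> signed.
EXAMPLE_CHAIN = (
    RRset("www.signed.example.", "CNAME", State.SECURE),
    RRset("alias.unsigned.example.", "CNAME", State.INSECURE),
    RRset("target.signed.example.", "A", State.SECURE),
)
```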
