Re: Question about TSIG, AD/AA, and AXFR
Edward Lewis <lewis@tislabs.com> Tue, 17 July 2001 14:47 UTC
Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA20960 for <dnsext-archive@lists.ietf.org>; Tue, 17 Jul 2001 10:47:32 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15MVFO-000I03-00 for namedroppers-data@psg.com; Tue, 17 Jul 2001 06:50:46 -0700
Received: from h-135-207-10-122.research.att.com ([135.207.10.122] helo=roam.psg.com) by psg.com with esmtp (Exim 3.31 #1) id 15MVFN-000Hzx-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 06:50:45 -0700
Received: from randy by roam.psg.com with local (Exim 3.30 #1) id 15MVFN-0000D7-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 09:50:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Edward Lewis <lewis@tislabs.com>
To: Jakob Schlyter <jakob@crt.se>
Cc: Edward Lewis <lewis@tislabs.com>, namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <Pine.BSO.4.33.0107170922390.27119-100000@fonbella.crt.se>
References: <E15MI1g-000IVw-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MVFO-000I03-00@psg.com>
Date: Tue, 17 Jul 2001 06:50:46 -0700
Content-Transfer-Encoding: 7bit
It is true DNSSEC can't guarantee that data is correct nor correctly handled, but at least it will help point out where the fault is. Perhaps I've been assuming "trustworthy" with being able to trace the data back to the (appropriate) source. >From you message it sounds like no one should trust data with the AA bit, as this means the authentication has not been checked. This is an ironic conclusion, as we've been assigning more credibility to AA'd data. (Once again, the credibility vs. authenticated issue arises.) At 3:31 AM -0400 7/17/01, Jakob Schlyter wrote: >On Mon, 16 Jul 2001, Edward Lewis wrote: > >> Case TSIG AD AA Server-type >> 1 Y 0 1 Primary "From disk," so it can be trusted >> 2 Y 0 1 Secondary Via AXFR, trustworthy only if AXFR is secure > >why can the data be trusted just because the server read it from disk or >safely AXFRed? a lot of bad things could have happen to the data between >signing och loading, especially if you're doing off-line signing. > > - the signatures could have expired > - the signatures could not be valid yet > - someone could maliciously have inserted or altered data > - data could be corrupted by other means > > > jakob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com You fly too often when ... the airport taxi is on speed-dial. Opinions expressed are property of my evil twin, not my employer. to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Question about TSIG, AD/AA, and AXFR Brian Wellington
- Re: Question about TSIG, AD/AA, and AXFR Jakob Schlyter
- Re: Question about TSIG, AD/AA, and AXFR Edward Lewis
- Re: Question about TSIG, AD/AA, and AXFR Robert Elz
- Re: Question about TSIG, AD/AA, and AXFR Roy Arends
- Re: Question about TSIG, AD/AA, and AXFR Roy Arends