Re: DNSSEC - Signature Only vs the MX/A issue.
Mike StJohns <Mike.StJohns@nominum.com> Thu, 30 November 2006 19:34 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gprfx-0008Sf-QL; Thu, 30 Nov 2006 14:34:29 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gprft-0001nF-Ea; Thu, 30 Nov 2006 14:34:29 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1GprXL-0004PR-Fj for namedroppers-data@psg.com; Thu, 30 Nov 2006 19:25:35 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.1.7
Received: from [81.200.64.181] (helo=shell-ng.nominum.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <Mike.StJohns@nominum.com>) id 1GprW2-0004Cw-Vh for namedroppers@ops.ietf.org; Thu, 30 Nov 2006 19:24:31 +0000
Received: from STJOHNS-LAPTOP.nominum.com (shell-ng.nominum.com [81.200.64.181]) by shell-ng.nominum.com (Postfix) with ESMTP id B254C5688E; Thu, 30 Nov 2006 11:24:12 -0800 (PST) (envelope-from Mike.StJohns@nominum.com)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 30 Nov 2006 12:48:58 -0500
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
From: Mike StJohns <Mike.StJohns@nominum.com>
Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
Cc: namedroppers@ops.ietf.org
In-Reply-To: <20061128204758.GA20253@nic.fr>
References: <20061127032712.CD1FE56890@shell-ng.nominum.com> <20061128135806.GA24695@nic.fr> <20061128203532.0DC4F56890@shell-ng.nominum.com> <20061128204758.GA20253@nic.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-Id: <20061130192412.B254C5688E@shell-ng.nominum.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 769a46790fb42fbb0b0cc700c82f7081
At 03:47 PM 11/28/2006, Stephane Bortzmeyer wrote: >On Tue, Nov 28, 2006 at 03:13:50PM -0500, > Mike StJohns <Mike.StJohns@nominum.com> wrote > a message of 25 lines which said: > > > Not exactly. See my previous note to Mark. SO still protects the > > atomicity of an RRSet - you can delete ALL of the SRV records or > > none of them. If you delete all of them at a label, the lookup > > fails and you can't proceed. > >See Peter Koch's reply :-) Many protocols define a fallback outside of >the RRset. For instance, in >http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-andrews-http-srv-01.txt, >there is a fallback from SRV to A. Couldn't find a copy - the link you provided is bad. But that brings up a question. Just what atomicity guarantees do you expect DNSSEC to provide for DNS lookups? For example - an SRV or NAPTR record at one name can point to a record at another name - do you expect that the entire group of related records MUST be signed? If so how do you enforce it, especially if the references point outside the zone? If you're talking about A record fall back (e.g. asking for a SRV/NAPTR/pick one record at www.example.com and falling back to the A records at www.example.com), what atomicity guarantee do you need in the temporal dimension? E.g. if I try and retrieve the SRV record and am told it doesn't exist - securely - but the zone operator is in the process of installing it and does so before I can retrieve (perhaps manually) the A record - is that OK even though by the time I retrieved the A record the SRV record actually did exist? Or worse yet, the operator was in the process of deleting the A record and adding the SRV record - I was able to prove when I went to get the SRV record it didn't exist - when I went to get the A record it also didn't exist. Both things were true when I asked, but the result is that for some period of time I will believe that no service exists. PNE makes the entire zone atomic for some measure of atomicity - what statement would you make to an application developer about reliance on that atomicity? -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- DNSSEC - Signature Only vs the MX/A issue. Mike StJohns
- Re: brain cycles of the WG Edward Lewis
- Re: DNSSEC - Signature Only vs the MX/A issue. Ben Laurie
- Re: DNSSEC - Signature Only vs the MX/A issue. Florian Weimer
- Re: DNSSEC - Signature Only vs the MX/A issue. Robert Story
- Re: DNSSEC - Signature Only vs the MX/A issue. Mike StJohns
- Re: brain cycles of the WG Paul Vixie
- Re: brain cycles of the WG Pekka Savola
- Re: brain cycles of the WG Edward Lewis
- Back to Ohta's old proposal (Was: DNSSEC - Signat… Stephane Bortzmeyer
- Re: brain cycles of the WG Florian Weimer
- Re: DNSSEC - Signature Only vs the MX/A issue. David Blacka
- Re: DNSSEC - Signature Only vs the MX/A issue. Mike StJohns
- Re: DNSSEC - Signature Only vs the MX/A issue. Paul Vixie
- Re: brain cycles of the WG bert hubert
- Re: DNSSEC - Signature Only vs the MX/A issue. Ralph Droms
- Re: brain cycles of the WG Edward Lewis
- Re: DNSSEC - Signature Only vs the MX/A issue. bert hubert
- Re: DNSSEC - Signature Only vs the MX/A issue. Stephane Bortzmeyer
- Re: DNSSEC - Signature Only vs the MX/A issue. bert hubert
- Re: DNSSEC - Signature Only vs the MX/A issue. Mike StJohns
- Re: brain cycles of the WG Edward Lewis
- Re: DNSSEC - Signature Only vs the MX/A issue. Edward Lewis
- Re: DNSSEC - Signature Only vs the MX/A issue. Paul Vixie
- Re: DNSSEC - Signature Only vs the MX/A issue. bert hubert
- Re: DNSSEC - Signature Only vs the MX/A issue. Robert Story
- Re: brain cycles of the WG Pekka Savola
- Re: DNSSEC - Signature Only vs the MX/A issue. bert hubert
- Re: brain cycles of the WG Jim Reid
- Re: DNSSEC - Signature Only vs the MX/A issue. Stephane Bortzmeyer
- Re: brain cycles of the WG Pekka Savola
- Re: DNSSEC - Signature Only vs the MX/A issue. Paul Vixie
- Re: DNSSEC - Signature Only vs the MX/A issue. bert hubert
- Re: brain cycles of the WG Ben Laurie
- brain cycles of the WG Pekka Savola
- Re: brain cycles of the WG Jay Daley
- Re: DNSSEC - Signature Only vs the MX/A issue. Stephane Bortzmeyer
- Re: DNSSEC - Signature Only vs the MX/A issue. Mike StJohns
- Re: Back to Ohta's old proposal (Was: DNSSEC - Si… Masataka Ohta
- Re: DNSSEC - Signature Only vs the MX/A issue. Mike StJohns