IETF Logo Mail Archive

Re: DNSSEC - Signature Only vs the MX/A issue.

Mike StJohns <Mike.StJohns@nominum.com> Thu, 30 November 2006 19:34 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gprfx-0008Sf-QL; Thu, 30 Nov 2006 14:34:29 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gprft-0001nF-Ea; Thu, 30 Nov 2006 14:34:29 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1GprXL-0004PR-Fj for namedroppers-data@psg.com; Thu, 30 Nov 2006 19:25:35 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.1.7
Received: from [81.200.64.181] (helo=shell-ng.nominum.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <Mike.StJohns@nominum.com>) id 1GprW2-0004Cw-Vh for namedroppers@ops.ietf.org; Thu, 30 Nov 2006 19:24:31 +0000
Received: from STJOHNS-LAPTOP.nominum.com (shell-ng.nominum.com [81.200.64.181]) by shell-ng.nominum.com (Postfix) with ESMTP id B254C5688E; Thu, 30 Nov 2006 11:24:12 -0800 (PST) (envelope-from Mike.StJohns@nominum.com)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 30 Nov 2006 12:48:58 -0500
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
From: Mike StJohns <Mike.StJohns@nominum.com>
Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
Cc: namedroppers@ops.ietf.org
In-Reply-To: <20061128204758.GA20253@nic.fr>
References: <20061127032712.CD1FE56890@shell-ng.nominum.com> <20061128135806.GA24695@nic.fr> <20061128203532.0DC4F56890@shell-ng.nominum.com> <20061128204758.GA20253@nic.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-Id: <20061130192412.B254C5688E@shell-ng.nominum.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 769a46790fb42fbb0b0cc700c82f7081

At 03:47 PM 11/28/2006, Stephane Bortzmeyer wrote:
>On Tue, Nov 28, 2006 at 03:13:50PM -0500,
>  Mike StJohns <Mike.StJohns@nominum.com> wrote
>  a message of 25 lines which said:
>
> > Not exactly.  See my previous note to Mark.  SO still protects the
> > atomicity of an RRSet - you can delete ALL of the SRV records or
> > none of them.  If you delete all of them at a label, the lookup
> > fails and you can't proceed.
>
>See Peter Koch's reply :-) Many protocols define a fallback outside of
>the RRset. For instance, in
>http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-andrews-http-srv-01.txt,
>there is a fallback from SRV to A.

Couldn't find a copy - the link you provided is bad.

But that brings up a question.  Just what atomicity guarantees do you 
expect DNSSEC to provide for DNS lookups?

For example - an SRV  or NAPTR record at one name can point to a 
record at another name - do you expect that the entire group of 
related records MUST be signed?  If so how do you enforce it, 
especially if the references point outside the zone?

If you're talking about A record fall back (e.g. asking for a 
SRV/NAPTR/pick one record at www.example.com and falling back to the 
A records at www.example.com), what atomicity guarantee do you need 
in the temporal dimension?  E.g. if I try and retrieve the SRV record 
and am told it doesn't exist - securely - but the zone operator is in 
the process of installing it and does so before I can retrieve 
(perhaps manually) the A record - is that OK even though by the time 
I retrieved the A record the SRV record actually did exist?  Or worse 
yet, the operator was in the process of deleting the A record and 
adding the SRV record - I was able to prove when I went to get the 
SRV record it didn't exist - when I went to get the A record it also 
didn't exist.  Both things were true when I asked, but the result is 
that for some period of time I will believe that no service exists.

PNE makes the entire zone atomic for some measure of atomicity - what 
statement would you make to an application developer about reliance 
on that atomicity? 


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email