IETF Logo Mail Archive

Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Alex Bligh <alex@alex.org.uk> Mon, 13 October 2008 13:48 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B39628C11E; Mon, 13 Oct 2008 06:48:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIX0gQ3wWPEK; Mon, 13 Oct 2008 06:48:02 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 1D72928C0E9; Mon, 13 Oct 2008 06:48:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KpNga-0005Pr-9a for namedroppers-data@psg.com; Mon, 13 Oct 2008 13:42:12 +0000
Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <alex@alex.org.uk>) id 1KpNgQ-0005MO-Co for namedroppers@ops.ietf.org; Mon, 13 Oct 2008 13:42:05 +0000
Received: from [192.168.100.15] (localhost [127.0.0.1]) by mail.avalus.com (Postfix) with ESMTP id 6EF2DC2DAF; Mon, 13 Oct 2008 14:41:54 +0100 (BST)
Date: Mon, 13 Oct 2008 14:41:52 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Wouter Wijngaards <wouter@NLnetLabs.nl>, Michael StJohns <mstjohns@comcast.net>
cc: Ben Laurie <ben@links.org>, Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Message-ID: <D3AA46B662F334B8639E08CF@Ximines.local>
In-Reply-To: <48F33C34.3010901@nlnetlabs.nl>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com> <a06240800c50fd3decd5b@[192.168.1.101]> <48F2DE42.1060209@links.org> <E1KpLkt-000HQ3-Is@psg.com> <48F33C34.3010901@nlnetlabs.nl>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>


--On 13 October 2008 14:16:52 +0200 Wouter Wijngaards <wouter@NLnetLabs.nl> 
wrote:

> I think it is much simpler than that. The application is interested in
> what is known with certainty.
> 1. It is certain the data is valid (secure)
> 2. It is certain that security checks failed (bogus)
> 3. whatever (insecure).

One of the merits of Ben's list was it attempted to list the states "as
a user might see them" without associating them in the first instance
to the workings and terminology of the protocol.

>From the user's point of view, I think you (and, I think Ben) have missed
at least one. Using your numbering above here is what a DNSSEC aware
application might find when looking up the name:

1. We have data, which we know is correct & secure (DNSSEC signatures
   verify)
2. We have data, which we know is invalid (DNSSEC shows insecure)
3. We have data, but we are uncertain as to the correctness of the
   data (e.g. no DNSSEC information for that zone, or missing DLV
   or whatever).
4. We have no data, e.g. we got a SERVFAIL. As I understand, we can't
   tell this is secure or not (willing to be corrected here).

Non-DNSSEC-aware resolver stacks return (3) or (4).

As far as I can tell, treating (2) like (4) at the application layer
seems sensible (i.e. I can't see any/many applications distinguishing) (*).
However, an application might handle (1), (3) and [(2)/(4)] at least
as different states (even if only colouring a browser address bar
yet another shade of the rainbow). Compatibility reasons suggest
that legacy applications (non-DNSSEC aware) get to treat (1) and (3)
the same, or every such application will fail when a DNSSEC compliant
library is installed. Given evidence to date suggests adoption of
DNSSEC will be non-instantaneous, this seems mandatory.

(*) interesting nit: state 2 includes secure denial of existence. I am
arguing here secure denial of existence gets treated at the application
layer just like an insecure failure in every circumstance I can think
of. IE, you can spoof a SERVFAIL, DoS the resolver so it times out,
or whatever and it will be treated the same way as a guaranteed denial
of existence through NSEC/NSEC3 at the application layer. I know there
are people who think that maintaining the difference between an
authenticated denial and a failure is useful for more than debugging
purposes, or we wouldn't have spent so long ensuring NSEC's successor
maintained authenticated denial of existence. This implies that they
must see a need for (2) and (4) to be different.

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email