Re: [dnsext] Reminder: two WGLC closing in one week
Mark Andrews <Mark_Andrews@isc.org> Tue, 23 September 2008 06:30 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25FB03A6B8F; Mon, 22 Sep 2008 23:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.299
X-Spam-Level:
X-Spam-Status: No, score=-0.299 tagged_above=-999 required=5 tests=[AWL=-2.300, BAYES_00=-2.599, MANGLED_BELOW=2.3, MANGLED_FROM=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utH4d-v7+9-h; Mon, 22 Sep 2008 23:30:37 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C8F233A6C66; Mon, 22 Sep 2008 23:30:36 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Ki1EX-000Mk8-FX for namedroppers-data@psg.com; Tue, 23 Sep 2008 06:18:49 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1Ki1EQ-000Mio-LO for namedroppers@ops.ietf.org; Tue, 23 Sep 2008 06:18:47 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.2) with ESMTP id m8N6IXIU074687; Tue, 23 Sep 2008 16:18:33 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200809230618.m8N6IXIU074687@drugs.dv.isc.org>
To: Michael StJohns <mstjohns@comcast.net>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
In-reply-to: Your message of "Tue, 23 Sep 2008 00:37:21 -0400." <E1Khzea-000Bob-2Y@psg.com>
Date: Tue, 23 Sep 2008 16:18:33 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
In message <E1Khzea-000Bob-2Y@psg.com>, Michael StJohns writes: > At 11:09 PM 9/22/2008, Mark Andrews wrote: > > >In message <20080923025212.A378411402C@mx.isc.org>, Michael StJohns writes: > >> OK - so if the last chain validates, but the intermediate chain was unsecure > , t > >> hen you return the answer, but don't set the AD bit. If the last chain does > n't > >> validate, you return what? The data without the AD bit, or RCODE 2/SERVFA > IL? > > > > SERVFAIL. If they ask with cd=1 then they get the full answer. > > > >> (I.e.is it really possible to have data that's both bogus and unsecure?) > > > > A particulare RRset is falls into exactly one of secure, insecure or > > bogus post validation. > > Right, but the answer is a mixture of three RRSets - one secure, one unknown an > d one bogus... which I guess makes the whole thing bogus and results in the ret > urn of RCODE 2. > > > >> Is t > >> here any reason to do validation for the third chain in my example once you' > ve > >> wandered over into unsecure land? > > > > Yes as you may be asked the later question. > > Fair enough. > > > >> Where - exactly - in the documentation of either CNAME or DNAME (or DNSSEC f > or > >> that matter) is your last conclusion stated as a specific protocol element? > I > >> just back and review 4035 sections 3.1.6, 3.2.3 and 5 and they don't seem to > sa > >> y this. The definition for "secure" in 4.3 only says to trace from the answ > er > >> to a trust anchor. The definition for insecure *could* be read to say what > you > >> said, but then it would be in conflict with the definition for "secure". > > > > A security-aware name server MUST NOT set the AD bit in a response > > unless the name server considers all RRsets in the Answer and > > Authority sections of the response to be authentic. > > OK. I can go along with this reading - but I think I'm still not quite done. > > > So the last question is what goes on when you have the same three queries - exc > ept the last one now validates, and the DO bit wasn't set from the stub resolve > r? (e.g, I won't understand the lack of AD bit) You return the answer. > The simple answer would be to return the three RRSets - but is that the right a > pproach or only one of several correct approaches? > > I could argue the paranoids point, that once the answer becomes secure, unless > it becomes securely unsecure (by proving there's no DS at a delegation point), > then the final answer must either be secure or bogus. In other words, if I get > a referral via a CNAME or DNAME into unsecure space, then the final answer sho > uld be "bogus". No. Everything that is not at or below a TA is deemed to be insecure. > The above is different than the secure delegation to an unsecure zone: The sig > ned delegation to an unsigned zone is controllable by the delegator. The signe > d CNAME or DNAME referral to an zone carries no information about whether the r > eferrer/signer believes the target zone/name should be signed. > > I'm trying to reconcile this with the general policies on how data is returned > from a validating recursive resolver to a non-DNSSEC aware stub resolver. The > VRR returns an RCODE 2 for any data below a trust anchor it can't validate (bog > us), and returns the data which has no superior trust anchor (unknown), No, it is NOT unkown. It is insecure. You are attempting to introduce a state which does not exist. secure -> passes validation insecure -> no TA or there is a insecure delegation from a secure zone. bogus -> fails validation > returns > the data it was able to validate (secure), and returns the data which was belo > w an unsecure delegation point (unsecure). > > I'm not sure I can argue that a DNAME or CNAME into an unknown/unsecure zone fr > om a secure zone is equivalent to an unsecure delegation from that secure zone > to a subsidiary, because the target of the DNAME/CNAME can change the DNSSEC st > atus at any time after the CNAME/DNAME is published. Unfortunately, I can't se > e any way of encoding the DNAME/CNAME signers expectation of security for the t > arget zone in the current definitions. Each QNAME when following a CNAME chain is independently validated. When you return the final answer you look at all the components to determine whether the final answer is secure (AD could be set if requested) or not. > So if I follow the principal of "if it started out secure and I can't prove it > was meant to be unsecure then it should be bogus if I can't validate it" which > we follow for on-tree delegations, shouldn't I follow it for off-tree delegatio > ns? Except you can validate that it is insecure. Mark > Mike -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Reminder: two WGLC closing in one week Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Scott Rose
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Edward Lewis
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Remind… Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Re… Edward Lewis
- [dnsext] recommeded contents for Re: DNAME (and C… Edward Lewis
- [dnsext] flip-flopping secure and unsecure DNAME/… Edward Lewis
- Re: [dnsext] recommeded contents for Re: DNAME (a… Scott Rose
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… John Dickinson
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Olafur Gudmundsson
- Re: [dnsext] flip-flopping secure and unsecure DN… Edward Lewis
- the DO bit Re: [dnsext] Reminder: two WGLC closin… Edward Lewis
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… bmanning
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… David Conrad
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Wouter Wijngaards
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- CNAME/DNAME - Re: [dnsext] flip-flopping secure a… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Shane Kerr
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Interpreting DNSSEC was Re: [dnsext] flip-floppin… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Wouter Wijngaards
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Stephane Bortzmeyer
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis