IETF Logo Mail Archive

Re: [dnsext] Reminder: two WGLC closing in one week

Mark Andrews <Mark_Andrews@isc.org> Tue, 23 September 2008 06:30 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25FB03A6B8F; Mon, 22 Sep 2008 23:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.299
X-Spam-Level:
X-Spam-Status: No, score=-0.299 tagged_above=-999 required=5 tests=[AWL=-2.300, BAYES_00=-2.599, MANGLED_BELOW=2.3, MANGLED_FROM=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utH4d-v7+9-h; Mon, 22 Sep 2008 23:30:37 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C8F233A6C66; Mon, 22 Sep 2008 23:30:36 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Ki1EX-000Mk8-FX for namedroppers-data@psg.com; Tue, 23 Sep 2008 06:18:49 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1Ki1EQ-000Mio-LO for namedroppers@ops.ietf.org; Tue, 23 Sep 2008 06:18:47 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.2) with ESMTP id m8N6IXIU074687; Tue, 23 Sep 2008 16:18:33 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200809230618.m8N6IXIU074687@drugs.dv.isc.org>
To: Michael StJohns <mstjohns@comcast.net>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
In-reply-to: Your message of "Tue, 23 Sep 2008 00:37:21 -0400." <E1Khzea-000Bob-2Y@psg.com>
Date: Tue, 23 Sep 2008 16:18:33 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

In message <E1Khzea-000Bob-2Y@psg.com>, Michael StJohns writes:
> At 11:09 PM 9/22/2008, Mark Andrews wrote:
> 
> >In message <20080923025212.A378411402C@mx.isc.org>, Michael StJohns writes:
> >> OK - so if the last chain validates, but the intermediate chain was unsecure
> , t
> >> hen you return the answer, but don't set the AD bit.  If the last chain does
> n't
> >>  validate, you return what?  The data without the AD bit, or  RCODE 2/SERVFA
> IL?
> >
> >        SERVFAIL.  If they ask with cd=1 then they get the full answer.
> >
> >>   (I.e.is it really possible to have data that's both bogus and unsecure?)
> >
> >        A particulare RRset is falls into exactly one of secure, insecure or
> >        bogus post validation.
> 
> Right, but the answer is a mixture of three RRSets - one secure, one unknown an
> d one bogus... which I guess makes the whole thing bogus and results in the ret
> urn of RCODE 2.
> 
> 
> >> Is t
> >> here any reason to do validation for the third chain in my example once you'
> ve 
> >> wandered over into unsecure land?  
> >
> >        Yes as you may be asked the later question.
> 
> Fair enough.
> 
> 
> >> Where - exactly - in the documentation of either CNAME or DNAME (or DNSSEC f
> or 
> >> that matter) is your last conclusion stated as a specific protocol element? 
>  I 
> >> just back and review 4035 sections 3.1.6, 3.2.3 and 5 and they don't seem to
>  sa
> >> y this.  The definition for "secure" in 4.3 only says to trace from the answ
> er 
> >> to a trust anchor.  The definition for insecure *could* be read to say what 
> you
> >> said, but then it would be in conflict with the definition for "secure".
> >
> >   A security-aware name server MUST NOT set the AD bit in a response
> >   unless the name server considers all RRsets in the Answer and
> >   Authority sections of the response to be authentic.  
> 
> OK. I can go along with this reading - but I think I'm still not quite done.
> 
> 
> So the last question is what goes on when you have the same three queries - exc
> ept the last one now validates, and the DO bit wasn't set from the stub resolve
> r? (e.g, I won't understand the lack of AD bit)

	You return the answer.
 
> The simple answer would be to return the three RRSets - but is that the right a
> pproach or only one of several correct approaches?  
> 
> I could argue the paranoids point, that once the answer becomes secure, unless 
> it becomes securely unsecure (by proving there's no DS at a delegation point), 
> then the final answer must either be secure or bogus.  In other words, if I get
>  a referral via a CNAME or DNAME into unsecure space, then the final answer sho
> uld be "bogus".

	No.  Everything that is not at or below a TA is deemed to
	be insecure.

> The above is different than the secure delegation to an unsecure zone:  The sig
> ned delegation to an unsigned zone is controllable by the delegator.  The signe
> d CNAME or DNAME referral to an zone carries no information about whether the r
> eferrer/signer believes the target zone/name should be signed.  
>
> I'm trying to reconcile this with the general policies on how data is returned 
> from a validating recursive resolver to a non-DNSSEC aware stub resolver.  The 
> VRR returns an RCODE 2 for any data below a trust anchor it can't validate (bog
> us), and returns the data which has no superior trust anchor (unknown),

	No, it is NOT unkown.  It is insecure.  You are attempting to introduce
	a state which does not exist.

	secure -> passes validation
	insecure -> no TA or there is a insecure delegation from a secure zone.
	bogus -> fails validation

> returns
> the data it was able to validate (secure), and returns the data which was belo
> w an unsecure delegation point (unsecure). 
> 
> I'm not sure I can argue that a DNAME or CNAME into an unknown/unsecure zone fr
> om a secure zone is equivalent to an unsecure delegation from that secure zone 
> to a subsidiary, because the target of the DNAME/CNAME can change the DNSSEC st
> atus at any time after the CNAME/DNAME is published.  Unfortunately, I can't se
> e any way of encoding the DNAME/CNAME signers expectation of security for the t
> arget zone in the current definitions.

	Each QNAME when following a CNAME chain is independently
	validated.  When you return the final answer you look at
	all the components to determine whether the final answer
	is secure (AD could be set if requested) or not.
 
> So if I follow the principal of "if it started out secure and I can't prove it 
> was meant to be unsecure then it should be bogus if I can't validate it" which 
> we follow for on-tree delegations, shouldn't I follow it for off-tree delegatio
> ns?

	Except you can validate that it is insecure.

	Mark

> Mike
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email