Re: [dnsext] Checking RRSIG RR validity

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Sat, 01 January 2011 22:13 UTC

Message-ID: <4D1FA772.6070000@nlnetlabs.nl>
Date: Sat, 01 Jan 2011 23:15:14 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsext@ietf.org
References: <AANLkTinkmbx7yaTcd6P9sBryzQa7An2FMCS8aFk7jhb7@mail.gmail.com> <5C578182DAA04FE6B9CF4A18B7BC0D95@local> <AANLkTimPVve7f-KWyq-R2A-+Teb-8nqF+VYhSJrCcyXh@mail.gmail.com>
In-Reply-To: <AANLkTimPVve7f-KWyq-R2A-+Teb-8nqF+VYhSJrCcyXh@mail.gmail.com>
Subject: Re: [dnsext] Checking RRSIG RR validity

Hi Mohan or Sean and George,

On 12/31/2010 08:36 PM, Sean Wells or Mohan wrote:
> On Fri, Dec 31, 2010 at 9:55 AM, George Barwood wrote:
>> I agree the standard is not explicit here. These are my thoughts

That looks ok to me.

>> Unfortunately a validating resolver does not know the zone in a
>> secure way, so it's unclear how this is to be implemented.

Yes, it may know more, because it may know where the information was
fetched from (it is also a full resolver) and thus that the signer name
must be equal to or below that last delegation point.

If you really want, it is possible to securely determine the zone, think
nodata DS answers.

> That is exactly my issue.
> Perhaps, it would be good to clarify this in the
> Clarifications document ? (assuming there is consensus).

The checks from George look good to me.  However, I do not think that
needs to be RFC-ed, because I do not want to force 'bottom-up' or
'top-down' validation.

Also, I believe those RR type checks are a bit over-the-top.  Although
it means the zone is badly configured, you can leniently let it pass,
since it was signed by the owner.  (And Happy New Year for Ed :-) ).

Best regards,
   Wouter
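An added illustration of the signer-name sanity checks discussed in this reply (example code written for this archive page, not code from the thread, from Unbound or from any other resolver): the first two checks are the RFC 4035 section 5.3.1 rules, the third is Wouter's refinement that a full resolver knows the delegation point it fetched the data from. The function names and the sample names are constructed for the example.

```python
from __future__ import annotations

# Added example, not from the mailing-list thread. All names, the zone cut
# and the RRSIG field values used in the test are constructed.

def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, root-first (trailing dot optional)."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab][::-1]

def is_ancestor_or_equal(parent: str, child: str) -> bool:
    """True when `parent` is `child` itself or a name above it, compared label-wise
    so that example.com. covers www.example.com. but not notexample.com."""
    p, c = labels(parent), labels(child)
    return len(p) <= len(c) and c[: len(p)] == p

def check_rrsig_signer(owner: str, signer: str, rrsig_labels: int,
                       last_delegation: str) -> tuple[bool, str]:
    """Cheap plausibility checks on an RRSIG before spending a signature verification.

    owner:           owner name of the RRset the RRSIG covers
    signer:          Signer's Name field of the RRSIG
    rrsig_labels:    Labels field of the RRSIG (RFC 4034)
    last_delegation: the zone cut the full resolver followed to fetch the RRset
    Returns (ok, reason).
    """
    # RFC 4035 5.3.1: the signer must be the owner name or one of its ancestors.
    if not is_ancestor_or_equal(signer, owner):
        return False, "signer is not the owner name or one of its ancestors"
    # RFC 4035 5.3.1: the Labels field may not exceed the owner's label count
    # (it may be smaller, which is how wildcard expansions are signalled).
    if rrsig_labels > len(labels(owner)):
        return False, "RRSIG labels field exceeds owner name label count"
    # Refinement from the thread: a resolver that fetched the data itself
    # knows the signer cannot sit above the delegation point it came through.
    if not is_ancestor_or_equal(last_delegation, signer):
        return False, "signer is above the delegation point the data came from"
    return True, "signer name is plausible for this RRset"
```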