Re: [dnsext] Possible DNSSECbis clarifications
"George Barwood" <george.barwood@blueyonder.co.uk> Mon, 28 March 2011 08:57 UTC
Message-ID: <A496654AFE2E4E04922966B61D46D0F1@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Olafur Gudmundsson <ogud@ogud.com>, dnsext@ietf.org
References: <4D9042DA.30002@ogud.com>
Date: Mon, 28 Mar 2011 09:59:06 +0100
My understanding on these questions...

----- Original Message -----
From: "Olafur Gudmundsson" <ogud@ogud.com>
To: <dnsext@ietf.org>
Sent: Monday, March 28, 2011 9:12 AM
Subject: [dnsext] Possible DNSSECbis clarifications

>
> Dear colleagues,
>
> The following is a result of a side conversation on the interpretation
> of RFC403x with a number of DNS colleagues.
> Any mistakes in the questions are mine.
>
> The questions are:
> 1) What is the valid order of signed RRsets?
> 2) How many times SHOULD/MUST RRSIG(SOA) appear in an AXFR?
> 3) What RRSIG(SOA)'s MUST appear on the wire in an IXFR transaction?
>
>
> Q1) A: In RFC403x there is no order requirement on a signed RRset, thus
> implementations should be ready to handle any combination.
> The following examples should be treated as the same RRset:
>
>   RR1      RR3      RRSIG2
>   RR2      RRSIG1   RR2
>   RR3      RR1      RR3
>   RRSIG1   RR2      RRSIG1
>   RRSIG2   RRSIG2   RR1

Agreed. Within a section, records may be in any order. The normal approach is
to have RRSIGs immediately follow the records that they sign, but this is not
required by the standard.

>
> Q2) In AXFR the SOA record is used as a marker record to signal the
> beginning of a zone transfer and the end of the zone transfer.
> The open question is how many times should RRSIG(SOA) appear in the
> AXFR stream?
> a) Only once
> b) Both times
> c) Does not matter, both are ok.
>
> If the answer is a) then the question is when should it appear:
> i) in the beginning after the SOA
> ii) at any time in the AXFR
> iii) just before the final one.
> iv) after the final one.

RRSIG(SOA) records should be anywhere after the initial SOA and before the
final SOA record.

> Q3) In IXFR there are multiple SOA records used as markers both on the
> overall transaction and on each delta.
> The questions here are:
> Which RRSIG(SOA), i.e. for each serial number, are needed?
> a) All of them once
> b) all of them each time SOA appears
> b) only the final one, all the other ones are immaterial
> (open question is how often and where)
> c) The first and last one and each only once,
> the first one is needed to identify what to delete from
> the zone, the final one is what is going to be in the
> zone after the IXFR is applied.
>

I'm not familiar with IXFR, so no opinion on this one.

George

> Is there need to put this information in dnssec-bis (the answer to the AXFR
> question may update RFC5936) and in IXFR-bis document?
>
> Olafur
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
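The two points George agrees with above (Q1: RRSIG position within a signed RRset carries no meaning; Q2: RRSIG(SOA) belongs somewhere between the opening and closing SOA of an AXFR) as an added Python example, not code from the thread or from any DNS implementation. Records are modelled as constructed (owner, type, rdata) tuples, with an RRSIG's rdata reduced to "<type covered> <key tag>"; the three sample orderings are Olafur's three Q1 columns.

```python
from collections import defaultdict

# Olafur's three Q1 orderings of one signed RRset (constructed sample data).
# RR1..RR3 are modelled as A records, RRSIG1/RRSIG2 as two signatures over
# the same A RRset made with different key tags.
ORDER_1 = [("x.", "A", "RR1"), ("x.", "A", "RR2"), ("x.", "A", "RR3"),
           ("x.", "RRSIG", "A k1"), ("x.", "RRSIG", "A k2")]
ORDER_2 = [("x.", "A", "RR3"), ("x.", "RRSIG", "A k1"), ("x.", "A", "RR1"),
           ("x.", "A", "RR2"), ("x.", "RRSIG", "A k2")]
ORDER_3 = [("x.", "RRSIG", "A k2"), ("x.", "A", "RR2"), ("x.", "A", "RR3"),
           ("x.", "RRSIG", "A k1"), ("x.", "A", "RR1")]


def group_rrsets(records):
    """Group a record stream into signed RRsets keyed by (owner, type).
    Each RRSIG is attached to the RRset whose type it covers; the order in
    which records arrived is deliberately ignored, since RFC 403x imposes
    no ordering requirement on a signed RRset."""
    rrsets = defaultdict(lambda: (set(), set()))   # (RR rdata, RRSIG rdata)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            covered = rdata.split()[0]
            rrsets[(owner, covered)][1].add(rdata)
        else:
            rrsets[(owner, rtype)][0].add(rdata)
    return dict(rrsets)


def same_signed_rrsets(a, b):
    """True when two streams carry the same RRs and the same RRSIGs."""
    return group_rrsets(a) == group_rrsets(b)


# Constructed AXFR stream: the SOA opens and closes the transfer and the
# RRSIG(SOA) sits between the two markers, which is the placement George
# describes as acceptable.
AXFR = [("x.", "SOA", "ns1 host 1"), ("x.", "NS", "ns1.x."),
        ("x.", "RRSIG", "SOA k1"), ("x.", "RRSIG", "NS k1"),
        ("x.", "SOA", "ns1 host 1")]


def count_rrsig_soa_between_markers(stream):
    """Return how many RRSIG(SOA) records lie strictly between the opening
    and closing SOA of an AXFR stream, or None if the stream is not
    bracketed by SOA records. A result of 0 means the SOA RRset arrived
    unsigned, which a validating secondary should treat as an error."""
    if len(stream) < 2 or stream[0][1] != "SOA" or stream[-1][1] != "SOA":
        return None
    return sum(1 for _, rtype, rdata in stream[1:-1]
               if rtype == "RRSIG" and rdata.split()[0] == "SOA")
```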