Re: Question about TSIG, AD/AA, and AXFR

Edward Lewis <lewis@tislabs.com> Tue, 17 July 2001 15:25 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA29601 for <dnsext-archive@lists.ietf.org>; Tue, 17 Jul 2001 11:25:46 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15MWYo-000KrV-00 for namedroppers-data@psg.com; Tue, 17 Jul 2001 08:14:54 -0700
Received: from h-135-207-10-122.research.att.com ([135.207.10.122] helo=roam.psg.com) by psg.com with esmtp (Exim 3.31 #1) id 15MWYm-000KrM-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 08:14:53 -0700
Received: from randy by roam.psg.com with local (Exim 3.30 #1) id 15MWYm-0000Fd-00 for namedroppers@ops.ietf.org; Tue, 17 Jul 2001 11:14:52 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Edward Lewis <lewis@tislabs.com>
To: Roy Arends <Roy.Arends@nominum.com>
Cc: Edward Lewis <lewis@tislabs.com>, Brian Wellington <Brian.Wellington@nominum.com>, namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <Pine.BSF.4.33.0107171614250.79103-100000@node10c4d.a2000.nl>
References: <E15MVFG-000Hzo-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MWYo-000KrV-00@psg.com>
Date: Tue, 17 Jul 2001 08:14:54 -0700

If you are doing the chain validation, your queries should be issued with
no TSIG and the CD flag on, if you really want to optimize performance (in
the "good" case[0]).

[0] Meaning - optimizing for the situation when there is no attack on.  If
you are being flooded with maliciously inserted answers, then, yes, TSIG is
a good thing.

At 10:29 AM -0400 7/17/01, Roy Arends wrote:
>On Tue, 17 Jul 2001, Edward Lewis wrote:
>
>> (Perhaps we should recommend that TSIG queries be issued with the
>> DNSSEC indication off.)
>
>I think this is not a good idea.
>
>Since TSIG is server authentication (origin), DNSSEC is zone
>authentication (content) we could have the following situation:
>
>Say there is some application that wants to verify signatures itself (SSH
>KEY + SIG(KEY)), using the stub-resolver for queries, which is configured
>to TSIG all data from the caching forwarder. No DNSSEC response will then
>be received at the stub since the stub uses TSIG and the DO bit unset in
>your scenario.
>
>Roy Arends
>Nominum


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
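The two positions above turn on the fact that TSIG (a per-hop HMAC over the whole message, between the stub and its forwarder) and DNSSEC (the DO bit asking for RRSIG/KEY data, and the CD flag telling the forwarder not to validate on the stub's behalf) are independent mechanisms that can be combined in one query. The following is an added example, not code from the thread or from either author: it builds a query for a KEY RR with both DO and CD set, TSIG-signs it per the RFC 2845/8945 digest rules, and verifies it, showing that the MAC also pins the DO bit on the stub-to-forwarder hop. The key name, secret, and timestamps are constructed; HMAC-SHA256 (RFC 4635) is assumed rather than the HMAC-MD5 in use in 2001.

```python
"""TSIG-signed DNS query carrying the EDNS DO bit and the CD header flag (added example)."""
import hashlib
import hmac
import struct

TYPE_KEY, TYPE_OPT, TYPE_TSIG, CLASS_IN, CLASS_ANY = 25, 41, 250, 1, 255
FLAG_RD, FLAG_CD, EDNS_DO = 0x0100, 0x0010, 0x8000
HMAC_SHA256 = "hmac-sha256."  # assumption: forwarder accepts this algorithm name


def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG digests the canonical form)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the name starting at off; a compression pointer is two bytes."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def walk_rrs(msg):
    """(start, type, class, ttl, rdata_off, rdlen) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    rrs = []
    for _ in range(an + ns + ar):
        start = off
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((start, rtype, rclass, ttl, off + 10, rdlen))
        off += 10 + rdlen
    return rrs


def build_query(qname, qtype, qid, do=True, cd=True):
    """Query with RD (+CD) in the header and an OPT RR whose TTL field carries DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    hdr = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # one question, one additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, class = UDP payload size, TTL = ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return hdr + question + opt


def header_cd(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_CD)


def edns_do(msg):
    return any(r[1] == TYPE_OPT and r[3] & EDNS_DO for r in walk_rrs(msg))


def _tsig_vars(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before hashing (RFC 8945 4.3.3)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(HMAC_SHA256)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the message as it was before the RR (ARCOUNT not yet bumped)."""
    mac = hmac.new(secret, msg + _tsig_vars(keyname, time_signed, fudge), hashlib.sha256).digest()
    qid = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", qid, 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, keyname, secret, now):
    """Forwarder-side check: key name, algorithm, MAC over the un-TSIG'd message, then time window."""
    rrs = walk_rrs(signed)
    if not rrs or rrs[-1][1] != TYPE_TSIG:
        return False, "no TSIG"
    start, _, _, _, rd, _ = rrs[-1]
    if signed[start:skip_name(signed, start)] != encode_name(keyname):
        return False, "BADKEY"
    alg_end = skip_name(signed, rd)
    if signed[rd:alg_end] != encode_name(HMAC_SHA256):
        return False, "BADKEY"  # unknown algorithm is reported as BADKEY
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    p = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    # Restore the original ID, un-count the TSIG RR, and recompute the MAC over the rest.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(secret, unsigned + _tsig_vars(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Stub asks its forwarder for host.example KEY with DO+CD, under a constructed TSIG key."""
    secret = b"constructed-example-secret-not-a-real-key"   # constructed, not a deployed key
    key, ts = "stub-to-forwarder.example.", 1_000_000_000  # constructed name and clock
    signed = tsig_sign(build_query("host.example.", TYPE_KEY, qid=0x1234), key, secret, ts)
    results = {
        "cd_set": header_cd(signed),
        "do_set": edns_do(signed),
        "good": tsig_verify(signed, key, secret, now=ts + 10),
        "wrong_secret": tsig_verify(signed, key, b"another-secret", now=ts + 10),
        "stale": tsig_verify(signed, key, secret, now=ts + 3600),
    }
    # Something on the path clearing DO (so no RRSIGs come back) also invalidates the MAC.
    opt = next(r for r in walk_rrs(signed) if r[1] == TYPE_OPT)
    ttl_off = skip_name(signed, opt[0]) + 4
    tampered = bytearray(signed)
    tampered[ttl_off + 2] ^= 0x80
    results["do_after_tamper"] = edns_do(bytes(tampered))
    results["do_stripped"] = tsig_verify(bytes(tampered), key, secret, now=ts + 10)
    return results
```

Lewis's "no TSIG, CD on" configuration is `build_query(..., do=True, cd=True)` sent as-is; Roy's stub is the same query after `tsig_sign`. Both carry DO, so the forwarder returns the signature data either way; what TSIG adds is that a forwarder holding the key can tell the stub's query (DO bit included) from one injected or altered in transit.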
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.