IETF Logo Mail Archive

Re: [dnsext] Design team report on dnssec-bis-updates and CD bit

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 12 July 2010 10:21 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 313843A68F9; Mon, 12 Jul 2010 03:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.111
X-Spam-Level:
X-Spam-Status: No, score=-101.111 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6b6s9RzVgZo; Mon, 12 Jul 2010 03:21:04 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 49B163A6828; Mon, 12 Jul 2010 03:21:00 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1OYG1N-0000GI-Md for namedroppers-data0@psg.com; Mon, 12 Jul 2010 10:13:57 +0000
Received: from [2001:7b8:206:1::1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72 (FreeBSD)) (envelope-from <wouter@nlnetlabs.nl>) id 1OYG1K-0000FW-F7 for namedroppers@ops.ietf.org; Mon, 12 Jul 2010 10:13:54 +0000
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id o6CADbvj054096 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 12 Jul 2010 12:13:38 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4C3AEAD1.3070308@nlnetlabs.nl>
Date: Mon, 12 Jul 2010 12:13:37 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100621 Fedora/3.0.5-1.fc13 Thunderbird/3.0.5
MIME-Version: 1.0
To: Michael Graff <mgraff@isc.org>
CC: Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Design team report on dnssec-bis-updates and CD bit
References: <20100709142108.GA68527@shinkuro.com> <4C3AA142.1030304@isc.org>
In-Reply-To: <4C3AA142.1030304@isc.org>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Mon, 12 Jul 2010 12:13:38 +0200 (CEST)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I sort of agree with Michael and George, that there are multiple
options, this seems to be a list of what local-policy a resolver could
implement.  What a CD flag does works fine: the upstream either gives
the unaltered, unabridged data or does "funky policy" on it.  Below I
attempt to list some pros and cons.

* After root key deployment, it is likely that if a trust anchor is in
place, it is the root key.  Thus everything falls under the trust
anchor.  And the tables are not useful in that case.
* CD=1 in general makes debugging DNSSEC easier.  This for the question
'help or hinder DNSSEC deployment'.
* intelligence at the end points.  CD=1 makes sure that the end point is
doin' the do, and I think we ought to promote that principle.
* Seems that the current implementations all set CD=1, but I could be
mistaken.
* If you want to improve current implementations, 'CD=1 cache MAY be
validated in order to attempt to not cache nonvalidatable data', so
using its trust anchors simply to attempt to flush bogus data out of the
cache (but not refusing to serve contents).
* The only case I can think of that has 'cooperating validators with
different trust anchors' in today's dnssec deployment is a firm that has
a local DNS zone signed, and also uses an upstream ISP cache.  But it
would be trivial to add the public internet trust anchor to the firm's
validators?

Therefore I think the always-set is simpler.  I think these tables are
not appropriate in dnssec-bis-updates.

Best regards,
   Wouter

On 07/12/2010 06:59 AM, Michael Graff wrote:
> On 7/9/10 9:21 AM, Andrew Su
>> Please offer your thoughts on these models and state which of them you
>> think should be in the draft as the way to handle the CD bit.  We will
>> devote some time in the Monday Maastricht session to this issue.  We
>> want to bring it to a close at that meeting.
> 
> I may make some sense to list the behaviors of the common resolvers, and
> define what problems we're trying to fix by selectively setting the CD=1
> flag.  There was mention that there was lack of agreement, but no
> reasons (pros, cons) for the various choices really.
> 
> Please also note that you might not know that you have a covering TA for
> the name in question in all cases, specifically DLV or when learning
> about the existence of DNSSEC does not start from the parent and move
> into the child, but moves the other way.  Which some resolvers implement.
> 
> Also, just because a query did not have CD set, it does not mean the
> next one won't, and I believe it's against the RFCs to query for RRSIG
> or NXT records.  This would mean more queries, and to be safe, probably
> two caches in the resolver, one for CD=1 and one for CD=0.
> 
> 
> --Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkw66tEACgkQkDLqNwOhpPjU2ACgpIqrfC0isYDpifB129MNak/7
rQkAn1opEjylLQhzK+ofL1E3F6lOq7cx
=jhgI
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email