IETF Logo Mail Archive

Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Michael StJohns <mstjohns@comcast.net> Wed, 24 September 2008 22:11 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 513CB3A6BCB; Wed, 24 Sep 2008 15:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.205
X-Spam-Level:
X-Spam-Status: No, score=-0.205 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99I6hxoU3G+V; Wed, 24 Sep 2008 15:11:42 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 49CF13A6BD9; Wed, 24 Sep 2008 15:11:42 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KicTm-000ANO-PO for namedroppers-data@psg.com; Wed, 24 Sep 2008 22:05:02 +0000
Received: from [76.96.62.24] (helo=QMTA02.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <mstjohns@comcast.net>) id 1KicTg-000AMM-85 for namedroppers@ops.ietf.org; Wed, 24 Sep 2008 22:04:59 +0000
Received: from OMTA12.westchester.pa.mail.comcast.net ([76.96.62.44]) by QMTA02.westchester.pa.mail.comcast.net with comcast id Jkv51a0040xGWP852m4eGk; Wed, 24 Sep 2008 22:04:38 +0000
Received: from MIKES-LAPTOM.comcast.net ([69.140.151.110]) by OMTA12.westchester.pa.mail.comcast.net with comcast id Jm4s1a00L2P9w053Ym4saE; Wed, 24 Sep 2008 22:04:53 +0000
X-Authority-Analysis: v=1.0 c=1 a=dmE0DmLRt_UA:10 a=-5nm-dUE1uIA:10 a=A1X0JdhQAAAA:8 a=yHGabWYmAAAA:8 a=iFNjgg71AAAA:8 a=48vgC7mUAAAA:8 a=QexsbqdH6aALbwBd0EoA:9 a=hqqWUq2qlh65pwhW-EgA:7 a=teZvx7pFmya8a1b-kLsIeBsVOtYA:4 a=9k6G2--EmesA:10 a=a9rVEY26BewA:10 a=g-J4WiLAdV0A:10 a=f3vTY2RCmVgA:10
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 24 Sep 2008 18:04:52 -0400
To: Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org
From: Michael StJohns <mstjohns@comcast.net>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: ed.lewis@neustar.biz
In-Reply-To: <a06240804c4ffc42abc16@[10.122.105.108]>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Message-Id: <E1KicTm-000ANO-PO@psg.com>

If "intermediate validation to protect legacy stub resolvers" were deprecated, I'd agree with you.  (can we please huh huh can we deprecate it????) 

Since we're still touting the utility of having an intermediate make a decision about what it wants to send to a stub based on the intermediate's understanding of security, we need to pick a consistent understanding of that security.  (In other words, the application we're concerned with here is the stub side server of the validating resolver).

Mike

ps - anyone want to take a whack at documenting how various applications should handle various DNSSEC outcomes?  The ones I can think of off the top of my head that should be done are: SMTP (both submitter to MTA and MTA to MTA), HTTP (what the browser does *before* the user gets involved - pretty sure just exposing the DNSSEC resolution state isn't the best answer), SSH,  peer-to-peer.

At 06:21 AM 9/24/2008, Edward Lewis wrote:
>At 21:24 -0400 9/22/08, Michael StJohns wrote:
>
>>Original query is:  "www.somewhere.example.com A" and we have a trust anchor for somewhere.example.com
>>At somewhere.example.com is a DNAME into unsecure.com which is not signed or for which we have no trust anchor.
>>At www.unsecure.com is a CNAME pointing at www.otherexample.com
>>We have a trust anchor for otherexample.com and the zone contents will verify.
>>At www.otherexample.com is a A record - the answer to our original query.
>>
>>It turns out the original data at www.unsecure.com was an A record... a hacker got in and changed it.
>>
>>Does the result parse out as verified?  Should it?
>
>This isn't a problem for the DNS, it's a problem for the application.
>
>DNSSEC will allow the querier to know that it got some records and they are verified, it will also know that it got other records for which there is no ancillary protection information.  DNSSEC will not permit "protected" records to be spoofed (within the bounds of what it can do).
>
>So far as whether the "final answer" is right, that's an issue for applications.  The application would have to make the judgement whether it would accept the "chain" of DNAMEs and CNAMEs - or judge what the semantics of the proofs are.
>
>Perhaps a discussion of this belongs in the Security Considerations of DNSSEC bis.
>-- 
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>Edward Lewis                                                +1-571-434-5468
>NeuStar
>
>Never confuse activity with progress.  Activity pays more.
>
>--
>to unsubscribe send a message to namedroppers-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive: <http://ops.ietf.org/lists/namedroppers/>



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email