Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Michael StJohns <mstjohns@comcast.net> Wed, 24 September 2008 22:11 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 513CB3A6BCB; Wed, 24 Sep 2008 15:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.205
X-Spam-Level:
X-Spam-Status: No, score=-0.205 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99I6hxoU3G+V; Wed, 24 Sep 2008 15:11:42 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 49CF13A6BD9; Wed, 24 Sep 2008 15:11:42 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KicTm-000ANO-PO for namedroppers-data@psg.com; Wed, 24 Sep 2008 22:05:02 +0000
Received: from [76.96.62.24] (helo=QMTA02.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <mstjohns@comcast.net>) id 1KicTg-000AMM-85 for namedroppers@ops.ietf.org; Wed, 24 Sep 2008 22:04:59 +0000
Received: from OMTA12.westchester.pa.mail.comcast.net ([76.96.62.44]) by QMTA02.westchester.pa.mail.comcast.net with comcast id Jkv51a0040xGWP852m4eGk; Wed, 24 Sep 2008 22:04:38 +0000
Received: from MIKES-LAPTOM.comcast.net ([69.140.151.110]) by OMTA12.westchester.pa.mail.comcast.net with comcast id Jm4s1a00L2P9w053Ym4saE; Wed, 24 Sep 2008 22:04:53 +0000
X-Authority-Analysis: v=1.0 c=1 a=dmE0DmLRt_UA:10 a=-5nm-dUE1uIA:10 a=A1X0JdhQAAAA:8 a=yHGabWYmAAAA:8 a=iFNjgg71AAAA:8 a=48vgC7mUAAAA:8 a=QexsbqdH6aALbwBd0EoA:9 a=hqqWUq2qlh65pwhW-EgA:7 a=teZvx7pFmya8a1b-kLsIeBsVOtYA:4 a=9k6G2--EmesA:10 a=a9rVEY26BewA:10 a=g-J4WiLAdV0A:10 a=f3vTY2RCmVgA:10
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 24 Sep 2008 18:04:52 -0400
To: Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org
From: Michael StJohns <mstjohns@comcast.net>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: ed.lewis@neustar.biz
In-Reply-To: <a06240804c4ffc42abc16@[10.122.105.108]>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Message-Id: <E1KicTm-000ANO-PO@psg.com>
If "intermediate validation to protect legacy stub resolvers" were deprecated, I'd agree with you. (can we please huh huh can we deprecate it????) Since we're still touting the utility of having an intermediate make a decision about what it wants to send to a stub based on the intermediate's understanding of security, we need to pick a consistent understanding of that security. (In other words, the application we're concerned with here is the stub side server of the validating resolver). Mike ps - anyone want to take a whack at documenting how various applications should handle various DNSSEC outcomes? The ones I can think of off the top of my head that should be done are: SMTP (both submitter to MTA and MTA to MTA), HTTP (what the browser does *before* the user gets involved - pretty sure just exposing the DNSSEC resolution state isn't the best answer), SSH, peer-to-peer. At 06:21 AM 9/24/2008, Edward Lewis wrote: >At 21:24 -0400 9/22/08, Michael StJohns wrote: > >>Original query is: "www.somewhere.example.com A" and we have a trust anchor for somewhere.example.com >>At somewhere.example.com is a DNAME into unsecure.com which is not signed or for which we have no trust anchor. >>At www.unsecure.com is a CNAME pointing at www.otherexample.com >>We have a trust anchor for otherexample.com and the zone contents will verify. >>At www.otherexample.com is a A record - the answer to our original query. >> >>It turns out the original data at www.unsecure.com was an A record... a hacker got in and changed it. >> >>Does the result parse out as verified? Should it? > >This isn't a problem for the DNS, it's a problem for the application. > >DNSSEC will allow the querier to know that it got some records and they are verified, it will also know that it got other records for which there is no ancillary protection information. DNSSEC will not permit "protected" records to be spoofed (within the bounds of what it can do). > >So far as whether the "final answer" is right, that's an issue for applications. The application would have to make the judgement whether it would accept the "chain" of DNAMEs and CNAMEs - or judge what the semantics of the proofs are. > >Perhaps a discussion of this belongs in the Security Considerations of DNSSEC bis. >-- >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >Edward Lewis +1-571-434-5468 >NeuStar > >Never confuse activity with progress. Activity pays more. > >-- >to unsubscribe send a message to namedroppers-request@ops.ietf.org with >the word 'unsubscribe' in a single line as the message text body. >archive: <http://ops.ietf.org/lists/namedroppers/> -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Reminder: two WGLC closing in one week Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Scott Rose
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Edward Lewis
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Remind… Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Re… Edward Lewis
- [dnsext] recommeded contents for Re: DNAME (and C… Edward Lewis
- [dnsext] flip-flopping secure and unsecure DNAME/… Edward Lewis
- Re: [dnsext] recommeded contents for Re: DNAME (a… Scott Rose
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… John Dickinson
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Olafur Gudmundsson
- Re: [dnsext] flip-flopping secure and unsecure DN… Edward Lewis
- the DO bit Re: [dnsext] Reminder: two WGLC closin… Edward Lewis
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… bmanning
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… David Conrad
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Wouter Wijngaards
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- CNAME/DNAME - Re: [dnsext] flip-flopping secure a… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Shane Kerr
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Interpreting DNSSEC was Re: [dnsext] flip-floppin… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Wouter Wijngaards
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Stephane Bortzmeyer
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis