Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Michael StJohns <mstjohns@comcast.net> Mon, 13 October 2008 16:21 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 23F2928C164; Mon, 13 Oct 2008 09:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.184
X-Spam-Level:
X-Spam-Status: No, score=-1.184 tagged_above=-999 required=5 tests=[AWL=-0.747, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DX2h7U-dluOS; Mon, 13 Oct 2008 09:21:21 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C08D328C17F; Mon, 13 Oct 2008 09:21:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KpQ4X-000MBk-NG for namedroppers-data@psg.com; Mon, 13 Oct 2008 16:15:05 +0000
Received: from [76.96.62.64] (helo=QMTA07.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <mstjohns@comcast.net>) id 1KpQ4F-000M7V-UN for namedroppers@ops.ietf.org; Mon, 13 Oct 2008 16:14:54 +0000
Received: from OMTA06.westchester.pa.mail.comcast.net ([76.96.62.51]) by QMTA07.westchester.pa.mail.comcast.net with comcast id SFWy1a00416LCl057GEmmz; Mon, 13 Oct 2008 16:14:46 +0000
Received: from MIKES-LAPTOM.comcast.net ([69.140.151.110]) by OMTA06.westchester.pa.mail.comcast.net with comcast id SGEm1a0042P9w053SGEmmD; Mon, 13 Oct 2008 16:14:46 +0000
X-Authority-Analysis: v=1.0 c=1 a=dmE0DmLRt_UA:10 a=-5nm-dUE1uIA:10 a=hqaSkvWfAAAA:8 a=OzSqGtDSAAAA:8 a=-90TJPE8zmM4IHy4HNsA:9 a=Q_SJ-4H7ap5jBwhSmQsA:7 a=Z59Ha5NdSBBGVJcUQHBUBl6G-6wA:4 a=Ly75NXeMEyIA:10 a=B-GU5LaGV7AA:10 a=h9s5Ru71U4oA:10
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 13 Oct 2008 12:14:46 -0400
To: Ben Laurie <ben@links.org>
From: Michael StJohns <mstjohns@comcast.net>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, namedroppers@ops.ietf.org
In-Reply-To: <48F33BDF.6020304@links.org>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com> <a06240800c50fd3decd5b@[192.168.1.101]> <48F2DE42.1060209@links.org> <20081013113946.D7DAA33C1E@mail.links.org> <48F33BDF.6020304@links.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Message-Id: <E1KpQ4X-000MBk-NG@psg.com>
At 08:15 AM 10/13/2008, Ben Laurie wrote: >Michael StJohns wrote: >>> missing keys, etc. 5. Insecure transition from secure - I've got >> valid signatures as far as a CNAME or DNAME, but the CNAME or DNAME >> point into an area of the tree with Unknown trust. > >I don't quite see the point of state 5 - why treat that differently from >1? (Oh, I do now, having read below more carefully) > >But you do have a point. Yup. More on this in my response to Ed's note which follows. >> Those three DNS states matrix (somewhat) with the 5 security states >> to actually give you 15 distinct intersections - but a number of >> those substates collapse into each other. (E.g., secure/exist, >> secure/non-exist, bogus/exist, bogus/non-exist, any/indeterminate, >> unsecure/any, unknown/any). You might also consider that DNSSEC >> extends the original 3 dns resolution states to 4 by adding a "data >> determinate/dnssec indeterminate" - but those may collapse mostly >> into the bogus entries. > >We should actually figure out what all the distinct states are, rather >than handwave. That's really all I'm saying. If we want DNSSEC to be useful at the application level we need to do something like this. >> I'm not trying to be difficult here - but considering each of these >> intersections and figuring out what to do for each application seems >> to be a reasonable approach. >> >> Taking specifically email MTA-MTA interactions. It seems to me that >> you'd treat (secure | unsecure | indeterminate)/exist as states where >> you'd allow the MTA to connect and deliver, that you'd treat >> bogus/any as a reportable security error condition and not deliver (- >> but would you retry?), that you'd treat any/indeterminate as a retry >> error condition (e.g. temporary failure), and that you'd treat >> secure/non-exist as a permanent mail delivery failure. What would >> you do with unknown/non-exist - would you treat as a permanent >> failure or retry after a long or short interval? > >As with many security decisions, this would depend on requirements. I >can imagine running an MTA in an environment that only wants to trust >DNSSEC (or in a mythical future where everything is IPv6, sorry, I mean >DNSSEC), and so configuring this to "retry but eventually fail" in the >usual way. > >For most people transitioning to DNSSEC, then I'd treat this as a >permanent failure. Right. That's probably a reasonable approach... now to get it standardized... :-) >> >> Going back to the DNAME/CNAME stuff - DNSSEC provides a mechanism to >> indicate to a resolver securely that a chain of trust is being turned >> off (is ending securely?) (secure delegation to an unsecure zone). >> CNAME and DNAME do not have any way of indicating the expected >> security state of the zone to which they point. It seems to me that >> an application might actually care about this when trying to figure >> out what to do. Let's pretend for a moment that DNAME has a way of >> indicating its target status as one of either - must be secure, or >> don't care. If the must be secure bit is set and the target can't be >> validated (either as secure or as delegated to unsecure), then the >> answer for the whole chain is bogus. If the bit isn't set, then >> security resolution for the target restarts with the target - e.g. if >> the target is under a trust anchor then it must validate or the chain >> is bogus. Obviously, this bit doesn't exist - should it? > >Interesting question. Perhaps it should. > >> And finishing up with MTA-MTA - if I use the current model and have a >> lookup chain to a DNAME that validates, but that the target of the >> DNAME isn't under a trust anchor - should I deliver the mail? If so, >> why? If not, why? >> >> What do I do if the MX look up is secure, but the A lookup is >> unsecure or unknown? Vice versa? >> >> What markings if any should go on an email (header notation) to >> indicate a forwarding routing was based on data with an "unsecure" or >> "unknown" trust state? or if the MX was secure and the A wasn't or >> vice versa? > >Routing headers aren't very rigidly defined now, so this seems orthogonal. Each hop in email routing adds a Received-From line. Would it make sense to tag that line in some manner or to add a different element related to DNSSEC? Not saying that we should or not - but that the discussion is part of DNSSEC plus MTA-MTA handling standardization. Mike >> Should a downstream receiver do anything special for messages marked >> as above? Would this ever be a reasonable filtering criteria? >> >> >> >>> The question is: what should applications do for state 3? My answer >>> would be to treat it like state 4, I think, but there's room for >>> debate. >>> >>> Cheers, >>> >>> Ben. >>> >>> -- http://www.apache-ssl.org/ben.html >>> http://www.links.org/ >>> >>> "There is no limit to what a man can do or how far he can go if he >>> doesn't mind who gets the credit." - Robert Woodruff >> >> >> > > >-- >http://www.apache-ssl.org/ben.html http://www.links.org/ > >"There is no limit to what a man can do or how far he can go if he >doesn't mind who gets the credit." - Robert Woodruff -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Reminder: two WGLC closing in one week Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Scott Rose
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Edward Lewis
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Remind… Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Re… Edward Lewis
- [dnsext] recommeded contents for Re: DNAME (and C… Edward Lewis
- [dnsext] flip-flopping secure and unsecure DNAME/… Edward Lewis
- Re: [dnsext] recommeded contents for Re: DNAME (a… Scott Rose
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… John Dickinson
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Olafur Gudmundsson
- Re: [dnsext] flip-flopping secure and unsecure DN… Edward Lewis
- the DO bit Re: [dnsext] Reminder: two WGLC closin… Edward Lewis
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… bmanning
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… David Conrad
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Wouter Wijngaards
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- CNAME/DNAME - Re: [dnsext] flip-flopping secure a… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Shane Kerr
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Interpreting DNSSEC was Re: [dnsext] flip-floppin… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Wouter Wijngaards
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Stephane Bortzmeyer
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis