Re: [dnsext] caches, validating resolvers, CD and DO
Jelte Jansen <jelte@isc.org> Wed, 30 March 2011 11:59 UTC
Return-Path: <jelte@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EBD428C126 for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 04:59:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPM9imgfL2eE for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 04:59:49 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id E36F828C12F for <dnsext@ietf.org>; Wed, 30 Mar 2011 04:59:48 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 5981A5F9891; Wed, 30 Mar 2011 12:01:13 +0000 (UTC) (envelope-from jelte@isc.org)
Received: from [IPv6:2001:df8:0:16:222:43ff:fe24:8028] (unknown [IPv6:2001:df8:0:16:222:43ff:fe24:8028]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 2B923216C33; Wed, 30 Mar 2011 12:01:09 +0000 (UTC) (envelope-from jelte@isc.org)
Message-ID: <4D931B80.2040407@isc.org>
Date: Wed, 30 Mar 2011 14:01:04 +0200
From: Jelte Jansen <jelte@isc.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
MIME-Version: 1.0
To: Paul Vixie <vixie@isc.org>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <46219.1301468571@nsa.vix.com>
In-Reply-To: <46219.1301468571@nsa.vix.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 11:59:50 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > the wire change i would like is wholly different. since clients should > not need to add caches when they add validation, i'd like the chain of > rrsig and dnskey to be sent from the recursive server to the stub, > everything it takes to validate the answer. to do this, a new EDNS > option would allow the client to express its closest trust point. so if > the client already knows (in a current-transaction cache that is not > shared with other applications or transactions on the client host) it > has a valid dnskey for google.com and it's asking for www.google.com > then the only RRSIGs or DS/DNSKEY's it needs are for www.google.com > and www.l.google.com. > Note that this makes the assumption that that is actually the trust point that has a validatable chain, and not a failing one while there is a higher trust point that would lead to succesful validation (yes yes, this may or may not be good or bad or local policy or whatever, cue discussion for multiple chains where some fail). > again, if we're going to change the servers by adding support for some > new wire element, let's just make the server do the right kind of failure > avoidance. and if we're going to add a new wire element let's have it be > one that lets cacheless stub validation work. i would also like to see something like this, btw. Jelte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2TG4AACgkQ4nZCKsdOncUpvACcCshacCAQx+GnU/+NXAnRUL/n hbkAn34dNBZuvqHubIIhKlcS9WtASj21 =jnsf -----END PGP SIGNATURE-----
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- [dnsext] caches, validating resolvers, CD and DO Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Michael Richardson
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Tony Finch
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Jelte Jansen
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Edward Lewis
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Derek Atkins
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… bmanning