Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

"Roy Arends" <roy@nominet.org.uk> Fri, 25 July 2008 23:18 UTC

In-Reply-To: <20080725221002.GK29775@commandprompt.com>
References: <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <20080725193101.GB8193@outpost.ds9a.nl> <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info> <20080725221002.GK29775@commandprompt.com>
To: namedroppers@ops.ietf.org
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
MIME-Version: 1.0
Message-ID: <OFF4F9438A.D83AC9AB-ON80257491.007DB303-C1257491.007FA301@nominet.org.uk>
From: Roy Arends <roy@nominet.org.uk>
Date: Sat, 26 Jul 2008 01:14:08 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

When a validator has a trust anchor configured for root, it _expects_ 
signatures for root. 

No signatures -> no validation -> data marked bogus -> client/stub gets 
servfail (*).

When a validator has a trust anchor configured for root, it expects 
signatures for root and _everything_ below until it hits a proof of 
absence of DS. This proof is given by NSEC/NSEC3 records and their 
signatures.

If something mucks about in the middle, either removing a sig or fondling 
the data even one single teeny bit, ->

failed validation -> data marked bogus -> client/stub gets a servfail (*).

DNSSEC is perfect that way, in Bert's terms.

Roy Arends
Nominet UK

(*) The client/stub has the option to query the validating resolver with 
the CD bit set, in which case the resolver may return bad/bogus data.
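
Added example (not part of Roy's post or any resolver's code): a toy Python model of the chain he describes, from a root trust anchor down through DS records to either a signed answer or a signed NSEC proof that a child has no DS. The "signatures" are HMACs and the "DS" is a SHA-256 of the child key, which stand in for real RRSIG/DS crypto; the zone names, keys and addresses are constructed for the demo. It shows the three outcomes: secure, insecure (validation stops at the proof of absence), and bogus (missing sig, one flipped bit, or a missing proof), and that bogus turns into SERVFAIL unless the client set CD.

```python
import hashlib
import hmac

# Toy model, not real DNSSEC crypto: a zone "key" is a secret byte string,
# an "RRSIG" is an HMAC over the RRset with that key, and the parent's DS is
# SHA-256 of the child key. All names, keys and rdata below are constructed.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def rrsig(key, owner, rtype, rdata):
    """Toy RRSIG: HMAC over the canonical RRset (stands in for RSA/ECDSA)."""
    msg = owner.encode() + b"\0" + rtype.encode() + b"\0" + rdata
    return hmac.new(key, msg, hashlib.sha256).digest()


def ds_digest(key):
    """Toy DS: digest of the child's key, published and signed by the parent."""
    return hashlib.sha256(key).digest()


class Zone:
    def __init__(self, name, key=None):
        self.name, self.key = name, key       # key=None means an unsigned zone
        self.rrsets, self.rrsigs = {}, {}     # (owner, type) -> rdata / signature

    def add(self, owner, rtype, rdata):
        self.rrsets[(owner, rtype)] = rdata
        if self.key is not None:              # a signed zone signs every RRset
            self.rrsigs[(owner, rtype)] = rrsig(self.key, owner, rtype, rdata)

    def delegate(self, child):
        """Signed child gets a DS; unsigned child gets a signed NSEC whose type
        bitmap lacks DS, i.e. the proof of absence of DS."""
        if child.key is not None:
            self.add(child.name, "DS", ds_digest(child.key))
        else:
            self.add(child.name, "NSEC", b"NS RRSIG NSEC")


def verify_rrset(zone, key, owner, rtype):
    """Return the rdata only if a signature exists and verifies under key."""
    rdata, sig = zone.rrsets.get((owner, rtype)), zone.rrsigs.get((owner, rtype))
    if rdata is None or sig is None:
        return None
    return rdata if hmac.compare_digest(sig, rrsig(key, owner, rtype, rdata)) else None


def zone_path(qname, zones):
    """Zones from the root down to the one holding qname."""
    labels = qname.rstrip(".").split(".")
    names = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [zones[n] for n in names if n in zones]


def validate(qname, qtype, zones, trust_anchor):
    path = zone_path(qname, zones)
    root = path[0]
    if root.key is None or ds_digest(root.key) != trust_anchor:
        return BOGUS                          # anchor configured, root not signed by it
    key = root.key
    for parent, child in zip(path, path[1:]):
        ds = verify_rrset(parent, key, child.name, "DS")
        if ds is not None:
            if child.key is None or ds_digest(child.key) != ds:
                return BOGUS                  # DS says "signed" but child can't prove it
            key = child.key
            continue
        nsec = verify_rrset(parent, key, child.name, "NSEC")
        if nsec is not None and b"DS" not in nsec.split():
            return INSECURE                   # signed proof of no DS: validation stops
        return BOGUS                          # neither a DS nor a signed proof of absence
    return SECURE if verify_rrset(path[-1], key, qname, qtype) is not None else BOGUS


def resolve(qname, qtype, zones, trust_anchor, cd=False):
    """What the stub sees from the validating resolver: (rcode, rdata, state)."""
    leaf = zone_path(qname, zones)[-1]
    rdata = leaf.rrsets.get((qname, qtype))
    state = validate(qname, qtype, zones, trust_anchor)
    if state == BOGUS and not cd:
        return ("SERVFAIL", None, state)      # bogus data is withheld ...
    return ("NOERROR", rdata, state)          # ... unless the client set CD


def build_zones():
    """Constructed tree: root, uk. and nominet.uk. signed; example.uk. unsigned."""
    root, uk = Zone(".", key=b"root-key"), Zone("uk.", key=b"uk-key")
    nominet, example = Zone("nominet.uk.", key=b"nominet-key"), Zone("example.uk.")
    nominet.add("www.nominet.uk.", "A", b"192.0.2.10")
    example.add("www.example.uk.", "A", b"192.0.2.1")
    uk.delegate(nominet)
    uk.delegate(example)
    root.delegate(uk)
    zones = {z.name: z for z in (root, uk, nominet, example)}
    return zones, ds_digest(root.key)         # the trust anchor for "."


def flip_one_bit(zone, owner, rtype):
    """Something in the middle fondling the data: one bit, signature untouched."""
    data = bytearray(zone.rrsets[(owner, rtype)])
    data[0] ^= 0x01
    zone.rrsets[(owner, rtype)] = bytes(data)
```

Usage: `zones, ta = build_zones()` then `resolve("www.nominet.uk.", "A", zones, ta)` is secure, `resolve("www.example.uk.", "A", zones, ta)` is insecure but still answered, and after `flip_one_bit(zones["nominet.uk."], "www.nominet.uk.", "A")` the same query gets SERVFAIL unless `cd=True`, in which case the altered rdata comes back marked bogus. Deleting the NSEC for `example.uk.` from the `uk.` zone turns that previously insecure answer into SERVFAIL too, which is the "everything below until a proof of absence" point.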

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>