Re: Question about TSIG, AD/AA, and AXFR

Edward Lewis <lewis@tislabs.com> Tue, 17 July 2001 21:16 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Edward Lewis <lewis@tislabs.com>
To: Jakob Schlyter <jakob@crt.se>
Cc: Edward Lewis <lewis@tislabs.com>, namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <E15MaoL-00041z-00@psg.com>
References: <v0313030eb779efd43e81@[208.58.212.166]>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15MbdO-0005nK-00@psg.com>
Date: Tue, 17 Jul 2001 13:39:58 -0700

At 3:47 PM -0400 7/17/01, Jakob Schlyter wrote:
>authoritative. I believe this is wrong - data shouldn't be checked on load,
>it should be checked on query.

What are the chances that this will happen, I mean software development
wise?  It does make more sense to check on query for two reasons - the SIG
validity is more timely and the need to get other data (the key chain)
shouldn't slow the loading process.

>I think the AA-bit could be trustworthy for very simple resolvers that,
>for some reason, do trust their local resolver.

I don't think this is as much of a "special case" as you make it seem.

  -------------------------------- (network A)
    |             |
  Host         NS/FW
                 |
             --------------------- (network B, ie, the Internet)


Assuming NS/FW is recursive only for hosts on A, uses TSIG (possibly the
criteria for recursion), but answers authoritatively for domains on both A
and B:

Host should "trust" answers that pass the TSIG test and have either AA or
AD.  Answers with TSIG and neither ought to be used as "as best as can be
gotten, but obviously unreliable."  I think a good question is what is the
interaction of the "gimme DNSSEC records" bit, the AA bit, and validity
period checking.  If the authoritative server does not check the validity
period, and the SIGs aren't sent, then the stub might accept temporally
invalid data.

I think I (or someone) needs to document the cases in a more formal way to
make sure we're on the same page.  Too late for an I-D, but perhaps
something will be distributed on dnssec@cafax.se in the next few weeks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
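The trust rule sketched in the message (TSIG passes and AA or AD is set: usable; TSIG passes but neither flag: best effort; TSIG fails: drop) and the worry about temporally invalid data can be written down as a small stub-resolver decision function. The code below is an added example, not anything from the thread or from any DNS implementation; the `make_answer`, `classify` and `SigWindow` names are invented, and the HMAC over the message bytes is a constructed stand-in for real TSIG (it does not follow the TSIG wire format). The one thing it adds beyond the message is that when SIG records are present the stub checks their validity window itself, which is exactly the check the message notes a stub cannot perform when the SIGs are not sent.

```python
"""Stub-resolver answer classification (constructed example).

Verdicts:
  "trusted"     TSIG verified and AA or AD set (and any SIGs are current)
  "unreliable"  TSIG verified, but neither AA nor AD: best effort only
  "reject"      TSIG failed, or SIGs present but outside their validity window
"""
from dataclasses import dataclass, field
from typing import List, Tuple
import hashlib
import hmac


@dataclass
class SigWindow:
    """Validity window of one SIG record, as UNIX seconds (constructed)."""
    inception: int
    expiration: int


@dataclass
class Answer:
    wire: bytes                  # stand-in for the signed response bytes
    mac: bytes                   # MAC as carried in the (simplified) TSIG RR
    aa: bool                     # Authoritative Answer flag
    ad: bool                     # Authenticated Data flag
    sigs: List[SigWindow] = field(default_factory=list)


def _mac(wire: bytes, key: bytes) -> bytes:
    # Simplified stand-in for the TSIG MAC: HMAC over the message bytes only.
    return hmac.new(key, wire, hashlib.sha256).digest()


def make_answer(wire: bytes, key: bytes, aa: bool, ad: bool,
                sigs: Tuple[SigWindow, ...] = ()) -> Answer:
    """Build a constructed answer as the NS/FW on network A would sign it."""
    return Answer(wire=wire, mac=_mac(wire, key), aa=aa, ad=ad, sigs=list(sigs))


def tsig_ok(answer: Answer, key: bytes) -> bool:
    """Constant-time comparison so MAC mismatches cannot be timed."""
    return hmac.compare_digest(_mac(answer.wire, key), answer.mac)


def sigs_current(answer: Answer, now: int) -> bool:
    """True when every SIG carried in the answer is within its window."""
    return all(s.inception <= now <= s.expiration for s in answer.sigs)


def classify(answer: Answer, key: bytes, now: int) -> str:
    """Apply the host's trust rule to one answer from its NS/FW."""
    if not tsig_ok(answer, key):
        return "reject"            # not from our NS/FW (or tampered): discard
    if answer.sigs and not sigs_current(answer, now):
        return "reject"            # AA/AD do not excuse an expired SIG
    if answer.aa or answer.ad:
        return "trusted"
    return "unreliable"            # cached or forwarded, unvalidated data


if __name__ == "__main__":
    key = b"constructed-shared-key"
    now = 1000
    rr = b"www.example. IN A 192.0.2.1"        # constructed record
    print(classify(make_answer(rr, key, aa=True, ad=False), key, now))
    print(classify(make_answer(rr, key, aa=False, ad=False), key, now))
    print(classify(make_answer(rr, b"wrong-key", aa=True, ad=True), key, now))
    stale = (SigWindow(inception=0, expiration=500),)
    print(classify(make_answer(rr, key, aa=False, ad=True, sigs=stale), key, now))
```

Note that an answer with AD set but no SIGs is classed "trusted" here, which is precisely the gap the message points at: the stub has nothing to check the validity period against and must rely on the server having done so.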
