IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 09 July 2013 01:40 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E107921F8651 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2013 18:40:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.84
X-Spam-Level:
X-Spam-Status: No, score=-0.84 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zRGO48H20Oyz for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2013 18:40:03 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 221F121F9A38 for <dnsop@ietf.org>; Mon, 8 Jul 2013 18:40:02 -0700 (PDT)
Received: from mx1.yitter.info (c-75-69-155-67.hsd1.nh.comcast.net [75.69.155.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 8A5698A031 for <dnsop@ietf.org>; Tue, 9 Jul 2013 01:40:00 +0000 (UTC)
Date: Mon, 08 Jul 2013 21:39:58 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20130709013958.GD20597@mx1.yitter.info>
References: <33496ED6-4D88-485B-8369-566B2A1FC7C0@frobbit.se> <CE0080AE.B7C0%bdickson@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CE0080AE.B7C0%bdickson@verisign.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2013 01:40:09 -0000

On Mon, Jul 08, 2013 at 06:49:53PM +0000, Dickson, Brian wrote:
> 
> Thoughts?

My immediate thought is, "What problem is this trying to solve?"

In the DNSSSEC case, the problem is that you're trying not to break
the chain of trust, and you need a mechanism that is cryptographically
securable to make the communication.  This is made harder in some
sense by the fact that the DS and DNSKEY RRsets are authoritative on
different sides of the zone cut.

In the NS case, because the child side RRset is the really
authoritative one, that's the one that generally gets cached.  Since
both sides of the cut have the same RRTYPE, and since only one of the
RRsets can be cached, you end up with only one such set and it's the
one that gets used.

It's it possible to bollocks this so that resolution fails?  Yes.  But
that's not a result of disagreement between two different RRsets, so
in this case having the additional communication path (especially
inside the DNS) is less necessary.

Best,

A
-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email