Re: [DNSOP] Validating responses when following unsigned CNAME chains...

Mark Andrews <marka@isc.org> Wed, 29 April 2020 23:27 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1656F3A0A01 for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 16:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KC2PdueJIepT for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 16:27:42 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCEC13A09FC for <dnsop@ietf.org>; Wed, 29 Apr 2020 16:27:38 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BD4273AB002; Wed, 29 Apr 2020 23:27:36 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id AFBE7160052; Wed, 29 Apr 2020 23:27:36 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9FEA6160077; Wed, 29 Apr 2020 23:27:36 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id P_xV7294Sund; Wed, 29 Apr 2020 23:27:36 +0000 (UTC)
Received: from [172.30.42.69] (unknown [49.2.228.79]) by zmx1.isc.org (Postfix) with ESMTPSA id 0C4A5160052; Wed, 29 Apr 2020 23:27:35 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <1EA6A13C-6E60-4ED9-9A50-E33D9D17504C@fugue.com>
Date: Thu, 30 Apr 2020 09:27:32 +1000
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C2F884B-1A96-41BB-A11E-A652DF3091D1@isc.org>
References: <1EA6A13C-6E60-4ED9-9A50-E33D9D17504C@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2q2zRY-pWRYgnWKrpuCwQZMPvCE>
Subject: Re: [DNSOP] Validating responses when following unsigned CNAME chains...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 23:27:44 -0000


> On 30 Apr 2020, at 07:50, Ted Lemon <mellon@fugue.com> wrote:
> 
> Is there an RFC or draft that talks about what the right thing is to do when an unsigned CNAME points to a record in a signed zone?
> 
> That is, suppose we are doing validation. The CNAME doesn’t validate, because it’s not signed. When we look up the record the CNAME points to, do we set the DO bit? Do we validate the answer? Or do we assume that because the CNAME isn’t signed, we don’t need to validate what it points to?
> 
> I think the answer is that we validate, but I’m curious to know what others think of this.

Ted you need to be more precise.  The CNAME validates as insecure.  The output of the validation
process is “provably secure”, “provably insecure”, “bogus”, or “indeterminate” (e.g. because you
can’t get intermediate records in the chain and which you should treat as bogus).  Named combines
the last two as a bogus.  It doesn’t try to distinguish the failure modes.  SERVFAIL will be returned
in either case.

provably insecure:  proved no DS records at a delegation at or above the name, proved that there are only
	unsupported algorithms in the DS RRset at a delegation at or above the name, not under a trust-anchor.

You always validate everything that is under a trust anchor.

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org