IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-rfc6598-rfc6303-01

Mark Andrews <marka@isc.org> Thu, 21 August 2014 00:52 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A11A71A001B for <dnsop@ietfa.amsl.com>; Wed, 20 Aug 2014 17:52:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.548
X-Spam-Level:
X-Spam-Status: No, score=-1.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G01RrZg3UfxC for <dnsop@ietfa.amsl.com>; Wed, 20 Aug 2014 17:52:51 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C10331A000F for <dnsop@ietf.org>; Wed, 20 Aug 2014 17:52:51 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id B4D803493C5; Thu, 21 Aug 2014 00:52:50 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 2083216006C; Thu, 21 Aug 2014 01:04:09 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id DD11E16006B; Thu, 21 Aug 2014 01:04:08 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id E3C7D1D1B8C8; Thu, 21 Aug 2014 10:52:46 +1000 (EST)
From: Mark Andrews <marka@isc.org>
References: <20140814001610.3124D1CC688D@rock.dv.isc.org> <86AC48C0-4DFF-4286-A9B1-2A6BE3D14BDC@hopcount.ca> <20140814160453.1C7931CCE03D@rock.dv.isc.org> <7EA38D42-3915-403E-AFE3-C0A8E4A391BF@hopcount.ca> <Prayer.1.3.5.1408201750020.12368@hermes-1.csi.cam.ac.uk> <19AE3CB3-B108-42CB-BAE2-A2F1FBB55EF4@hopcount.ca> <20140820214845.70AEA1D1A20E@rock.dv.isc.org> <E4AD7D21-995C-46B1-813E-70CA0919F6CE@hopcount.ca> <20140820235118.E952B1D1B042@rock.dv.isc.org>
In-reply-to: Your message of "Thu, 21 Aug 2014 09:51:18 +1000." <20140820235118.E952B1D1B042@rock.dv.isc.org>
Date: Thu, 21 Aug 2014 10:52:46 +1000
Message-Id: <20140821005246.E3C7D1D1B8C8@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/3Lozq68TfTE9SxJhPdeGGD5j_cY
Cc: dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>, "cet1@cam.ac.uk Thompson" <cet1@cam.ac.uk>
Subject: Re: [DNSOP] draft-ietf-dnsop-rfc6598-rfc6303-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 00:52:52 -0000

In message <20140820235118.E952B1D1B042@rock.dv.isc.org>, Mark Andrews writes:
> 
> In message <E4AD7D21-995C-46B1-813E-70CA0919F6CE@hopcount.ca>, Joe Abley writ
> es
> :
> >
> > On 20 Aug 2014, at 17:48, Mark Andrews <marka@isc.org> wrote:
> >
> > > You will give answers that validate as bogus in the stub resolver.
> >
> > This seems to be the crux of our differing world views.
> >
> > > A validating stub resolver
> >
> > Validating stub resolvers?
> >
> > In my own personal taxonomy a stub resolver doesn't validate. Validation
> > signalling is available from a validating resolver (e.g. using the AD
> > bit, of which I am not a fan), and that resolver (validating or not) is
> > where I was suggesting the locally-relevant data would be served.
> >
> > (Note that I'm not saying that my own personal taxonomy is of any use to
> > anybody apart from me; I'm just putting it out there by way of
> > explanation of the current forehead wrinkles. I continue to think it
> > would be good to have a common understanding of these overloaded terms.)

DNSSEC responses were, from day one, designed to be validated in
the application/client/resolver library.  For the discussion about
100.64/10 reverse in which of these places is immaterial

Getting validation into recursive servers was a first step and it
also protected non-DNSSEC aware clients from a class of attacks.
It was also one of the easiest piece to update which was why it was
promoted first.  It was also a required step as you can't reliably
validate in the client unless the recursive server has filtered out
the spoofed answers.

The next step was/is getting validation performed in the clients.
There are several validating stub resolver libraries from different
vendors.  ISC has shipped one as part of BIND for over a decade.

Yes, you can link libdns into a application and have it validate
answers you receive from a recursive server before handing them to
the application.  named is the main application that uses this
library but it is not the only one.  The newer releases have simpler
calling points and setup.

Validation is starting to move into the application with inititatives
like DANE.

AD is only useful as a signal that a answer is secure when you can
trust the path between the recursive server and the application
*and* you can trust the configuration of the recursive server to
be setting AD appropriately.  See all the caveats about trusting
AD in the RFC's where it is mentioned.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.37.1 | Report a Bug | By Email | System Status