IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

Geoff Huston <gih902@gmail.com> Tue, 03 April 2018 08:32 UTC

Return-Path: <gih902@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E952B12E053 for <dnsop@ietfa.amsl.com>; Tue, 3 Apr 2018 01:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nsDCS4SeT8n for <dnsop@ietfa.amsl.com>; Tue, 3 Apr 2018 01:32:58 -0700 (PDT)
Received: from mail-pl0-x22e.google.com (mail-pl0-x22e.google.com [IPv6:2607:f8b0:400e:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7051F12EA95 for <dnsop@ietf.org>; Tue, 3 Apr 2018 01:32:55 -0700 (PDT)
Received: by mail-pl0-x22e.google.com with SMTP id 61-v6so5903165plb.2 for <dnsop@ietf.org>; Tue, 03 Apr 2018 01:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DnT28jM+iNy+c7XJ+1fNfDHQRrsbSKgIOmAZ3clwJgw=; b=fHQhmG0K8eVwyJN/7NkrGwTeRiT8l/pE9w8j9wJB0tcKe9K1AheGmzdxMvMWato9qw g43W10rhjBsb9bUVyD6vDO0jSfx+4X6EmILoyOPaTgvO+4YJnrDwtuXGrojJj+5tc4Zs UspaBmpnNTxwOZ+ei/UcjR4PbrqCHBUPjdDpVBm7RCOdMZhIAVvEJSWcNbAmNQGSJzYZ L8ms1IASNPmp3wNHjNICzp0KXr0RT9puzZbL2kvwHu2tETg/+MkLe9PgxqBV9PCPWUlj deyhShI0M41hnrLSFMNfoE3RZSXhXLjU3EvrCHV2TWyL/8VFW0PrjLLqXOeE/6jakbUW pSag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DnT28jM+iNy+c7XJ+1fNfDHQRrsbSKgIOmAZ3clwJgw=; b=dcxzBjEFIQmgdOffGbM7cl/tpfJC+SbtIfUYfRLEuGBpf1ndMTXt5ZkVFthLYZv30U XbNUz78LAxMLf2JLSSO/hq3x5Pxn1hZucI1kAfftP1Jodsiwq4lOOwzUh4cjTllBSrNJ xsSe4KgvpPfw6CQ6onXcVIGtD6Yx8SbDblce0rRIARmApzWG719b7raan6WHRJHkocwl yXMnEcyosbX5JUdXKwYJilOMJMl4TPVQ5mHbpym7lCMCodDHqpcxzyPSvaTnaKH/SH5l Doos03ZU/WX+ZDMzDnUNLmeiFSDEGANHZpumJoNB8i+9Snlh4QH6wJKx+cSLMjePMpse utDQ==
X-Gm-Message-State: AElRT7Ey2/wVV3SUwRQcn0TFuhn74rW2lWEU4FUU63MwvrfAb68na15L qjD36P9XllbiHi2cj6bjByuR7z64
X-Google-Smtp-Source: AIpwx4+ivHqGeyaBTJLBZaSFUT23k3ETAY3F4lGnquJyZckGIwcSj3OKzvYNOd+crLGbnaLXfJMdQA==
X-Received: by 10.99.127.88 with SMTP id p24mr8369397pgn.93.1522744374939; Tue, 03 Apr 2018 01:32:54 -0700 (PDT)
Received: from 2001-44b8-1121-1a00-8d4c-677b-ce9d-cc95.static.ipv6.internode.on.net (2001-44b8-1121-1a00-8d4c-677b-ce9d-cc95.static.ipv6.internode.on.net. [2001:44b8:1121:1a00:8d4c:677b:ce9d:cc95]) by smtp.gmail.com with ESMTPSA id k126sm4183241pfc.142.2018.04.03.01.32.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Apr 2018 01:32:54 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <64816369-700A-4413-B1F0-160FB145EE6C@gmail.com>
Date: Tue, 03 Apr 2018 18:32:49 +1000
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2294986E-D515-470C-8232-9EA7646729EC@gmail.com>
References: <039408B0-89EE-4038-B9C9-CBCC35EC24EC@isc.org> <64816369-700A-4413-B1F0-160FB145EE6C@gmail.com>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3Yc3l6VMZLcpBfJwaSp0jSPJ82w>
Subject: Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2018 08:33:00 -0000


> On 3 Apr 2018, at 4:39 pm, Geoff Huston <gih902@gmail.com> wrote:
> 
> 
> 
>> On 3 Apr 2018, at 1:10 pm, Mark Andrews <marka@isc.org> wrote:
>> 
>> Do we really want to test for AD?  How many stub resolvers set DO or AD to elicit a AD response?
>> 
> 
> I’m not sure that we are on the same page here. The precondition is: "The AD bit is to be set in the response”  i.e. it is not a test on the query per se - it is a test on the response. Your comment appears to suggest that you believe that the text is asking for a test on the query. That is definitely not the intention of the text. i.e. it does not attempt to say what combination of flags in the query is used to signal that validation is to be applied (thats the role of RFC4035 and RFC6840), but the text is attempting to say “if the resolver has validated the response and is passing back a response that it is marking as being valid” then perform <actions>
> 
> I felt that saying that:
> 
>   o  The DNS response is DNSSEC validated
> 
>   o  the result of validation is "Secure"
> 
>   o  the AD bit is to be set in the response
> 
> would encompass this state. 
> 
> Is there a better way of saying this? Please suggest text if you believe that this could be stated more accurately.


heh - the more I read the DNSSEC RFCs the more confused I get!

After further reading I now suspect that Mark is right, and the 
AD bit test is _not_ what is wanted.

Section 3.2.3 of RFC4035  reads

3.2.3.  The AD Bit


   The name server side of a security-aware recursive name server MUST
   NOT set the AD bit in a response unless the name server considers all
   RRsets in the Answer and Authority sections of the response to be
   authentic.  The name server side SHOULD set the AD bit if and only if
   the resolver side considers all RRsets in the Answer section and any
   relevant negative response RRs in the Authority section to be
   authentic. 


So this text is saying that the AD bit is set if the resolver considers all
RRsets in the Answer section to be authentic. Fair enough.


But Section 5.8 of RFC 6840  reads:

5.8.  Setting the AD Bit on Replies

   Section 3.2.3 of [RFC4035] describes under which conditions a
   validating resolver should set or clear the AD bit in a response.  In
   order to interoperate with legacy stub resolvers and middleboxes that
   neither understand nor ignore the AD bit, validating resolvers SHOULD
   only set the AD bit when a response both meets the conditions listed
   in Section 3.2.3 of [RFC4035], and the request contained either a set
   DO bit or a set AD bit.

which appears to be saying that the AD bit is only set of the request contained
either a set DO ot a set AD bit.

What happens when neither DO nor AD is set in the request? 

Do you get a response that is authentic (but without any explicit signalling
in the response  that would indicate that authentication has occurred) or the
Servfail response in the case where authentication fails?

Or do you get a response that is not necessarily authenticated even though
the CD bit is not set?

If its the former then the AD bit may or may not be set on responses even though
they have been "DNSSEC validated”

v2.23.0 | Report a Bug | By Email