Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
Matthäus Wander <matthaeus.wander@uni-due.de> Sat, 23 January 2016 22:25 UTC
Return-Path: <matthaeus.wander@uni-due.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE8581B29C6 for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 14:25:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.551
X-Spam-Level:
X-Spam-Status: No, score=-3.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lX5KFcy_3qoT for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 14:25:22 -0800 (PST)
Received: from mailout.uni-due.de (mailout.uni-due.de [132.252.185.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AE1A1B29D1 for <dnsop@ietf.org>; Sat, 23 Jan 2016 14:25:21 -0800 (PST)
Received: from [192.168.1.5] (f049077082.adsl.alicedsl.de [78.49.77.82]) (authenticated bits=0) by mailout.uni-due.de (8.13.1/8.13.1) with ESMTP id u0NMPIH0014385 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <dnsop@ietf.org>; Sat, 23 Jan 2016 23:25:19 +0100
To: dnsop@ietf.org
References: <12831BC8-EE53-46C7-80A5-A7DAE651F157@vpnc.org> <2552EB05-B015-42F6-ABA6-D67B21CEBD4F@verisign.com> <C702935B-C23E-4DBC-9467-6DD024E172DE@vpnc.org>
From: Matthäus Wander <matthaeus.wander@uni-due.de>
X-Enigmail-Draft-Status: N1110
Message-ID: <56A3FDCE.6070001@uni-due.de>
Date: Sat, 23 Jan 2016 23:25:18 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <C702935B-C23E-4DBC-9467-6DD024E172DE@vpnc.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms030004090903050701080702"
X-Virus-Scanned: Clam Anti Virus - http://www.clamav.net
X-Spam-Scanned: SpamAssassin: 3.002004 - http://www.spamassassin.org
X-Scanned-By: MIMEDefang 2.57 on 132.252.185.19
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/4-i4qcgrlGyN7C-fA-LVVDf35IU>
Subject: Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 22:25:24 -0000
Paul Hoffman wrote on 2016-01-23 21:47: > On 22 Jan 2016, at 14:44, Wessels, Duane wrote: > >> I think I'm okay with "resolvers SHOULD send DO when priming." Seems >> like BIND and Unbound already do this. > > Noted. Waiting to hear from a bunch more people on this. No objection. >> Do we also need to say that the resolver SHOULD/MUST retry with DO=0 >> if there is no response to the first priming query? > > Personal opinion: yes for SHOULD, but we need to integrate it with the > earlier text about going to a different server if you don't get a > response within 2 seconds. This is only useful if validation is disabled and should be stated accordingly. >> The more important question may be: what shall the resolver do if >> validation of the priming response fails? I'm skeptical that we, as a >> group, will be willing to say that the resolver should refuse to >> forward any queries to a root unless validation succeeds. > > Personal opinion: agree. We can say that it is local policy. One > possible policy is to keep trying other hints until one response validates. Yep, this matches the standard implementation behavior of handling bogus responses: discard response and try again. If it keeps failing, give up and don't update the root hints. There's no need to stop communicating with root. There's another issue: once root-servers.net is signed, the priming response will contain RRSIG in the ADDITIONAL section. 1) What if there's not enough space for all RRSIG and the server omits some of them? (which seems to be allowed according to RFC 4035 Sec. 3.1.1) 2) What if the ANSWER section validates (i.e. response is not bogus) but some of the addresses in the ADDITIONAL section fail to validate? I suggest that validators use the following approach: - If root-servers.net is signed, validate the ANSWER section as usual. - Attempt to validate all address records. If any of them is bogus or incomplete (A, AAAA or RRSIG missing), query directly for the server name and validate the response, e.g. A/a.root-servers.net. This behavior is consistent with Sec. 4.2 in the current draft ("... issue direct queries for A and AAAA RRSets for the remaining names.") Regards, Matt
- [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-primi… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Matthäus Wander
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Shane Kerr
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- [DNSOP] TCP for resolver priming (was DNSSEC in d… Shane Kerr
- Re: [DNSOP] TCP for resolver priming (was DNSSEC … Wessels, Duane