[DNSOP] If DNSSEC signatures do not validate ...

Davey Song <songlinjian@gmail.com> Tue, 28 April 2020 13:11 UTC

From: Davey Song <songlinjian@gmail.com>
Date: Tue, 28 Apr 2020 21:10:46 +0800
Message-ID: <CAAObRXL-hFZ1jFo8dW-+M+2SR8gJ7vypKLMaJNuQJBvCsdJ0Gg@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4WjJFGKT1lYSk_Ol0K-tj9uw53w>
Subject: [DNSOP] If DNSSEC signatures do not validate ...

Hi folks,

As far as I know, in DNSSEC the validating resolver is able to identify a
bad response if signatures do not validate. But it is unable to retrieve the
good one for the stub resolver if there are other alternatives.

I'm thinking about a draft proposal: if signatures do not validate, the
validating resolver can try other resolution paths like DoT or DoH directly
to authoritative servers, or to other public DNS servers which offer the DNS
encryption service. It aims to work around the resolution path where the DNS
hijack happened.

Do you think it is a good idea? Or a useful use case for DNS encryption in
DNSSEC?

Best regards,
Davey
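
The following is an added illustration of the fallback behaviour the message proposes; it is not code from the message, from the DNSOP working group, or from any draft. It is a Go simulation: the "RRset" and its canonical form are a constructed text stand-in for the RFC 4034 wire form, the Ed25519 signature stands in for an RRSIG (DNSSEC algorithm 15 does use raw Ed25519 signatures), and each resolution path (UDP forwarder, DoT to a public resolver) is abstracted to a function so nothing touches the network. The names `ResolveWithFallback`, `Path`, `Demo` and the sample addresses are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified stand-in for one DNS RRset (single owner name and type).
// Real DNSSEC signs the RFC 4034 canonical wire form; this constructed text
// form keeps the example offline and library-free.
type RRset struct {
	Name string
	Type string
	TTL  uint32
	Data []string
}

// Canonical returns the bytes that are signed and verified. Sorting the RDATA
// mirrors the canonical RR ordering of RFC 4034 section 6.3.
func (r RRset) Canonical() []byte {
	data := append([]string(nil), r.Data...)
	sort.Strings(data)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(r.Name), r.Type, r.TTL, strings.Join(data, ",")))
}

// Answer pairs an RRset with its toy RRSIG (a raw Ed25519 signature).
type Answer struct {
	RRset RRset
	Sig   []byte
}

// Sign is what the zone owner does with its zone signing key.
func Sign(zsk ed25519.PrivateKey, rr RRset) Answer {
	return Answer{RRset: rr, Sig: ed25519.Sign(zsk, rr.Canonical())}
}

// Validate is what the validating resolver does with the DNSKEY it trusts.
func Validate(trusted ed25519.PublicKey, a Answer) bool {
	return ed25519.Verify(trusted, a.RRset.Canonical(), a.Sig)
}

// Path is one way to reach an answer (default forwarder over UDP, DoT to the
// authoritative server, DoH to a public resolver). The transport is abstracted
// to a function so the example needs no network.
type Path struct {
	Name  string
	Query func(name string) (Answer, error)
}

var ErrAllBogus = errors.New("no resolution path returned a validating answer")

// ResolveWithFallback tries each path in order, verifies the signature, and
// moves to the next path when a response is bogus instead of failing at once.
// It returns the validated answer and the name of the path that delivered it.
func ResolveWithFallback(trusted ed25519.PublicKey, name string, paths []Path) (Answer, string, error) {
	var tried []string
	for _, p := range paths {
		a, err := p.Query(name)
		if err != nil {
			tried = append(tried, p.Name+": "+err.Error())
			continue
		}
		if Validate(trusted, a) {
			return a, p.Name, nil
		}
		tried = append(tried, p.Name+": bogus signature")
	}
	return Answer{}, "", fmt.Errorf("%w (%s)", ErrAllBogus, strings.Join(tried, "; "))
}

// Demo wires up a constructed zone, a hijacked default path and an encrypted
// alternative, and reports which path finally validated.
func Demo() (string, []string, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return "", nil, err
	}
	genuine := RRset{Name: "www.example.", Type: "A", TTL: 300, Data: []string{"192.0.2.10"}}
	good := Sign(priv, genuine)

	// Hijacked path: an on-path attacker rewrites the A record but cannot
	// re-sign it, so it replays the genuine RRSIG, which no longer matches.
	forged := good
	forged.RRset.Data = []string{"198.51.100.66"}

	paths := []Path{
		{Name: "udp-forwarder", Query: func(string) (Answer, error) { return forged, nil }},
		{Name: "dot-public-resolver", Query: func(string) (Answer, error) { return good, nil }},
	}
	a, via, err := ResolveWithFallback(pub, "www.example.", paths)
	if err != nil {
		return "", nil, err
	}
	return via, a.RRset.Data, nil
}

func main() {
	via, data, err := Demo()
	if err != nil {
		fmt.Println("resolution failed:", err)
		return
	}
	fmt.Printf("validated answer %v via %s\n", data, via)
}
```

The fallback only helps for zones that are actually signed: for an unsigned zone there is no RRSIG to fail, so a hijacked answer on the first path is indistinguishable from a genuine one and the alternative path is never tried.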