Re: [DNSOP] Resolver behaviour with multiple trust anchors

"Paul Hoffman" Tue, 31 October 2017 20:51 UTC


On 31 Oct 2017, at 12:23, Michael StJohns wrote:

> But sadly - the language in RFC6840 section 5.10 is controlling... 
> basically, any implementation can do whatever it wants.
>> A DNSSEC validator may be configured such that, for a given response,
>> more than one trust anchor could be used to validate the chain of
>> trust to the response zone. For example, imagine a validator
>> configured with trust anchors for "example." and "zone.example."
>> When the validator is asked to validate a response to
>> "", either trust anchor could apply.
>> When presented with this situation, DNSSEC validators have a choice
>> of which trust anchor(s) to use. Which to use is a matter of
>> implementation choice. Appendix C discusses several possible
>> algorithms.

And the two paragraphs that follow those give more guidance:

    It is possible and advisable to expose the choice of policy as a
    configuration option.  As a default, it is suggested that validators
    implement the "Accept Any Success" policy described in Appendix C.2
    while exposing other policies as configuration options.

    The "Accept Any Success" policy is to try all applicable trust
    anchors until one gives a validation result of Secure, in which case
    the final validation result is Secure.  If and only if all 
    trust anchors give a result of Insecure, the final validation result
    is Insecure.  If one or more trust anchors lead to a Bogus result 
    there is no Secure result, then the final validation result is 

> And once again we see the folly of the words "implementation choice" 
> when trying to come up with a coherent DNS.

The full quote makes the situation murkier: it is a combination of 
implementation choice plus configuration options. Some folks on this 
list strongly prefer that, others strongly don't.

--Paul Hoffman
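For readers following the "Accept Any Success" policy quoted from RFC 6840 Appendix C.2 in the message above, the following is an added illustration of how a validator would select the applicable trust anchors for a name and then combine their per-anchor results under that policy. It is not code from any resolver and not part of the thread; the anchor names, the `Result` enum, the `validate` callback signature and the outcomes in the sample table are all constructed for the example. The policy in the RFC text does not cover the case where no configured trust anchor applies at all, so that case is treated here as an error (an assumption of this example).

```python
"""Combine per-trust-anchor DNSSEC validation results under the
"Accept Any Success" policy (RFC 6840, Appendix C.2).

Added example, not resolver code. The anchor zone names, the Result
enum and the validate() callback shape are constructed assumptions.
"""
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Result(Enum):
    """The three validation outcomes named in the quoted RFC text."""
    SECURE = "Secure"
    INSECURE = "Insecure"
    BOGUS = "Bogus"


def _labels(name: str) -> List[str]:
    """Split an absolute domain name into lower-case labels, dropping the root."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def applicable_anchors(qname: str, anchors: Iterable[str]) -> List[str]:
    """Return the configured anchors at or above qname, most specific first.

    For a name under zone.example, both "example." and "zone.example."
    apply; "other." does not. A root anchor "." applies to everything.
    """
    q = _labels(qname)
    hits = []
    for anchor in anchors:
        a = _labels(anchor)
        # An anchor applies when its labels are a suffix of the query name.
        if len(a) <= len(q) and q[len(q) - len(a):] == a:
            hits.append(anchor)
    return sorted(hits, key=lambda a: len(_labels(a)), reverse=True)


def accept_any_success(qname: str, anchors: Iterable[str],
                       validate: Callable[[str, str], Result]) -> Result:
    """Apply the Accept Any Success policy:

    - try each applicable anchor until one yields Secure -> Secure
    - if and only if every applicable anchor yields Insecure -> Insecure
    - one or more Bogus and no Secure -> Bogus

    validate(qname, anchor) is assumed to run the chain-of-trust check
    from that single anchor and return one Result.
    """
    candidates = applicable_anchors(qname, anchors)
    if not candidates:
        # Outside the quoted policy; treated as an error by assumption.
        raise ValueError(f"no configured trust anchor applies to {qname}")
    outcomes = []
    for anchor in candidates:
        r = validate(qname, anchor)
        if r is Result.SECURE:
            return Result.SECURE  # first success wins, stop trying
        outcomes.append(r)
    if all(r is Result.INSECURE for r in outcomes):
        return Result.INSECURE
    return Result.BOGUS  # at least one Bogus and no Secure


def table_validator(table: Dict[str, Result]) -> Callable[[str, str], Result]:
    """Build a stand-in validate() that looks up a constructed per-anchor outcome."""
    def validate(qname: str, anchor: str) -> Result:
        return table[anchor]
    return validate


if __name__ == "__main__":
    # Constructed scenario: the narrower anchor's chain is Bogus (for
    # instance a stale key), the broader one validates. Accept Any Success
    # still reports Secure because one applicable anchor succeeded.
    anchors = ["example.", "zone.example.", "other."]
    outcomes = {"zone.example.": Result.BOGUS, "example.": Result.SECURE}
    print(accept_any_success("www.zone.example.", anchors, table_validator(outcomes)).value)
```

The ordering in `applicable_anchors` (most specific anchor first) is only a traversal choice; under Accept Any Success the final result does not depend on the order, since any single Secure outcome decides it, which is exactly why the RFC suggests this policy as the default and leaves stricter policies to configuration.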