Re: [DNSOP] Definition of "validating resolver"

Florian Weimer <fw@deneb.enyo.de> Thu, 12 March 2015 16:20 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Ted Lemon <Ted.Lemon@nominum.com>
References: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org> <20150308223157.GA2770@PorcupineTree> <6C4EA12D-B7AA-4606-8507-D16DFA14E128@nominum.com>
Date: Thu, 12 Mar 2015 17:20:24 +0100
In-Reply-To: <6C4EA12D-B7AA-4606-8507-D16DFA14E128@nominum.com> (Ted Lemon's message of "Mon, 9 Mar 2015 09:11:12 -0400")
Message-ID: <87a8zi192v.fsf@mid.deneb.enyo.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/ARkx6dbjFN5Md0DcxVJZhpg-zGQ>
Cc: IETF DNSOP WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Ralf Weber <dns@fl1ger.de>
Subject: Re: [DNSOP] Definition of "validating resolver"

* Ted Lemon:

> On Mar 8, 2015, at 6:31 PM, Ralf Weber <dns@fl1ger.de> wrote:
>> I was told that the difference is that a security aware resolver does
>> not validate, but instead relies on the "Validating Stub Resolver" to 
>> protect the user. So it would handle all the DNSSEC processing to the
>> authoritative and would store the records with signatures in the cache,
>> but it wouldn't check if they are valid. 
>
> Doesn't this create an opportunity for a DoS attack based on
> poisoning the cache with a record that won't validate?

Yes, but that's inherent to DNSSEC and not specific to this
configuration.  For instance, you might cache bad glue records, which
also prevents using DNSSEC to see that they are bad.
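A toy model of the scenario discussed in this exchange, added here and not part of the thread: a DNSSEC-aware but non-validating cache keeps an unverifiable record for its full TTL, so the validating stub behind it fails until expiry, while a cache that checks before storing recovers on the next query. HMAC-SHA256 stands in for RRSIG, and the zone key, names and addresses are constructed.

```python
"""Model of the thread's scenario with HMAC-SHA256 standing in for RRSIG (a
constructed stand-in, not real DNSSEC): a non-validating cache keeps a bogus
record for its full TTL, so the validating stub behind it fails until expiry."""
import hashlib
import hmac
from typing import NamedTuple

ZONE_KEY = b"constructed-zone-key"  # stands in for the zone's DNSKEY/DS chain


class RRset(NamedTuple):
    name: str
    rtype: str
    rdata: tuple
    ttl: int
    rrsig: bytes


def sign(name, rtype, rdata, ttl, key=ZONE_KEY):
    # 'RRSIG' = HMAC over owner name, type, rdata and TTL (model only)
    msg = f"{name}|{rtype}|{','.join(rdata)}|{ttl}".encode()
    return RRset(name, rtype, tuple(rdata), ttl, hmac.new(key, msg, hashlib.sha256).digest())


def rrsig_valid(rr):
    return hmac.compare_digest(sign(*rr[:4]).rrsig, rr.rrsig)


class Cache:
    """Recursive cache; validate=False is the 'security-aware, non-validating' mode."""
    def __init__(self, upstream, validate):
        self.upstream, self.validate, self.store = upstream, validate, {}

    def query(self, name, rtype, now):
        hit = self.store.get((name, rtype))
        if hit and hit[1] > now:                  # within TTL: served without re-checking
            return hit[0]
        rr = self.upstream(name, rtype)
        if not self.validate or rrsig_valid(rr):  # bogus data is only cached when unchecked
            self.store[(name, rtype)] = (rr, now + rr.ttl)
        return rr


def stub_resolve(cache, name, rtype, now):
    """Validating stub: rdata on success, None (SERVFAIL) when the RRSIG does not verify."""
    rr = cache.query(name, rtype, now)
    return rr.rdata if rrsig_valid(rr) else None


def simulate(validate_in_cache):
    good = sign("www.example.", "A", ["192.0.2.1"], ttl=3600)
    forged = RRset("www.example.", "A", ("203.0.113.66",), 3600, b"\0" * 32)  # constructed, unverifiable
    pending = [forged]                                   # the first upstream answer is the bad one
    cache = Cache(lambda n, t: pending.pop() if pending else good, validate_in_cache)
    return [stub_resolve(cache, "www.example.", "A", now=t) for t in (0, 1800, 3600)]
```

`simulate(False)` returns `[None, None, ('192.0.2.1',)]`: the stub fails for the whole 3600 s TTL. With `simulate(True)` the bogus answer is never cached and the second query already succeeds.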