Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt

Wes Hardaker <wjhns1@hardakers.net> Fri, 08 July 2016 20:57 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B8D212D595 for <dnsop@ietfa.amsl.com>; Fri, 8 Jul 2016 13:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Level:
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CTrFcuHEekVP for <dnsop@ietfa.amsl.com>; Fri, 8 Jul 2016 13:57:43 -0700 (PDT)
Received: from mail.hardakers.net (dawn.hardakers.net [IPv6:2001:470:1f00:187::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C7F812B034 for <dnsop@ietf.org>; Fri, 8 Jul 2016 13:57:43 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 9DC6220641; Fri, 8 Jul 2016 13:57:42 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Paul Wouters <paul@nohats.ca>
References: <20160404033239.9766.8255.idtracker@ietfa.amsl.com> <alpine.LFD.2.20.1604041720120.7069@bofh.nohats.ca>
Date: Fri, 08 Jul 2016 13:57:41 -0700
In-Reply-To: <alpine.LFD.2.20.1604041720120.7069@bofh.nohats.ca> (Paul Wouters's message of "Mon, 4 Apr 2016 17:23:23 -0400 (EDT)")
Message-ID: <0lpoqnzw3e.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/C4WzG6nsO8-pcaZeLIGanRhVrhc>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 20:57:44 -0000

Paul Wouters <paul@nohats.ca> writes:

> Should item 3. be "if the answer is INSECURE" instead of "If the query
> is INSECURE" ?

Good catch, fixed.

> And should it be "w/o the DO and AD bit set" instead of "w/o the AD
> bit set" ?

I think not, because if the DO bit was set and you understand it but
need to return non-DNSSEC protected data, I think we should be returning
the DO bit but no AD or DNSSEC data.

I suppose you could argue that since we can't do DNSSEC we shouldn't say
we're DO (DNSSEC) compliant?
-- 
Wes Hardaker
Parsons