Re: [DNSOP] Definition of "validating resolver"

Ted Lemon <Ted.Lemon@nominum.com> Mon, 09 March 2015 13:11 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF231A8881 for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 06:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCVmSpx4dCEP for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 06:11:34 -0700 (PDT)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2D421A887F for <dnsop@ietf.org>; Mon, 9 Mar 2015 06:11:34 -0700 (PDT)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id B6260DA03CD; Mon, 9 Mar 2015 13:11:34 +0000 (UTC)
Received: from [10.0.20.107] (71.233.43.215) by CAS-03.WIN.NOMINUM.COM (192.168.1.100) with Microsoft SMTP Server (TLS) id 14.3.224.2; Mon, 9 Mar 2015 06:11:34 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <20150308223157.GA2770@PorcupineTree>
Date: Mon, 09 Mar 2015 09:11:12 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <6C4EA12D-B7AA-4606-8507-D16DFA14E128@nominum.com>
References: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org> <20150308223157.GA2770@PorcupineTree>
To: Ralf Weber <dns@fl1ger.de>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/D_PS_de9Inrz-RLhW949hFqnDoU>
Cc: IETF DNSOP WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Definition of "validating resolver"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 13:11:36 -0000

On Mar 8, 2015, at 6:31 PM, Ralf Weber <dns@fl1ger.de> wrote:
> I was told that the difference is that a security aware resolver does
> not validate, but instead relies on the "Validating Stub Resolver" to 
> protect the user. So it would handle all the DNSSEC processing to the
> authoritative and would store the records with signatures in the cache,
> but it wouldn't check if they are valid. 

Doesn't this create an opportunity for a DoS attack based on poisoning the cache with a record that won't validate?   So I am in violent agreement with your conclusion. :)