Re: [DNSOP] If DNSSEC signatures do not validate ...
Shumon Huque <shuque@gmail.com> Tue, 28 April 2020 13:56 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1C53A1573 for <dnsop@ietfa.amsl.com>; Tue, 28 Apr 2020 06:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2UpKLKS8-Hf for <dnsop@ietfa.amsl.com>; Tue, 28 Apr 2020 06:56:57 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E2903A156F for <dnsop@ietf.org>; Tue, 28 Apr 2020 06:56:57 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id p16so16431312edm.10 for <dnsop@ietf.org>; Tue, 28 Apr 2020 06:56:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nDaw+RXdAjCj5wcqG1i/JiAi0ZHCh23VNkcH/pWe3Gw=; b=KZPdtPCiJBQrOZ2w8Al98i2ipTQ2UHKSBQp2jQPdoBVDT13OkFKJk7MMoFMkmdy28V 1zpE36CYQFlAEjR9vHEvotxL0P7t3/qADryw5a9QzbzQ+2U1ch7rmfAJcpvEBlExm9su KcwKi1tkn6iUxlusS5MMNRJfh03jFX1IbhkUAcgvHHUZ4bbhsxkDkknGP5f3OAKFxUS/ 5RtkjsORs05CJh1wA2t4PyRHX/KgCkXEfFByI2WEx6VYdQQKpVhyvefX0SxNiA/hSxnZ E2dxBR52UfnxOVnJtcYk8hfgJjV2ZS01BgzUpas+4RCBqaZkTartPst5UsSUCS2lvM7M PK9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nDaw+RXdAjCj5wcqG1i/JiAi0ZHCh23VNkcH/pWe3Gw=; b=DrLvH9utH6XmXJduN8KK2/6oAsRM86LxbleanRalqlx9j0D8nUwNJkWhwB6+DEVzww h+qi6Vzx5rCjSraL4Z75Q7AxAxeAbffJIT6hODJNd6VQKUrlxk1+djNxOQQHhgvcdm6P oomR7UY4ASB6AMPOhUZNBBpnTKnmQcSC3PDOlT2LTAb2G9aiJPaemVrCsnfo6yAq6s1Z Lbne4a5+peEgFtiGpJLpeXckUlRPd+oZAoGIBRy525hph1UWBfRk4mTh0nS8Duiy3L8t X/KptwZrj3W08MbRBhlcP8qxmlJr/Zt4lcYwmr/eHcYyCIqRjrKjVRDX0XlCe0eoXo1C Hrhg==
X-Gm-Message-State: AGi0PuYdDpur/UsxYr3ACdYUcB/7x6uSuVFtd45w3pVPD03xZjFB89ZK V0GgG3nuDh6R4Kzi1BTw2NdBWoTpaqD0+0QS3Dc=
X-Google-Smtp-Source: APiQypJnPdAQDY6BSUsn3um/cEuHRL9NuhTV5YdqGb1aXqSr4lYQnFgcuQsAKQ64pmO/D82gSiyGxNIeNEUWoRT2xu4=
X-Received: by 2002:a50:9e6a:: with SMTP id z97mr5340991ede.375.1588082215910; Tue, 28 Apr 2020 06:56:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAAObRXL-hFZ1jFo8dW-+M+2SR8gJ7vypKLMaJNuQJBvCsdJ0Gg@mail.gmail.com> <alpine.LRH.2.21.2004280931470.18623@bofh.nohats.ca> <CAAObRXJKf67Hv8i+fTUWcQMqpk-8hL6PPQ=iXtWnZ8yzk-wNWQ@mail.gmail.com>
In-Reply-To: <CAAObRXJKf67Hv8i+fTUWcQMqpk-8hL6PPQ=iXtWnZ8yzk-wNWQ@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 28 Apr 2020 09:56:44 -0400
Message-ID: <CAHPuVdWpqEs+OfVT6Udviyigwegh6416sG5MeaBY_3mf5mpJPw@mail.gmail.com>
To: Davey Song <songlinjian@gmail.com>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005a82db05a45a3466"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IaFec9oWVgS_I1vOpN5ru-iWuyg>
Subject: Re: [DNSOP] If DNSSEC signatures do not validate ...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 13:56:59 -0000
On Tue, Apr 28, 2020 at 9:48 AM Davey Song <songlinjian@gmail.com> wrote: > > I think you mean if you receive a BOGUS validation result (eg missing >> RRSIG records, or otherwise are not getting the records needed for proof >> of non-existance or signatures. In that case, I think the existing >> DNS protocol already tells you to try other servers? >> > > According to RFC4035 section 5.5, there is no retry to other servers. > That language could probably use some clarification. I would interpret "if .. none of the RRSIGs can be validated" as "if .. none of the RRSIGs can be validated from _any_ of the authority servers". In practice, every validating resolver I'm familiar with will retry other servers upon signature validation failure. Otherwise, we would have a very fragile system - an adversary would just have to be able to intercept one path between resolver and one of the authority servers for a zone to cause resolution failure. Shumon.
- [DNSOP] If DNSSEC signatures do not validate ... Davey Song
- Re: [DNSOP] If DNSSEC signatures do not validate … Paul Wouters
- Re: [DNSOP] If DNSSEC signatures do not validate … Davey Song
- Re: [DNSOP] If DNSSEC signatures do not validate … Shumon Huque
- Re: [DNSOP] If DNSSEC signatures do not validate … Davey Song
- Re: [DNSOP] If DNSSEC signatures do not validate … Paul Wouters
- Re: [DNSOP] If DNSSEC signatures do not validate … Shumon Huque
- Re: [DNSOP] If DNSSEC signatures do not validate … Davey Song
- Re: [DNSOP] If DNSSEC signatures do not validate … Ben Schwartz