IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

Doug Barton <dougb@dougbarton.us> Mon, 17 November 2014 23:39 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4E61ACEF6 for <dnsop@ietfa.amsl.com>; Mon, 17 Nov 2014 15:39:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.596
X-Spam-Level:
X-Spam-Status: No, score=-2.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOibtd2JrQSV for <dnsop@ietfa.amsl.com>; Mon, 17 Nov 2014 15:39:47 -0800 (PST)
Received: from dougbarton.us (dougbarton.us [208.79.90.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F13F1ACEF3 for <dnsop@ietf.org>; Mon, 17 Nov 2014 15:39:47 -0800 (PST)
Received: from bcn-dbarton.lan (unknown [67.159.169.102]) by dougbarton.us (Postfix) with ESMTPSA id 977FF22B0D; Mon, 17 Nov 2014 23:39:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1416267584; bh=s9dEvNxMiF16ZHWNaCBlHa8pgPG3oazj7mN211qozG0=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=ds2Gb8BkXnm7fBW7NgivCeKzXvSIjbSwLZBTBUpHUdXZjZU/sSoSNVTq7W8j2ln3B tw7bJ4KXMMSlTMnEfkLmq4xNaowJwgnWozJdP2iSk721N4zFDAP9f4eIs2k5/OlzJt ldb8p6r5Xdm5VpU/QMdZu0ut2UQkNdVzAnQ++Mic=
Message-ID: <546A873F.8060402@dougbarton.us>
Date: Mon, 17 Nov 2014 15:39:43 -0800
From: Doug Barton <dougb@dougbarton.us>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Evan Hunt <each@isc.org>
References: <54691B0A.6060508@gmail.com> <54692F7A.6030803@dougbarton.us> <20141117071250.GA55492@isc.org> <546A73B6.2060005@dougbarton.us> <20141117225045.GA35924@isc.org>
In-Reply-To: <20141117225045.GA35924@isc.org>
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/Khgm8uUQNU9lFxlcZG7sqjKFq90
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Nov 2014 23:39:49 -0000

On 11/17/14 2:50 PM, Evan Hunt wrote:
> On Mon, Nov 17, 2014 at 02:16:22PM -0800, Doug Barton wrote:
>> That seems like something that should be fixable in BIND, yes? (And
>> thanks for doing that testing, btw)
>
> Yes, by using two views and slaving the root in one of them and validating
> in the other one, like it recommends in the draft. :)

:)

> With a single view, if you're authoritative for a zone, then you're
> the authority, period.  You *know* the corect answer.  Validating yourself
> to find out whether you're lying to yourself would be somewhat silly.

... except in the case where you're an authoritative slave, not the 
authoritative master.

But even as the master, let's say you do off-line signing, and now the 
file is sitting on the name server. I would still like to see a knob 
that says "validate everything, even if I'm authoritative for it" since 
that data file may have been tampered with. Perhaps that's needlessly 
paranoid (if they can attack the file they can probably attack other 
things as well), but in the case of a validating resolver that is also 
slaving signed data, "validate everything just in case" makes a lot of 
sense to me.

I would even go so far as to argue that the fact this isn't done is an 
oversight, since even if you're authoritative for a given strata there 
is always a signer a level above you. In the case of the root zone 
that's the root KSK, so even if I'm "authoritative" for the root zone I 
would still want the data in it to be validated when it's used.

... and yes, I realize that the different views (or different instances) 
trick will work, but now you're doing more work than you would have to 
do if there was a "validate everything" knob, PLUS you have the 
disadvantage of your resolving view caching data for long periods even 
though that data has changed in the slave view. So to me the "validate 
everything" knob seems like a win/win. Am I missing something?

Doug

v2.31.3 | Report a Bug | By Email | System Status