Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)

Colm MacCárthaigh <colm@allcosts.net> Wed, 02 April 2014 21:56 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4996E1A03EC for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 14:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9goXeLKkdf5r for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 14:56:22 -0700 (PDT)
Received: from mail-oa0-f42.google.com (mail-oa0-f42.google.com [209.85.219.42]) by ietfa.amsl.com (Postfix) with ESMTP id 74F6C1A03D9 for <dnsop@ietf.org>; Wed, 2 Apr 2014 14:56:22 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id i4so1048595oah.1 for <dnsop@ietf.org>; Wed, 02 Apr 2014 14:56:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=poSAV7gDWsEC1fBjSWUNfguKvA2YXcbk38sut6as1pg=; b=bW6AyO1pjVqqukHyfbElWKe46ySWL479zhjEccrmq0qxwZgpNWjcr/Mr+9E2EIfGUO YitiznvtP2mB+24k9WLtugqWRxNeRxWE4eaaJAeYhQxsonit+hxPakWVz8MRjNBR+O+k JUQSMqMc7q1wljPMQTnPQRm/yDusQslHARWc70zvNkBh/nxPtGACU9mQF74lLt/WPrAi CMvKHjCElk7GwcoHL0QBXA/1vd4w+UNrT34QlvYyZS8dlMl6/DkGMCd+HEPiD6+NwOhB al+kGJYXeUDByEOgK6lMGYuyYQHka92oWwxUxquHwJpLD+CEN29fMC/MKME6zAnDRXUn uJ2A==
X-Gm-Message-State: ALoCoQl3vZwAY1ayLFWY9oz/FbJyS1Snawezz6OCpM98wOT2djgD4nci3kCpydyn2Y2xb5+huwWN
MIME-Version: 1.0
X-Received: by 10.182.29.2 with SMTP id f2mr2051046obh.5.1396475778110; Wed, 02 Apr 2014 14:56:18 -0700 (PDT)
Received: by 10.76.20.164 with HTTP; Wed, 2 Apr 2014 14:56:18 -0700 (PDT)
In-Reply-To: <20140402214001.32F5D1234256@rock.dv.isc.org>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <53345C77.8040603@uni-due.de> <B7893984-2FAD-472D-9A4E-766A5C212132@pch.net> <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com> <474B0834-C16B-4843-AA0A-FC2A2085FEFB@icsi.berkeley.edu> <CAMm+Lwh-G7D5Cjx4NWMOhTjBZd=VVRHiPdK7L1zm-P0QRP8P2Q@mail.gmail.com> <20140401223943.528B71226903@rock.dv.isc.org> <CAAF6GDe=39bmVDOtox+9coaH7R06erm-JUK19ZwPEUVkxepKTg@mail.gmail.com> <20140402003159.B4B631228652@rock.dv.isc.org> <CAAF6GDdLs3V9JMa8jgD_asYqhmt=PCaBAmk4LO0JaX_q6q0UHQ@mail.gmail.com> <20140402024919.GA97087@isc.org> <CAAF6GDcP77MBBUJbEdQgOqOLh2UHPEOmxYNTaAO-8F=OdLYxOQ@mail.gmail.com> <20140402214001.32F5D1234256@rock.dv.isc.org>
Date: Wed, 2 Apr 2014 14:56:18 -0700
Message-ID: <CAAF6GDeDDYpz3HqizRXAWTYjKK8PxFkudbawvPm0G_ZxMPOVsw@mail.gmail.com>
From: =?ISO-8859-1?Q?Colm_MacC=E1rthaigh?= <colm@allcosts.net>
To: Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary=001a11c2c104b1769304f6165aed
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/L65dMxJJvyAKhj1CSrEUOpn2HfE
Cc: Nicholas Weaver <nweaver@icsi.berkeley.edu>, Bill Woodcock <woody@pch.net>, "dnsop@ietf.org" <dnsop@ietf.org>, Evan Hunt <each@isc.org>, Phillip Hallam-Baker <hallam@gmail.com>, Matth?us Wander <matthaeus.wander@uni-due.de>
Subject: Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 21:56:26 -0000

On Wed, Apr 2, 2014 at 2:40 PM, Mark Andrews <marka@isc.org> wrote:

> > I don't think this makes much sense for a coherent resolver. If I were
> > writing a resolver, the behaviour would instead be;  try really hard to
> > find a valid response, exhaust every reasonable possibility. If it can't
> > get a valid response, then if CD=1 it's ok to pass back the invalid
> > response and its supposed signatures - maybe the stub will no better, at
> > least fail open. If CD=0, then SERVFAIL, fail closed.
>
> Guess what, resolvers do not work like that.  They are not required
> to work like that.


Nothing can compel any particular resolver to choose a particular
implementation - but I take note of
https://tools.ietf.org/html/rfc6840#section-5.9 and
https://tools.ietf.org/html/rfc6840#appendix-B which recommends it (as a
"SHOULD") and I generally agree with the good reasoning that's in the RFC.

As I wrote, if it were me writing a validating stub resolver, I would
always set CD=1 - and when acting as an intermediate resolver, I would
always make a reasonable effort to find a validating response, even if CD=0
is on the incoming query. I'm certain that at least one resolver does work
like this, and I suspect it's also how Google Public DNS works, based on
some experimentation.


-- 
Colm