Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

Geoff Huston <gih902@gmail.com> Tue, 03 April 2018 08:34 UTC

> On 3 Apr 2018, at 5:38 pm, Mark Andrews <marka@isc.org> wrote:
> 
> AD is only set or potentially set in the response if DO or AD is set on the query.
> 
> The condition boils down to testing for AD or DO in the query because the answer needs to be secure and there can’t be a CNAME or DNAME pointing to it.  About the only way for it to not have AD set would be for there to be a CNAME and the target to be insecure based on the other conditions.
> 
> I would just remove the condition. 
> 

Thanks Mark. 

I had just posted a followup before seeing your response.

I’ll remove the condition then.


Geoff