Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)

Nicholas Weaver <> Wed, 02 April 2014 05:38 UTC

From: Nicholas Weaver <>
Date: Tue, 1 Apr 2014 22:37:57 -0700
To: Colm MacCárthaigh <>
Cc: Nicholas Weaver <>, Bill Woodcock <>, "" <>, Evan Hunt <>, Phillip Hallam-Baker <>, Matthäus Wander <>
Subject: Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)

On Apr 1, 2014, at 10:24 PM, Colm MacCárthaigh <> wrote:
> I don't think this makes much sense for a coherent resolver. If I were writing a resolver, the behaviour would instead be: try really hard to find a valid response, exhaust every reasonable possibility. If it can't get a valid response, then if CD=1 it's ok to pass back the invalid response and its supposed signatures - maybe the stub will know better, at least fail open. If CD=0, then SERVFAIL, fail closed.

The bigger problem is not the CD case, but getting the data at all to validate locally.  

A lot (and I mean a LOT) of NATs give a DNS proxy that doesn't understand or forward requests for DNSSEC information. Heck, even Apple (which in my opinion makes the best overall CPE) doesn't do this right.  These NATs don't give the IP of the real recursive resolver, which often does support DNSSEC (and, in the case of Comcast, even validates).

Which means you have to go around and do a full local fetch, starting at the root and going down from there to validate on the client.

And then, to make matters worse, you have the hotspots and similar cases which force the user to use the configured recursive resolver.  Fortunately, most of those support fetching DNSSEC records.  But note that I said most, not all....

Nicholas Weaver                  it is a tale, told by an idiot, full of sound and fury,
510-666-2903                     signifying nothing
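The failure Nicholas describes (a CPE DNS proxy that neither forwards EDNS0/DO nor passes RRSIGs back, so the stub cannot validate without walking from the root itself) is something a validating stub can detect before it decides whether to trust the configured resolver at all. The following is an added example, not code from the thread or from any of the resolvers mentioned: it builds a query with the DO bit set, parses the reply, and classifies it by whether an OPT record echoing DO and any RRSIG records came back. The three replies it is run against are constructed by hand (example.com, a TEST-NET address, and a dummy RRSIG payload whose bytes are not a real signature); `probe_resolver` is a live UDP probe for use against a real server and is not exercised by the offline sample. All function and constant names are this example's own.

```python
"""Check whether the configured resolver (or a NAT's DNS proxy in front of it)
passes DNSSEC material through. Added example, not from the thread; the sample
replies below are constructed, not captured from any real resolver."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_RD, FLAG_AD = 0x0100, 0x0020
EDNS_DO = 0x8000  # the DO bit lives in the OPT record's TTL field (RFC 3225)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, do=True):
    """RD=1 query; with do=True an OPT record (4096-byte payload, DO set) is appended."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0) if do else b""
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l


def classify_response(msg):
    """Summarise the DNSSEC-relevant content of a message: rcode, AD flag,
    whether an OPT record with DO is present, and how many RRSIGs it carries."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    rrsigs, opt_do = 0, False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT and ttl & EDNS_DO:
            opt_do = True
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "opt_do": opt_do, "rrsig": rrsigs}


def verdict(summary):
    """What a validating stub can do with this resolver's answer."""
    if not summary["opt_do"]:
        return "no-edns"      # DO was dropped on the way: walk from the root yourself
    if summary["rrsig"] == 0:
        return "no-rrsig"     # DO honoured but nothing signed came back (unsigned zone, or stripped)
    return "dnssec"           # RRSIGs present: validate locally; AD alone is the resolver's word


def probe_resolver(server, qname="example.com", timeout=2.0):
    """Live probe over UDP (not used by the offline sample): returns a verdict string."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return verdict(classify_response(data))


# ---- constructed sample replies to a DO query for example.com/A ----
def _rr(name, rtype, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _reply(flags, answers, with_opt):
    ar = [b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)] if with_opt else []
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, len(ar))
    return hdr + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1) + b"".join(answers + ar)


PTR_QNAME = b"\xc0\x0c"                            # pointer to the question name at offset 12
A_RR = _rr(PTR_QNAME, TYPE_A, 300, bytes([192, 0, 2, 1]))   # TEST-NET address, constructed
FAKE_RRSIG = _rr(PTR_QNAME, TYPE_RRSIG, 300,        # dummy RRSIG rdata: not a real signature
                 struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0x5A000000, 0x59000000, 12345)
                 + encode_name("example.com") + b"\x00" * 16)

REPLY_VALIDATING = _reply(0x8180 | FLAG_AD, [A_RR, FAKE_RRSIG], with_opt=True)  # QR RD RA AD
REPLY_DO_NO_RRSIG = _reply(0x8180, [A_RR], with_opt=True)    # EDNS ok, no signed data returned
REPLY_NAT_PROXY = _reply(0x8180, [A_RR], with_opt=False)     # proxy dropped both OPT and RRSIG

if __name__ == "__main__":
    for label, msg in (("validating resolver", REPLY_VALIDATING),
                       ("DO honoured, unsigned", REPLY_DO_NO_RRSIG),
                       ("NAT DNS proxy", REPLY_NAT_PROXY)):
        s = classify_response(msg)
        print(f"{label:22s} {s} -> {verdict(s)}")
```

The "no-edns" outcome is the NAT case from the message: the stub never sees an OPT record echoed, so it cannot tell whether the upstream recursive resolver would have supplied RRSIGs, and its only route to validation is iterating from the root itself. Note that the AD bit is reported but deliberately not used in the verdict: a stub behind an unauthenticated proxy has no reason to trust a flag the proxy could have set or cleared.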