Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00

Edward Lewis <> Wed, 25 November 2015 20:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 85B891B2F53 for <>; Wed, 25 Nov 2015 12:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.006
X-Spam-Status: No, score=-4.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_NEUTRAL=0.779] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rcc5wz_rLV30 for <>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 35DD31B2F4E for <>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 25 Nov 2015 12:17:11 -0800
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1044.021; Wed, 25 Nov 2015 12:17:11 -0800
From: Edward Lewis <>
To: "Wessels, Duane" <>
Thread-Topic: More comments on draft-wessels-edns-key-tag-00
Thread-Index: AQHRJtmPXkdjXahmsEiTn01cYVzaVZ6sNYcAgADLrwCAAI7hgP//0QOA
Date: Wed, 25 Nov 2015 20:17:10 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3531309427_12004695"
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Nov 2015 20:17:17 -0000

On 11/25/15, 13:05, "Wessels, Duane" <> wrote:

>Can you say more about how limited you think it should be?  Never?

(Probably) as much as possible.  I can't see the benefit of telling a
third party this.  (First party being the validator/querier, second party
being the authority of the trust anchor set, third party including the

>In what I'm proposing the stub also would send the option only for DNSKEY
>and only for trust anchor zones (i.e. root).  Is that limited enough?

And to the IP addresses for the zone's advertised name servers.

>Do you have particular concerns about who knows about the stub's trust
>Are you thinking of on-path attackers or the recursive operator or
>something else?

Nothing in particular.  I'm not even clear if it's attackers I am worried
about, it's just general leakage.   I don't see damage in leaking, per se,
outside of the "if someone knows trust anchor #4 was reverse engineered,
then the verifier using it is vulnerable."  It's more that I don't see a
benefit in allowing leakage.

>Is it okay for a recursive to expose old trust anchors, but not okay for
>a stub?

Hmmm, I don't think the two (stub and recursive) are different for this
option.  (In the sense that EDNS is hop-by-hop and not end-to-end, and the
only query handler that can make any use of this information is the

>I actually like the suggestion I heard from someone (sorry, can't remember
>exactly who right now) that instead of intersection or union, the
>could just forward a second instance of the option.

Not commenting directly on that, but, I'm leaning towards this never being
an issue - that is - there should be no middlebox of any kind that would
forward/relay the option.

>I'd say there is a benefit to the zone operator in knowing what trust
>are in use by stubs.

Zone operator would be the one plowing through the packets seen at the
authoritative addresses, I think.  (Me being fully aware that zone
operators aren't always DNS operators.)

>> (If there's a conflict between the two (which could
>> also be sever clock skew), use 'CD' in queries.)
>Sorry I didn't follow that.

I was thinking - if a validator is forwarding all traffic to a recursive
server that is also DNSSEC validating, and there is a conflict because the
"upstream" is SERVFAIL'ing some data because of, say, the trust anchor not
right, the "downstream" ought to revert to "+CD" to avoid the buggy

>Forgive me for saying, but it sounds to me like you might've misunderstood
>a little about what I proposed.  I'm saying the edns-key-tag option rides
>along with a DNSKEY query.  So the response is a normal DNSKEY response.
>The draft currently says:
>  A responder MUST NOT include the edns-key-tag option in any DNS

Missed that.  (Yes, I did read the draft, twice,...still missed it. ;))

>So what I've proposed is one-way, passive data collection only.  Note I
>modeled this
>after RFC 6975, which works the same way.