Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Mark Andrews <marka@isc.org> Fri, 13 March 2015 21:25 UTC

To: Morizot Timothy S <Timothy.S.Morizot@irs.gov>
From: Mark Andrews <marka@isc.org>
References: <20150312125913.20188.qmail@cr.yp.to> <3D558422-D5DA-4434-BDED-E752BA353358@flame.org> <m27fulry37.wl%randy@psg.com> <55030A28.8050707@necom830.hpcl.titech.ac.jp> <5503101F.9060205@redbarn.org> <968C470DAC25FB419E0159952F28F0C06DF659F0@MEM0200CP3XF04.ds.irsnet.gov> <00B5D36F-5DFA-46EE-B61B-F5307738A910@icsi.berkeley.edu> <968C470DAC25FB419E0159952F28F0C06DF65DD3@MEM0200CP3XF04.ds.irsnet.gov>
In-reply-to: Your message of "Fri, 13 Mar 2015 21:02:33 -0000." <968C470DAC25FB419E0159952F28F0C06DF65DD3@MEM0200CP3XF04.ds.irsnet.gov>
Date: Sat, 14 Mar 2015 08:25:04 +1100
Message-Id: <20150313212505.2BF272B54AAA@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QSrGxg5BoWfUhT-Z9MMUjX2PyQ8>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

In message <968C470DAC25FB419E0159952F28F0C06DF65DD3@MEM0200CP3XF04.ds.irsnet.gov>, Morizot Timothy S writes:
>
> DNSSEC validation is not a panacea, but if you refuse to implement it you
> are denying your users one layer of protection you could pretty easily
> provide. And given that in the US the large majority of federal agency
> DNS authoritative zones are signed, you also can't claim there's no
> benefit to the US public from validation. Implementing validation on
> recursive nameservers does not protect users from every attack. Nothing
> does. Nor is it as good as performing validation at the client. But it is
> a solid first step with real security benefits. And it's a step that can
> be followed and built upon with further enhancements later.

And validating in the recursive server is required for DNSSEC to
work reliably when the client is validating as it doesn't talk
directly to the authoritative servers.  Turning on DNSSEC validation
in the recursive servers is the first step in turning on validation
in the client.

> Scott
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
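The dependency described above (a validating client only sees RRSIGs if the recursive resolver it talks to is DNSSEC-aware, and a resolver that validates signals it with the AD bit) can be made concrete at the wire level. The following is an added example, not code from the message, from ISC or from BIND; it builds a stub query that sets the EDNS0 DO bit so a DNSSEC-aware recursive returns signature records, and it decodes the header flags of a response to tell whether the recursive validated (AD set), answered without validating, or returned SERVFAIL. The response headers are constructed inline for illustration; the function and constant names are the example's own.

```python
import struct

# Header flag bits (second 16-bit word of the DNS header; RFC 1035 and RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: the recursive resolver validated this answer
FLAG_CD = 0x0010  # Checking Disabled: client wants unvalidated data so it can validate itself
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT pseudo-RR's TTL field (RFC 3225)
RCODE_SERVFAIL = 2

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Build a stub-resolver query. With dnssec_ok the OPT RR asks the recursive
    to include RRSIG/DNSKEY records; with checking_disabled the stub asks for the
    data even if the recursive's own validation would fail, so it can validate."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/DO.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt

def query_requests_dnssec(msg):
    """True if the message ends in an OPT RR with the DO bit set (OPT last, as build_query emits it)."""
    if len(msg) < 12 + 11 or struct.unpack("!H", msg[10:12])[0] == 0:
        return False
    name, rtype, _udp_size, ttl, rdlen = struct.unpack("!BHHIH", msg[-11:])
    return name == 0 and rtype == 41 and rdlen == 0 and bool(ttl & EDNS_DO)

def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def interpret(resp):
    """Classify what a response header says about validation at the recursive resolver."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"      # validation failure upstream, or an ordinary resolver error
    if h["ad"]:
        return "validated"     # recursive resolver validated and set AD
    return "unvalidated"       # answer returned without validation; AD clear

# Constructed response headers (not real captures): same txid as build_query's default.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com.", 1)
    print("query asks for DNSSEC records:", query_requests_dnssec(q))
    for label, resp in (("validated", VALIDATED_RESPONSE),
                        ("unvalidated", UNVALIDATED_RESPONSE),
                        ("servfail", SERVFAIL_RESPONSE)):
        print(label, "->", interpret(resp))
```

The AD bit is only meaningful to a stub when the path to the recursive is trusted (the bit is set by the recursive, not by the zone owner), which is why a client that wants to validate for itself sends DO and CD and checks the RRSIGs it gets back; either way, a recursive that neither validates nor passes DNSSEC records along leaves the client nothing to check.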