Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-12.txt

Tony Finch <dot@dotat.at> Thu, 03 October 2019 11:11 UTC

Date: Thu, 03 Oct 2019 12:11:14 +0100
From: Tony Finch <dot@dotat.at>
To: dnsop@ietf.org
In-Reply-To: <B640CD6C-863D-44E7-A085-BE44D2D3BCCC@dukhovni.org>
Message-ID: <alpine.DEB.2.20.1910031202210.11804@grey.csi.cam.ac.uk>
References: <156997343802.26389.15326556193059712475@ietfa.amsl.com> <alpine.DEB.2.20.1910021250120.11804@grey.csi.cam.ac.uk> <B640CD6C-863D-44E7-A085-BE44D2D3BCCC@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R9tzrDuiJAohLVbUA2C7OYd8NPg>

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> > On Oct 2, 2019, at 8:01 AM, Tony Finch <dot@dotat.at> wrote:
> >
> > Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG
> > missing)?
>
> No it is not.  The indeterminate state happens when DS RRset lookups
> servfail for the zone or one of its ancestors; this could be a lookup
> timeout or a validation issue.  So not identical with DNSKEY missing.

So EDE 22 or 23 then? You can't handwave "validation issue" here because
the point of these error codes is to explain what kind of validation
issue.

> > [ I'm still not convinced "indeterminate" is a coherent validation state... ]
>
> It happens when glue NS records are available, but DS RRsets are not.

That is "insecure".

I think the definitions of the terms in RFC 4033 are a lot more clear than
RFC 4035. By the 4033 definitions the distinction between insecure and
indeterminate is whether you have a covering trust anchor or not, so
nothing is indeterminate any more for normal validator configurations.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Dover, Wight: South 4 or 5, veering west 5 to 7, perhaps gale 8 later. Slight
or moderate, becoming moderate or rough, occasionally very rough later in
Wight. Fair then rain. Good, occasionally poor.
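As an added illustration of the RFC 4033 section 5 definitions Tony refers to (example code written for this page, not from the draft, from BIND, or from either participant), the following Python model classifies a name as Secure, Insecure, Bogus or Indeterminate from the validator's configured trust anchors plus the evidence it holds for each zone cut on the path. The zone names, the per-zone evidence values and the trust-anchor sets are constructed sample data; the point it shows is the one in the message: "Indeterminate" is only reachable when no configured trust anchor covers the name, so a validator with a root trust anchor never produces it, and a missing DS (proven by signed NSEC/NSEC3) yields "Insecure", not "Indeterminate".

```python
"""Model of the RFC 4033 section 5 validation states.

Secure        : covering trust anchor, chain of trust, all signatures verify
Insecure      : covering trust anchor, and a signed proof of no DS at some
                delegation on the path (the tree below is unsigned)
Bogus         : covering trust anchor and a secure delegation, but the data
                fails to validate
Indeterminate : no configured trust anchor covers the name at all

Constructed sample data; not a real validator.
"""

# Evidence the validator holds for a zone cut (constructed labels).
SIGNED = "signed"      # DS above, DNSKEY/RRSIGs verify
UNSIGNED = "unsigned"  # signed NSEC/NSEC3 proof that there is no DS
BROKEN = "broken"      # DS says signed, but DNSKEY/RRSIGs do not verify

# Constructed sample tree: which zone cuts exist and what we know of them.
ZONES = {
    ".": SIGNED,
    "com.": SIGNED,
    "example.com.": SIGNED,
    "unsigned.example.com.": UNSIGNED,   # delegation with proven no-DS
    "bad.example.com.": BROKEN,          # delegation whose keys fail
    "net.": SIGNED,
    "island.net.": SIGNED,               # used as an island-of-trust anchor
}


def ancestors(name):
    """Yield names from the root down to `name` itself, fully qualified.

    'www.example.com.' -> '.', 'com.', 'example.com.', 'www.example.com.'
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def covering_anchor(name, trust_anchors):
    """Return the deepest configured trust anchor at or above `name`,
    or None when no anchor covers it (the RFC 4033 "Indeterminate" case)."""
    anchor = None
    for zone in ancestors(name):
        if zone in trust_anchors:
            anchor = zone
    return anchor


def classify(name, trust_anchors, zones=ZONES):
    """Classify `name` per RFC 4033 section 5 given the anchors and evidence.

    Walk the zone cuts from the covering anchor downwards; the first
    delegation that is proven unsigned makes everything below Insecure,
    the first that fails to verify makes the answer Bogus.
    """
    anchor = covering_anchor(name, trust_anchors)
    if anchor is None:
        return "Indeterminate"
    below_anchor = False
    for zone in ancestors(name):
        if zone == anchor:
            below_anchor = True
        if not below_anchor or zone not in zones:
            continue            # above the anchor, or not a zone cut
        state = zones[zone]
        if state == UNSIGNED:
            return "Insecure"
        if state == BROKEN:
            return "Bogus"
    return "Secure"


def indeterminate_names(names, trust_anchors, zones=ZONES):
    """Which of `names` a validator with these anchors would call Indeterminate."""
    return [n for n in names if classify(n, trust_anchors, zones) == "Indeterminate"]


if __name__ == "__main__":
    sample = ["www.example.com.", "host.unsigned.example.com.",
              "bad.example.com.", "a.island.net."]
    # Normal configuration: root trust anchor. Nothing is Indeterminate.
    for n in sample:
        print(f"root anchor   {n:30} {classify(n, {'.'})}")
    # Island of trust only: names outside it have no covering anchor.
    for n in sample:
        print(f"island anchor {n:30} {classify(n, {'island.net.'})}")
```

With only `"."` configured, `indeterminate_names(...)` is empty for every name in the tree, which is the "normal validator configuration" observation in the message; a DS-lookup SERVFAIL is not represented here at all, because in this model it is a lookup failure rather than one of the four validation outcomes.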