Re: [DNSOP] Should root-servers.net be signed

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Sat, 20 March 2010 14:26 UTC

Return-Path: <nweaver@ICSI.Berkeley.EDU>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 579A43A68CC for <dnsop@core3.amsl.com>; Sat, 20 Mar 2010 07:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.533
X-Spam-Level:
X-Spam-Status: No, score=-5.533 tagged_above=-999 required=5 tests=[AWL=-0.064, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pXg6LSbfdJ+2 for <dnsop@core3.amsl.com>; Sat, 20 Mar 2010 07:26:36 -0700 (PDT)
Received: from fruitcake.ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU [192.150.186.11]) by core3.amsl.com (Postfix) with ESMTP id 1AA9E3A697B for <dnsop@ietf.org>; Sat, 20 Mar 2010 07:26:35 -0700 (PDT)
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id o2KEQkht008080; Sat, 20 Mar 2010 07:26:46 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
X-Priority: 3
In-Reply-To: <A919A34B654541468475464F0C794962@localhost>
Date: Sat, 20 Mar 2010 07:26:46 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <DB12142D-3A84-42AA-BEB0-844328AC5D28@ICSI.Berkeley.EDU>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost><0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca><alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk><A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca><43FC3F50679F458A869F99D72ECD1237@localhost><20100309151726.GC5108@dul1mcmlarson-l1-2.local> <6C56581E-D4F4-4A49-A3B4-CB7F1CF42E29@icsi.berkeley.edu> <183BEF785A9844F186558A87848A6698@localhost> <061F30F4-E0EE-40E6-A54D-246D9E9A9D77@ICSI.Berkeley.EDU> <6D6F580F8CFB4DB5AB32566FB608088D@localhost> <57BC5F21-B1EE-4D06-BB1B-3DC8582D0D87@ICSI.Berkeley.EDU> <03CF4A3B5B374C4C858DEEB2D66C0702@localhost> <AA116C2A-CCFC-4177-A43A-B3AA066B3C3C@ICSI.Berkeley.EDU> <7F872C0CAA544F9480BF49438AAFA3BF@localhost> <68584293-648A-4F4E-8731-785E8F4D38B7@ICSI.Berkeley.EDU> <662061674DB34DB395F519F52B0C4C35@localhost> <9B17C765-036B-40BD-B05A-E1A3E4582D91@ICSI.Berkeley.EDU> <A919A34B654541468475464F0C794962@localhost>
To: George Barwood <george.barwood@blueyonder.co.uk>
X-Mailer: Apple Mail (2.1077)
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Mar 2010 14:26:37 -0000

On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>> Enshrining "tho shalt never fragment" into the Internet Architecture is dangerous, and will cause far MORE problems. Having something which >regularly exercises fragmentation as critical to the infrastructure and we wouldn't have this problem where 10% of the resolvers are broken WRT >fragmentation.
> 
> I'm not suggesting that. If the higher level protocol has definite security checks, or security is not important,
> fragmentation is ok. But for DNSSEC neither of these is true.

Then what you're arguing here is don't request stuff with DO unless you are willing to validate.  Given the exercise of DO requesting is done (the firewalls have figured it out), drop DO on unvalidated traffic, don't drop fragmentation.