IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

Bob Harold <rharolde@umich.edu> Mon, 11 May 2015 16:19 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51BAE1A8F3A for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5knaPvDRbnr for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:19:20 -0700 (PDT)
Received: from mail-yk0-f174.google.com (mail-yk0-f174.google.com [209.85.160.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EE6D1A8AC8 for <dnsop@ietf.org>; Mon, 11 May 2015 09:19:20 -0700 (PDT)
Received: by ykft189 with SMTP id t189so38944689ykf.1 for <dnsop@ietf.org>; Mon, 11 May 2015 09:19:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=oGMkNUuviOxFACA/HUekG2pJqD9Wz+GYde5gNo579Go=; b=DLASMQR3IeS1zEwddAz13Y6mBK9ZS8BZDPN1nXmAVP/lta1febCPr0iQz+y2+1HFSQ rL6856w+3ZL8IyigLHnC3F3z+I+hRGouHsmy/E66i9rl6s1oxFAkMom9QX+XHgZRH+6q eJMiQ1NFTy4/eslDXod79P0xiW/RId+MZi7XolvDNp4ANIqNMAZZBjFUfQBpD8aoV7mA O/kQAgrWH4LVWvoooHoLDFuNjQL0vUVwllG+wSKo/+MHGr/iPJryn/ROuY156fTS43Bh yrtfIO/WU6eaM1jJKo+F1izd1CV/rrw3Bis19Ue7KRKU3xWw2fdRCASLy21gUUIKIO+g HtGA==
X-Gm-Message-State: ALoCoQl/LeChIkHpvda01ua4dIII5TsJdnXP34Uv/8aEPX5BbZdJq087+WyhdN+8yZqjvfMWcdGB
MIME-Version: 1.0
X-Received: by 10.170.127.7 with SMTP id t7mr12213408ykb.41.1431361159467; Mon, 11 May 2015 09:19:19 -0700 (PDT)
Received: by 10.13.226.194 with HTTP; Mon, 11 May 2015 09:19:19 -0700 (PDT)
In-Reply-To: <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com> <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com> <CAHw9_iLbx_soi1+LaSwMKarLcT1kBCrFdaX8diwMVZp70KeePA@mail.gmail.com> <20150509185028.GB74933@isc.org> <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com>
Date: Mon, 11 May 2015 12:19:19 -0400
Message-ID: <CA+nkc8A7SgQS6FNaXOGx1f4qKhSYTsGvR2keTWiksB6H47J=AQ@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a1139504874a51b0515d0bd79"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/XkjYdoog_NQgcv05QKBEb4UFOSk>
Cc: Evan Hunt <each@isc.org>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 16:19:22 -0000

On Mon, May 11, 2015 at 12:10 PM, 神明達哉 <jinmei@wide.ad.jp> wrote:

> At Sat, 9 May 2015 18:50:28 +0000,
> Evan Hunt <each@isc.org> wrote:
>
> > Actually, weirdly enough, after I implemented NTA's in BIND, one of the
> > very first applications somebody came up with for them was to temporarily
> > disable DNSSEC validation by setting an NTA for ".".  This was seen as
> > better than "rndc validation off" because he didn't have to send "rndc
> > validation on" afterward; it would just quiety switch itself back on
> > after a minute.  It's... actually a pretty clever hack, and I don't
> > really want to disable it.
> >
> > May I suggest: "An NTA placed at a node where there is a configured
> > positive trust anchor takes precendence over that trust anchor,
> effectively
> > disabling it.  Implementations MAY issue a warning when this occurs."
>
> Does this mean:
>
> A: All implementations that conform to this document should prefer the
>    NTA over the positive anchor in such a case, or
> B: This is implementation-dependent, but if an implementation allows
>    the coexistence of positive and negative anchors, it should prefer
>    the NTA, or
> C: something else?
>
> I don't have a strong opinion between A and B, but I'd like this
> document to be clear on this.  And, if it means A, I'd use an RFC2119
> keyword (it's probably a SHOULD).
>
> --
> JINMEI, Tatuya
>

I think "A" is the right answer.  Otherwise you run into situations where
you need an NTA, but it won't work.
I am not even sure there is a good reason for a  warning.  The zone is
supposed to be signed, but the signing is broken, and the resolver operator
has determined that it is due to a mistake, and decided to apply an NTA,
same as any other situation.  Whether the signing comes from the root or a
positive anchor seems irrelevant to me.

-- 
Bob Harold

v2.23.0 | Report a Bug | By Email