Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

Evan Hunt <each@isc.org> Tue, 03 April 2018 16:08 UTC

Date: Tue, 03 Apr 2018 16:08:46 +0000
From: Evan Hunt <each@isc.org>
To: Geoff Huston <gih902@gmail.com>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>
Message-ID: <20180403160846.GA27326@isc.org>
References: <039408B0-89EE-4038-B9C9-CBCC35EC24EC@isc.org> <64816369-700A-4413-B1F0-160FB145EE6C@gmail.com> <2294986E-D515-470C-8232-9EA7646729EC@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZWp4jw-DFytpBWCRL4boVmlu9uY>
Subject: Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

On Tue, Apr 03, 2018 at 06:32:49PM +1000, Geoff Huston wrote:
> So this text is saying that the AD bit is set if the resolver considers all
> RRsets in the Answer section to be authentic. Fair enough.

More correctly, the bit is cleared if the resolver *doesn't* consider all
RRsets to be validly signed, but the distinction probably isn't that
important here.

> What happens when neither DO nor AD is set in the request? 

"dig +noedns +noadflag" will produce such a query, if you want to try
it out.

> Do you get a response that is authentic (but without any explicit signalling
> in the response  that would indicate that authentication has occurred) or the
> Servfail response in the case where authentication fails?

This. The resolver attempts validation and returns a plain-looking answer
if the response was valid or provably insecure, SERVFAIL if bogus.

> Or do you get a response that is not necessarily authenticated even though
> the CD bit is not set?
> 
> If it's the former then the AD bit may or may not be set on responses even
> though they have been "DNSSEC validated"

That's correct.

(Also the AD flag can easily be turned on or off by an intermediate proxy,
so you should never rely on it for much of anything, really.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
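The resolver behaviour discussed in this thread, as an added illustration that is not part of the original post: validation is always attempted for a CD-clear query, secure or provably insecure data comes back as a normal answer and bogus data as SERVFAIL, and AD is set on the response only when every RRset validated and the query carried either the AD bit or EDNS DO (RFC 6840 section 5.7). The header bytes, the validation outcome strings and the function names are constructed for the example.

```python
import struct

NOERROR, SERVFAIL = 0, 2
FLAG_AD, FLAG_CD, FLAG_RD = 0x0020, 0x0010, 0x0100
EDNS_DO = 0x8000  # DO is the high bit of the OPT RR's 32-bit TTL (RFC 6891)


def parse_header_flags(wire: bytes) -> dict:
    """Decode RD/AD/CD from the 16-bit flags word of a DNS header."""
    _ident, flags = struct.unpack("!HH", wire[:4])
    return {
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
    }


def opt_has_do(opt_ttl: int) -> bool:
    """DO lives in the OPT pseudo-RR, not in the header flags."""
    return bool(opt_ttl & EDNS_DO)


def resolver_response(validation: str, query_ad: bool, query_do: bool):
    """(rcode, ad_bit) a validating resolver returns for a CD-clear query.

    validation is the outcome of the resolver's own check:
    "secure", "insecure" (provably unsigned) or "bogus".
    """
    if validation == "bogus":
        return SERVFAIL, False
    if validation not in ("secure", "insecure"):
        raise ValueError(validation)
    # AD only when everything validated AND the client asked (AD or DO set).
    ad = validation == "secure" and (query_ad or query_do)
    return NOERROR, ad


# Constructed query headers (id 0x1234, QDCOUNT 1):
# "dig +noedns +noadflag": RD only, no OPT record at all.
PLAIN_QUERY = struct.pack("!HHHHHH", 0x1234, FLAG_RD, 1, 0, 0, 0)
# default dig: RD|AD in the header plus an OPT RR with DO set (ARCOUNT 1).
DIG_DEFAULT_QUERY = struct.pack("!HHHHHH", 0x1234, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
DIG_DEFAULT_OPT_TTL = EDNS_DO


def simulate(validation: str, header: bytes, opt_ttl=None):
    """Run the rule above against a constructed query; assumes CD is clear."""
    q = parse_header_flags(header)
    do = opt_ttl is not None and opt_has_do(opt_ttl)
    return resolver_response(validation, q["ad"], do)
```

Nothing here checks a signature; an AD bit seen at a stub is only a bit on the wire, which is the point of the caveat about intermediate proxies.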