Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
Evan Hunt <each@isc.org> Mon, 17 November 2014 07:12 UTC
Date: Mon, 17 Nov 2014 07:12:50 +0000
From: Evan Hunt <each@isc.org>
To: Doug Barton <dougb@dougbarton.us>
Message-ID: <20141117071250.GA55492@isc.org>
References: <54691B0A.6060508@gmail.com> <54692F7A.6030803@dougbarton.us>
In-Reply-To: <54692F7A.6030803@dougbarton.us>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/bIn1XI50FI3svtxKBFpw_1bYKDE
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
On Sun, Nov 16, 2014 at 03:12:58PM -0800, Doug Barton wrote:
> Before commenting further I'd love the authors to flesh
> out their reasoning for not simply slaving the zone where possible.

I'm not one of the authors, but I can give you an answer: in BIND, and
I believe in other DNS implementations as well, local authoritative data
isn't subject to DNSSEC validation.

> (And yes, I'm aware that one of the primary motivators is DNSSEC, but the
> only thing in the root that we care about are the DS records, and a
> validating resolver is going to chase those up to its trust anchor
> anyway.)

No. If the root zone is slaved locally in the same view as the validator,
then the server (correctly) sees the top level DS as local authoritative
data, and presumes it to be valid.

(I just tested BIND to confirm this. The log shows that org/DNSKEY,
isc.org/DS, and isc.org/DNSKEY were validated, but org/DS wasn't.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
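The two BIND 9 named.conf layouts the message contrasts, as an added example (not configuration from this thread, from the draft, or from ISC): the first slaves the root zone into the same view as the validating recursive server, which is the case Evan describes, where the top-level DS records are local authoritative data and never get validated; the second keeps the slaved copy in its own view that answers only on a loopback destination, and the recursive view reaches it through a static-stub zone, so the DS records arrive as ordinary non-local answers that must validate against the root trust anchor. The two fragments are alternative files, not one file. Assumed: BIND 9.8 or later (for static-stub), the loopback address 127.12.12.12, 192.0.2.53 as a placeholder for the real service address, and transfer sources that permit AXFR of the root zone (the addresses below did when this was written; verify them before use).

```conf
// ---------------------------------------------------------------------
// File 1 (weak): root zone slaved into the same view as the validator.
// Added example, not from the thread. With this layout the validator
// sees org/DS as local authoritative data and presumes it valid, so the
// chain from the root trust anchor to org/DS is never actually checked.
// ---------------------------------------------------------------------
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;       // trust anchor is managed, but unused for "."
};

zone "." {
    type slave;
    file "root.db";
    notify no;
    // Assumed transfer sources that permit AXFR of the root zone.
    masters { 192.5.5.241; 192.0.32.132; 192.0.47.132; };
};

// ---------------------------------------------------------------------
// File 2 (corrected): slaved root zone isolated in its own view on a
// loopback destination; the recursive view queries it like any other
// authoritative server and validates the answers.
// ---------------------------------------------------------------------
options {
    directory "/var/named";
    // 127.12.12.12 is the assumed loopback address for the root view;
    // 192.0.2.53 stands in for the address clients actually query.
    listen-on { 127.12.12.12; 127.0.0.1; 192.0.2.53; };
};

// Views are matched in order: anything sent to 127.12.12.12 lands here.
view "root" {
    match-destinations { 127.12.12.12; };
    recursion no;
    zone "." {
        type slave;
        file "root.db";
        notify no;
        masters { 192.5.5.241; 192.0.32.132; 192.0.47.132; };
    };
};

// Everything else is served by the validating recursive view, which has
// no local copy of "." and so cannot treat root data as authoritative.
view "recursive" {
    match-clients { localnets; };
    recursion yes;
    dnssec-validation auto;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

To see the difference the message reports, turn on validator logging (a `logging` block with `category dnssec` at `severity debug 3`) or run `delv @127.0.0.1 org DS +vtrace` against each layout: with the first file the trace never validates org/DS, with the second it does. The separate view (or a separate named instance on the loopback address, which the draft also allows) is what makes the root data non-local to the validator; simply adding `dnssec-validation auto` to the one-view layout does not.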