IETF Logo Mail Archive

Re: [DNSOP] Definition of "validating resolver"

Tony Finch <dot@dotat.at> Mon, 09 March 2015 14:30 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1011A8A28 for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 07:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nycdnWt37aQx for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 07:29:53 -0700 (PDT)
Received: from ppsw-51.csi.cam.ac.uk (ppsw-51.csi.cam.ac.uk [131.111.8.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C3871A89A7 for <dnsop@ietf.org>; Mon, 9 Mar 2015 07:29:34 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:52411) by ppsw-51.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1YUygW-0001m2-Wo (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 09 Mar 2015 14:29:32 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1YUygW-0002U6-35 (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 09 Mar 2015 14:29:32 +0000
Date: Mon, 09 Mar 2015 14:29:32 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4ED4C5C6-9F32-4C16-9755-650B1F724C7F@vpnc.org>
Message-ID: <alpine.LSU.2.00.1503091403130.23307@hermes-1.csi.cam.ac.uk>
References: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org> <alpine.LSU.2.00.1503091035500.23307@hermes-1.csi.cam.ac.uk> <4ED4C5C6-9F32-4C16-9755-650B1F724C7F@vpnc.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/bMztfx6TmNHtntr3GfBRnv5bIxc>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Definition of "validating resolver"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 14:30:00 -0000

Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Mar 9, 2015, at 3:45 AM, Tony Finch <dot@dotat.at> wrote:
> >
> > Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >>
> >> My personal interpretation is that "validating resolver" is a synonym
> >> for "security-aware resolver". Do others agree? If not, how would you
> >> differentiate them?
> >
> > No, "security-aware" means that the doftware understands the special
> > semantics of RRSIG, NSEC, DS, etc. but does not necessarily validate.
>
> What does "understand" mean in that sentence?

The software has to implement the parts of DNSSEC which are incompatible
with security-oblivious DNS.

RRSIG records are part of the RRset they sign, not a separate RRset of
their own.

Proof of nonexistence requires returning NSEC(3) records in responses.

DS records have to be queried at the parent not the zone apex.

etc.

> > It is clear from RFC 4033 that validation is separate from security
> > awareness because of "Non-Validating Security-Aware Stub Resolver".
>
> Maybe. Note that this is the only defined term with "non-validating" in
> it. Was this possibly an artifact of the world-view that Ralf mentioned?

Maybe. I agree with most of what Ralf said. However while we may not think
it makes sense to deploy a non-validating resolver, a large proportion of
the resolvers out there are non-validating and security-aware.

> > For instance, by default, BIND is a security-aware validating resolver.
> > (Except it can't validate anything until you configure a trust anchor.)
> > You can turn off validation with "dnssec-validation no" and switch it into
> > security-oblivious mode with "dnssec-enable no".
>
> If you turn off validation with "dnssec-validation no", in what way is
> it security-aware any more?

It matters wrt the protocol support that is provided to downstream
clients.

All upstream servers of a validator have to be security-aware or the
validator will not work. So if I turn off validation on my recursive
server and flush its cache, I can still use a validating stub. The stub
will make DO=1 queries so the server will return the RRSIG and NSEC
records that the stub needs to be able to validate. If I turn off DNSSEC
support in my recursive server, my stub can no longer validate the
responses because the necessary information is not returned.

Obviously a non-validating recursive server isn't a good setup from the
DNSSEC point of view, but there is an important distinction between
working (security-aware but vulnerable to cache poisoning) and completely
broken (because security-oblivious).

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Tyne, Dogger, Fisher, German Bight, Humber: South veering west 5 to 7,
occasionally gale 8, except in Humber. Moderate or rough, becoming very rough
in Fisher. Rain for a time. Moderate or good.

v2.23.0 | Report a Bug | By Email