Re: [DNSOP] question regarding draft-ietf-dnsop-aname-03.txt/proof of non-existence of the ANAME record
Richard Gibson <richard.j.gibson@oracle.com> Thu, 30 May 2019 14:56 UTC
Return-Path: <richard.j.gibson@oracle.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 340EE120273 for <dnsop@ietfa.amsl.com>; Thu, 30 May 2019 07:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UG8Xy3fa6hAL for <dnsop@ietfa.amsl.com>; Thu, 30 May 2019 07:56:19 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92D0B12024A for <dnsop@ietf.org>; Thu, 30 May 2019 07:56:19 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4UEmi8W008065; Thu, 30 May 2019 14:56:17 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=2LAxtz1hdWAJ7Xl//0s+A7yQqyWMKcrb12phJ/bg0bU=; b=3kmV2Y1h3XsLzjhVENfrB4HhYctVcdZCABbvBcpgFlSoDztjcGV9tlhtQbp7kYEOWuFc uJomvHxL9Uz05xQGzwaI+lqPLCR4a2NfTPB9z7ucTZIcmhaeoA/0fL8i3MRBoHj3De9y Ii7JPXPS94FbudxeAfGB8xZ4F7xopI/4D1z3PHwm5GvtTzXhTSAjq7Wa+V+jgaWQFWwz w3H+8WOpNk/J2cQ1E62v0q7h+QSKeof8JoUq0gs8VJwr8DsDmwSJaoQoS9CLylxpwM9w Zilff74p0wO9c/m4G8tMiHhAD64DuDFHtiWNFxaDp7ClLj89INb1bPR8bPzv3aO0Bc8v Uw==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by aserp2130.oracle.com with ESMTP id 2spu7drvqt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 30 May 2019 14:56:17 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4UEu4D3161352; Thu, 30 May 2019 14:56:16 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userp3020.oracle.com with ESMTP id 2sr31vwkg5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 30 May 2019 14:56:16 +0000
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x4UEuFpq020404; Thu, 30 May 2019 14:56:15 GMT
Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 30 May 2019 07:56:15 -0700
To: Klaus Malorny <Klaus.Malorny@knipp.de>, dnsop@ietf.org
References: <99f63475-40dc-8e82-9acf-1311326dc9dc@knipp.de>
From: Richard Gibson <richard.j.gibson@oracle.com>
Message-ID: <d35c6f07-3891-e978-119b-30d8b786fd53@oracle.com>
Date: Thu, 30 May 2019 10:56:10 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <99f63475-40dc-8e82-9acf-1311326dc9dc@knipp.de>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9272 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905300106
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9272 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905300106
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ei09pZoCeF3ccE0GsdUjREiDIy4>
Subject: Re: [DNSOP] question regarding draft-ietf-dnsop-aname-03.txt/proof of non-existence of the ANAME record
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 14:56:23 -0000
When an authoritative server receives a request with QTYPE=AAAA (without loss of generality with respect to A or any future ANAME-affected address record) for a domain name in a signed zone, there is either a relevant ANAME or there is not. In the case where there a relevant ANAME, the server should include it with covering RRSIG(s) in the Additional section and AAAA records (whether static or derived from the ANAME) with covering RRSIG(s) in the Answer section. Intermediate servers may not replace the Answer section records with their own ANAME-derived data unless they can either cover them with valid RRSIG(s) or are responding to their own client without DNSSEC. In the case where there is no relevant ANAME, which is currently always the case, I don't think the server is under any obligation to make claims about records that could have affected the response if they existed. Its response should include RRSIG(s) proving either the authenticity of the AAAA RRSet or its nonexistence (as appropriate). On 5/29/19 03:52, Klaus Malorny wrote: > > > Hi all, > > while still struggling with the basic ANAME processing (as described > in my other mail), I wondered whether with DNSSEC, an authoritative > name server MAY, SHOULD or MUST prove the non-existence of an ANAME > record when it receives an A or AAAA query and no sibling ANAME record > exists for the delivered address records. > > My personal opinion is that there is no big harm if a > man-in-the-middle silently removes the ANAME record from the response, > as the returned address records should still point to some valid > hosts, so I would not include it. In the case that there are neither > address records nor an ANAME, the NSEC/NSEC3 record which covers the > non-existing address record would also cover the ANAME, so this case > is not a problem at all. > > Nevertheless, I wanted to bring this to your attention just in case > that you haven't considered that already (it is not clear from the > spec that you did). > > Regards, > > Klaus > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=PUSMRyGtOXnqCa18KWsTXNcKZ2vsDfzkAaUWJLf9W18&s=jB7ql9ejEIrE_BQZMnZT83PY05rG6hg0nrmQxbrhiwU&e= >
- [DNSOP] question regarding draft-ietf-dnsop-aname… Klaus Malorny
- Re: [DNSOP] question regarding draft-ietf-dnsop-a… Richard Gibson