IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

Bob Harold <rharolde@umich.edu> Thu, 20 November 2014 17:28 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3029E1A1BD7 for <dnsop@ietfa.amsl.com>; Thu, 20 Nov 2014 09:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFwmedbjqjin for <dnsop@ietfa.amsl.com>; Thu, 20 Nov 2014 09:28:11 -0800 (PST)
Received: from mail-oi0-f42.google.com (mail-oi0-f42.google.com [209.85.218.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 753B61A1BD6 for <dnsop@ietf.org>; Thu, 20 Nov 2014 09:28:11 -0800 (PST)
Received: by mail-oi0-f42.google.com with SMTP id v63so2387071oia.29 for <dnsop@ietf.org>; Thu, 20 Nov 2014 09:28:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=MRfjM3/hYDajw998o0BRWZmxdZ5gIm17oMp0E2NxmrM=; b=klFbramGfNSc0lZLND3wvbOGl3W486LqFIdtxtL+gePRxEqxr+uyelQju8DHBiNOlX EzrpzMcqOUxgXkrOwyh2q9wkSekZu72YudvagMnz/vcqvNTsHxMdaVb6aJgFaG9K9Wi4 XV5XYx+z4//ZvTo4mejZZLcNdRA4eNHrXaLndhcqPev+FdWfc61KP3oxsed5nqWqhehI 85hC/CjC0qvuunjPs6HruLuQpNVoENMYMoQbeAC+riDA07avFVO5kwY4mkcLSc/bg5Gy Xg9dsYqQzQNe0z/vxY/QiVnMXZMfFuDp38wfuOvBZj6oCnQvfM3DPsxagdj+6LEpOkPO IaEg==
X-Gm-Message-State: ALoCoQmcnllpM5NHt680gdJHCa07D3+QJbbOZ08XO6/39CMgY+PcWSulQto0y9LVCqpDjeuSfYe0
MIME-Version: 1.0
X-Received: by 10.182.241.195 with SMTP id wk3mr42716248obc.33.1416504490583; Thu, 20 Nov 2014 09:28:10 -0800 (PST)
Received: by 10.76.133.130 with HTTP; Thu, 20 Nov 2014 09:28:10 -0800 (PST)
In-Reply-To: <546E2287.7080909@dougbarton.us>
References: <54691B0A.6060508@gmail.com> <54692F7A.6030803@dougbarton.us> <20141117071250.GA55492@isc.org> <546A73B6.2060005@dougbarton.us> <20141117225045.GA35924@isc.org> <546A873F.8060402@dougbarton.us> <546E2287.7080909@dougbarton.us>
Date: Thu, 20 Nov 2014 12:28:10 -0500
Message-ID: <CA+nkc8ASDUe4TfTQ6SaiZxK6ctvN3VzR58Fdij6bcRgaW8Hx7g@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="089e01634b7efbf66605084da637"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/fJIeEF4Gb1oLF3BwZ8ed51A5qAQ
Subject: Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 17:28:14 -0000

I agree:   the "validate everything" knob seems like a win/win.

I would also like the option of verifying a DNSSEC domain when I do a zone
transfer, because that might be more efficient.

-- 
Bob Harold
University of Michigan

On 11/17/14 3:39 PM, Doug Barton wrote:
>
>> On 11/17/14 2:50 PM, Evan Hunt wrote:
>>
>>> On Mon, Nov 17, 2014 at 02:16:22PM -0800, Doug Barton wrote:
>>>
>>>> That seems like something that should be fixable in BIND, yes? (And
>>>> thanks for doing that testing, btw)
>>>>
>>>
>>> Yes, by using two views and slaving the root in one of them and
>>> validating
>>> in the other one, like it recommends in the draft. :)
>>>
>>
>> :)
>>
>>  With a single view, if you're authoritative for a zone, then you're
>>> the authority, period.  You *know* the corect answer.  Validating
>>> yourself
>>> to find out whether you're lying to yourself would be somewhat silly.
>>>
>>
>> ... except in the case where you're an authoritative slave, not the
>> authoritative master.
>>
>> But even as the master, let's say you do off-line signing, and now the
>> file is sitting on the name server. I would still like to see a knob
>> that says "validate everything, even if I'm authoritative for it" since
>> that data file may have been tampered with. Perhaps that's needlessly
>> paranoid (if they can attack the file they can probably attack other
>> things as well), but in the case of a validating resolver that is also
>> slaving signed data, "validate everything just in case" makes a lot of
>> sense to me.
>>
>> I would even go so far as to argue that the fact this isn't done is an
>> oversight, since even if you're authoritative for a given strata there
>> is always a signer a level above you. In the case of the root zone
>> that's the root KSK, so even if I'm "authoritative" for the root zone I
>> would still want the data in it to be validated when it's used.
>>
>> ... and yes, I realize that the different views (or different instances)
>> trick will work, but now you're doing more work than you would have to
>> do if there was a "validate everything" knob, PLUS you have the
>> disadvantage of your resolving view caching data for long periods even
>> though that data has changed in the slave view. So to me the "validate
>> everything" knob seems like a win/win. Am I missing something?
>>
>
>

v2.23.0 | Report a Bug | By Email