Re: [DNSOP] Definition of "validating resolver"
Ralf Weber <dns@fl1ger.de> Sun, 08 March 2015 22:32 UTC
Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 734771A01D5 for <dnsop@ietfa.amsl.com>; Sun, 8 Mar 2015 15:32:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.746
X-Spam-Level: **
X-Spam-Status: No, score=2.746 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_NET=0.611, HOST_EQ_STATICB=1.372, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nw-mz0fvvcH0 for <dnsop@ietfa.amsl.com>; Sun, 8 Mar 2015 15:32:06 -0700 (PDT)
Received: from smtp.guxx.net (static.85-10-208-173.clients.your-server.de [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id 138251A01C6 for <dnsop@ietf.org>; Sun, 8 Mar 2015 15:32:06 -0700 (PDT)
Received: by nyx.guxx.net (Postfix, from userid 107) id 6CE425F40EA2; Sun, 8 Mar 2015 23:32:03 +0100 (CET)
Received: from PorcupineTree (cpe-66-27-183-230.dc.res.rr.com [66.27.183.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 08D575F40E53; Sun, 8 Mar 2015 23:32:01 +0100 (CET)
Date: Sun, 08 Mar 2015 15:31:57 -0700
From: Ralf Weber <dns@fl1ger.de>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20150308223157.GA2770@PorcupineTree>
References: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/fwDqT7qomhZLndWnqcuskjY8oxk>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Definition of "validating resolver"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2015 22:32:07 -0000
Moin! On Sun, Mar 08, 2015 at 12:21:49PM -0700, Paul Hoffman wrote: > Greetings again. Paul Wouters noticed an inconsistency in the terminology > draft, and upon investigation, I believe it is a problem (hopefully > fixable) with the definitions in RFC 4033. RFC 4033 and 4035 use the term > "validating resolver" in a few places. However, RFC 4033 never defines > that. RFC 4033 *does* define "security-aware resolver": > > Security-Aware Resolver: An entity acting in the role of a resolver > (defined in section 2.4 of [RFC1034]) that understands the DNS > security extensions defined in this document set. In particular, > a security-aware resolver is an entity that sends DNS queries, > receives DNS responses, supports the EDNS0 ([RFC2671]) message > size extension and the DO bit ([RFC3225]), and is capable of using > the RR types and message header bits defined in this document set > to provide DNSSEC services. > > My personal interpretation is that "validating resolver" is a synonym for > "security-aware resolver". Do others agree? If not, how would you > differentiate them? I was told that the difference is that a security aware resolver does not validate, but instead relies on the "Validating Stub Resolver" to protect the user. So it would handle all the DNSSEC processing to the authoritative and would store the records with signatures in the cache, but it wouldn't check if they are valid. The people who told me that interpreation of the RFC never did deploy DNSSEC and thankfully most of the people who did and deployed DNSSEC used validating and security aware resolvers. I don't think it makes sense to deploy a caching resolver without validation. So would be ok if we define it as you suggest. So long -Ralf
- [DNSOP] Definition of "validating resolver" Paul Hoffman
- Re: [DNSOP] Definition of "validating resolver" Paul Wouters
- Re: [DNSOP] Definition of "validating resolver" Ralf Weber
- Re: [DNSOP] Definition of "validating resolver" Tony Finch
- Re: [DNSOP] Definition of "validating resolver" Ted Lemon
- Re: [DNSOP] Definition of "validating resolver" Paul Hoffman
- Re: [DNSOP] Definition of "validating resolver" Tony Finch
- Re: [DNSOP] Definition of "validating resolver" Willem Toorop
- Re: [DNSOP] Definition of "validating resolver" Mark Andrews
- Re: [DNSOP] Definition of "validating resolver" Florian Weimer