Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt
Paul Wouters <paul@nohats.ca> Mon, 04 April 2016 21:23 UTC
Date: Mon, 04 Apr 2016 17:23:23 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <20160404033239.9766.8255.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LFD.2.20.1604041720120.7069@bofh.nohats.ca>
References: <20160404033239.9766.8255.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/g99zMcvMlrWzJNlWYVj0M5pfsXA>
On Sun, 3 Apr 2016, internet-drafts@ietf.org wrote:

> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-roadblock-avoidance-04

The new text states:

   If the resolver is labeled as "Validator" or "DNSSEC aware"
      Send query through this resolver and perform local validation
      on the results. If validation fails, try the next resolver
   Else if the resolver is labeled "Not a DNS Resolver" or
   "Non-DNSSEC capable"
      Mark it as unusable and try next resolver
   Else if no more resolvers are configured and if direct queries
   are supported
      1. try iterating from Root
      2. If the answer is SECURE/BOGUS: Return the result of the
         iteration
      3. If the query is INSECURE: Re-query "Non-DNSSEC capable"
         servers and return answers from them w/o the AD bit set to
         the client. This will increase the likelihood that
         split-view unsigned answers are found.
   Else return a useful error code

Should item 3. be "if the answer is INSECURE" instead of "If the query
is INSECURE" ?

And should it be "w/o the DO and AD bit set" instead of "w/o the AD bit
set" ?

Paul
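As an added illustration that is not part of the draft or of this message, the quoted selection steps rendered in Python with the two readings Paul asks about applied: the fallback in step 3 keys on an INSECURE answer, and the re-query to "Non-DNSSEC capable" servers is sent with DO clear and handed back with AD clear. The Resolver.query callable, iterate_from_root and the stand-in resolvers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Validation states named in the quoted draft text.
SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"
Result = Optional[Tuple[str, Optional[str]]]  # (state, answer), or None if the query fails

@dataclass
class Resolver:
    name: str
    label: str  # "Validator", "DNSSEC aware", "Non-DNSSEC capable", "Not a DNS Resolver"
    query: Callable[[str, bool], Result]  # hypothetical stand-in: query(qname, do_bit)

def resolve(qname, resolvers, iterate_from_root=None):
    """Walk the resolver list as the quoted text describes.
    Returns (state, answer, ad_bit); state is None for 'a useful error code'."""
    non_dnssec = []
    for r in resolvers:
        if r.label in ("Validator", "DNSSEC aware"):
            res = r.query(qname, True)  # DO=1 so RRSIGs come back for local validation
            if res is not None and res[0] in (SECURE, INSECURE):
                return res[0], res[1], res[0] == SECURE
            # BOGUS (local validation failed) or no answer: try the next resolver
        else:  # "Not a DNS Resolver" / "Non-DNSSEC capable": unusable for validation
            if r.label == "Non-DNSSEC capable":
                non_dnssec.append(r)  # remembered for the INSECURE fallback below
    if iterate_from_root is None:
        return None, None, False  # direct queries unsupported: useful error code
    state, answer = iterate_from_root(qname)
    if state in (SECURE, BOGUS):
        return state, answer, state == SECURE
    # INSECURE answer (reading 1): re-query the non-DNSSEC-capable servers with
    # DO=0 (reading 2) and return their answer with AD clear, so a split-view
    # unsigned answer they hold is still found.
    for r in non_dnssec:
        res = r.query(qname, False)
        if res is not None:
            return INSECURE, res[1], False
    return INSECURE, answer, False

# Constructed stand-ins: a validator whose path yields BOGUS, and a legacy
# forwarder that only answers DO=0 queries and holds a split-view address.
def _bogus_validator(qname, do):
    return (BOGUS, None) if do else None
def _legacy_forwarder(qname, do):
    return None if do else (INSECURE, "10.0.0.5")  # constructed internal address
RESOLVERS = [Resolver("v1", "Validator", _bogus_validator),
             Resolver("legacy", "Non-DNSSEC capable", _legacy_forwarder)]
def _root_iteration(qname):
    return (INSECURE, "192.0.2.1")  # constructed public answer for an unsigned zone
```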