Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt

Paul Wouters <paul@nohats.ca> Mon, 04 April 2016 21:23 UTC

Date: Mon, 04 Apr 2016 17:23:23 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <20160404033239.9766.8255.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LFD.2.20.1604041720120.7069@bofh.nohats.ca>
References: <20160404033239.9766.8255.idtracker@ietfa.amsl.com>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/g99zMcvMlrWzJNlWYVj0M5pfsXA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-04.txt

On Sun, 3 Apr 2016, internet-drafts@ietf.org wrote:

> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-roadblock-avoidance-04

The new text states:

        If the resolver is labeled as "Validator" or "DNSSEC aware"

            Send query through this resolver and perform local
            validation on the results.

            If validation fails, try the next resolver

        Else if the resolver is labeled "Not a DNS Resolver" or
           "Non-DNSSEC capable"

            Mark it as unusable and try next resolver

        Else if no more resolvers are configured and if direct queries
        are supported
            1. Try iterating from Root

            2. If the answer is SECURE/BOGUS:
                 Return the result of the iteration

            3. If the query is INSECURE:
                 Re-query "Non-DNSSEC capable" servers and return
                 answers from them w/o the AD bit set to the client.

            This will increase the likelihood that split-view unsigned
            answers are found.

        Else return a useful error code


Should item 3. be "if the answer is INSECURE" instead of "If the query is INSECURE" ?

And should it be "w/o the DO and AD bit set" instead of "w/o the AD bit set" ?


Paul
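The fallback procedure quoted above, written out as an added example so the two questions in the message can be seen against concrete flag handling. This is not code from the draft or from Paul Wouters; the resolvers, validation outcomes and addresses are simulated in-process (no DNS packets are sent), and the names Label, Resolver, resolve() and clear_dnssec_bits() are this example's own. The AD bit is cleared because the draft text says so; the DO bit is additionally cleared to show the behaviour the message asks about, and that choice is marked as such in the comments.

```python
"""Model of the resolver-fallback procedure in
draft-ietf-dnsop-dnssec-roadblock-avoidance-04 (added example, simulated DNS)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, Optional


class Label(Enum):                 # the four labels used by the draft's text
    VALIDATOR = "Validator"
    DNSSEC_AWARE = "DNSSEC aware"
    NOT_A_RESOLVER = "Not a DNS Resolver"
    NON_DNSSEC = "Non-DNSSEC capable"


class Status(Enum):                # local validation outcome
    SECURE = "SECURE"
    INSECURE = "INSECURE"
    BOGUS = "BOGUS"


# DNS header flags as a 16-bit word (RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.1.6).
FLAG_AD = 0x0020
FLAG_CD = 0x0010
# EDNS(0) DO bit: high bit of the 16-bit extended flags in the OPT RR (RFC 3225 / RFC 6891).
EDNS_DO = 0x8000


@dataclass(frozen=True)
class Answer:
    rdata: tuple            # answer RRset, here just address strings
    flags: int              # DNS header flags word
    edns_flags: int         # OPT RR extended flags, 0 when no OPT RR was present
    status: Status          # what validation concluded about this answer


@dataclass
class Resolver:
    name: str
    label: Label
    respond: Callable[[str, bool], Answer]   # (qname, set DO on the query) -> Answer
    usable: bool = True


class ResolutionError(Exception):
    pass


def clear_dnssec_bits(ans: Answer) -> Answer:
    """Copy of ans with AD cleared in the header (draft text) and DO cleared
    in the OPT flags (the extra bit the message proposes clearing)."""
    return replace(ans, flags=ans.flags & ~FLAG_AD, edns_flags=ans.edns_flags & ~EDNS_DO)


def resolve(qname: str, resolvers: list, validate: Callable[[str, Answer], Status],
            iterate_from_root: Optional[Callable[[str], Answer]] = None) -> Answer:
    """Walk the configured resolvers as the quoted pseudocode does."""
    for r in resolvers:
        if r.label in (Label.VALIDATOR, Label.DNSSEC_AWARE):
            ans = r.respond(qname, True)          # query with DO so RRSIGs come back
            status = validate(qname, ans)
            if status is Status.BOGUS:
                continue                          # validation failed: try next resolver
            return replace(ans, status=status)
        else:                                     # "Not a DNS Resolver" / "Non-DNSSEC capable"
            r.usable = False
    if iterate_from_root is None:
        raise ResolutionError("no usable resolver and direct queries not supported")
    ans = iterate_from_root(qname)
    if ans.status in (Status.SECURE, Status.BOGUS):
        return ans
    # INSECURE from the root: re-query the "Non-DNSSEC capable" servers so a
    # split-view unsigned answer can be found, and hand it back with AD (and DO) cleared.
    for r in resolvers:
        if r.label is Label.NON_DNSSEC:
            plain = r.respond(qname, False)
            return clear_dnssec_bits(replace(plain, status=Status.INSECURE))
    return ans


# ---- constructed sample data; none of this is real DNS ----
def _signed_reply(qname, want_dnssec):           # honest validating resolver
    bits = (FLAG_AD, EDNS_DO) if want_dnssec else (0, 0)
    return Answer(("192.0.2.1",), bits[0], bits[1], Status.SECURE)

def _forged_reply(qname, want_dnssec):           # claims AD, but signatures do not verify
    return Answer(("198.51.100.9",), FLAG_AD, EDNS_DO, Status.BOGUS)

def _corp_reply(qname, want_dnssec):             # split-view answer; middlebox echoes AD/DO
    return Answer(("10.0.0.5",), FLAG_AD, EDNS_DO, Status.INSECURE)

def _validate(qname, ans):                       # simulated: replies carry their outcome
    return ans.status

def _iterate_from_root(qname):                   # public view of the zone is unsigned
    return Answer(("203.0.113.7",), 0, EDNS_DO, Status.INSECURE)


def demo_split_view() -> Answer:
    """Tampering validator, captive portal, legacy corporate resolver."""
    resolvers = [
        Resolver("tampering", Label.VALIDATOR, _forged_reply),
        Resolver("portal", Label.NOT_A_RESOLVER, lambda q, d: Answer((), 0, 0, Status.BOGUS)),
        Resolver("corp-legacy", Label.NON_DNSSEC, _corp_reply),
    ]
    return resolve("intranet.example", resolvers, _validate, _iterate_from_root)


def demo_secure() -> Answer:
    """A single DNSSEC-aware resolver whose answer validates locally."""
    return resolve("www.example", [Resolver("isp", Label.DNSSEC_AWARE, _signed_reply)],
                   _validate, _iterate_from_root)


if __name__ == "__main__":
    a = demo_split_view()
    print(a.rdata, a.status.value, f"AD={bool(a.flags & FLAG_AD)} DO={bool(a.edns_flags & EDNS_DO)}")
```

In the split-view scenario the tampering validator is skipped because its answer is BOGUS, the captive portal is marked unusable, root iteration returns INSECURE, and the corporate resolver's answer comes back to the client with both AD and DO cleared; in the secure scenario the first resolver's validated answer is returned as-is with AD still set.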