Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

Edward Lewis <> Thu, 02 November 2017 15:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8308413F82F for <>; Thu, 2 Nov 2017 08:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IRdcSgyXdtyZ for <>; Thu, 2 Nov 2017 08:41:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E92E113F44D for <>; Thu, 2 Nov 2017 08:41:52 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 2 Nov 2017 08:41:51 -0700
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Thu, 2 Nov 2017 08:41:51 -0700
From: Edward Lewis <>
To: Warren Kumari <>, Bob Harold <>
CC: Ólafur Guðmundsson <>, Matt Larson <>, Moritz Muller <>, Paul Wouters <>, "" <>
Thread-Topic: [Ext] Re: [DNSOP] Resolver behaviour with multiple trust anchors
Thread-Index: AQHTU+i9bgXp0SADEEG6x6vd1yaJ3qMBpWUAgAAGKACAAAQsAA==
Date: Thu, 02 Nov 2017 15:41:51 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3592467710_1414157198"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Nov 2017 15:41:54 -0000

On 11/2/17, 11:27, "DNSOP on behalf of Warren Kumari" < on behalf of> wrote:
> Having a (per-TA) knob sounds like a nice compromise, but I'd really
> like implementors to chime in on how much complexity this adds. If *I*
> added a local TA for .example (or I'd automatically
> assume that this is a closest encloser / Negative Trust Anchor /
> longest match type operation and would be very surprised if that
> wasn't the behavior -- this *may* be a combination of being primarily
> a routing person, and also the fact that if I create a local zone for
> (in a non-DNSSEC world) I'd expect it to take
> priority...

This is an interesting viewpoint.  I understand that in the routing world, longest match prefix is the way the outgoing interface is chosen.  This doesn't translate into the design of DNSSEC though.  (Like a pun in English isn't quite the same in any other language and vice versa.)

The issue in routing is that you have to choose one solution and go with it.  Unless you are multi/broadcasting, the packet is going to go on to one outgoing buffer/queue.

The issue in DNSSEC is to retain as much robustness as possible because the decision will have a long-lasting impact (sitting in cache, opening an ssh connection, etc.)  This mirrors what Paul said in an earlier message regarding PKIX.

On 11/2/17, 11:11, "DNSOP on behalf of Paul Hoffman" < on behalf of> wrote:

>The consensus conclusion was that any performance penalty was worth the consistency of answers, since the relying part (the stub resolver in our case) had no control over the order of evaluation.

Consistency is the objective there, not robustness, but I'd hand-wave the two are closely related.  Consistency, in terms of coherence, has historically been part of the DNS rhetoric, which (I'll claim) is a/one foundation for DNSSEC's robustness.

So, I get that from a routing backdrop, the longest match expectation is reasonable but not what was written into the DNSSEC documents because DNS and DNSSEC have different objectives than routing (or forwarding, whichever is more appropriate).