Re: [DNSOP] Resolver behaviour with multiple trust anchors

"Paul Hoffman" <paul.hoffman@vpnc.org> Thu, 02 November 2017 15:11 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D85AE13F996 for <dnsop@ietfa.amsl.com>; Thu, 2 Nov 2017 08:11:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-UJcQypVLTM for <dnsop@ietfa.amsl.com>; Thu, 2 Nov 2017 08:11:07 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10B3D13F92E for <dnsop@ietf.org>; Thu, 2 Nov 2017 08:11:07 -0700 (PDT)
Received: from [10.32.60.113] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id vA2F9faK039806 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 2 Nov 2017 08:09:42 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.113]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Bob Harold" <rharolde@umich.edu>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 02 Nov 2017 08:11:04 -0700
Message-ID: <A1F19B08-DD23-41A7-8FF9-CACB0613527D@vpnc.org>
In-Reply-To: <CA+nkc8CqoX87L9YPoJfx7dSOZY4Pm5RXKNvKVBkFB_KX+EK4KQ@mail.gmail.com>
References: <121CDBC2-D68C-48EE-A56E-46C61FC21538@sidn.nl> <CAN6NTqxy4SWxsUNZyBA=1TZxdhWtVxaTDYLoA1qO2nKf202g9w@mail.gmail.com> <E94AE36A-CA69-47DB-A2B7-41D0C3644855@nohats.ca> <4678D8A8-1AA0-4684-BFD1-40C969305C49@icann.org> <alpine.LRH.2.21.1710311541090.23568@bofh.nohats.ca> <54030D6D-0B7D-4408-A50A-FDBD66A940B4@kahlerlarson.org> <CA+nkc8CqoX87L9YPoJfx7dSOZY4Pm5RXKNvKVBkFB_KX+EK4KQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.7r5425)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nuqh0FG4DelRU2yAFNmRQlqUolk>
Subject: Re: [DNSOP] Resolver behaviour with multiple trust anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2017 15:11:08 -0000

On 2 Nov 2017, at 8:04, Bob Harold wrote:

> I generally agree with you, but wonder if there is a performance 
> penalty to
> searching every possible path before failing.  Is that a reasonable 
> concern?

These are reasonable questions, ones that were actively discussed in the 
PKIX world 20+ years ago. The consensus conclusion was that any 
performance penalty was worth the consistency of answers, since the 
relying part (the stub resolver in our case) had no control over the 
order of evaluation.

> Also, if an operator does not configure DLV or local trust anchors, 
> then is
> root the only path?

All trust anchors are "local", so the question becomes "if an operator 
does not configure DLV or any trust anchors". The former is now moot, 
and the latter goes against a bunch of MUST statements in the standard.

--Paul Hoffman