IETF Logo Mail Archive

Re: [DNSOP] Resolver behaviour with multiple trust anchors

Michael StJohns <msj@nthpermutation.com> Tue, 31 October 2017 21:04 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FF3013F70B for <dnsop@ietfa.amsl.com>; Tue, 31 Oct 2017 14:04:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kovzuo2gYflD for <dnsop@ietfa.amsl.com>; Tue, 31 Oct 2017 14:04:00 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B1E013F6F0 for <dnsop@ietf.org>; Tue, 31 Oct 2017 14:03:59 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id p1so453553qtg.2 for <dnsop@ietf.org>; Tue, 31 Oct 2017 14:03:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=GcdfD0+bHRAm2eJnHr665H+PUN92XmEnW6RK81osEgM=; b=pZqO95KEfxUwMNF+w81QxMMKPtcCQATJ31JwWOj/E0qiBhkQqHScoVyTM2LNhEe/yp 6Yi8nLFe7ftJSX3uDPFjGN/+b1zwnEUzS57bAtP884te/YCz3SJCtaCmkRaaPTBGrqkR dpHRNuVIQLbnkV1WxGTnkvqPOQxoQqLGNDlgtfVJ43nPgB1kXE/X8CgkW6PYvP37FcLu W+Mt+b7px2bsmRcFmQUor+yhLZiAA/MID3c4mFJB+tZkUag1iIzVL3iNwcCaRPTHeDuY 0pSKRvwwz8mCE0ogzjiCeMFKH/s+VPjrEg/exaKm7iVUfsvrUkvV3HKw08B+YahOaYl1 vzig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=GcdfD0+bHRAm2eJnHr665H+PUN92XmEnW6RK81osEgM=; b=dIdXDhaZ1W3HAZjbPvNUZkyiA8L7t9mIu26OmqCGWMH47wsDXpPW+3oVoBHb9ZctlQ XBmJOI6QdWBzzpWr9TlpLcUPftCcEmPCwFRg1yIrcUpf4vLEQtWB6UAtnwXC1RuhaSEG 0k3M7xghr2LOyUeVWGhWh8t23wAhFNxVERQ1wu+NgTFVSdGQhiOzFYAQUHcYqshun2ZX T1lrc6ieBvsGOwn7t6Wo7nzTFakLvrd59TZX3uyStxSdxPyWyQphXpKtb9x5V+y/VJZI lWRzDfxfp5RP9tQHI4lcsHdd2Vvf9sChXXBznkzZ3Hq1/OSYZzwDN/6nBSj9Nr95JDdO Cl0g==
X-Gm-Message-State: AMCzsaVmnEndvLNs56vjfTvOruIfgeN3jDgYJgXcNuo0gBcMWTLNnxns l61kbawKwAwtvPtj/M8mKUfNIB4J
X-Google-Smtp-Source: ABhQp+QjZfGyR661xKOnjhhdGermvC9MYSefeC1RHcgbX+q7zTVgxl6B5+AZRWKn1lA33Y3/Slgs7Q==
X-Received: by 10.200.55.253 with SMTP id e58mr5106221qtc.234.1509483837968; Tue, 31 Oct 2017 14:03:57 -0700 (PDT)
Received: from ?IPv6:2601:152:4400:720f::146e? ([2601:152:4400:720f::146e]) by smtp.gmail.com with ESMTPSA id l1sm1559360qtf.5.2017.10.31.14.03.56 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Oct 2017 14:03:57 -0700 (PDT)
To: dnsop@ietf.org
References: <121CDBC2-D68C-48EE-A56E-46C61FC21538@sidn.nl> <d85db292-47fa-f146-a908-add09a8f6bdc@nthpermutation.com> <148C88F0-FEED-4759-8026-F3FB95B44252@vpnc.org>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <c5dfc13a-e196-97c2-521b-3809b0147c23@nthpermutation.com>
Date: Tue, 31 Oct 2017 17:03:54 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <148C88F0-FEED-4759-8026-F3FB95B44252@vpnc.org>
Content-Type: multipart/alternative; boundary="------------638A584F5362DFF6DC96BEFB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pV_qxogLpdOTbxpQIlKdIGQ1sU0>
Subject: Re: [DNSOP] Resolver behaviour with multiple trust anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 21:04:12 -0000

On 10/31/2017 4:51 PM, Paul Hoffman wrote:
>> And once again we see the folly of the words "implementation choice" 
>> when trying to come up with a coherent DNS.
>
> The full quote makes the situation murkier: it is a combination of 
> implementation choice plus configuration options. Some folks on this 
> list strongly prefer that, others strongly don't.


My main and only desire when querying the DNS is that given the same 
inputs to the system you should always get the same output. Getting 
different answers on something that's as important as security because 
you queried different implementations  continues to seem to be to be a 
bad idea.

Having a standard default (which was not what this was) and having 
configuration options to change it for good reason is different than 
"which to use is a matter of implementation choice".

Later, Mike

v2.23.0 | Report a Bug | By Email