Re: [DNSOP] Resolver behaviour with multiple trust anchors

Tony Finch <dot@dotat.at> Thu, 02 November 2017 15:49 UTC

Date: Thu, 2 Nov 2017 15:49:20 +0000
From: Tony Finch <dot@dotat.at>
To: Bob Harold <rharolde@umich.edu>
cc: Matt Larson <matt@kahlerlarson.org>, Ed Lewis <edward.lewis@icann.org>, Moritz Muller <moritz.muller@sidn.nl>, Ólafur Guðmundsson <olafur@cloudflare.com>, Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <CA+nkc8CqoX87L9YPoJfx7dSOZY4Pm5RXKNvKVBkFB_KX+EK4KQ@mail.gmail.com>
Message-ID: <alpine.DEB.2.11.1711021537220.3122@grey.csi.cam.ac.uk>
References: <121CDBC2-D68C-48EE-A56E-46C61FC21538@sidn.nl> <CAN6NTqxy4SWxsUNZyBA=1TZxdhWtVxaTDYLoA1qO2nKf202g9w@mail.gmail.com> <E94AE36A-CA69-47DB-A2B7-41D0C3644855@nohats.ca> <4678D8A8-1AA0-4684-BFD1-40C969305C49@icann.org> <alpine.LRH.2.21.1710311541090.23568@bofh.nohats.ca> <54030D6D-0B7D-4408-A50A-FDBD66A940B4@kahlerlarson.org> <CA+nkc8CqoX87L9YPoJfx7dSOZY4Pm5RXKNvKVBkFB_KX+EK4KQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qVut8s3pJPMSGhrtAqCg9e_a2aY>
Subject: Re: [DNSOP] Resolver behaviour with multiple trust anchors

Bob Harold <rharolde@umich.edu> wrote:
>
> How many paths are there?  I can think of:
> 1. To the root
> 2. To a local trust anchor

These are actually the same path since you'll find the relevant local
trust anchors in the process of walking down from or up to the root.
(Or, down from or up to the closest enclosing validated DNSKEY.)

> 3. To a DLV provider (gone as of Sept 30?)

I have a half-formed evil plan to use DLV to distribute trust anchors for
reverse DNS zones that lack DS records (RFC 1918 and others). One managed
key is easier than c. 20 keys!

As Mark said, DLV only applies when the normal path says insecure.

> Also, if an operator does not configure DLV or local trust anchors, then is
> root the only path?  So "Closest Encloser" and "Accept Any Success" are the
> same?

Closest encloser implies to me that you don't fall back to looking at the
DS records if you can't validate a DNSKEY that has a local trust anchor.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: Northwest 5 or 6, occasionally 7 in Fisher, backing
southwest 4 or 5 later. Moderate, occasionally rough for a time. Showers.
Good.
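The three situations the thread is weighing (no local anchors, a local anchor for a reverse zone whose parent publishes no DS, and a local anchor that fails to validate the zone's DNSKEY), as an added toy model that is not part of this message or of any resolver; the zone tree, key tags and the `validate` function are constructed for illustration.

```python
"""Toy model of DNSSEC validation with a root trust anchor plus local trust
anchors, comparing a "closest encloser" policy with "accept any success".
Constructed example for this thread, not code from any resolver."""
from dataclasses import dataclass

@dataclass
class Zone:
    keytag: int                # key tag of the KSK in the zone's DNSKEY RRset
    ds_in_parent: bool = True  # parent publishes a DS matching that key

# Constructed zone tree; all key tags are made-up numbers.
ZONES = {
    ".": Zone(20326),
    "example.": Zone(1111),
    "corp.example.": Zone(2222, ds_in_parent=False),     # unsigned delegation
    "arpa.": Zone(3000),
    "in-addr.arpa.": Zone(3100),
    "10.in-addr.arpa.": Zone(3333, ds_in_parent=False),  # RFC 1918 reverse, no DS
}
ROOT_TA = 20326  # the trust anchor the validator ships with

def path(name):
    """Zones enclosing name, root first, ending with name's own zone."""
    labels = [l for l in name.split(".") if l]
    cands = [".".join(labels[i:]) + "." for i in range(len(labels), -1, -1)]
    return [c for c in cands if c in ZONES]

def ds_chain(zones):
    """Secure only if every delegation on the (root-first) list has a DS."""
    return "secure" if all(ZONES[z].ds_in_parent for z in zones) else "insecure"

def validate(name, local_tas, policy):
    """Return 'secure', 'insecure' or 'bogus' for name.
    local_tas: zone name -> configured key tag.  policy: 'closest-encloser'
    (a failing local anchor is final) or 'accept-any-success' (fall back to
    the DS path walked down from the root)."""
    p = path(name)
    from_root = ds_chain(p[1:]) if ROOT_TA == ZONES["."].keytag else "bogus"
    anchored = [z for z in reversed(p) if z in local_tas]  # closest encloser first
    if not anchored:
        return from_root          # only one path: both policies agree
    z = anchored[0]
    if local_tas[z] == ZONES[z].keytag:
        return ds_chain(p[p.index(z) + 1:])  # DNSKEY validated by the local TA
    if policy == "closest-encloser":
        return "bogus"            # no fallback to the parent's DS records
    return from_root
```

With no local anchors both policies return the root path's answer; the policies only diverge when a configured anchor fails to validate the DNSKEY it was meant for.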