Re: [DNSOP] Definition of "validating resolver"
Mark Andrews <marka@isc.org> Tue, 10 March 2015 00:13 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6431A908C for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 17:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJvfSy6vIoOv for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2015 17:13:49 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C208E1A01F9 for <dnsop@ietf.org>; Mon, 9 Mar 2015 17:13:47 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 47A471FCCFD; Tue, 10 Mar 2015 00:13:43 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 77BA0160067; Tue, 10 Mar 2015 00:20:45 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-175-41.carlnfd1.nsw.optusnet.com.au [211.30.175.41]) by zmx1.isc.org (Postfix) with ESMTPSA id 0E13E16005B; Tue, 10 Mar 2015 00:20:45 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 2A3752B1D555; Tue, 10 Mar 2015 11:13:40 +1100 (EST)
To: Willem Toorop <willem@nlnetlabs.nl>
From: Mark Andrews <marka@isc.org>
References: <DED3D224-C507-4751-808C-3D881A238942@vpnc.org> <20150308223157.GA2770@PorcupineTree> <54FDB221.8020903@nlnetlabs.nl>
In-reply-to: Your message of "Mon, 09 Mar 2015 15:45:53 +0100." <54FDB221.8020903@nlnetlabs.nl>
Date: Tue, 10 Mar 2015 11:13:39 +1100
Message-Id: <20150310001340.2A3752B1D555@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/qvrwxM5yg9UP3DvIo_oUjTuyM20>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Definition of "validating resolver"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 00:13:51 -0000
In message <54FDB221.8020903@nlnetlabs.nl>, Willem Toorop writes: > I'd like to maintain the term exactly as specified in RFC4033 > (understanding DNSSEC but not validating), because it comes in use when > talking about validating stubs. > > Some network operators don't know or care about DNSSEC and do not equip > their network's resolver with a trust anchor. Such a resolver is > obviously not validating, but if it is a modern resolver it is very > likely to be security-aware. > > An application using a validating stub can leverage such a resolver to > get DNSSEC answers from the cache which it can then validate itself. > For example to get an authenticated TLSA and bootstrap an encrypted channel. Which works most of the time as there are very few attacks and the resolvers do a pretty good job of dealing with the broken authoritative servers and poorly configured firewalls that block legitimate replies. If you want reliable DNSSEC then these resolvers also need to validate. > I have presented measurements on the amount of security-aware resolvers > in RIPE ATLAS in the context of this use case at ICANN50: > > https://london50.icann.org/en/schedule/wed-dnssec/presentation-dnssec-validat > ion-deployment-25jun14-en.pdf > > Though in the research we called those DNSSEC-aware instead of > security-aware. > > -- Willem > > Op 08-03-15 om 23:31 schreef Ralf Weber: > > Moin! > > > > On Sun, Mar 08, 2015 at 12:21:49PM -0700, Paul Hoffman wrote: > >> Greetings again. Paul Wouters noticed an inconsistency in the terminology > >> draft, and upon investigation, I believe it is a problem (hopefully > >> fixable) with the definitions in RFC 4033. RFC 4033 and 4035 use the term > >> "validating resolver" in a few places. However, RFC 4033 never defines > >> that. RFC 4033 *does* define "security-aware resolver": > >> > >> Security-Aware Resolver: An entity acting in the role of a resolver > >> (defined in section 2.4 of [RFC1034]) that understands the DNS > >> security extensions defined in this document set. In particular, > >> a security-aware resolver is an entity that sends DNS queries, > >> receives DNS responses, supports the EDNS0 ([RFC2671]) message > >> size extension and the DO bit ([RFC3225]), and is capable of using > >> the RR types and message header bits defined in this document set > >> to provide DNSSEC services. > >> > >> My personal interpretation is that "validating resolver" is a synonym for > >> "security-aware resolver". Do others agree? If not, how would you > >> differentiate them? > > I was told that the difference is that a security aware resolver does > > not validate, but instead relies on the "Validating Stub Resolver" to > > protect the user. So it would handle all the DNSSEC processing to the > > authoritative and would store the records with signatures in the cache, > > but it wouldn't check if they are valid. > > > > The people who told me that interpreation of the RFC never did deploy DNSSE > C > > and thankfully most of the people who did and deployed DNSSEC used > > validating and security aware resolvers. I don't think it makes sense to > > deploy a caching resolver without validation. So would be ok if we define > > it as you suggest. > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] Definition of "validating resolver" Paul Hoffman
- Re: [DNSOP] Definition of "validating resolver" Paul Wouters
- Re: [DNSOP] Definition of "validating resolver" Ralf Weber
- Re: [DNSOP] Definition of "validating resolver" Tony Finch
- Re: [DNSOP] Definition of "validating resolver" Ted Lemon
- Re: [DNSOP] Definition of "validating resolver" Paul Hoffman
- Re: [DNSOP] Definition of "validating resolver" Tony Finch
- Re: [DNSOP] Definition of "validating resolver" Willem Toorop
- Re: [DNSOP] Definition of "validating resolver" Mark Andrews
- Re: [DNSOP] Definition of "validating resolver" Florian Weimer