Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)

Colm MacCárthaigh <> Wed, 02 April 2014 05:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C57B51A0118 for <>; Tue, 1 Apr 2014 22:24:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.077
X-Spam-Status: No, score=-1.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_47=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OOWO3DwORUIe for <>; Tue, 1 Apr 2014 22:24:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BBB9E1A0116 for <>; Tue, 1 Apr 2014 22:24:38 -0700 (PDT)
Received: by with SMTP id wo20so11936978obc.36 for <>; Tue, 01 Apr 2014 22:24:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QodMoNGLFLIQkDySOUhJlgUsFnNM7iaNpbBRKL0TL6I=; b=kbrtGkPcBGaP1b7GHLWUEx9qlGVzjcjqcn93L+Q71sHicFcMFoZ6fX6COdoNqFIBXw FQBHRB6CdCv5liMTouKU5n9CfLZB7G0CKlT2HKMuZTH0JzWnESElnXLfPneQXXYmX0V6 V5OzkGiP76EFWH24R2coDrlWQ0TFjuHGGdDt97AJ6S8B++iRVGreKKt7ZsRLbbWK/JRW kKK+NRv6BiMmarKHvJ/FUzIrV8t+vCnimX03P4EzdnAsCjdVYJN0PIXpz4Fh06UpXv7c NfLw/mRBBHgCDnbIr+mYDSu0r5z3S4lAsFodSDUm8PkLC6laGNiUbNU6fg9gLSD9oVvm B1pA==
X-Gm-Message-State: ALoCoQmnW9Kt8h4A8bFYTJiD40cuEhYhnY5o+Jsh+ZF5IkDhLsqAUZ01y/1Zhe+M+hnITq+PL3AA
MIME-Version: 1.0
X-Received: by with SMTP id s5mr32744123obf.35.1396416274755; Tue, 01 Apr 2014 22:24:34 -0700 (PDT)
Received: by with HTTP; Tue, 1 Apr 2014 22:24:34 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
Date: Tue, 1 Apr 2014 22:24:34 -0700
Message-ID: <>
From: =?ISO-8859-1?Q?Colm_MacC=E1rthaigh?= <>
To: Evan Hunt <>
Content-Type: multipart/alternative; boundary=001a11c2a20c040b1504f60880b6
Cc: Phillip Hallam-Baker <>, "" <>, Nicholas Weaver <>, Matth?us Wander <>, Bill Woodcock <>
Subject: Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Apr 2014 05:24:43 -0000

On Tue, Apr 1, 2014 at 7:49 PM, Evan Hunt <> wrote:

> On Tue, Apr 01, 2014 at 06:25:12PM -0700, Colm MacC?rthaigh wrote:
> > DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> > interception-and-rewriting and cache compromises. These threats are
> > endpoint and path specific, so it's entirely possible that one of your
> > resolvers (or its path) has been compromised, but not others. If all of
> > your paths have been compromised, then there is no recovery; only
> > detection. But that is always true for DNSSEC.
> Consider the scenario in which one authoritative server for a zone
> has been compromised and the others have not, and that one happens to
> have the lowest round-trip time, so it's favored by your resolver.

> If you query with CD=0, a validating resolver detects the problem
> and tries again with another auth server.  It doesn't give up until
> the whole NS RRset has failed.

> If you query with CD=1, you get the bogus data and it won't validate.

I don't think this makes much sense for a coherent resolver. If I were
writing a resolver, the behaviour would instead be;  try really hard to
find a valid response, exhaust every reasonable possibility. If it can't
get a valid response, then if CD=1 it's ok to pass back the invalid
response and its supposed signatures - maybe the stub will no better, at
least fail open. If CD=0, then SERVFAIL, fail closed.

Although CD means "checking disabled", I wouldn't actually disable
checking, simply because that's stupid (I don't mean to be impolite, but I
don't have a better word to use here). But by preserving the on-the-wire
semantics of the CD bit, I'd preserve effectiveness as a cache, and pass on
what's needed to validate even the failure cases.