Re: [DNSOP] additional section, was Over on the dbound list: draft-dcrocker-dns-perimeter-00

Ted Lemon <mellon@fugue.com> Sun, 14 April 2019 15:29 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <alpine.OSX.2.21.1904111712180.22307@ary.local>
Date: Sun, 14 Apr 2019 11:29:55 -0400
Cc: dnsop@ietf.org
Message-Id: <FAAB50C1-BB5C-4A5F-971B-7FB5DB173E3C@fugue.com>
References: <20190404012010.64DB6201162C3F@ary.qy> <alpine.OSX.2.21.1904111712180.22307@ary.local>
To: John R Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xryG6uKxVN6znGE1HgEAYkCn_Ns>

On Apr 14, 2019, at 11:13 AM, John R Levine <johnl@taugh.com> wrote:
> Although it is legal to put an additional section in an NXDOMAIN response, it's uncommon and I don't know how the bailiwick checks would work.

We already do something like this when looking for the zone apex, and it potentially has the same problem. If I look for the zone apex of a nonexistent name under a zone that does exist, I’ll get back an SOA record in the authority section. How do I know that that’s the real zone apex? If I look up a.b.c.d.example.com and get back an SOA for example.com, how do I know that there is no SOA for c.d.example.com?

The answer is that I don’t, without validating the answer. And that requires traversing the trust anchors to the root, so as you say, this doesn’t save any work.

Clearly, this validation should be done—we shouldn’t just assume that what’s in the additional section is correct. I think that this means that in the case of a query with DNSSEC enabled, the additional section should contain as much of the chain of trust as will fit, in the order the client resolver can be expected to need it.
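The situation Ted describes, as an added example that is not part of the thread and not code from any participant: a constructed NXDOMAIN response for a.b.c.d.example.com carries an SOA for example.com in its authority section. The code below parses the wire-format message with a minimal stdlib-only parser, applies the one check a resolver can do without DNSSEC (the SOA owner must be in bailiwick, i.e. an ancestor of the query name), and then lists the intermediate names (b.c.d.example.com, c.d.example.com, d.example.com) that the unvalidated response does not rule out as zone apexes. The message builder, the SOA values and the function names are all assumptions made for this example; a real resolver would need NSEC/NSEC3 validation to close that gap.

```python
"""Added example (not from the thread): parse a constructed NXDOMAIN response
and show what an unvalidated SOA in the authority section does and does not prove."""
import struct

NXDOMAIN = 3
TYPE_SOA = 6


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a wire-format name, following compression pointers.
    Returns (name with trailing dot, offset just past the name in the stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def build_nxdomain_response(qname: str, soa_owner: str, msg_id: int = 0x1234) -> bytes:
    """Constructed sample message: RCODE=NXDOMAIN, one question, one SOA in authority.
    SOA field values are made up for the example."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180 | NXDOMAIN, 1, 0, 1, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)                 # type A, class IN
    rdata = (encode_name("ns1." + soa_owner) + encode_name("hostmaster." + soa_owner)
             + struct.pack("!IIIII", 2019041401, 7200, 900, 1209600, 3600))
    soa = encode_name(soa_owner) + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    return header + question + soa


def parse_response(msg: bytes) -> dict:
    """Parse the header, the question and all three RR sections (rdata kept raw)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[sec].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"rcode": flags & 0xF, "question": questions[0][0], **sections}


def is_ancestor(zone: str, name: str) -> bool:
    """Bailiwick check: True when `zone` is `name` itself or one of its ancestors."""
    return name == zone or name.endswith("." + zone)


def claimed_apex(resp: dict):
    """Owner of the SOA in the authority section of an NXDOMAIN response, accepted only
    when it is in bailiwick for the query name; None otherwise. This is a *claim*,
    not proof that no closer zone cut exists."""
    if resp["rcode"] != NXDOMAIN:
        return None
    for owner, rtype, _ in resp["authority"]:
        if rtype == TYPE_SOA and is_ancestor(owner, resp["question"]):
            return owner
    return None


def unverified_cuts(qname: str, apex: str) -> list:
    """Names strictly between qname and the claimed apex. Without DNSSEC validation
    (NSEC/NSEC3 proving no delegation at each of them) the response does not show
    that none of these is itself a zone apex with its own SOA."""
    labels = qname.rstrip(".").split(".")
    apex_len = len(apex.rstrip(".").split("."))
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - apex_len)]


if __name__ == "__main__":
    r = parse_response(build_nxdomain_response("a.b.c.d.example.com.", "example.com."))
    apex = claimed_apex(r)
    print("claimed apex:", apex)
    print("not ruled out without validation:", unverified_cuts(r["question"], apex))
    bad = parse_response(build_nxdomain_response("a.b.c.d.example.com.", "example.net."))
    print("out-of-bailiwick SOA accepted?", claimed_apex(bad))
```

The bailiwick check rejects an SOA for an unrelated zone, but that is all it can do: an in-bailiwick SOA for example.com is consistent with c.d.example.com also being a zone apex, which is exactly why the claimed apex must be validated (or the chain of trust shipped along) before it is relied on.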