Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Paul Vixie <> Tue, 21 March 2017 05:23 UTC


Paul Vixie wrote:
> Viktor Dukhovni wrote:
>> ...
>> What's attractive here, is that real resolvers (local to the same
>> device) already have the requisite feature-set, and there's no need
>> to augment stub resolvers with features already handled by local
>> recursive resolvers.  If a device is too dumb to run a separate
>> resolver process, I don't expect it'll have a trustworthy DNSSEC
>> implementation in its stub resolver.
> trusting a dns response's AD bit to tell you that the responder has done
> careful signature checking all the way back to a trust anchor you have
> confidence in, doesn't fit the hotel or coffee shop scenario -- you do
> not want your hotel or coffee shop in the role of making a secure
> introduction between you and your bank, for example.

since the hotel is unlikely to transmit on an interface that's local to
the same device, let me amend this as follows:

trusting the AD bit just because the packet appears to have been
generated locally is a dangerous model. if the specification requires
that the stub have explicit and non-default cause for confidence in the
sender's identity and fidelity, then there's no way to test for this,
and since there's no way to test for it, it won't be widely implemented.
time to market is the primary driver for a product or service's lifetime
revenue envelope, and any requirement that won't face acceptance and/or
interoperability testing, WILL be left out.

the thing you CAN test for is whether the signatures are valid. which is
why first dan kaminsky and later paul wouters wanted to send the full
signature chain. perhaps that can be merged in here: if the stub
resolver can see the full signature chain and do its own validation,
then it ought to believe that the data is authentic. this would put the
burden on system vendors to put signature chain gathering/expansion into
their on-device RDNS or DNS Proxy, so that local stubs saw same.

P Vixie
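As an added example (not part of the thread or of the homenet draft), the stub-side policy the message argues for, written as a small pure-Python check: the 12-byte DNS header is decoded from a constructed wire-format response and the AD bit is honoured only when the answering address is in a set of validators the stub was explicitly configured to trust, never merely because the answer arrived from loopback. The addresses and the trusted set are made up; validating the signature chain in the stub itself is the other half of the argument and is not shown here.

```python
import struct

# DNS header flag bits: QR, AA, TC, RD, RA (RFC 1035) and AD, CD (RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(wire: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields and flag bits."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def stub_may_trust_ad(hdr: dict, source: str, trusted_validators: set) -> bool:
    """Accept AD as proof of DNSSEC validation only if the response carries
    AD with NOERROR *and* came from a validator the stub was explicitly
    configured to trust. A loopback source alone does not qualify; that is
    the 'trust it because it looks local' model this policy rejects."""
    if not hdr["qr"] or not hdr["ad"] or hdr["rcode"] != 0:
        return False
    return source in trusted_validators


def build_response(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Constructed helper: pack a header-only DNS response for testing."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample: a NOERROR answer with QR, RD, RA and AD set (0x81A0).
AD_RESPONSE = build_response(0x1234, QR | RD | RA | AD)


def demo() -> dict:
    """Same AD-bearing answer judged under the two trust models."""
    hdr = parse_header(AD_RESPONSE)
    explicit = {"::1"}  # constructed: the one validator this stub was told to trust
    return {
        "ad_set": hdr["ad"],
        "loopback_no_config": stub_may_trust_ad(hdr, "127.0.0.1", set()),
        "loopback_configured": stub_may_trust_ad(hdr, "::1", explicit),
        "hotel_resolver": stub_may_trust_ad(hdr, "192.0.2.53", explicit),
    }
```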