Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
Evan Hunt <each@isc.org> Mon, 31 July 2017 17:11 UTC
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C421326D7 for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 10:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3iHGKS2VHdq for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 10:11:09 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BFC31326D6 for <dnsop@ietf.org>; Mon, 31 Jul 2017 10:11:09 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 797403498BD; Mon, 31 Jul 2017 17:11:07 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 6CBD7216C1E; Mon, 31 Jul 2017 17:11:07 +0000 (UTC)
Date: Mon, 31 Jul 2017 17:11:07 +0000
From: Evan Hunt <each@isc.org>
To: Paul Wouters <paul@nohats.ca>
Cc: Joe Abley <jabley@hopcount.ca>, Shane Kerr <shane@time-travellers.org>, dnsop@ietf.org
Message-ID: <20170731171107.GA42492@isc.org>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com> <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com> <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca> <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org> <8506D4D8-E31B-4AEB-AC7E-4C89EAEEA9DC@hopcount.ca> <20170730074253.GA33522@isc.org> <alpine.LRH.2.21.1707310953260.21291@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1707310953260.21291@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zgbZshPtyfK2_v3U4QwTYEDnxUs>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 17:11:11 -0000
On Mon, Jul 31, 2017 at 09:57:11AM -0400, Paul Wouters wrote: > But we know people are already building software and systems that DO > trust the AD bit, even with non-localhost resolv.conf entries. This > saves them the overhead of adding a dnssec library to their application, > and saves them from running a system resolving understanding dnssec. Are there applications specifically trusting AD=1 and behaving differently than with AD=0? Or are they just ignoring it and trusting every answer equally? I would have expected the latter, but I confess to being surprised if there are people going out of their way to implement "DNSSEC validation" by just buying whatever magic beans some dude in the forest has for sale. > > Some of the error codes might be trustworthy enough if you're using COOKIE > > or TCP; that would enusre at least that it wasn't an off-path forgery. > > That's a very small use case with pervasive monitoring and > coffeeshop and hotel wifi. In case I wasn't clear, I'm suggesting that TCP and COOKIE would be adequate protection for any error code where the worst case scenario is no worse than what any MITM can do. If you've already got control of the channel, then I can't see how sending the client "Prohibited" or "Lame" messages gives you any more of an advantage than you already had. However, any response that says anything about DNSSEC validity should be presumed guilty until proven innocent. -- Evan Hunt -- each@isc.org Internet Systems Consortium, Inc.
- [DNSOP] Call for Adoption: draft-wkumari-dnsop-ex… tjw ietf
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Bob Harold
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Carlos M. Martinez
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Peter DeVries
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… George Michaelson
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Mark Andrews
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… George Michaelson
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Ondřej Surý
- Re: [DNSOP] [Ext] Call for Adoption: draft-wkumar… Edward Lewis
- Re: [DNSOP] [Ext] Call for Adoption: draft-wkumar… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Shane Kerr
- Re: [DNSOP] [Ext] Call for Adoption: draft-wkumar… Petr Špaček
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Mark Andrews
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… 神明達哉
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Francis Dupont
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Shane Kerr
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Evan Hunt
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Francis Dupont
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Evan Hunt
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Viktor Dukhovni
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Viktor Dukhovni
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… 神明達哉
- Re: [DNSOP] Call for Adoption: draft-wkumari-dnso… Tim Wicinski
- Re: [DNSOP] [Ext] Call for Adoption: draft-wkumar… Wes Hardaker