Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt
Mark Andrews <marka@isc.org> Tue, 01 August 2017 01:42 UTC
Return-Path: <marka@isc.org>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECFA2127601 for <homenet@ietfa.amsl.com>; Mon, 31 Jul 2017 18:42:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jeRyU8EL36Ud for <homenet@ietfa.amsl.com>; Mon, 31 Jul 2017 18:42:06 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CAE1127337 for <homenet@ietf.org>; Mon, 31 Jul 2017 18:42:06 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 1788F24AE3D; Tue, 1 Aug 2017 01:41:55 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 25905160047; Tue, 1 Aug 2017 01:42:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 099A116004F; Tue, 1 Aug 2017 01:42:00 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id fOCTt9pji0OU; Tue, 1 Aug 2017 01:41:59 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 81E09160047; Tue, 1 Aug 2017 01:41:59 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id E9A498081EDB; Tue, 1 Aug 2017 11:41:53 +1000 (AEST)
To: Ted Lemon <mellon@fugue.com>
Cc: homenet@ietf.org
From: Mark Andrews <marka@isc.org>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com> <20170731050206.1A431806F1C2@rock.dv.isc.org> <916EEEB9-3709-492B-8E19-5C832B11AFC2@fugue.com>
In-reply-to: Your message of "Mon, 31 Jul 2017 05:36:39 -0400." <916EEEB9-3709-492B-8E19-5C832B11AFC2@fugue.com>
Date: Tue, 01 Aug 2017 11:41:53 +1000
Message-Id: <20170801014153.E9A498081EDB@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/aygIW14o0J0f4whoG42RHX6dMn0>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 01:42:08 -0000
In message <916EEEB9-3709-492B-8E19-5C832B11AFC2@fugue.com>, Ted Lemon writes: > On Jul 31, 2017, at 1:02 AM, Mark Andrews <marka@isc.org> wrote: > > The delegatation is INSECURE and SIGNED not UNSIGNED. The wording > > here is *important*. > > Can you explain what the distinction is, and what the problem is that you > see in point five? The reason I ask is that we explicitly changed the > wording from "insecure" to "not signed" because someone else said that it > wasn't clear what "insecure" meant. It seems to me that the current > language is explicit and unambigious; I think this is better than being > "correct." So what is the bad outcome that might occur as a result of > using the term "not signed" rather than "insecure"? The delegation has *signed* NEC/NSEC3 records that prove that there is no DS record at the delegation *and* that the delegation *exists* unless OPTOUT is also set in the covering NSEC3 record. The presence of the NS bits without a SOA and DS bits in the validated NSEC/NSEC3 record proved that the child zone is insecurely delegated. Note this does not work if the delegation is unsigned. All delegations from a signed zone are signed. These is no such thing as a unsigned delegation. There are only secure (with signed DS) and insecure (without DSi but with signed NSEC/NSEC3). This is different to a unsigned delegation in a unsigned zone where there is no proof of anything. RFC 4033 Insecure: The validating resolver has a trust anchor, a chain of trust, and, at some delegation point, signed proof of the non-existence of a DS record. This indicates that subsequent branches in the tree are provably insecure. A validating resolver may have a local policy to mark parts of the domain space as insecure. RFC 4035 Insecure: An RRset for which the resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset. This can occur when the target RRset lies in an unsigned zone or in a descendent of an unsigned zone. In this case, the RRset may or may not be signed, but the resolver will not be able to verify the signature. Then add to that "insecure delegation" is the existing term for this type of delegation. RFC 6063 As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA namespaces, the zones listed above will need to be delegated as insecure delegations, or be within insecure zones. This will allow DNSSEC validation to succeed for queries in these spaces despite not being answered from the delegated servers. RFC 7719: Insecure delegation: a name containing a delegation (NS RRSet), but lacking a DS RRSet, signifying a delegation to an unsigned child zone. Opt-out: "The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned delegations." (Quoted from [RFC5155], Section 3.1.2.1.) Opt-out tackles the high costs of securing a delegation to an insecure zone. When using Opt-Out, names that are an insecure delegation (and empty non-terminals that are only derived from insecure delegations) don't require an NSEC3 record or its corresponding RRSIG records. Opt-Out NSEC3 records are not able to prove or deny the existence of the insecure delegations. (Adapted from [RFC7129], Section 5.1) As for point 5 the delegation for "home.arpa." will exist once IANA adds it to the ARPA zone. The content of the delegation won't match but it will exist. Note any server that performs such tests is already broken as STD 13 requires that the child zone be setup before the delegation is made. I know there are DNS hosters that require the delegation exists and list the server but they are actually wrong to do this. DNS delegations are make before break. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [homenet] I-D Action: draft-ietf-homenet-dot-10.t… internet-drafts
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Mark Andrews
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Warren Kumari
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Mark Andrews
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Toke Høiland-Jørgensen
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… STARK, BARBARA H
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Juliusz Chroboczek
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Juliusz Chroboczek
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Michael Richardson
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Ted Lemon
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.
- Re: [homenet] I-D Action: draft-ietf-homenet-dot-… Walter H.