Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Viktor Dukhovni <> Fri, 06 March 2015 09:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 698D61ACD3C for <>; Fri, 6 Mar 2015 01:05:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id R66RFyymfVbr for <>; Fri, 6 Mar 2015 01:05:07 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BDCB41ACD30 for <>; Fri, 6 Mar 2015 01:05:07 -0800 (PST)
Received: by (Postfix, from userid 1034) id 21475282FC0; Fri, 6 Mar 2015 09:05:06 +0000 (UTC)
Date: Fri, 6 Mar 2015 09:05:06 +0000
From: Viktor Dukhovni <>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Mar 2015 09:05:09 -0000

On Fri, Mar 06, 2015 at 02:28:44AM -0500, John C Klensin wrote:

> That said, if the IETF considers it to be a valid implementation
> of DNSSEC to have the closest-to-user validating system be an
> ISP-based forwarder rather than a machine on the user's LAN,
> there isn't a lot of point in building DNSSEC capability into
> zeroconf stuff that is mostly applicable intra-LAN or otherwise
> within a trust perimeter that the DNSSEC validator is outside of.

Where did this notion come from?  I've seen no documents that
suggest this.  On the contrary, there is even some push back to
using a security-aware non-validating stub resolver that chains to
a trusted loopback-net validating cache.  *Trusting* the ISP's
validating resolver is indeed pointless and I've not seen anyone
suggest this.

If grandma had wheels, she'd be a wagon.

Of course once can still *use* an ISP's validating resolver as an
untrusted cache, with or without "CD" as appropriate.

> Put differently, any time a DNSSEC-based trust model comes down
> to "trust your ISP", then it is pointless overhead for any of us
> who already know our ISPs can't be trusted.  And _that_ is why
> I'm reluctant to see it oversold in circumstances like the
> current document.

In any case nobody's suggesting over-selling DNSSEC here, all the
suggested changes have been about the claims for DNSSEC being
originally too strong.

Nevertheless if a URI RR is to be trusted to change the authenticated
authority (RFC6125 reference identifier), then one should at least
do DNSSEC or else (when DNSSEC is not fit for purpose) not change
the authority (and fail authentication when the target's certificate
fails to match the original domain).  In the latter case complications
may arise with SNI (which domain goes in the client's SNI extension
and may it differ from the HTTP request Host: header?).

All the document has to do is avoid claiming that trusting DNSSEC
is *equivalent* to trusting the application's "usual" PKIX
trust-anchors (whatever they might be).  Sometimes DNSSEC is worse,
sometimes it is better.  It should also caution against accepting
completely unauthenticated redirection, so given that the redirection
is via DNS you either use DNSSEC or don't trust the redirection
choose one.

Nothing controversial, just basic tautologies that may not be
obvious to all.