Re: [dnsext] Issues in WGLC of dnssec-bis-updates
Mohan Parthasarathy <suruti94@gmail.com> Wed, 08 February 2012 23:27 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF97A11E809B; Wed, 8 Feb 2012 15:27:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328743669; bh=E7Bx1cURqxftQ+4Y191WBi1Wi3FEoyTwf+G1mzXEdaM=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=FlAOB9slGwMkE3gCHe2dGQ86H1WxduIwb7cIJRv9Whwg3DIZxOtwnCr/bYfj/4HRv Ft7Xu1l2Kd2rfZrRJ6lFvnLJJFI0Ci7n5xuXlYkJ4T4//OVFT/7DTXG7CR3oYEtAk1 fbytiG05wEDaKJ15NbLszlPjvZzi6ridzBLE/sYI=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E6E21F84E4 for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:27:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.477
X-Spam-Level:
X-Spam-Status: No, score=-3.477 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Phw10GVuI-qF for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:27:47 -0800 (PST)
Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 790EB21F84DF for <dnsext@ietf.org>; Wed, 8 Feb 2012 15:27:47 -0800 (PST)
Received: by obbwd15 with SMTP id wd15so1737655obb.31 for <dnsext@ietf.org>; Wed, 08 Feb 2012 15:27:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=IMzyD+RrAqA3niP5r1TGitTOf+dYjE72TzBSbeIn4Yc=; b=HB+tQ6nS2IJmkAgq+oTITfO8r68oZx7l2zoVIJv6dtjBxxwdGZpD/517oXd3cAT8K/ oyo6ilvihsHQGa7F/Cp05wwOOswGgT0DksTJQ0lOywKNQgeV91j1zuR5D84Cxlsu3BPU LTDm84WneALSQI3ILcr5CqHO2E+05zK9FYCYc=
MIME-Version: 1.0
Received: by 10.182.119.73 with SMTP id ks9mr27902006obb.45.1328743667065; Wed, 08 Feb 2012 15:27:47 -0800 (PST)
Received: by 10.182.147.105 with HTTP; Wed, 8 Feb 2012 15:27:47 -0800 (PST)
In-Reply-To: <20120208230511.2440F1D0601B@drugs.dv.isc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl> <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com> <20120208230511.2440F1D0601B@drugs.dv.isc.org>
Date: Wed, 08 Feb 2012 15:27:47 -0800
Message-ID: <CACU5sDnrz8ivLR6nMGvX0+gFvmU2k6V7HLrb8MYLtvAs2DODgQ@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Wed, Feb 8, 2012 at 3:05 PM, Mark Andrews <marka@isc.org> wrote: > > In message <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>, > Mohan Parthasarathy writes: >> On Wed, Feb 8, 2012 at 12:30 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wr= >> ote: >> > -----BEGIN PGP SIGNED MESSAGE----- >> > Hash: SHA1 >> > >> > Hi Mohan, >> > >> > The definition of indeterminate was wrong in RFC4035, and you now seem >> > to think DNSSEC is riddled with downgrade. =A0There is no downgrade, >> > because the security-states are the outcome of the chain-of-trust >> > algorithm, not implemented from its definitions in RFC4035. >> > >> Okay, after reading your response and re-reading 4035 and 4033, I >> think 4033 definitions for Bogus, Insecure and Indeterminate capture >> the discussion below more clearly. >> >> <snip> >> >> > On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote: >> >> On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrot= >> e: >> >>> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote: >> >>> >> >>>> insecure, or bogus. =A0Note that with the root trust anchor the >> >>>> indeterminate state no longer occurs, since we know everything is >> >>>> covered by that trust anchor. >> >>> >> >>> >> >>> I disagree with that. >> >>> >> >>> The Internet that we usually think about as being the only one is what I >> >>> call the "global public Internet". =A0For the global public Internet, t= >> he DNS >> >>> in common use does have a trust anchor for it's root zone so the assert= >> ion >> >>> holds for the majority of cases, but then again only for recursive serv= >> ers >> >>> that have the trust anchor. >> >>> >> >>> There are other inter-networks that use the DNS protocol. =A0In at leas= >> t one >> >>> of these, DNSSEC has not been deployed. >> >>> >> >>> And, you can stretch this to the case of a recursive server, on the glo= >> bal >> >>> public Internet, that does not have the root anchor configured - and may >> >>> have another anchor. =A0To such a server, validating some DNS data is >> >>> impossible (incalculable). >> >>> >> >>> The protocol cannot be defined assuming one particular mode of operatio= >> n. >> >>> >> >> Before getting to define this precisely, we should try to understand >> >> the different cases that can occur and see whether we all agree on the >> >> error status for the different cases. >> > >> > Why data cannot be fetched is not a factor in the end result. =A0This >> > simplifies the cases to: cannot get the proper DNSSEC data, can get >> > proper DNSSEC data but it's invalid, can get proper DNSSEC data and it's >> > ok. =A0And the results are bogus, bogus, secure. =A0If you find an insecu= >> re >> > delegation it is insecure. =A0If there is no applicable trust anchor, the >> > result is indeterminate (that is effectively just like insecure). >> > >> >> Ok, Bogus, Secure and Insecure applies only when there is an >> applicable trust anchor. When it is absent, it is indeterminate. That >> simplifies a lot. > > Absolutely wrong. > > Step 1 of validation. > Is there a potential covering trust anchor? > Yes. Goto step 2. > No. Mark as insecure. > > Step 2 .... > >From RFC 4033: Insecure: The validating resolver has a trust anchor, a chain of trust, and, at some delegation point, signed proof of the non-existence of a DS record. This indicates that subsequent branches in the tree are provably insecure. A validating resolver may have a local policy to mark parts of the domain space as insecure. So, I don't understand what you mean. -mohan >> <snip> >> >> >> >> 1) We get some DNSSEC RRs back but can't validate. Just being able to >> >> partially validate without tracing back to the trust anchor is equally >> >> bad as not being able to validate the signatures. >> > >> > Yes, that is bogus in today's implementations. >> > >> >> 2) We get no DNSSEC RRs back. This could be a problem in the path or >> >> the zone is not signed. We can't tell the difference without some >> >> extra configuration. >> > >> > You can tell the difference because the chain-of-trust is signed itself, >> > and this extends from the trust anchor to the data you just got, and >> > thus you know if this zone is signed or not. =A0And thus in your question, >> > the unsigned zone is ok(insecure), and the signed-zone-missing-DNSSEC >> > RRs is not ok(bogus). >> > >> >> How does it help the application to make this more fine grained ? >> > >> > No, the application just wants all bogus data to be removed. =A0Data that >> > is secure and data that is not DNSSEC signed is what it wants. =A0Because >> > of the chain-of-trust the validator knows which parts of the space below >> > a trust anchor is signed (and must have DNSSEC available) and which part >> > is unsigned. =A0This property could be the cause that made insecure and >> > indeterminate terms exist, as indeterminate is not really processed but >> > simply the absence of a covering trust anchor, just like in the case >> > where you had no trust anchors at all. =A0But then insecure needs >> > processing: you have to validate the chain of trust from the trust >> > anchor to the insecure-delegation point, and only then can you conclude >> > that the data is insecure. =A0This is something internal to the DNSSEC >> > validator, and not particularly impressive to the application, that >> > likely just wants to know if the data was DNSSEC-signed (if so: secure >> > or bogus) or if the data was not DNSSEC-signed (as determined with the >> > configured set of trust anchors). >> > >> That was very useful discussion. >> >> regards >> mohan >> >> > Best regards, >> > =A0 Wouter >> > -----BEGIN PGP SIGNATURE----- >> > Version: GnuPG v2.0.15 (GNU/Linux) >> > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ >> > >> > iQIcBAEBAgAGBQJPMjK2AAoJEJ9vHC1+BF+NxVUQAIyQ4nPk7Syogn9uh4z890yJ >> > kmPxslbpvHru47OxKd0tYvozldnP32z1+JToGSZR8qRU+w9SAQLutnFkqCU28x95 >> > QUAot8G157kxZT95zhdjVqpbyUYDYwKKUY4jqplq4IuyIm1ewEOcwAS8Sak1o9Gr >> > 17Xs4aCpl55QmTCZAlP+r6SwCDY738Py9I51BJhifAB9HdkT6XK1+bsbMSiFhG+o >> > koICUhKaLDthmFvBrHBVCiW4xD5uk8ww2jlMNXv2LaRT05tfVjLC0EfboFn3kEkg >> > +c39M8Bm4GlkQvB1Wr37AEPn/m0PYbsC2lOEQL/04QRGiAcDTtjo4bzzsKb6yFFi >> > cWg8mUsldcSikZB+YFVS0RRLGcKCWhOVHxxMqKlA/IdzBU02JiGaYqZU9SKaakkc >> > 8AEFJkQdUYerh4BPeiwlzpy4uS3kiJU7A8hKnQSIuRR1xo7r28NKuvrxLnw5b3es >> > kExf4pyb5zitBPx6c0ERQ1SJrw9VU3DipJb6dY/QW5uceHvfJlYQiXN6nGGKUkvw >> > FlupnGef8TvHvgnHieiD9t3WRh+7WNKdMCs627U/Ym8VC0gcTXK3WORMdwrAVq7j >> > I7wEkXH4ms9sJD09ZGysNjlRylKvMzHlxxIjl3kpFmvGwus//BxMq8GCT+08cJ9Z >> > 5AOnYo5AWqWqa8nipilZ >> > =3DdpSm >> > -----END PGP SIGNATURE----- >> > _______________________________________________ >> > dnsext mailing list >> > dnsext@ietf.org >> > https://www.ietf.org/mailman/listinfo/dnsext >> _______________________________________________ >> dnsext mailing list >> dnsext@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsext > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker