Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 08 February 2012 19:49 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20120208185617.GH11475@mail.yitter.info>
Date: Wed, 08 Feb 2012 11:48:57 -0800
Message-Id: <D1AA03C9-DAEA-4374-AA51-A05F0738026A@vpnc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl> <20120208185617.GH11475@mail.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates

On Feb 8, 2012, at 10:56 AM, Andrew Sullivan wrote:

> No hat.
> 
> On Wed, Feb 08, 2012 at 09:30:46AM +0100, W.C.A. Wijngaards wrote:
>> 
>> On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote:
>> 
>>> How does it help the application to make this more fine grained ?
>> 
>> No, the application just wants all bogus data to be removed.  Data that
>> is secure and data that is not DNSSEC signed is what it wants. 
> 
> It seems to me that the above is either a matter of policy or a matter
> of implementation.  That is, some applications will surely only want
> data that they can know for sure is valid, and in particular will not
> want any unsigned data no matter what.
> 
> This could be implemented in more than one way.  One is to hand the
> application everything that is validated and unsigned, and let the
> application work out which it wants.  But another would be for the
> application to be able to signal this choice to the resolver.  No?

Specifically, the current proposal for DANE wants to know if it is getting bogus data. It treats bogus data as quite different than "no record received". See the bulleted list in section 5 of draft-ietf-dane-protocol-16.txt.

If the DNSEXT WG thinks that it is going to change dnssec-bis to make the change Wouter suggests, the DANE WG needs to hear about it *very soon*.

--Paul Hoffman
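
The distinction the thread is circling (resolver-enforced policy with CD=0, where bogus data is withheld, versus application-enforced policy with CD=1, where everything comes back and the application validates) can be made concrete. The block below is an added example, not code from this thread, from the DNSEXT or DANE working groups, or from draft-ietf-dane-protocol. The `Response` objects are hand-constructed stand-ins for what a stub resolver would see, the TLSA record text is a placeholder, and the mapping in `dane_decision` follows the TLSA usability rules as published in RFC 6698 section 4.1 (secure: use; bogus: abort TLS; insecure or absent: no DANE); the `requery_with_cd` step for an ambiguous SERVFAIL is this example's own policy, not something the draft specifies.

```python
# Added example: classify what a DNSSEC-aware application sees from a
# validating resolver and map it to the DANE TLSA decision. Constructed
# inputs throughout; nothing here parses a wire-format DNS message.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# DNS RCODE values (RFC 1035)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


class State(Enum):
    SECURE = "secure"        # validated chain to a trust anchor
    INSECURE = "insecure"    # provably unsigned: no chain to follow
    BOGUS = "bogus"          # signed, but validation failed
    NO_RECORD = "no record"  # name or RRset does not exist
    UNKNOWN = "unknown"      # resolver hid the reason (SERVFAIL with CD=0)


@dataclass
class Response:
    """Minimal constructed stand-in for a resolver reply, not a parsed message."""
    rcode: int
    ad: bool = False                        # AD flag set by the validator
    cd_sent: bool = False                   # query carried Checking Disabled
    answers: list = field(default_factory=list)
    # Outcome of the application's own validation when it used CD=1:
    # True = chain verified, False = verification failed, None = no chain (unsigned)
    local_validation: Optional[bool] = None


def _empty(r: Response) -> bool:
    return r.rcode == NXDOMAIN or (r.rcode == NOERROR and not r.answers)


def classify(r: Response) -> State:
    if not r.cd_sent:
        # Policy lives in the resolver: a bogus answer is withheld as SERVFAIL,
        # which the application cannot tell apart from a resolver outage.
        if r.rcode == SERVFAIL:
            return State.UNKNOWN
        if _empty(r):
            return State.NO_RECORD
        return State.SECURE if r.ad else State.INSECURE
    # Policy lives in the application: with CD=1 the resolver returns everything,
    # AD must not be trusted, and the application's own validation decides.
    if r.local_validation is False:
        return State.BOGUS                  # includes a forged denial of existence
    if _empty(r):
        # Only a validated NSEC/NSEC3 denial is a trustworthy "no record";
        # an unvalidated one is treated as insecure here.
        return State.NO_RECORD if r.local_validation else State.INSECURE
    if r.rcode != NOERROR:
        return State.UNKNOWN
    return State.SECURE if r.local_validation else State.INSECURE


def dane_decision(state: State) -> str:
    """TLSA handling per RFC 6698 section 4.1; 'requery_with_cd' is this
    example's own choice for the ambiguous case, not the draft's."""
    if state is State.SECURE:
        return "use_tlsa"          # TLSA RRset is the certificate association
    if state is State.BOGUS:
        return "abort_tls"         # do not start, or tear down, the TLS session
    if state is State.UNKNOWN:
        return "requery_with_cd"   # ask for the raw RRset and validate locally
    return "no_dane"               # insecure or absent: ordinary PKIX only


if __name__ == "__main__":
    TLSA = "_443._tcp.example.com. IN TLSA 3 1 1 (constructed digest)"
    cases = {
        "resolver-validated":        Response(NOERROR, ad=True, answers=[TLSA]),
        "resolver-hid-bogus":        Response(SERVFAIL),
        "unsigned-zone":             Response(NOERROR, answers=[TLSA]),
        "no-tlsa-record":            Response(NXDOMAIN, ad=True),
        "cd1-app-found-bogus":       Response(NOERROR, cd_sent=True, answers=[TLSA],
                                              local_validation=False),
        "cd1-app-validated":         Response(NOERROR, cd_sent=True, answers=[TLSA],
                                              local_validation=True),
    }
    for name, resp in cases.items():
        st = classify(resp)
        print(f"{name:24s} -> {st.value:10s} -> {dane_decision(st)}")
```

The first branch shows why Paul's point matters: when the resolver applies the policy, a bogus TLSA RRset arrives as SERVFAIL and the application cannot distinguish it from a transient resolver failure; only by signalling CD=1 (and validating itself) does the application get to see the bogus state that the DANE text treats differently from "no record".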

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext