Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext-dnssec-bis-updates-16]
Andrew Sullivan <ajs@anvilwalrusden.com> Wed, 01 February 2012 15:16 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B002911E8073; Wed, 1 Feb 2012 07:16:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328109377; bh=gHdMfPvRZRhiXMr9E7sQZYVgdSUPObnDsJH9PwxYMmM=; h=Date:From:To:Message-ID:References:MIME-Version:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=jm4lqzRWWeybJB9qFfBiDSUOS3a7krFkPljb+0h76b3A+312Nlz9rLUpIN7GpnUBg n0s6p12PWfWd2q23BTuh3qk2RX4YtQZgPgMQ80nT372AfnHBbvBDUycZeMjs+6Yd3b XGM0dL1aH2aTzxM+YwdlNaskCP8QhOLri5WTbAEk=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD29C11E80D3 for <dnsext@ietfa.amsl.com>; Wed, 1 Feb 2012 07:16:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Level:
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=-0.061, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1R742vkdzo9 for <dnsext@ietfa.amsl.com>; Wed, 1 Feb 2012 07:16:16 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 2974111E8073 for <dnsext@ietf.org>; Wed, 1 Feb 2012 07:16:16 -0800 (PST)
Received: from crankycanuck.ca (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 2EA431ECB41C for <dnsext@ietf.org>; Wed, 1 Feb 2012 15:16:15 +0000 (UTC)
Date: Wed, 01 Feb 2012 10:16:13 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20120201151613.GE22825@crankycanuck.ca>
References: <4f292fa5.a874ec0a.330e.28b4SMTPIN_ADDED@mx.google.com> <002101cce0e8$71676de0$cb01a8c0@computer>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <002101cce0e8$71676de0$cb01a8c0@computer>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext-dnssec-bis-updates-16]
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Hi, No hat. > " > When validating the CNAME, if the CNAME has not matching RRSIG and > the validator can not decide whether the CNAME is the synthesis of > other names such as the DNAME, this CNAME should be neglected." In the case of DNAME, you shouldn't need to worry about the synthetic CNAME because if you are validating you already know about DNSSEC. Therefore, you can validate the DNAME and know that the CNAME is synthetic. So I don't think this text is necessary. If you're talking about some future example, then I don't think it will work. Suppose that we invented RRTYPE FOO that was an xNAME. FOO did backward compatibility by synthesizing CNAMEs for FOO-unaware resolvers of some type (let's pretend we signalled awareness using EDNS0). Now, imagine a FOO-unaware validating resolver that follows the advice you suggest. It queries a signed zone with a FOO record. The resolver doesn't know about FOO. Therefore, it doesn't know that there could be a synthetic CNAME at that name, resulting from the FOO record. Therefore, it will treat the unsigned CNAME as bogus, and the backwards compatibility doesn't happen. Ok, so let's suppose we went further than you did, and said any time you see a CNAME in a signed zone that is not signed, you should assume that the unsigned CNAME is synthetic rather than bogus. This of course would be a massive hole in DNSSEC: anyone who could convince you to accept a CNAME any time could undermine your validation. Therefore, it wouldn't be acceptable. Is there some other scenario you can see that I haven't outlined above? Best, A -- Andrew Sullivan ajs@anvilwalrusden.com _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext… Yao Jiankang
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Andrew Sullivan
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Andrew Sullivan
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Yao Jiankang