IETF Logo Mail Archive

Re: [dnsext] Fwd: RFC 2308 & RFC 4035

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 25 February 2011 20:47 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AB1B3A6A3B; Fri, 25 Feb 2011 12:47:54 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2A2BB3A6A3B for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 12:47:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_56=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-+7rwDW1S2s for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 12:47:52 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 044763A6830 for <dnsext@ietf.org>; Fri, 25 Feb 2011 12:47:51 -0800 (PST)
Received: by fxm15 with SMTP id 15so2128665fxm.31 for <dnsext@ietf.org>; Fri, 25 Feb 2011 12:48:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=I+DGuVYQ9gzMhb7vKgAHPz1tnFQU762u4mOTsmUGZZ0=; b=dur4x120M0JrmThtapni/eOaD0+3vzabR1hbNLRDYQvN45q4MQHtkuP0MithFwrcDP wetJzhPvCOmGCGML6zlz0fk0jya/clBkLcH5E4uEUQ4l/dlYZceHgvo7FjYVdBb/m2Zn xL5ytpvNu9FfUB/3NQT02CNC5qYCPKdpi9kNY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=hKu1xicJY0jiMzpkEx/mNWQdinvOIM1I48VgauFCQygEe79Q4iLrrZV1DFcoQnj11O ETEv5OArVlXi1g+4GTAef+jzTV922wMu+2dNG6tXgGwLCGOZOy31rubI6PVSH6zJiaVF MaW664Oy0v6a/s6oqx8w5/MDy0qTKPN5T7tps=
MIME-Version: 1.0
Received: by 10.223.83.144 with SMTP id f16mr3246014fal.4.1298666923292; Fri, 25 Feb 2011 12:48:43 -0800 (PST)
Received: by 10.223.107.132 with HTTP; Fri, 25 Feb 2011 12:48:43 -0800 (PST)
In-Reply-To: <a06240806c98dbfdd4bc4@10.31.200.114>
References: <a06240805c98db61801c2@10.31.200.114> <976A5FBE345E43FDA7A17D7148B96189@local> <a06240806c98dbfdd4bc4@10.31.200.114>
Date: Fri, 25 Feb 2011 16:48:43 -0400
Message-ID: <AANLkTimZAd3CcN8rvgsdvS1HfqWHzmQ8hTBq4Cp8dM9n@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Fwd: RFC 2308 & RFC 4035
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Fri, Feb 25, 2011 at 4:24 PM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
> At 20:08 +0000 2/25/11, George Barwood wrote:
>
>> I think this is addressed by
>>
>> http://tools.ietf.org/html/rfc4035#section-4.5
>>
>> <<
>>   In theory, a resolver could use wildcards or NSEC RRs to generate
>>   positive and negative responses (respectively) until the TTL or
>>   signatures on the records in question expire.  However, it seems
>>   prudent for resolvers to avoid blocking new authoritative data or
>>   synthesizing new data on their own.  Resolvers that follow this
>>   recommendation will have a more consistent view of the namespace.

However, this is immediately following (in 4.5):
   2.  NSEC RRs received to prove the non-existence of a name could be
       reused by a security-aware resolver to prove the non-existence of
       any name in the name range it spans.

So, I'd say there are two distinct cases:
- the NSEC *might* be used to deny the existence of a double
(QNAME,QCLASS) in the range
  (e.g. if "next domain name" were b.example.net, and the QNAME were
a.example.net)
- the NSEC is used to deny the existence of an RRTYPE not listed in the NSEC

The former falls in the "it seems prudent" category.

The latter, I think, does not, in which case, using the NSEC to
generate a NODATA answer is appropriate.
It would never be *wrong* to query the authority server, but it might
be unnecessary, e.g. 99.9999% of the time.

There is one other conflict, I think, which could occur - if an NSEC
is cached, but an RRTYPE not found in the NSEC, is also cached at the
same QNAME,QCLASS.
Is that bad or broken? (Should adding/removing an RRTYPE, or
adding/removing a name, result in selective re-generation of
NSEC/NSEC3 records and their signatures)?
Does it matter which order the two responses arrive? (If it does, I
think that indicates that there's a protocol problem....)
Should it trigger discarding or non-caching of the NSEC record? (I
think not, modulo the question on re-generation/re-signing NSEC/NSEC3
data)

> Good observation.  Question to those who've written caches, what strategy
> seemed best.
>
> It's passages like the quoted that should be firmed up when and if DNSSEC is
> ever a Draft Standard/Full Standard.
>
> And getting back to the resimprove draft, I'd wager that a BCP shouldn't
> disagree with a Standards Track document.

Agree.

Brian
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email