Re: [dnsext] Issues in WGLC of dnssec-bis-updates

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Thu, 09 February 2012 09:25 UTC

Message-ID: <4F33911C.2080601@nlnetlabs.nl>
Date: Thu, 09 Feb 2012 10:25:48 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsext@ietf.org
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl> <20120208185617.GH11475@mail.yitter.info> <D1AA03C9-DAEA-4374-AA51-A05F0738026A@vpnc.org>
In-Reply-To: <D1AA03C9-DAEA-4374-AA51-A05F0738026A@vpnc.org>
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Hi Paul, Andrew,

On 02/08/2012 08:48 PM, Paul Hoffman wrote:
> On Feb 8, 2012, at 10:56 AM, Andrew Sullivan wrote:
> 
>> No hat.
>> 
>> On Wed, Feb 08, 2012 at 09:30:46AM +0100, W.C.A. Wijngaards
>> wrote:
>>> 
>>> On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote:
>>> 
>>>> How does it help the application to make this more fine
>>>> grained ?
>>> 
>>> No, the application just wants all bogus data to be removed.
>>> Data that is secure and data that is not DNSSEC signed is what
>>> it wants.
>> 
>> It seems to me that the above is either a matter of policy or a
>> matter of implementation.  That is, some applications will surely
>> only want data that they can know for sure is valid, and in
>> particular will not want any unsigned data no matter what.
>> 
>> This could be implemented in more than one way.  One is to hand
>> the application everything that is validated and unsigned, and
>> let the application work out which it wants.  But another would
>> be for the application to be able to signal this choice to the
>> resolver.  No?
> 
> 
> In specific, the current proposal for DANE wants to know if it is
> getting bogus data. It treats bogus data as quite different than
> "no record received". See the bulleted list in section 5 of
> draft-ietf-dane-protocol-16.txt.
> 
> If the DNSEXT WG thinks that it is going to change dnssec-bis to
> make the change Wouter suggests, the DANE WG needs to hear about it
> *very soon*.

Let me state that I do not want to make such a change.  For backwards
compatibility DNSSEC has this facility to figure out which zones are
signed and validatable by the validator, and this backwards
compatibility can be used for DANE too.  Thus it wants to know the
precise secure, insecure and bogus validation results.

Best regards,
   Wouter
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
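
Added example, not part of the original message or of any resolver's code: a sketch of why a DANE client needs the three validation results discussed in the thread rather than an answer with bogus data already removed. The decision rules follow RFC 6698 section 4.1, taken here as an assumption about what the draft's section 5 list says; `dane_action`, `filtered_view` and the scenarios are hypothetical names and constructed data.

```python
from enum import Enum

class Validation(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

def dane_action(state, tlsa_rrset):
    """Tri-state interface: the application sees the validation result."""
    if state is Validation.BOGUS:
        return "abort"        # do not start TLS, or tear the connection down
    if state is Validation.SECURE and tlsa_rrset:
        return "use-tlsa"     # records become certificate associations
    return "plain-tls"        # insecure or no TLSA: records are unusable

def filtered_view(state, tlsa_rrset):
    """Hypothetical coarse interface: bogus answers are dropped before the
    application sees them, so they look like an empty unsigned answer."""
    if state is Validation.BOGUS:
        return Validation.INSECURE, []
    return state, tlsa_rrset

# Constructed scenarios: (label, resolver's validation state, TLSA RRset).
SCENARIOS = [
    ("signed zone, TLSA present", Validation.SECURE, ["3 1 1 <placeholder-hash>"]),
    ("signed zone, secure denial", Validation.SECURE, []),
    ("unsigned zone", Validation.INSECURE, ["3 1 1 <placeholder-hash>"]),
    ("signature check fails", Validation.BOGUS, ["3 1 1 <placeholder-hash>"]),
]

def divergences():
    """Return scenarios where the coarse interface changes the decision."""
    out = []
    for label, state, rrset in SCENARIOS:
        precise = dane_action(state, rrset)
        coarse = dane_action(*filtered_view(state, rrset))
        if precise != coarse:
            out.append((label, precise, coarse))
    return out

if __name__ == "__main__":
    for label, precise, coarse in divergences():
        print(f"{label}: tri-state={precise}, filtered={coarse}")
```

Only the bogus case diverges: with the result hidden, a failed signature check is indistinguishable from "no record received" and the client proceeds without DANE instead of aborting.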