IETF Logo Mail Archive

Re: [dnsext] [dane] Aiming towards some specific wording

Matt McCutchen <matt@mattmccutchen.net> Tue, 22 November 2011 04:11 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C698221F8B55; Mon, 21 Nov 2011 20:11:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1321935062; bh=RRhGGJLh0DVOxmMIZD+06otgFyQSTfKfVqXwzrBo0Eo=; h=Message-ID:From:To:In-Reply-To:References:Date:Mime-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=vyD0QUfmiUXsk8Ux0C5wb+AKPjrQMcPYoH3jy2bn4sKpLxq8NdL0aVY0ZvTlEDGLK ChGwt87ZH8m14KlfmkwOQpJAB6AsNpmdhnKC3px4ZRK88XTTt7LTcB5/048DDvEZXA 8zPji5r+Q0JYsISXN/drNDzMlJX1UxTLxJYSzQYA=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8DF21F886A; Mon, 21 Nov 2011 20:11:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8a3-zA-9yM2k; Mon, 21 Nov 2011 20:10:55 -0800 (PST)
Received: from homiemail-a3.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id 4845A21F86D0; Mon, 21 Nov 2011 20:10:55 -0800 (PST)
Received: from homiemail-a3.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a3.g.dreamhost.com (Postfix) with ESMTP id 31A0A28408C; Mon, 21 Nov 2011 20:10:46 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=message-id :subject:from:to:cc:in-reply-to:references:content-type:date :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=Mux7HzYkwPCXbebarPq4KixxBiP/W/fFpdmGCS5wVp0 ZeO3O+NvGYxFXxpUqm04S3XY1Yutc1pP4vUt64+i5wGZ0DvoeY/EVwnR8ccLQd9i 8B/7fhRVY0CNLpUT+pdrgZ7AziLOmbQiCltjjR3XZGCX/9pB2a4Jfx8OT77t7wYU =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= message-id:subject:from:to:cc:in-reply-to:references :content-type:date:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=dhFD+q1cfo7K4aL3T1SiNzPFrzM=; b=LAiyhUf73s siziapGe3baYrTcnpOS0+aKIwBt2MWKDWsl0lzal8Z91yymFIAauGRYzLDeKbrjO govRrn8SBKbda9EXnchCEMxpNhGSN6VTzpjTEMxgy7AR1NSRIabd6WCTvgtKl4mg UTIhdm9yYv2O5kBHsZ5cuhvBfLZB2jSE0=
Received: from [IPv6:::1] (ps7180.dreamhost.com [75.119.218.76]) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a3.g.dreamhost.com (Postfix) with ESMTPSA id F111C284081; Mon, 21 Nov 2011 20:10:45 -0800 (PST)
Message-ID: <1321935016.1657.19.camel@mattlaptop2.local>
From: Matt McCutchen <matt@mattmccutchen.net>
To: dane@ietf.org, dnsext@ietf.org
In-Reply-To: <a06240803caf071b97c5c@[10.31.200.137]>
References: <45EA694E-096C-41A1-B60E-BF7B3832FE2A@vpnc.org> <4EC70173.9090106@sv.cmu.edu> <247CAE36-68FB-4048-B07C-9B4C0903434D@vpnc.org> <92AA2445-000C-44CF-8CA5-9796528EA946@checkpoint.com> <0536F82C-346C-4ABE-81E6-3B008219DBD9@kirei.se> <773BAA00-22B9-43A6-BB36-8E3CB6166E38@nic.cz> <4B541E04-4A37-4402-AD01-EA95F69C8FB1@vpnc.org> <6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz> <20111121211312.6692917DB0E8@drugs.dv.isc.org> <a06240803caf071b97c5c@[10.31.200.137]>
Date: Mon, 21 Nov 2011 20:10:16 -0800
Mime-Version: 1.0
X-Mailer: Evolution 3.2.3
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Mon, 2011-11-21 at 16:28 -0500, Edward Lewis wrote:
> Answering only to DNSEXT...
> 
> > At 8:13 +1100 11/22/11, Mark Andrews wrote:
> >"insecure" and "indeterminate" zones are logically the same.  Dane
> >should just treat them as !secure.
> 
> No, they are not the same.
> 
> Insecure means I get records indicating there's no possible trust
> chain that can be constructed from the data to anything I have.
> 
> Indeterminate means when I try to get records for part of the chain I
> "time-out".  ("No servers could be reached.")
> 
> There's a significant semantic difference between the two.  Apart from
> the fact that you won't succeed in constructing a chain, "insecure"
> means it is definitively impossible and "indeterminate" means "not
> with the data at hand, at this time."  The former would be data that
> is not protected, the latter could be declared a service failure.
> 
> Here's the definition in RFC 4035 I'm pointing to:
> 
> 4.3.  Determining Security Status of Data
> ...
>    Indeterminate: An RRset for which the resolver is not able to
>       determine whether the RRset should be signed, as the resolver is
>       not able to obtain the necessary DNSSEC RRs.  This can occur
> when
>       the security-aware resolver is not able to contact
> security-aware
>       name servers for the relevant zones.

That's great, RFC 4035 has a totally different definition of
"indeterminate" than RFC 4033.

RFC 4033 "indeterminate" is equivalent to "insecure" for DANE's purpose
and likely other purposes as well.  RFC 4035 "indeterminate" is not a
separate group of cases; those cases are better described as "SERVFAIL",
or possibly "bogus" if the resolver successfully retrieves the target
RRset (but not the DNSSEC RRs).

Ultimately, DANE needs three cases:

1. Secure: Process the RRset.
2. Insecure or RFC 4033 indeterminate: Fall back to pre-DANE behavior,
or (maybe -- under discussion) process the restrictive part of the
assertion without the additive part.
3. Bogus or query failed (RCODE other than NOERROR or NXDOMAIN, no
response from DNS servers, etc.): Fail closed.

-- 
Matt


_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.8.7 | Report a Bug | By Email