Re: [dnsext] Issues in WGLC of dnssec-bis-updates
Mark Andrews <marka@isc.org> Wed, 08 February 2012 23:05 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A2111E8080; Wed, 8 Feb 2012 15:05:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328742342; bh=L4wLQd/+h9qV4bCP23mhAq/dP4yajQ01uMBOyoCvUn4=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=IhLAXN05eIziW4FMrcORmB4vzVC5fDfywA//nn6RqqG2LKB8XitvI1nrU3rF721rC lSta4cfz/+IaM/itlmSolA3rmLKbaLmI1Fi1ZLHdmBtjC1CNOfd4H3OhlBiLiWIS4y hyj03g6a11J4hO+3+C6VFjOWj6mKd5bUb/CC9HPg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F224211E8080 for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.554
X-Spam-Level:
X-Spam-Status: No, score=-2.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8YO1K5nx82eL for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:05:40 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 9DFB121F8562 for <dnsext@ietf.org>; Wed, 8 Feb 2012 15:05:32 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 84E2C5F98E5; Wed, 8 Feb 2012 23:05:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:3981:7370:f4ed:515c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 486D3216C6A; Wed, 8 Feb 2012 23:05:14 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 2440F1D0601B; Thu, 9 Feb 2012 10:05:11 +1100 (EST)
To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl> <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
In-reply-to: Your message of "Wed, 08 Feb 2012 10:45:46 -0800." <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
Date: Thu, 09 Feb 2012 10:05:10 +1100
Message-Id: <20120208230511.2440F1D0601B@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
In message <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>, Mohan Parthasarathy writes: > On Wed, Feb 8, 2012 at 12:30 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wr= > ote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Hi Mohan, > > > > The definition of indeterminate was wrong in RFC4035, and you now seem > > to think DNSSEC is riddled with downgrade. =A0There is no downgrade, > > because the security-states are the outcome of the chain-of-trust > > algorithm, not implemented from its definitions in RFC4035. > > > Okay, after reading your response and re-reading 4035 and 4033, I > think 4033 definitions for Bogus, Insecure and Indeterminate capture > the discussion below more clearly. > > <snip> > > > On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote: > >> On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrot= > e: > >>> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote: > >>> > >>>> insecure, or bogus. =A0Note that with the root trust anchor the > >>>> indeterminate state no longer occurs, since we know everything is > >>>> covered by that trust anchor. > >>> > >>> > >>> I disagree with that. > >>> > >>> The Internet that we usually think about as being the only one is what I > >>> call the "global public Internet". =A0For the global public Internet, t= > he DNS > >>> in common use does have a trust anchor for it's root zone so the assert= > ion > >>> holds for the majority of cases, but then again only for recursive serv= > ers > >>> that have the trust anchor. > >>> > >>> There are other inter-networks that use the DNS protocol. =A0In at leas= > t one > >>> of these, DNSSEC has not been deployed. > >>> > >>> And, you can stretch this to the case of a recursive server, on the glo= > bal > >>> public Internet, that does not have the root anchor configured - and may > >>> have another anchor. =A0To such a server, validating some DNS data is > >>> impossible (incalculable). > >>> > >>> The protocol cannot be defined assuming one particular mode of operatio= > n. > >>> > >> Before getting to define this precisely, we should try to understand > >> the different cases that can occur and see whether we all agree on the > >> error status for the different cases. > > > > Why data cannot be fetched is not a factor in the end result. =A0This > > simplifies the cases to: cannot get the proper DNSSEC data, can get > > proper DNSSEC data but it's invalid, can get proper DNSSEC data and it's > > ok. =A0And the results are bogus, bogus, secure. =A0If you find an insecu= > re > > delegation it is insecure. =A0If there is no applicable trust anchor, the > > result is indeterminate (that is effectively just like insecure). > > > > Ok, Bogus, Secure and Insecure applies only when there is an > applicable trust anchor. When it is absent, it is indeterminate. That > simplifies a lot. Absolutely wrong. Step 1 of validation. Is there a potential covering trust anchor? Yes. Goto step 2. No. Mark as insecure. Step 2 .... > <snip> > >> > >> 1) We get some DNSSEC RRs back but can't validate. Just being able to > >> partially validate without tracing back to the trust anchor is equally > >> bad as not being able to validate the signatures. > > > > Yes, that is bogus in today's implementations. > > > >> 2) We get no DNSSEC RRs back. This could be a problem in the path or > >> the zone is not signed. We can't tell the difference without some > >> extra configuration. > > > > You can tell the difference because the chain-of-trust is signed itself, > > and this extends from the trust anchor to the data you just got, and > > thus you know if this zone is signed or not. =A0And thus in your question, > > the unsigned zone is ok(insecure), and the signed-zone-missing-DNSSEC > > RRs is not ok(bogus). > > > >> How does it help the application to make this more fine grained ? > > > > No, the application just wants all bogus data to be removed. =A0Data that > > is secure and data that is not DNSSEC signed is what it wants. =A0Because > > of the chain-of-trust the validator knows which parts of the space below > > a trust anchor is signed (and must have DNSSEC available) and which part > > is unsigned. =A0This property could be the cause that made insecure and > > indeterminate terms exist, as indeterminate is not really processed but > > simply the absence of a covering trust anchor, just like in the case > > where you had no trust anchors at all. =A0But then insecure needs > > processing: you have to validate the chain of trust from the trust > > anchor to the insecure-delegation point, and only then can you conclude > > that the data is insecure. =A0This is something internal to the DNSSEC > > validator, and not particularly impressive to the application, that > > likely just wants to know if the data was DNSSEC-signed (if so: secure > > or bogus) or if the data was not DNSSEC-signed (as determined with the > > configured set of trust anchors). > > > That was very useful discussion. > > regards > mohan > > > Best regards, > > =A0 Wouter > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v2.0.15 (GNU/Linux) > > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ > > > > iQIcBAEBAgAGBQJPMjK2AAoJEJ9vHC1+BF+NxVUQAIyQ4nPk7Syogn9uh4z890yJ > > kmPxslbpvHru47OxKd0tYvozldnP32z1+JToGSZR8qRU+w9SAQLutnFkqCU28x95 > > QUAot8G157kxZT95zhdjVqpbyUYDYwKKUY4jqplq4IuyIm1ewEOcwAS8Sak1o9Gr > > 17Xs4aCpl55QmTCZAlP+r6SwCDY738Py9I51BJhifAB9HdkT6XK1+bsbMSiFhG+o > > koICUhKaLDthmFvBrHBVCiW4xD5uk8ww2jlMNXv2LaRT05tfVjLC0EfboFn3kEkg > > +c39M8Bm4GlkQvB1Wr37AEPn/m0PYbsC2lOEQL/04QRGiAcDTtjo4bzzsKb6yFFi > > cWg8mUsldcSikZB+YFVS0RRLGcKCWhOVHxxMqKlA/IdzBU02JiGaYqZU9SKaakkc > > 8AEFJkQdUYerh4BPeiwlzpy4uS3kiJU7A8hKnQSIuRR1xo7r28NKuvrxLnw5b3es > > kExf4pyb5zitBPx6c0ERQ1SJrw9VU3DipJb6dY/QW5uceHvfJlYQiXN6nGGKUkvw > > FlupnGef8TvHvgnHieiD9t3WRh+7WNKdMCs627U/Ym8VC0gcTXK3WORMdwrAVq7j > > I7wEkXH4ms9sJD09ZGysNjlRylKvMzHlxxIjl3kpFmvGwus//BxMq8GCT+08cJ9Z > > 5AOnYo5AWqWqa8nipilZ > > =3DdpSm > > -----END PGP SIGNATURE----- > > _______________________________________________ > > dnsext mailing list > > dnsext@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsext > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker