[dnsext] some words
Mark Andrews <marka@isc.org> Wed, 08 February 2012 01:54 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD91B11E8073; Tue, 7 Feb 2012 17:54:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328666071; bh=+gxl6r3+tOPRbDJa+Hvd/WiPd0k1l6DjloBfBJiKKZU=; h=To:From:Date:Message-Id:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:MIME-Version: Content-Type:Content-Transfer-Encoding:Sender; b=iiBp18YrzHCzML+sA4h1MmlzeLwN01M2xz71jfuftSm0vm2kGMXhJD/uEnna+1tIh XN5ohWvlBfvS/eZUa+8fszHr0wx005G0BDNH0Sv2rktJXDUunBBXC0a1mJ3UJAeMvk 9JZ4SvIXIJYKn/ZX9ZmJNK+oO/OwBW8EHckApsHc=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27E7821F860D for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 17:54:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XIOiZbcZBO7U for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 17:54:30 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 2530621F8602 for <dnsext@ietf.org>; Tue, 7 Feb 2012 17:54:15 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 339D0C941E for <dnsext@ietf.org>; Wed, 8 Feb 2012 01:54:04 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:b866:ffc:24d5:68f1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id EAC60216C6A for <dnsext@ietf.org>; Wed, 8 Feb 2012 01:54:03 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id EC7BD1CF9568 for <dnsext@ietf.org>; Wed, 8 Feb 2012 12:54:01 +1100 (EST)
To: dnsext@ietf.org
From: Mark Andrews <marka@isc.org>
Date: Wed, 08 Feb 2012 12:54:01 +1100
Message-Id: <20120208015401.EC7BD1CF9568@drugs.dv.isc.org>
Subject: [dnsext] some words
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
CD bit handling is in a couple of places in 4035. The alternative to this is defining a way to pass trust anchors and time from the stub to the recursive server to be used to find answers which will pass validation on the stub resolver. I'll see if I can come up with similar words for the recursive server that is talking to another recursive server. Section 4.9.2 of RFC 4035 is hereby replaced with the following: Old: 4.9.2. Handling of the CD Bit A non-validating security-aware stub resolver SHOULD NOT set the CD bit when sending queries unless it is requested by the application layer, as by definition, a non-validating stub resolver depends on the security-aware recursive name server to perform validation on its behalf. A validating security-aware stub resolver SHOULD set the CD bit, because otherwise the security-aware recursive name server will answer the query using the name server's local policy, which may prevent the stub resolver from receiving data that would be acceptable to the stub resolver's local policy. New: 4.9.2. Handling of the CD Bit A non-validating security-aware stub resolver SHOULD NOT set the CD bit when sending queries unless it is requested by the application layer, as by definition, a non-validating stub resolver depends on the security-aware recursive name server to perform validation on its behalf. A validating security-aware stub resolver SHOULD first try queries with the CD bit clear, then if SERVFAIL is returned, retry the query with the CD bit set. The CD=0 query allow the recursive server to reject answers from misconfigured / stale authorititative servers. The CD=1 query allows the stub resolver to talk though a recursive server with stale trust anchors or a misconfigured clock. In either case it validates the answer it receives from the recursive server prior to passing it to the application. It is RECOMMENDED that the recursive server be configured with a super-set of the trust anchors used by its clients. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] some words Mark Andrews