IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Mark Andrews <marka@isc.org> Tue, 01 May 2012 01:27 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA97921E8048; Mon, 30 Apr 2012 18:27:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1335835630; bh=y5YWvvDjn8IFHhP46ihlBP/9cxSsr/GOaDDWrzWHz04=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=PmaKi0tfEbANB6hp+3dX7axO+YaPw4XDDm98CSDXiq/9/+oez2/RcobFUoKd/GiNi K9R/4Sa5s9I3cd8HgQX6pW5SmZvUYc8e6YofcW3kqwL5kTwpqYYPDpkZsDNsT2K+B0 xz1S9H/Tz16JclOLljZfvKcYPPRgtNC3NZD2Y4DA=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC3BC21E8048 for <dnsext@ietfa.amsl.com>; Mon, 30 Apr 2012 18:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j85FTSAavHdE for <dnsext@ietfa.amsl.com>; Mon, 30 Apr 2012 18:27:08 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 2A65B21E8011 for <dnsext@ietf.org>; Mon, 30 Apr 2012 18:27:08 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id E70395F9925; Tue, 1 May 2012 01:26:51 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:4c27:d59:8c27:a78b]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 26A06216C31; Tue, 1 May 2012 01:26:50 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id B94E52045DE7; Tue, 1 May 2012 11:26:41 +1000 (EST)
To: Samuel Weiler <weiler@watson.org>
From: Mark Andrews <marka@isc.org>
References: <20120120054939.GD4365@mail.yitter.info> <20120120142243.GE4944@mail.yitter.info> <a06240801cb3f4c060c50@[192.168.129.98]> <alpine.BSF.2.00.1203121455450.39342@fledge.watson.org> <alpine.BSF.2.00.1204301341240.95708@fledge.watson.org>
In-reply-to: Your message of "Mon, 30 Apr 2012 13:43:37 -0400." <alpine.BSF.2.00.1204301341240.95708@fledge.watson.org>
Date: Tue, 01 May 2012 11:26:41 +1000
Message-Id: <20120501012641.B94E52045DE7@drugs.dv.isc.org>
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <alpine.BSF.2.00.1204301341240.95708@fledge.watson.org>, Samuel Weiler writes:
> On Mon, 12 Mar 2012, Samuel Weiler wrote:
> 
> > On Fri, 20 Jan 2012, Edward Lewis wrote:
> ...
> >> 5.9's title is misleading.  The content is good, it's about answering from 
> >> cache in the face of a CD query.  But "always doing CD" only applies to 
> >> elements that will do their own validation.
> >
> > Doesn't it also apply to a non-validating box in the middle?  That box may 
> > still need to return +CD data if something downstream wants it.
> >
> > The only place I see it not applying is stub resolvers.  Rather than alter 
> > the title (since I couldn't think of a good way to do it), I propose adding a 
> > paragraph saying "this doesn't apply to stub resolvers".
> 
> During his PROTO review, Andrew observed that the CD bit appendix 
> mentions validating stub resolvers and, indeed, it seems to me that 
> section 5.9 would apply to validating stub resolvers also.  At least 
> for the moment, I've removed the sentence saying the section doesn't 
> apply to stub resolvers.  If there's a better way to fix this, please 
> speak up.

The advice to always set +CD is just *bad*.  If you are talking
*directly* to the authoritative servers it doesn't hurt.  If you
are talking through another recursive server it leaves the client
unable to get at good data when bad data is being presented to the
recursive server.  All element of the resolution path SHOULD be
validating responses.

> -- Sam
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email