Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext-dnssec-bis-updates-16]
Andrew Sullivan <ajs@anvilwalrusden.com> Wed, 01 February 2012 16:05 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F40C11E8093; Wed, 1 Feb 2012 08:05:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328112312; bh=9xSsVeghIyf1ID3J3MXRM08S96SjzFujHOfgrXDY5Rc=; h=Date:From:To:Message-ID:References:MIME-Version:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=gTUrDlUQyMNrJrm95erTKUfrqv8RdqSdb4O2iM7Ry3YyjseRbzR8ahNvBEA+IQcbe iSn/PkkhGbgibnrcrLl/0O+eWnr8qUWMm1xuJzsDU2NBrNVbAOVSew/IfxAVowBc6E 7zaqL3OBzRqVZ01xcvXJdsUtT1tpw/xwmKgh3Omg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED74111E8076 for <dnsext@ietfa.amsl.com>; Wed, 1 Feb 2012 08:05:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.359
X-Spam-Level:
X-Spam-Status: No, score=-2.359 tagged_above=-999 required=5 tests=[AWL=-0.360, BAYES_00=-2.599, J_CHICKENPOX_84=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5ilEhT+OhKp for <dnsext@ietfa.amsl.com>; Wed, 1 Feb 2012 08:05:09 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 7C13311E8080 for <dnsext@ietf.org>; Wed, 1 Feb 2012 08:05:09 -0800 (PST)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 8BF851ECB41C for <dnsext@ietf.org>; Wed, 1 Feb 2012 16:05:08 +0000 (UTC)
Date: Wed, 01 Feb 2012 11:05:01 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20120201160500.GA23020@mail.yitter.info>
References: <4f292fa5.a874ec0a.330e.28b4SMTPIN_ADDED@mx.google.com> <002101cce0e8$71676de0$cb01a8c0@computer> <20120201151613.GE22825@crankycanuck.ca> <006c01cce0f7$d22250f0$cb01a8c0@computer>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <006c01cce0f7$d22250f0$cb01a8c0@computer>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext-dnssec-bis-updates-16]
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Hi, No hat. On Wed, Feb 01, 2012 at 11:40:23PM +0800, Yao Jiankang wrote: > >Now, imagine a FOO-unaware validating resolver that follows the advice > >you suggest. It queries a signed zone with a FOO record. The > >resolver doesn't know about FOO. Therefore, it doesn't know that > >there could be a synthetic CNAME at that name, resulting from the FOO > >record. Therefore, it will treat the unsigned CNAME as bogus, and the > >backwards compatibility doesn't happen. > > My suggested word is that "this CNAME should be neglected". It means > that the FOO-unaware validating resolver(when doing DNSSEC checking) > will see this unsigned CNAME as nothing, not accept it, and also not > report it as bogus. When a unsigned CNAME appears, the FOO-unaware > validating resolver(when doing DNSSEC checking) just sees nothing > and negelcts this CNAME. So I do not think that it will cause any > hole in DNSSEC. Ok, so the resolver ignores the unsigned CNAME (i.e. it's as though it wasn't received), and returns what to the initiator of the query (i.e. the originating resolver or the application or whatever)? NOERROR with an empty answer? I don't understand how this is any better than treating the result as bogus; the originator of the query still can't get to the destination it was querying for, right? Best, A -- Andrew Sullivan ajs@anvilwalrusden.com _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] CNAME check Re: [WGLC: draft-ietf-dnsext… Yao Jiankang
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Andrew Sullivan
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Andrew Sullivan
- Re: [dnsext] CNAME check Re: [WGLC: draft-ietf-dn… Yao Jiankang