IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Mohan Parthasarathy <suruti94@gmail.com> Mon, 30 January 2012 02:12 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714A121F84BF; Sun, 29 Jan 2012 18:12:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1327889536; bh=GVU6x0RHWDDwlYMWPhCqNeHdInQNgT88hpl1EvRT5so=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=B2CG9m0HsKhO6Ua1h1wdX+PUPhWxw66ISHUnju1h4XGlbSQWleeLjcLBZSDvDxSlK qs4aJPX4uHkDqqTBrim+GeiHiDC+kS02X6pn8TQ5l/XzWEg3sggHXNf4uSPT/fhssR swq4FGvJZc+kS2N7zY+znvFfRnfTNRzb+DQgr+i4=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621AB21F84BF for <dnsext@ietfa.amsl.com>; Sun, 29 Jan 2012 18:12:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.354
X-Spam-Level:
X-Spam-Status: No, score=-3.354 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVvpYQglrLvN for <dnsext@ietfa.amsl.com>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id B476821F8471 for <dnsext@ietf.org>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: by qan41 with SMTP id 41so110142qan.10 for <dnsext@ietf.org>; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ITh6O3D7dK+oCGYH7Bdaq8wnjkYxfxjMMNrfYIcHajk=; b=x+EIAiAzFqlYkjGwSMci8MX/YZnbpl0H0Xc/VV/iWfRX7g0leNcOPh3zE3uSU18iWG KLwP+uLwjQtx9PwKu6aIRQJcH94aRaJHl3bNMTAlT1rBMbOmfaYpwXWdU0VSKAnk+TTR +LIORzDAkoneso7bDkk65uSqyTZvoTLcZiz9E=
MIME-Version: 1.0
Received: by 10.224.198.3 with SMTP id em3mr18775221qab.23.1327889534195; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Sun, 29 Jan 2012 18:12:14 -0800 (PST)
In-Reply-To: <20120128134331.819221C33944@drugs.dv.isc.org>
References: <20120120054939.GD4365@mail.yitter.info> <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com> <20120128052029.618CE1C32BFA@drugs.dv.isc.org> <CACU5sD=P-agE2oOqvAiCs=bcX3Off6cCubW-f=skKP54-1oQaQ@mail.gmail.com> <20120128134331.819221C33944@drugs.dv.isc.org>
Date: Sun, 29 Jan 2012 18:12:14 -0800
Message-ID: <CACU5sDnuW7hUkYAoyyBY=W2yN0EgYiuX3wY8gBryDGN5LxUkSw@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Sat, Jan 28, 2012 at 5:43 AM, Mark Andrews <marka@isc.org> wrote:
>
> In message <CACU5sD=P-agE2oOqvAiCs=bcX3Off6cCubW-f=skKP54-1oQaQ@mail.gmail.com>
> , Mohan Parthasarathy writes:
>> On Fri, Jan 27, 2012 at 9:20 PM, Mark Andrews <marka@isc.org> wrote:
>> >
>> > In message <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmai=
>> l.com>
>> > , Mohan Parthasarathy writes:
>> >
>> >> - Section 5.7 setting the AD bit on queries. Is CD=0,DO=0 in the que=
>> ry
>> >> same as AD=1,DO=0 ?
>> >
>> > The question doesn't make sense.
>> >
>> > AD=0,DO=1 and AD=1,DO=1 produce the same result.
>> > AD=0,DO=0 and AD=1,DO=0 produce different results.
>> > AD=0,DO=0 and AD=0,DO=1 produce different results.
>> > AD=1,DO=0 and AD=0,DO=1 produce different results.
>> >
>> Thanks for the clarification. I realized after I posted that not
>> setting CD and DO is pre-DNSSEC.
>>
>> >> missed the discussion on this earlier. If there is a valid reason,
>> >> that needs to be stated explicitly as to why we are introducing this
>> >> new option.
>> >
>> > Section 5.7 explains why this option exists.
>> >
>> >                This allows a requestor to indicate that i=
>> t understands
>> >   the AD bit without also requesting DNSSEC data via the DO bit.
>> >
>> >
>> So, "understands" here means "Please do the validation for me " ?
>> Then, is  CD=1, AD=1 a invalid option ?
>
> No.  AD will be 1 if the answer + authority sections come from
> cached data that has validated as secure.  That said I don't think
> there is much use unless you are trying to check if a lookup failure
> was due to DNSSEC errors.
>
Okay.

>> So, there are implementations out there that want to know whether
>> validation was successful or not but just not want to handle any
>> DNSSEC records?
>
> I will put it this way.  I doubt if there is a application that
> cares about AD that *wants* the DNSSEC records.  At the moment they
> have no choice unless they are using the draft.
>
Agreed that those DNSSEC records are not of much use. For
non-validating resolvers, there is now a choice of setting the DO bit
or AD bit and setting both does not make sense. Perhaps, this should
be explained.

>> My question was more on what prompted the addition of this new feature ?
>
> 1. It reduces the response size.
> 2. You can apply DNS64, NXDOMAIN redirection, bad site filtering, etc. with
>   AD=1 which you can't with DO=1.
>
Why does the extra DNSSEC records affect DNS64 ?

If AD=1 seems better for non-validating resolvers, perhaps that should
be recommended in the draft ?

-mohan

>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email