Re: [dnsext] [dane] Aiming towards some specific wording

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 21 November 2011 21:29 UTC

Message-Id: <a06240803caf071b97c5c@[10.31.200.137]>
In-Reply-To: <20111121211312.6692917DB0E8@drugs.dv.isc.org>
References: <45EA694E-096C-41A1-B60E-BF7B3832FE2A@vpnc.org> <4EC70173.9090106@sv.cmu.edu> <247CAE36-68FB-4048-B07C-9B4C0903434D@vpnc.org> <92AA2445-000C-44CF-8CA5-9796528EA946@checkpoint.com> <0536F82C-346C-4ABE-81E6-3B008219DBD9@kirei.se> <773BAA00-22B9-43A6-BB36-8E3CB6166E38@nic.cz> <4B541E04-4A37-4402-AD01-EA95F69C8FB1@vpnc.org> <6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz> <20111121211312.6692917DB0E8@drugs.dv.isc.org>
Date: Mon, 21 Nov 2011 16:28:52 -0500
To: <dnsext@ietf.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: ed.lewis@neustar.biz, dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording

Answering only to DNSEXT...

At 8:13 +1100 11/22/11, Mark Andrews wrote:
>"insecure" and "indeterminate" zones are logically the same.  Dane
>should just treat them as !secure.

No, they are not the same.

Insecure means I get records indicating there's no possible trust 
chain that can be constructed from the data to anything I have.

Indeterminate means when I try to get records for part of the chain I 
"time-out".  ("No servers could be reached.")

There's a significant semantic difference between the two.  Apart 
from the fact that you won't succeed in constructing a chain, 
"insecure" means it is definitively impossible and "indeterminate" 
means "not with the data at hand, at this time."  The former would be 
data that is not protected, the latter could be declared a service 
failure.

Here's the definition in RFC 4035 I'm pointing to:

4.3.  Determining Security Status of Data
...
    Insecure: An RRset for which the resolver knows that it has no chain
       of signed DNSKEY and DS RRs from any trusted starting point to the
       RRset.  This can occur when the target RRset lies in an unsigned
       zone or in a descendent of an unsigned zone.  In this case, the
       RRset may or may not be signed, but the resolver will not be able
       to verify the signature.
...
    Indeterminate: An RRset for which the resolver is not able to
       determine whether the RRset should be signed, as the resolver is
       not able to obtain the necessary DNSSEC RRs.  This can occur when
       the security-aware resolver is not able to contact security-aware
       name servers for the relevant zones.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"
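The distinction argued above, worked through in code. This is an added illustration, not code from the thread or from any DANE implementation: it walks a simplified chain of trust top-down and classifies the RRset per the RFC 4035 section 4.3 definitions, then shows why a DANE client should not collapse Insecure and Indeterminate into one "!secure" outcome. The chain model (one tuple per zone cut, the "signed"/"unsigned"/"bad" labels, and the action names) is an assumption made for the example.

```python
# Added example (not from the thread): classify an RRset's DNSSEC status
# per RFC 4035 section 4.3 by walking the chain of trust from the trust
# anchor down to the owner zone, then map that status to a DANE decision.
# The chain model below is a deliberate simplification.
from enum import Enum

class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"            # proven: no chain can ever be built
    INDETERMINATE = "indeterminate"  # unknown: needed DNSSEC RRs not obtainable
    BOGUS = "bogus"

# Each hop is (zone_name, servers_reachable, delegation), listed top-down,
# starting at the zone holding the trust anchor.  'delegation' describes
# how this zone hangs off its parent (hypothetical labels):
#   "signed"   - parent DS (or the anchor) validates this zone's DNSKEY
#   "unsigned" - parent proves (NSEC/NSEC3) there is no DS: unsigned zone
#   "bad"      - DS/DNSKEY/RRSIG are present but fail to validate
def classify(chain):
    for zone, reachable, delegation in chain:
        if not reachable:
            # "No servers could be reached": we cannot obtain the DNSKEY/DS
            # RRs, so we cannot tell whether the data should be signed.
            return Status.INDETERMINATE
        if delegation == "bad":
            return Status.BOGUS
        if delegation == "unsigned":
            # Proven unsigned zone; everything beneath it is insecure no
            # matter what the lower servers would have answered.
            return Status.INSECURE
    return Status.SECURE

def dane_action(status):
    """What a DANE client does with the TLSA lookup result (assumed names)."""
    return {
        Status.SECURE: "validate-with-tlsa",
        Status.INSECURE: "no-dane-fallback",      # data is simply unprotected
        Status.INDETERMINATE: "service-failure",  # retry or fail, never fall back
        Status.BOGUS: "abort",
    }[status]

# Constructed sample chains (example zones, not real measurements).
WORKS = [(".", True, "signed"), ("com", True, "signed"), ("example.com", True, "signed")]
UNSIGNED = [(".", True, "signed"), ("com", True, "signed"), ("example.com", True, "unsigned")]
TIMEOUT = [(".", True, "signed"), ("com", False, "signed"), ("example.com", True, "signed")]
# Unsigned parent with an unreachable child: still Insecure, not Indeterminate.
UNSIGNED_THEN_DOWN = [(".", True, "signed"), ("example", True, "unsigned"), ("x.example", False, "signed")]
```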