Re: [dnsext] [dane] Aiming towards some specific wording

Mark Andrews <marka@isc.org> Mon, 21 November 2011 23:21 UTC

To: Edward Lewis <Ed.Lewis@neustar.biz>
From: Mark Andrews <marka@isc.org>
References: <45EA694E-096C-41A1-B60E-BF7B3832FE2A@vpnc.org> <4EC70173.9090106@sv.cmu.edu> <247CAE36-68FB-4048-B07C-9B4C0903434D@vpnc.org> <92AA2445-000C-44CF-8CA5-9796528EA946@checkpoint.com> <0536F82C-346C-4ABE-81E6-3B008219DBD9@kirei.se> <773BAA00-22B9-43A6-BB36-8E3CB6166E38@nic.cz> <4B541E04-4A37-4402-AD01-EA95F69C8FB1@vpnc.org> <6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz> <20111121211312.6692917DB0E8@drugs.dv.isc.org> <a06240803caf071b97c5c@[10.31.200.137]>
In-reply-to: Your message of "Mon, 21 Nov 2011 16:28:52 CDT." <a06240803caf071b97c5c@[10.31.200.137]>
Date: Tue, 22 Nov 2011 10:20:55 +1100
Message-Id: <20111121232055.B6D5D17DD132@drugs.dv.isc.org>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording

In message <a06240803caf071b97c5c@[10.31.200.137]>, Edward Lewis writes:
> At 8:13 +1100 11/22/11, Mark Andrews wrote:
> >"insecure" and "indeterminate" zones are logically the same.  Dane
> >should just treat them as !secure.
> 
> No, they are not the same.
> 
> Insecure means I get records indicating there's no possible trust 
> chain that can be constructed from the data to anything I have.
> 
> Indeterminate means when I try to get records for part of the chain I 
> "time-out".  ("No servers could be reached.")
> 
> There's a significant semantic difference between the two.  Apart 
> from the fact that you won't succeed in constructing a chain, 
> "insecure" means it is definitively impossible and "indeterminate" 
> means "not with the data at hand, at this time."  The former would be 
> data that is not protected, the latter could be declared a service 
> failure.
> 
> Here's the definition in RFC 4035 I'm pointing to:
> 
> 4.3.  Determining Security Status of Data
> ...
>     Insecure: An RRset for which the resolver knows that it has no chain
>        of signed DNSKEY and DS RRs from any trusted starting point to the
>        RRset.  This can occur when the target RRset lies in an unsigned
>        zone or in a descendent of an unsigned zone.  In this case, the
>        RRset may or may not be signed, but the resolver will not be able
>        to verify the signature.
> ...
>     Indeterminate: An RRset for which the resolver is not able to
>        determine whether the RRset should be signed, as the resolver is
>        not able to obtain the necessary DNSSEC RRs.  This can occur when
>        the security-aware resolver is not able to contact security-aware
>        name servers for the relevant zones.

And the difference between that and bogus is?   It got data and no
signature so it is bogus.  If it got data and bad signatures it is
bogus.  It didn't get a response then it has no data.

There are only 3 states the data can be in.  Secure, insecure and bogus.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
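As an added example, not part of this thread and not taken from any resolver's code, the following Python model walks a chain of zones from a trust anchor down to the target RRset and returns the RFC 4035 section 4.3 state for it. The `Zone` fields (reachable, DS presence, DS proof validity, key match, RRSIG validity) and the sample chains are constructed evidence, not real DNS data; the point is to show where the four outcomes diverge in the walk: an unreachable server yields "indeterminate" before any data is examined, a signed delegation with missing or bad signatures yields "bogus", and a parent that proves there is no DS yields "insecure".

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Status(Enum):
    """The four RFC 4035 section 4.3 security states."""
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"


@dataclass
class Zone:
    """Evidence a validator has gathered about one zone on the path from the
    trust anchor to the target RRset (constructed model, not real DNS data)."""
    name: str
    reachable: bool = True               # did any server for the zone answer at all?
    ds_in_parent: Optional[bool] = None  # True: DS present; False: absence proven (NSEC/NSEC3);
                                         # None: no DS and no proof of its absence (ignored for the anchor)
    ds_proof_valid: bool = True          # the DS RRset or its denial verifies under the parent's keys
    dnskey_matches_ds: bool = True       # a DNSKEY in the zone matches the parent's DS
    rrsig_valid: bool = True             # the zone's answers carry RRSIGs that verify under that DNSKEY


def classify(chain: List[Zone]) -> Status:
    """Walk from the trust anchor (chain[0]) down to the zone holding the
    target RRset and return the RFC 4035 status of that RRset."""
    if not chain:
        raise ValueError("chain must start with a trust anchor")
    for i, zone in enumerate(chain):
        if not zone.reachable:
            # No servers could be reached: the validator cannot obtain the
            # DNSSEC RRs it needs, so it has no data to judge either way.
            return Status.INDETERMINATE
        if i == 0:
            continue  # trust anchor: accepted as secure by configuration
        if not zone.ds_proof_valid:
            # Data arrived, but the DS RRset (or its denial) fails to validate.
            return Status.BOGUS
        if zone.ds_in_parent is False:
            # The parent proves there is no DS: an unsigned delegation, so this
            # zone and everything below it is insecure, not bogus.
            return Status.INSECURE
        if zone.ds_in_parent is None:
            # Neither a DS nor a signed denial of one: the chain cannot be built.
            return Status.BOGUS
        if not zone.dnskey_matches_ds or not zone.rrsig_valid:
            # Signed zone whose chain breaks: missing or bad signatures.
            return Status.BOGUS
    return Status.SECURE


# Constructed sample chains (trust anchor first, target zone last).
ROOT = Zone(".")
SECURE_CHAIN = [ROOT, Zone("example.", ds_in_parent=True)]
INSECURE_CHAIN = [ROOT, Zone("example.", ds_in_parent=False), Zone("sub.example.")]
BOGUS_CHAIN = [ROOT, Zone("example.", ds_in_parent=True, rrsig_valid=False)]
INDETERMINATE_CHAIN = [ROOT, Zone("example.", ds_in_parent=True, reachable=False)]

if __name__ == "__main__":
    for label, chain in [("secure", SECURE_CHAIN), ("insecure", INSECURE_CHAIN),
                         ("bogus", BOGUS_CHAIN), ("indeterminate", INDETERMINATE_CHAIN)]:
        print(f"{label:14s} -> {classify(chain).value}")
```

The order of the checks is the substance of the disagreement above: the model returns "indeterminate" only when it never received the records it needed, whereas every case in which records arrived but could not be validated is "bogus", and only a signed proof of an unsigned delegation produces "insecure".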