IETF Logo Mail Archive

Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Mohan Parthasarathy <suruti94@gmail.com> Tue, 07 February 2012 19:51 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 490E121F873B; Tue, 7 Feb 2012 11:51:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328644293; bh=aONZGII8fyu9woPvwQTGc32NHDpmRJxeTWGQbp2dWv8=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=tw/GhHSfRQWbX3IeKXILqIxgGa0I1U5cWFAbyuR42flc4d0kbQ1SlIYO1zJvDk2wm M9n6sIqt9ZHBYo79YJhxT44LeRIKsaL3LPXtOkuMPVSdZocua0/H8Pae6TvzgFZEJG uNd7HW/hRW8u1nXi2r+8TjMS++cELiML6qAL7SHw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6459221F873B for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 11:51:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.436
X-Spam-Level:
X-Spam-Status: No, score=-3.436 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ByHLXXLkquzm for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 11:51:29 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2AE7B21F8638 for <dnsext@ietf.org>; Tue, 7 Feb 2012 11:51:29 -0800 (PST)
Received: by qafi29 with SMTP id i29so2938435qaf.10 for <dnsext@ietf.org>; Tue, 07 Feb 2012 11:51:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=kdBSC4WunUJnocG7QqlUBjSuUhvmd052x8mkqRwh7XA=; b=TxZAaEDCBoHayGmzfv+p3L7rgYYtpHifT0D8OvccpYV0xRZ5ElqJPp3OT3ZSogg8y0 cBXqGK3lYhPC5trNJS97TmLhJQsMU+GU66RmAqzeBt3LXS3dX9OhRuQl5d6THLKu7dTj gOCJKo/lGNwg1Y917vxBDxEKB6QzyoNTWCLZg=
MIME-Version: 1.0
Received: by 10.224.188.140 with SMTP id da12mr23817816qab.49.1328644288533; Tue, 07 Feb 2012 11:51:28 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Tue, 7 Feb 2012 11:51:28 -0800 (PST)
In-Reply-To: <a06240801cb570a945202@192.168.128.143>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143>
Date: Tue, 07 Feb 2012 11:51:28 -0800
Message-ID: <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote:
>
>> insecure, or bogus.  Note that with the root trust anchor the
>> indeterminate state no longer occurs, since we know everything is
>> covered by that trust anchor.
>
>
> I disagree with that.
>
> The Internet that we usually think about as being the only one is what I
> call the "global public Internet".  For the global public Internet, the DNS
> in common use does have a trust anchor for it's root zone so the assertion
> holds for the majority of cases, but then again only for recursive servers
> that have the trust anchor.
>
> There are other inter-networks that use the DNS protocol.  In at least one
> of these, DNSSEC has not been deployed.
>
> And, you can stretch this to the case of a recursive server, on the global
> public Internet, that does not have the root anchor configured - and may
> have another anchor.  To such a server, validating some DNS data is
> impossible (incalculable).
>
> The protocol cannot be defined assuming one particular mode of operation.
>
Before getting to define this precisely, we should try to understand
the different cases that can occur and see whether we all agree on the
error status for the different cases.

Some RRSet needs to be validated. The RRSet was fetched with the DO bit set.

- We are able to get the RRSIGs back for the RRset. But unable to
validate completely because we are not able to get the DNSKEY RRSET or
not able to fetch the DS record. Going by 4035, this is Insecure. Two
problems here. First, it is also possible that you talked to the
DNSSEC-unaware server which does not know how to fetch the DS record.
Secondly, this could be a fake signature for which you can never
establish the trust. Do we want to declare Insecure in both these
cases ?

- We are able to get the RRSIGs back for the RRSet. But unable to
validate the signatures because it is expired. This is Bogus as per
4035.

- We are unable to get the RRSIGs back, but we got some response from
the server i.e., the main RRSet itself. Missing signatures. As per
4035, this is Bogus. But then this could be a bad CPE. Do we want to
declare this Bogus ?

We can create more examples, but it looks to me that there are only
two error cases.

1) We get some DNSSEC RRs back but can't validate. Just being able to
partially validate without tracing back to the trust anchor is equally
bad as not being able to validate the signatures.

2) We get no DNSSEC RRs back. This could be a problem in the path or
the zone is not signed. We can't tell the difference without some
extra configuration.

How does it help the application to make this more fine grained ?

-mohan


> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> 2012...time to reuse those 1984 calendars!
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email