Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 07 February 2012 17:15 UTC

At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote:

>insecure, or bogus.  Note that with the root trust anchor the
>indeterminate state no longer occurs, since we know everything is
>covered by that trust anchor.

I disagree with that.

The Internet that we usually think about as being the only one is 
what I call the "global public Internet".  For the global public 
Internet, the DNS in common use does have a trust anchor for its 
root zone so the assertion holds for the majority of cases, but then 
again only for recursive servers that have the trust anchor.

There are other inter-networks that use the DNS protocol.  In at 
least one of these, DNSSEC has not been deployed.

And, you can stretch this to the case of a recursive server, on the 
global public Internet, that does not have the root anchor configured 
- and may have another anchor.  To such a server, validating some DNS 
data is impossible (incalculable).

The protocol cannot be defined assuming one particular mode of operation.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!
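
An added illustration (not part of the message above, nor code from any resolver) of the cases it lists, taking "indeterminate" in the RFC 4035 section 4.3 sense of no trust anchor covering the name. The anchor sets, query names and function names are constructed for the example.

```python
# Added illustration; anchor sets and query names below are constructed.

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []

def closest_anchor(qname, anchors):
    """Return the closest enclosing trust anchor for qname, or None.

    Matching is done on whole labels, so 'notexample.org' is not covered
    by an anchor at 'example.org' (a plain string-suffix test would say it is).
    """
    q = labels(qname)
    best = None
    for anchor in anchors:
        a = labels(anchor)
        # An anchor covers qname when its labels are a suffix of qname's labels.
        if len(a) <= len(q) and q[len(q) - len(a):] == a:
            if best is None or len(a) > len(labels(best)):
                best = anchor
    return best

def starting_state(qname, anchors):
    """'indeterminate' when no anchor covers qname; otherwise the chain from
    the returned anchor still has to be walked to reach secure, insecure or bogus."""
    anchor = closest_anchor(qname, anchors)
    return ("indeterminate", None) if anchor is None else ("validate", anchor)

ROOT_ONLY = ["."]                # recursive server holding the root anchor
ISLAND_ONLY = ["example.org."]   # server without the root anchor, with another anchor
NO_ANCHORS = []                  # inter-network where DNSSEC has not been deployed

if __name__ == "__main__":
    for anchors in (ROOT_ONLY, ISLAND_ONLY, NO_ANCHORS):
        for q in ("www.example.org.", "www.example.com.", "notexample.org."):
            print(anchors, q, starting_state(q, anchors))
```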