IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Mohan Parthasarathy <suruti94@gmail.com> Sat, 28 January 2012 06:11 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EBD321F85E7; Fri, 27 Jan 2012 22:11:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1327731106; bh=pYC2HMJfI169+FVcJT2kJFoFOz1genwp9t76VQPFDzY=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=ySoEesxATj1+buXnbt4bXWWYT8kH/UL1x2LK3X26PAb017vyyVJX6+7wm6MHtWWke a8t9B7dQukhrxPCd3mvku4XNwL/jwu+vlFQN6BhTFq23Z8f1jS+6H+9fgGSHEOlkPl vmqjnCln+MDGbtCeUAt4mmlsS2L9PJMcYjsDhYVQ=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A436621F85E7 for <dnsext@ietfa.amsl.com>; Fri, 27 Jan 2012 22:11:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.272
X-Spam-Level:
X-Spam-Status: No, score=-3.272 tagged_above=-999 required=5 tests=[AWL=0.327, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULkgaMdZXfdu for <dnsext@ietfa.amsl.com>; Fri, 27 Jan 2012 22:11:43 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id B387721F858F for <dnsext@ietf.org>; Fri, 27 Jan 2012 22:11:43 -0800 (PST)
Received: by qcsf16 with SMTP id f16so1551116qcs.31 for <dnsext@ietf.org>; Fri, 27 Jan 2012 22:11:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Dp9BckQPNagW1Iscd+vPcXzCAniTwMbZTM2ahaPuDpo=; b=iO/zCTkSYqSC6dW6AtA+Bz4mLQTsGagZ4a1vQI+Ro3arxaPJjoCes+XjUo0MQWEqA6 QaEbJ3iOuj9xi9sVP/5j0x6MQqIlnNE2msd6yHFeJu9Rs2VKBgxSb03UPNi0vqzuwKtq PUSdycEotroYvCXsUN63I3/x+m+Zs/ZmdIO7Q=
MIME-Version: 1.0
Received: by 10.229.105.159 with SMTP id t31mr3637197qco.57.1327731103193; Fri, 27 Jan 2012 22:11:43 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Fri, 27 Jan 2012 22:11:43 -0800 (PST)
In-Reply-To: <20120128052029.618CE1C32BFA@drugs.dv.isc.org>
References: <20120120054939.GD4365@mail.yitter.info> <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com> <20120128052029.618CE1C32BFA@drugs.dv.isc.org>
Date: Fri, 27 Jan 2012 22:11:43 -0800
Message-ID: <CACU5sD=P-agE2oOqvAiCs=bcX3Off6cCubW-f=skKP54-1oQaQ@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Fri, Jan 27, 2012 at 9:20 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com>
> , Mohan Parthasarathy writes:
>
>> - Section 5.7 setting the AD bit on queries. Is CD=0,DO=0 in the query
>> same as AD=1,DO=0 ?
>
> The question doesn't make sense.
>
> AD=0,DO=1 and AD=1,DO=1 produce the same result.
> AD=0,DO=0 and AD=1,DO=0 produce different results.
> AD=0,DO=0 and AD=0,DO=1 produce different results.
> AD=1,DO=0 and AD=0,DO=1 produce different results.
>
Thanks for the clarification. I realized after I posted that not
setting CD and DO is pre-DNSSEC.

>> missed the discussion on this earlier. If there is a valid reason,
>> that needs to be stated explicitly as to why we are introducing this
>> new option.
>
> Section 5.7 explains why this option exists.
>
>                This allows a requestor to indicate that it understands
>   the AD bit without also requesting DNSSEC data via the DO bit.
>
>
So, "understands" here means "Please do the validation for me " ?
Then, is  CD=1, AD=1 a invalid option ?

So, there are implementations out there that want to know whether
validation was successful or not but just not want to handle any
DNSSEC records ? My question was more on what prompted the addition of
this new feature ?

-mohan

> Examples of AD=1 vs DO=1.
>
> % dig +adflag soa . +noauth +noadd
>
> ; <<>> DiG 9.7.3-P3 <<>> +adflag soa . +noauth +noadd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;.                              IN      SOA
>
> ;; ANSWER SECTION:
> .                       86382   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012012701 1800 900 604800 86400
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jan 28 16:03:34 2012
> ;; MSG SIZE  rcvd: 285
>
> % dig +dnssec soa . +noauth +noadd
>
> ; <<>> DiG 9.7.3-P3 <<>> +dnssec soa . +noauth +noadd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61859
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                              IN      SOA
>
> ;; ANSWER SECTION:
> .                       86372   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012012701 1800 900 604800 86400
> .                       86372   IN      RRSIG   SOA 8 0 86400 20120203000000 20120126230000 51201 . nhFWtVAAdecUyYiGqvYYLprczaXbhsR+XK2S+OPBrBWMAk9fPyNjRH7A rSu7I1qIBNstxAlUJ/ncn+lL5o88wDD2PZW4GXolzFc3LslvmyEcEhVe wHhPETDJEsR9rrpx1yt1o5EqhjzBrQNT4FPbmqse0z+r9v9uPCZlB+KQ OvE=
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jan 28 16:03:44 2012
> ;; MSG SIZE  rcvd: 612
>
> %
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email