Re: [dnsext] [dane] Aiming towards some specific wording

Mohan Parthasarathy <suruti94@gmail.com> Fri, 03 February 2012 20:47 UTC

In-Reply-To: <a06240801caf158f7c28f@10.31.200.137>
References: <45EA694E-096C-41A1-B60E-BF7B3832FE2A@vpnc.org> <4EC70173.9090106@sv.cmu.edu> <247CAE36-68FB-4048-B07C-9B4C0903434D@vpnc.org> <92AA2445-000C-44CF-8CA5-9796528EA946@checkpoint.com> <0536F82C-346C-4ABE-81E6-3B008219DBD9@kirei.se> <773BAA00-22B9-43A6-BB36-8E3CB6166E38@nic.cz> <4B541E04-4A37-4402-AD01-EA95F69C8FB1@vpnc.org> <6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz> <20111121211312.6692917DB0E8@drugs.dv.isc.org> <a06240803caf071b97c5c@10.31.200.137> <1321935016.1657.19.camel@mattlaptop2.local> <a06240801caf158f7c28f@10.31.200.137>
Date: Fri, 03 Feb 2012 12:47:56 -0800
Message-ID: <CACU5sDncU9Tz7-tGNjCfYshzb=dYAB0wn9dhf4RsAwRL3QhxJg@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording

On Tue, Nov 22, 2011 at 5:55 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
> (Took DANE off because I'm not on the list.)
>
> At 20:10 -0800 11/21/11, Matt McCutchen wrote:
>
>>That's great, RFC 4035 has a totally different definition of
>>"indeterminate" than RFC 4033.
>
> You're right.  When I answered I went to 4035 because it is the "protocol
> mod" and not 4034 because it was "records".  I usually ignore 4033 because
> it's "intro" and has no requirements language in it.  That's just to explain
> why I quoted 4035 (because these kinds of terminology things run rampant in
> RFCs) and why I didn't quote 4033.
>
> Not that 4033 is any less wrong than 4035.  I just ordinarily look at
> 4034/4035 more.
>
> Here's what '33 says:
>
> #   Indeterminate: There is no trust anchor that would indicate that a
> #   specific portion of the tree is secure.  This is the default
> #   operation mode.
>
> Certainly different from 4035 and what I would assume was the right way to
> define indeterminate.
>

This is an old thread but may be relevant now. As we are in the last
call of dnssec-bis updates, we should clarify this.

Even the definition of Insecure is different. 4033 says that you have
the signed proof of the non-existence of a DS record, whereas 4035
says you declare insecure if you can't construct the chain, which could
be because of the missing DNSKEY/DS RRs. I may not be able to obtain
them because of the bad CPE device. Can it not be Bogus as per the
definition in 4035?

If the application is going to be sensitive and react differently
based on these status codes, then this should either be simplified or
clarified in the dnssec-bis updates.

-mohan

> --
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> Vote for the word of the day:
> "Papa"razzi - father that constantly takes photos of the baby
> Corpureaucracy - The institution of corporate "red tape"
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>
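The point under discussion, the two RFCs assigning different names to the same validator outcome, is easier to see when each set of definitions is written as a decision function over the same inputs. The block below is an added example for this archive page, not code from the message above or from either RFC: it models RFC 4033 section 5 and RFC 4035 section 4.3 as two classifiers over one simplified record of what a validator established (trust anchor covering the name, signed proof of a missing DS, a validated DS, a complete DS/DNSKEY chain, valid RRSIGs), then lists the constructed scenarios where the two disagree. The field names, the scenarios and the reading of the RFC text as boolean conditions are this example's own assumptions, and the comments say where a case falls into a state only because no other state fits.

```python
"""Model the DNSSEC security-status definitions of RFC 4033 (section 5) and
RFC 4035 (section 4.3) as two classifiers over the same validator
observations, so the cases where the two RFCs diverge can be enumerated.

Added example: the field names, the scenarios and the mapping of RFC prose
onto booleans are assumptions made here, not text from either RFC."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "Secure"
    INSECURE = "Insecure"
    BOGUS = "Bogus"
    INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class Validation:
    """What a validating resolver managed to establish for one RRset.
    (Assumed simplification of validator state, constructed for this example.)"""
    trust_anchor: bool       # a configured trust anchor covers this part of the tree
    proven_unsigned: bool    # signed NSEC/NSEC3 proof that a delegation above has no DS
    secure_delegation: bool  # a validated DS for the zone was obtained (zone ought to be signed)
    chain_complete: bool     # every DS -> DNSKEY link from the anchor to the zone validated
    rrsigs_valid: bool       # RRSIGs over the RRset verified against the zone's DNSKEY RRset

    def __post_init__(self):
        # Reject inconsistent observations so the classifiers only see real cases.
        if self.chain_complete and not self.secure_delegation:
            raise ValueError("chain_complete requires a validated DS")
        if self.proven_unsigned and (self.secure_delegation or self.chain_complete):
            raise ValueError("proven_unsigned contradicts a validated DS")
        if not self.trust_anchor and (self.secure_delegation or self.chain_complete):
            raise ValueError("nothing validates without a trust anchor")


def status_rfc4033(v: Validation) -> Status:
    """RFC 4033 s.5 as read here: Indeterminate means *no trust anchor*;
    Insecure needs a signed proof that a DS is absent; Bogus covers the
    remaining failures under an anchor (missing/expired signatures, missing data)."""
    if not v.trust_anchor:
        return Status.INDETERMINATE
    if v.chain_complete and v.rrsigs_valid:
        return Status.SECURE
    if v.proven_unsigned:
        return Status.INSECURE
    # 4033 defines no state for "the DS/DNSKEY RRs could not be obtained at all";
    # with an anchor and no proof of an unsigned delegation, Bogus ("missing
    # signatures") is the only bucket left.  This is the gap raised in the thread.
    return Status.BOGUS


def status_rfc4035(v: Validation) -> Status:
    """RFC 4035 s.4.3 as read here: Insecure means the resolver *knows* no
    chain from any trusted starting point exists; Indeterminate means it could
    not obtain the DNSSEC RRs needed to tell whether the RRset ought to be signed."""
    if v.chain_complete and v.rrsigs_valid:
        return Status.SECURE
    if v.proven_unsigned or not v.trust_anchor:
        return Status.INSECURE
    if v.secure_delegation:
        # The DS says the zone is signed, yet the chain or RRSIGs failed:
        # attack, misconfiguration or corruption.
        return Status.BOGUS
    return Status.INDETERMINATE


def classify(v: Validation) -> tuple:
    """Return (RFC 4033 status, RFC 4035 status) for one observation."""
    return status_rfc4033(v), status_rfc4035(v)


# Constructed scenarios; the last two are the "bad CPE strips DNSSEC RRs" cases.
SCENARIOS = {
    "signed zone, everything validates":
        Validation(trust_anchor=True, proven_unsigned=False, secure_delegation=True,
                   chain_complete=True, rrsigs_valid=True),
    "unsigned zone, signed NSEC proof of no DS":
        Validation(trust_anchor=True, proven_unsigned=True, secure_delegation=False,
                   chain_complete=False, rrsigs_valid=False),
    "no trust anchor configured":
        Validation(trust_anchor=False, proven_unsigned=False, secure_delegation=False,
                   chain_complete=False, rrsigs_valid=False),
    "DS validated but RRSIGs fail to verify":
        Validation(trust_anchor=True, proven_unsigned=False, secure_delegation=True,
                   chain_complete=True, rrsigs_valid=False),
    "DS validated but DNSKEY RRset could not be obtained":
        Validation(trust_anchor=True, proven_unsigned=False, secure_delegation=True,
                   chain_complete=False, rrsigs_valid=False),
    "neither DS nor NSEC proof obtained (middlebox dropped them)":
        Validation(trust_anchor=True, proven_unsigned=False, secure_delegation=False,
                   chain_complete=False, rrsigs_valid=False),
}


def disagreements(scenarios=SCENARIOS) -> dict:
    """Scenarios on which the two RFCs' definitions yield different names."""
    return {name: classify(v) for name, v in scenarios.items()
            if status_rfc4033(v) != status_rfc4035(v)}


if __name__ == "__main__":
    for name, v in SCENARIOS.items():
        s33, s35 = classify(v)
        mark = "" if s33 == s35 else "   <-- differs"
        print(f"{name:62s} 4033={s33.value:13s} 4035={s35.value}{mark}")
```

Running it shows agreement on the plain secure, provably-unsigned and bad-signature cases, while the two definitions diverge on exactly the cases an application would want to treat differently: no trust anchor at all (4033 Indeterminate, 4035 Insecure) and a DS lookup that returned neither a DS nor a signed denial (4033 Bogus, 4035 Indeterminate). A stripped DNSKEY under a validated DS is Bogus under both readings, because the DS already says the zone ought to be signed.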