Re: [dnsext] Issues in WGLC of dnssec-bis-updates
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Wed, 08 February 2012 10:40 UTC
Hi Mark,

On 02/08/2012 11:08 AM, Mark Andrews wrote:
> More correctly it knows if it should be able to get a signed answer
> with signatures it is capable of verifying or not. A zone can be
> insecure, as far as the validator is concerned, even if there are
> DS records in the parent zone and the validator treats the parent
> zone as secure.

You are more correct in applying the validation implementation support rules.

> No, you can conclude that you don't expect to be able to validate
> it. The break point may or may not be at an insecure delegation (no
> DS records in parent zone).

Thus the set of trust anchors that is configured, and their chains of trust, determine a number of zones that the validator can securely determine that are signed and it has the implementation for to dnssec-validate it. If dnssec data needed to securely determine this is unavailable or invalid then the result is bogus.

Best regards,
Wouter
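The classification discussed in this exchange, sketched as an added example (not part of the original e-mail and not code from any validator): a walk down the delegations below a trust anchor that separates "insecure" (no DS, or DS only for algorithms the validator does not implement) from "bogus" (the DNSSEC data needed to decide is unavailable or invalid). The `Delegation` model, `SUPPORTED_ALGS` and the sample chain are assumptions made for illustration.

```python
# Added illustration; the data model and names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed set of DNSSEC algorithm numbers this validator implements
# (5 = RSASHA1, 8 = RSASHA256).
SUPPORTED_ALGS = {5, 8}


@dataclass
class Delegation:
    child: str
    # Algorithms of the DS records at the parent side of the cut:
    #   [..]  authenticated DS RRset
    #   []    authenticated proof that no DS exists (insecure delegation)
    #   None  the DS answer or its denial is missing or fails validation
    ds_algs: Optional[List[int]]
    # Child DNSKEY RRset matches a supported DS and its signature verifies.
    child_keys_valid: bool = True


def classify(anchor: str, chain: List[Delegation]) -> Tuple[str, str]:
    """Return (status, zone where the decision was made)."""
    zone = anchor
    for d in chain:
        zone = d.child
        if d.ds_algs is None:
            # Cannot securely determine whether the child is signed.
            return ("bogus", zone)
        if not d.ds_algs:
            # Break point at an insecure delegation.
            return ("insecure", zone)
        if not SUPPORTED_ALGS.intersection(d.ds_algs):
            # DS exists and the parent is secure, but no signature in the
            # child can be verified by this implementation.
            return ("insecure", zone)
        if not d.child_keys_valid:
            # Signed with a supported algorithm, yet validation fails.
            return ("bogus", zone)
    return ("secure", zone)


# Constructed sample: child signed only with algorithm 12 (ECC-GOST),
# which SUPPORTED_ALGS above does not include.
SAMPLE = [Delegation("example.", [8]), Delegation("sub.example.", [12])]
```
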