[dnsext] What is indeterminate

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Feb 7, 2012, at 10:18 AM, Andrew Sullivan wrote:

> ISSUE 1: Indeterminacy of Indeterminate
> 
> In http://www.ietf.org/mail-archive/web/dnsext/current/msg12176.html,
> Mohan Parthasarathy argues that RFC 4033 and RFC 4035 have
> inconsistent definitions of "Indeterminate".  RFC 4033 says this is
> what Indeterminate means, in section 5:
> 
>   Indeterminate: There is no trust anchor that would indicate that a
>      specific portion of the tree is secure.  This is the default
>      operation mode.
> 
> RFC 4035 has this definition in section 4.3: 
> 
>   Indeterminate: An RRset for which the resolver is not able to
>      determine whether the RRset should be signed, as the resolver is
>      not able to obtain the necessary DNSSEC RRs.  This can occur when
>      the security-aware resolver is not able to contact security-aware
>      name servers for the relevant zones.
> 
> These two do seem to be inconsistent.  In particular, the latter
> apparently can happen when a security-aware resolver with an
> appropriate trust anchor can't find an upstream that can handle the DO
> bit.  Does anyone have an opinion on what to do about this?  We will
> need to come to some very strong agreement quickly, or it will not be
> addressed in this document.
> 
>    DEFAULT ACTION: none.  Without proposed text that finds strong
>    support, this issue will be left out of the document.  

A request to the folks who have done DNSSEC much longer than I have: please do resolve this somehow. It affected the development of DANE, and will probably nail others later.

--Paul Hoffman

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext