Re: [dnsext] [dane] Aiming towards some specific wording
Mohan Parthasarathy <suruti94@gmail.com> Tue, 22 November 2011 00:59 UTC
In-Reply-To: <20111121232055.B6D5D17DD132@drugs.dv.isc.org>
References: <45EA694E-096C-41A1-B60E-BF7B3832FE2A@vpnc.org>
<4EC70173.9090106@sv.cmu.edu> <247CAE36-68FB-4048-B07C-9B4C0903434D@vpnc.org>
<92AA2445-000C-44CF-8CA5-9796528EA946@checkpoint.com>
<0536F82C-346C-4ABE-81E6-3B008219DBD9@kirei.se>
<773BAA00-22B9-43A6-BB36-8E3CB6166E38@nic.cz>
<4B541E04-4A37-4402-AD01-EA95F69C8FB1@vpnc.org>
<6CA2C172-4BE7-479C-B305-E454B15EA9FA@nic.cz>
<20111121211312.6692917DB0E8@drugs.dv.isc.org>
<a06240803caf071b97c5c@10.31.200.137>
<20111121232055.B6D5D17DD132@drugs.dv.isc.org>
Date: Mon, 21 Nov 2011 16:59:14 -0800
Message-ID: <CACU5sDmHW1TGpGoKmB5E940tXAKxt9uULYrXTsMbE=s=60cNbQ@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org,
Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] [dane] Aiming towards some specific wording
On Mon, Nov 21, 2011 at 3:20 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <a06240803caf071b97c5c@[10.31.200.137]>, Edward Lewis writes:
>> At 8:13 +1100 11/22/11, Mark Andrews wrote:
>> >"insecure" and "indeterminate" zones are logically the same. Dane
>> >should just treat them as !secure.
>>
>> No, they are not the same.
>>
>> Insecure means I get records indicating there's no possible trust
>> chain that can be constructed from the data to anything I have.
>>
>> Indeterminate means when I try to get records for part of the chain I
>> "time-out". ("No servers could be reached.")
>>
>> There's a significant semantic difference between the two. Apart
>> from the fact that you won't succeed in constructing a chain,
>> "insecure" means it is definitively impossible and "indeterminate"
>> means "not with the data at hand, at this time." The former would be
>> data that is not protected, the latter could be declared a service
>> failure.
>>
>> Here's the definition in RFC 4035 I'm pointing to:
>>
>> 4.3. Determining Security Status of Data
>> ...
>> Insecure: An RRset for which the resolver knows that it has no chain
>> of signed DNSKEY and DS RRs from any trusted starting point to the
>> RRset. This can occur when the target RRset lies in an unsigned
>> zone or in a descendent of an unsigned zone. In this case, the
>> RRset may or may not be signed, but the resolver will not be able
>> to verify the signature.
>> ...
>> Indeterminate: An RRset for which the resolver is not able to
>> determine whether the RRset should be signed, as the resolver is
>> not able to obtain the necessary DNSSEC RRs. This can occur when
>> the security-aware resolver is not able to contact security-aware
>> name servers for the relevant zones.
>
> And the difference between that and bogus is? It got data and no
> signature so it is bogus. If it got data and bad signatures it is
> bogus. If it didn't get a response then it has no data.
>

Bogus is defined like this:

Bogus: An RRset for which the resolver believes that it ought to be able
to establish a chain of trust but for which it is unable to do so, either
due to signatures that for some reason fail to validate or due to missing
data that the relevant DNSSEC RRs indicate should be present. This case
may indicate an attack but may also indicate a configuration error or
some form of data corruption.

So, the resolver knows a priori that there *is* a chain of trust but it
can't establish that for the reasons that you mentioned above. It is
different from Insecure/Indeterminate where the resolver does not know
beforehand. Within Indeterminate/Insecure, you still need something to
say that "I can't reach the servers or I am behind a crappy CPE device"
vs. "I received an NSEC".

I have been having problems understanding what this really means and
this is just my interpretation.

-regards
mohan

> There are only 3 states the data can be in. Secure, insecure and bogus.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
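The four RFC 4035 section 4.3 states argued over above, as an added illustration that is not part of the thread or of any resolver's code: a toy classifier that maps the evidence a validating resolver gathered for one RRset (an authenticated DS, an NSEC/NSEC3 denial of DS, a timeout at a zone cut, a valid/missing/bad RRSIG) onto Secure, Insecure, Bogus or Indeterminate, followed by one possible DANE client policy that consumes the state. The `Delegation`/`TargetRRset` records, the `ds_lookup` vocabulary, the `dane_decision` policy and the sample chains are all assumptions constructed for the example; a real validator works on DNSKEY/DS/RRSIG records, not on these flags.

```python
# Added example, not part of the thread: a toy classifier that maps the
# evidence a validating resolver gathered for one RRset onto the four
# RFC 4035 section 4.3 states, and a DANE-side policy that consumes them.
# The Delegation/TargetRRset records and the sample chains below are
# constructed for illustration; a real validator works on DNSKEY/DS/RRSIG
# records, not on these flags.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"


@dataclass
class Delegation:
    """Evidence for one zone cut on the path from the trust anchor down.

    ds_lookup values (assumed vocabulary for this example):
      "present"     - a DS RRset was obtained and authenticated
      "absent"      - the parent returned an authenticated NSEC/NSEC3 proving
                      there is no DS, i.e. the child is provably unsigned
      "unreachable" - no server for the parent zone answered (timeout)
    dnskey_ok: the child's DNSKEY RRset matches the DS and its RRSIG validates
               (only consulted when ds_lookup == "present")
    """
    name: str
    ds_lookup: str
    dnskey_ok: bool = True


@dataclass
class TargetRRset:
    owner: str
    rrsig_valid: Optional[bool]  # None: no RRSIG returned; False: signature failed


def classify(chain: List[Delegation], target: TargetRRset) -> Status:
    """Walk the delegations top-down and return the target's security status."""
    for step in chain:
        if step.ds_lookup == "unreachable":
            # Cannot tell whether the child should be signed: indeterminate.
            return Status.INDETERMINATE
        if step.ds_lookup == "absent":
            # Authenticated denial of DS: the child is provably unsigned.
            # Everything below it is insecure, whatever signatures it carries.
            return Status.INSECURE
        if not step.dnskey_ok:
            # The parent vouches for a DS, so the resolver expects a chain,
            # and the chain breaks here: bogus.
            return Status.BOGUS
    # Every zone cut down to the target is signed and chained, so the
    # resolver "believes that it ought to be able" to validate the RRset.
    if target.rrsig_valid is True:
        return Status.SECURE
    # A missing RRSIG or a failed signature under a signed parent is bogus.
    return Status.BOGUS


def dane_decision(status: Status) -> str:
    """One possible DANE client policy (an assumption, not a spec rule):
    only a SECURE TLSA RRset is usable; INSECURE means DANE is not in use
    for this name; BOGUS is a hard failure; INDETERMINATE is also unusable
    but is reported as a transient lookup failure rather than as an attack."""
    return {
        Status.SECURE: "use-tlsa",
        Status.INSECURE: "no-dane",
        Status.BOGUS: "fail-validation",
        Status.INDETERMINATE: "fail-transient",
    }[status]


def sample_cases():
    """Constructed evidence sets, one per outcome (illustrative, not real DNS)."""
    tlsa = "_443._tcp.www.example.com."
    signed_path = [Delegation("com.", "present"),
                   Delegation("example.com.", "present")]
    return {
        "secure": (signed_path, TargetRRset(tlsa, rrsig_valid=True)),
        "insecure": ([Delegation("com.", "present"),
                      Delegation("example.com.", "absent")],
                     TargetRRset(tlsa, rrsig_valid=None)),
        "bogus_keys": ([Delegation("com.", "present"),
                        Delegation("example.com.", "present", dnskey_ok=False)],
                       TargetRRset(tlsa, rrsig_valid=True)),
        "bogus_sig": (signed_path, TargetRRset(tlsa, rrsig_valid=False)),
        "indeterminate": ([Delegation("com.", "present"),
                           Delegation("example.com.", "unreachable")],
                          TargetRRset(tlsa, rrsig_valid=None)),
    }


if __name__ == "__main__":
    for label, (chain, target) in sample_cases().items():
        status = classify(chain, target)
        print(f"{label:14s} -> {status.value:14s} DANE: {dane_decision(status)}")
```

The point the code makes concrete is the one Ed and Mohan raise: an authenticated NSEC/NSEC3 proving "no DS" and a timeout at the same zone cut both leave the client without a usable TLSA RRset, but they are different evidence (a definitive statement versus no data at all), and a client that collapses them loses the ability to report a transient failure separately from a provably unsigned name.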
- Re: [dnsext] [dane] Aiming towards some specific … Mark Andrews
- Re: [dnsext] [dane] Aiming towards some specific … Edward Lewis
- Re: [dnsext] [dane] Aiming towards some specific … Mark Andrews
- Re: [dnsext] [dane] Aiming towards some specific … Paul Hoffman
- Re: [dnsext] [dane] Aiming towards some specific … Mohan Parthasarathy
- Re: [dnsext] [dane] Aiming towards some specific … Matt McCutchen
- Re: [dnsext] [dane] Aiming towards some specific … Edward Lewis
- Re: [dnsext] [dane] Aiming towards some specific … Edward Lewis
- Re: [dnsext] [dane] Aiming towards some specific … Mohan Parthasarathy