Re: [dnsext] Issues in WGLC of dnssec-bis-updates
Mohan Parthasarathy <suruti94@gmail.com> Wed, 08 February 2012 18:45 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B0FF21F85F7; Wed, 8 Feb 2012 10:45:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328726749; bh=yu1rKdoCEJNgpOu9NwoMj1DMa2vhThkWIFzFmUaGO3c=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=iGVdp74l/z0S8pKua8CAPXC+kLtZMYBiozIWR1EZRe30jnOED9ZxuSmPX4KndLczJ M6S7rFpP4ZmP1nFQA2Wrq61+jlBgGxt2XpCbA7dOcTTb3kre/IwN49vSZtf/nAyjIQ BmKvx9lqtuccIYW6YTZymGJd5fWZ9zb2AJuM+4m8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B43C721F85FB for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 10:45:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.459
X-Spam-Level:
X-Spam-Status: No, score=-3.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aOK7BjCPh3cL for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 10:45:47 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7607721F85F7 for <dnsext@ietf.org>; Wed, 8 Feb 2012 10:45:47 -0800 (PST)
Received: by qcsg13 with SMTP id g13so573048qcs.31 for <dnsext@ietf.org>; Wed, 08 Feb 2012 10:45:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=gT+q8yVahPfoLXKtWAb9GCAS3V5QxlFvJnTwR7HIj9A=; b=iuGe86+e2h8l4PzD0dUGdi+cCkOQgOQ4EU3+mt2O1UQTGGuX/DkZwt8EJEqt5Q+iN+ KR8vjYsUmqUA39xyzaG8A+C/Ub0LsJzI/u72ez+9MV7sRielJXhE9W9ilfnfNy8hK6Cb V8YoTV2v/q+aCXVIs6w8u1b0BCh9Lc0utErxY=
MIME-Version: 1.0
Received: by 10.224.33.14 with SMTP id f14mr4590973qad.49.1328726747027; Wed, 08 Feb 2012 10:45:47 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Wed, 8 Feb 2012 10:45:46 -0800 (PST)
In-Reply-To: <4F3232B6.3060505@nlnetlabs.nl>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl>
Date: Wed, 08 Feb 2012 10:45:46 -0800
Message-ID: <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Wed, Feb 8, 2012 at 12:30 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Mohan, > > The definition of indeterminate was wrong in RFC4035, and you now seem > to think DNSSEC is riddled with downgrade. There is no downgrade, > because the security-states are the outcome of the chain-of-trust > algorithm, not implemented from its definitions in RFC4035. > Okay, after reading your response and re-reading 4035 and 4033, I think 4033 definitions for Bogus, Insecure and Indeterminate capture the discussion below more clearly. <snip> > On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote: >> On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote: >>> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote: >>> >>>> insecure, or bogus. Note that with the root trust anchor the >>>> indeterminate state no longer occurs, since we know everything is >>>> covered by that trust anchor. >>> >>> >>> I disagree with that. >>> >>> The Internet that we usually think about as being the only one is what I >>> call the "global public Internet". For the global public Internet, the DNS >>> in common use does have a trust anchor for it's root zone so the assertion >>> holds for the majority of cases, but then again only for recursive servers >>> that have the trust anchor. >>> >>> There are other inter-networks that use the DNS protocol. In at least one >>> of these, DNSSEC has not been deployed. >>> >>> And, you can stretch this to the case of a recursive server, on the global >>> public Internet, that does not have the root anchor configured - and may >>> have another anchor. To such a server, validating some DNS data is >>> impossible (incalculable). >>> >>> The protocol cannot be defined assuming one particular mode of operation. >>> >> Before getting to define this precisely, we should try to understand >> the different cases that can occur and see whether we all agree on the >> error status for the different cases. > > Why data cannot be fetched is not a factor in the end result. This > simplifies the cases to: cannot get the proper DNSSEC data, can get > proper DNSSEC data but it's invalid, can get proper DNSSEC data and it's > ok. And the results are bogus, bogus, secure. If you find an insecure > delegation it is insecure. If there is no applicable trust anchor, the > result is indeterminate (that is effectively just like insecure). > Ok, Bogus, Secure and Insecure applies only when there is an applicable trust anchor. When it is absent, it is indeterminate. That simplifies a lot. <snip> >> >> 1) We get some DNSSEC RRs back but can't validate. Just being able to >> partially validate without tracing back to the trust anchor is equally >> bad as not being able to validate the signatures. > > Yes, that is bogus in today's implementations. > >> 2) We get no DNSSEC RRs back. This could be a problem in the path or >> the zone is not signed. We can't tell the difference without some >> extra configuration. > > You can tell the difference because the chain-of-trust is signed itself, > and this extends from the trust anchor to the data you just got, and > thus you know if this zone is signed or not. And thus in your question, > the unsigned zone is ok(insecure), and the signed-zone-missing-DNSSEC > RRs is not ok(bogus). > >> How does it help the application to make this more fine grained ? > > No, the application just wants all bogus data to be removed. Data that > is secure and data that is not DNSSEC signed is what it wants. Because > of the chain-of-trust the validator knows which parts of the space below > a trust anchor is signed (and must have DNSSEC available) and which part > is unsigned. This property could be the cause that made insecure and > indeterminate terms exist, as indeterminate is not really processed but > simply the absence of a covering trust anchor, just like in the case > where you had no trust anchors at all. But then insecure needs > processing: you have to validate the chain of trust from the trust > anchor to the insecure-delegation point, and only then can you conclude > that the data is insecure. This is something internal to the DNSSEC > validator, and not particularly impressive to the application, that > likely just wants to know if the data was DNSSEC-signed (if so: secure > or bogus) or if the data was not DNSSEC-signed (as determined with the > configured set of trust anchors). > That was very useful discussion. regards mohan > Best regards, > Wouter > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.15 (GNU/Linux) > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ > > iQIcBAEBAgAGBQJPMjK2AAoJEJ9vHC1+BF+NxVUQAIyQ4nPk7Syogn9uh4z890yJ > kmPxslbpvHru47OxKd0tYvozldnP32z1+JToGSZR8qRU+w9SAQLutnFkqCU28x95 > QUAot8G157kxZT95zhdjVqpbyUYDYwKKUY4jqplq4IuyIm1ewEOcwAS8Sak1o9Gr > 17Xs4aCpl55QmTCZAlP+r6SwCDY738Py9I51BJhifAB9HdkT6XK1+bsbMSiFhG+o > koICUhKaLDthmFvBrHBVCiW4xD5uk8ww2jlMNXv2LaRT05tfVjLC0EfboFn3kEkg > +c39M8Bm4GlkQvB1Wr37AEPn/m0PYbsC2lOEQL/04QRGiAcDTtjo4bzzsKb6yFFi > cWg8mUsldcSikZB+YFVS0RRLGcKCWhOVHxxMqKlA/IdzBU02JiGaYqZU9SKaakkc > 8AEFJkQdUYerh4BPeiwlzpy4uS3kiJU7A8hKnQSIuRR1xo7r28NKuvrxLnw5b3es > kExf4pyb5zitBPx6c0ERQ1SJrw9VU3DipJb6dY/QW5uceHvfJlYQiXN6nGGKUkvw > FlupnGef8TvHvgnHieiD9t3WRh+7WNKdMCs627U/Ym8VC0gcTXK3WORMdwrAVq7j > I7wEkXH4ms9sJD09ZGysNjlRylKvMzHlxxIjl3kpFmvGwus//BxMq8GCT+08cJ9Z > 5AOnYo5AWqWqa8nipilZ > =dpSm > -----END PGP SIGNATURE----- > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker