
Re: IESG feedback on dnsext-ad-is-secure

On Wed, 2002-06-12 at 02:37, Robert Elz wrote:
> It seems likely that a stub resolver (as defined 2 paragraphs ago) would
> like to know whether or not its (presumably trusted) back end has validated
> signatures or not.

Uh, I'm not quite sure what you're saying here, but this statement makes
me a little nervous.  AD=1 means the back end has validated signatures,
*and* all the required signatures were present and valid.  AD=0 means
the back end has not validated signatures, *or* the required signatures
were absent or invalid.  AD doesn't give you a way to determine if the
back end is DNSSEC-aware or not, unless you happen to know of a record
with a valid signature.

It's important that everyone be on the same page here, so that we don't
get AD-is-confused.  People (including area directors) in the opt-in
discussion have already raised the possibility that a query for an
unsigned record in an opt-in zone might come back with the AD bit set,
which could only happen with a completely different meaning for the AD
bit.  Sure, you can cryptographically determine that the requested
record wouldn't be signed if it does exist, but the record clearly fails
the test:

   "The AD bit MUST NOT be set on a response unless all of the RRsets in
   the answer and authority sections of the response are Authenticated."
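As an added example, not part of the thread or of any IETF draft, the following Python sketch decodes the AD flag from a DNS response header and applies the rule quoted above (AD only when every RRset in the answer and authority sections is authenticated). The sample header bytes, the section labels and the treatment of an empty section are assumptions made for the example.

```python
import struct

# DNS header flag bits (second 16-bit word of the 12-byte header)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data
FLAG_CD = 0x0010  # Checking Disabled


def parse_header(wire: bytes) -> dict:
    """Parse the fixed 12-byte DNS header and return the interesting flag bits."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def ad_bit_allowed(rrsets) -> bool:
    """Rule quoted in the thread: AD may be set only if every RRset in the
    answer and authority sections is Authenticated.  rrsets is a list of
    (section, authenticated) pairs; the additional section is ignored and an
    empty answer/authority is treated as vacuously authenticated (assumption)."""
    return all(auth for section, auth in rrsets if section in ("answer", "authority"))


def response_flags(base_flags: int, rrsets) -> int:
    """Build the flags word a validating back end should send: copy the base
    flags, then set AD only when the rule above is satisfied."""
    flags = base_flags & ~FLAG_AD
    return flags | FLAG_AD if ad_bit_allowed(rrsets) else flags


def interpret_ad(ad: bool) -> str:
    """What a stub resolver can conclude from the AD bit alone."""
    if ad:
        return "back end validated: all required signatures present and valid"
    return ("back end did not validate, or signatures were absent/invalid; "
            "cannot tell whether the back end is DNSSEC-aware")


# Constructed sample: ID 0x1234, QR|RD|RA|AD set, one question, one answer.
SAMPLE_AD_RESPONSE = struct.pack("!6H", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
# Constructed opt-in style case: unsigned answer RRset, signed authority RRset.
OPT_IN_RRSETS = [("answer", False), ("authority", True)]
```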


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>