
Re: DNSSEXT Yokohama Minutes



On Tue, 3 Sep 2002, Olafur Gudmundsson wrote:

> On Tue, 3 Sep 2002, Roy Arends wrote:
>
> > As I recall, we need to write:
.....
> > - The current issues:
> >                  Clear AD-bit on an opt-in response.
> >                  (I think this will be taken care of by the "AD-bit is
> >                  secure" authors ).
>
> This is for Opt-in to specify, not AD, due to dependency reasons; this
> definition is only needed if both AD and Opt-in are part of the standard.

Okay.

> For the record: this relates to use of NXT between the two names
> on the NXT (record name and the target name).
> In DNSSEC where AD bit is used (either RFC2535 or AD-secure definition),
> the AD bit can be set on response if it is authenticated denial with NXT,
> for the QNAME if the
> 	NXTNAME  == QNAME or (NXTNAME < QNAME and QNAME < NXTargetNAME )
>
> Opt-in NXT must define that NXT can only be used when
> NXTNAME == QNAME to set the AD bit.

I don't understand what you just wrote.

This issue is as follows:

"AD-is-secure" states that the AD bit may be set when _all_ resource
records in a [negative] response are cryptographically verified to be
valid.

An Opt-in negative response reaching the resolver only has signed records.
This implies AD=1.

But, this negative response might have been a positive Opt-In response
when it left the authoritative server.

When AD=1 is sent to an application/stub/whatever which places trust in
this bit, the application/stub/whatever is effectively misled. So, AD=0 on
an Opt-In response effectively takes care of this situation.

> > Some of the above were stated by Olafur last week during the DS workshop,
> > others were a result of research by Rob Austein and me (which was
> > presented at Yokohama).
>
> Then there is the minor issue of bytes on the wire, are responses
> from Opt-in zones smaller/same/larger than from regular DNSSEC zones.
>
> And then there is the issue on memory usage in caches, there was an
> assertion that opt-in zones cause more memory consumption than other
> DNSSEC zones.

This is true:

A positive response with Opt-in holds:    QTYPE+NXT+SIG(NXT).

A positive response without Opt-in holds: QTYPE+SIG(QTYPE).

Roy


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
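The NXT range test quoted above (NXTNAME == QNAME, or NXTNAME < QNAME < NXTargetNAME) and the Opt-in rule that only the exact-name case may set AD, as an added Python example that is not part of this thread; the zone apex, names and type sets are constructed, and the code assumes SIG(NXT) has already been validated by the caller.

```python
from dataclasses import dataclass
from typing import Optional

def canonical_labels(name: str) -> list:
    """Split a dotted name into labels, lowercase them (canonical form) and
    order them root-first, which is how RFC 2535 section 8.1 sorts names."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [lab.encode("ascii") for lab in reversed(labels)]

def canonical_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in canonical DNS order;
    a name that is a prefix of the other sorts first."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

@dataclass(frozen=True)
class NXT:
    owner: str          # NXTNAME
    next_name: str      # NXTargetNAME
    types: frozenset    # types present at the owner name

def nxt_match(nxt: NXT, qname: str, apex: str) -> Optional[str]:
    """'exact' when NXTNAME == QNAME, 'span' when NXTNAME < QNAME < NXTargetNAME
    (the last NXT of a zone points back to the apex and covers everything
    after its owner), None when this NXT says nothing about QNAME."""
    c = canonical_cmp(nxt.owner, qname)
    if c == 0:
        return "exact"
    if c < 0 and (canonical_cmp(nxt.next_name, apex) == 0
                  or canonical_cmp(qname, nxt.next_name) < 0):
        return "span"
    return None

def ad_bit(nxt: NXT, qname: str, qtype: str, apex: str, opt_in: bool) -> bool:
    """Decide whether a verified NXT-based denial may carry AD=1. Under Opt-in
    only the exact-name case may set AD: a span may have covered a positive
    Opt-in response whose unsigned records the resolver never saw."""
    match = nxt_match(nxt, qname, apex)
    if match is None:
        raise ValueError("NXT does not cover QNAME")
    if match == "exact" and qtype in nxt.types:
        raise ValueError("NXT asserts the type exists; this is not a denial")
    return match == "exact" if opt_in else True

# Constructed sample zone: example.test with NXT chain b -> d and z -> apex
ZONE = "example.test"
NXT_B = NXT("b.example.test", "d.example.test", frozenset({"A", "NXT", "SIG"}))
```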