
RE: Summary: DNSEXT WGLC: To OPT-IN or not to OPT_IN

On Wed, 30 Apr 2003, Roy Arends wrote:
>
> Protection against your deletion ("spoof a zone out of existence") attack:
> sign the delegated zone.
>
> A secured delegation to an unsecured zone is as practical as an unsecured
> delegation.

Roy,

As Dan so ably points out, signing a child zone won't protect it from
someone corrupting the NS glue, whether or not there's a DS in the
parent.  But adding the NXT to the parent, with or without a DS,
signals the existence of the delegation.  A client seeing an NXT at
least knows that the delegation exists.  It may not know how to find
it, for inability to get the glue or because it was fed bad glue, but
it knows that it's there.  That's a different and more informative
failure mode, and there may be ways of recovering from it.

In an opt-in zone (in an unsecure span), you're telling the client to
fall back to the current state of the world: there's no reason to
believe that there's anything in the span.  Without opt-in, you know
something should be there, and you can try to recover (not that we
know how, yet).  And whether or not the child is signed makes no
difference.

Yes, this would be much more interesting if the parent signed the
glue.  Too bad we're not redoing delegations at this point in the
process.

Yesterday, you wrote:
> All authoritative records are signed, with or without opt-in, and
> can be verified to be valid or not.

Correct, but misleading.  The parent is authoritative for the
existence of a delegation, and the existence is proved with an NXT and
SIG(NXT).

So while the parent isn't authoritative for the NSset, it is making an
authoritative statement by the inclusion of an NXT.  Without opt-in, it
makes an authoritative statement by the omission of a NXT ("there's
nothing to see here, move along").  With opt-in, omission of the NXT
is ambiguous.

-- Sam
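The distinction Sam draws (an NXT at the parent proves a delegation exists; omitting one proves absence only when the zone is not opt-in) can be made concrete with a small model of an NXT chain. The code below is an added example, not part of the thread or any DNS implementation: the zone `example.` and its children are constructed, `opt_in` is an assumed per-record flag standing in for however the opt-in draft marks an unsigned span, and `delegation_status` is a hypothetical helper that reports what a validator can conclude about a name from the covering NXT alone (it deliberately says nothing about the NS glue, which the parent does not sign).

```python
# Added example (not from the namedroppers thread): what a parent's signed NXT
# chain proves about a delegation, with and without opt-in spans.
from dataclasses import dataclass


def canon(name: str) -> tuple:
    """Canonical DNS ordering key: labels lowercased and reversed, so the apex
    sorts before every name beneath it (as the NXT chain requires)."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class NXT:
    owner: str          # name this NXT is owned by
    next: str           # next name in canonical order (wraps to the apex at the end)
    types: frozenset    # type bitmap of the owner, e.g. {"NS", "NXT", "SIG"}
    opt_in: bool = False  # ASSUMPTION: span may hide unsigned delegations


def covering_nxt(chain, name: str):
    """Return the NXT owned by `name`, or the one whose span covers it."""
    k = canon(name)
    for r in chain:
        o, n = canon(r.owner), canon(r.next)
        if o == k:
            return r
        if o < n:
            if o < k < n:
                return r
        elif k > o or k < n:  # last NXT in the chain wraps around to the apex
            return r
    return None


def delegation_status(chain, name: str) -> str:
    """What a validator may conclude about `name` from the parent's NXT chain:
    EXISTS           - an NXT owned by the name carries the NS bit: the parent
                       authoritatively says a delegation is there (glue still
                       unverified, since the parent does not sign the NS set)
    PROVABLY_ABSENT  - covered by a normal span: the omission is an
                       authoritative "nothing to see here"
    AMBIGUOUS        - covered by an opt-in span: the omission proves nothing
    """
    r = covering_nxt(chain, name)
    if r is None:
        return "NO_PROOF"
    if canon(r.owner) == canon(name):
        return "EXISTS" if "NS" in r.types else "EXISTS_NOT_DELEGATION"
    return "AMBIGUOUS" if r.opt_in else "PROVABLY_ABSENT"


# Constructed zone: example. delegates a (signed child, DS present), m (unsigned
# child) and z (signed child).  Fully signed chain: every delegation has an NXT.
FULL_CHAIN = [
    NXT("example.",   "a.example.", frozenset({"SOA", "NS", "NXT", "SIG"})),
    NXT("a.example.", "m.example.", frozenset({"NS", "DS", "NXT", "SIG"})),
    NXT("m.example.", "z.example.", frozenset({"NS", "NXT", "SIG"})),
    NXT("z.example.", "example.",   frozenset({"NS", "DS", "NXT", "SIG"})),
]

# Opt-in chain: the unsigned delegation m.example. gets no NXT of its own; the
# a..z span is flagged opt-in, so a missing NXT in that span is not a denial.
OPT_IN_CHAIN = [
    NXT("example.",   "a.example.", frozenset({"SOA", "NS", "NXT", "SIG"})),
    NXT("a.example.", "z.example.", frozenset({"NS", "DS", "NXT", "SIG"}), opt_in=True),
    NXT("z.example.", "example.",   frozenset({"NS", "DS", "NXT", "SIG"})),
]

if __name__ == "__main__":
    for name in ("a.example.", "m.example.", "b.example."):
        print(f"{name:12} without opt-in: {delegation_status(FULL_CHAIN, name):16}"
              f" with opt-in: {delegation_status(OPT_IN_CHAIN, name)}")
```

Run as a script, the table shows the failure-mode difference from the message: `m.example.` is EXISTS under the full chain, so a client fed bad glue at least knows a delegation should be there, while under opt-in the same name is AMBIGUOUS and indistinguishable from a name that was never delegated.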


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>