[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: MagicType draft

To: Scott Rose <scottr@nist.gov>
Subject: RE: MagicType draft
From: Edward Lewis <Ed.Lewis@neustar.biz>
Date: Tue, 23 Nov 2004 14:42:30 -0500
Cc: namedroppers <namedroppers@ops.ietf.org>
In-reply-to: <ANECIHCPCBDLLEJLCOPGGENBDBAA.scottr@nist.gov>
References: <ANECIHCPCBDLLEJLCOPGGENBDBAA.scottr@nist.gov>

Why can't a zone that purports to do both in the DS RRSet do both?

Why can't both a BERT RRSet and a NSEC RRSet be returned?

(Will a non-BERT RR verifier choke on the presence of an unknown type in the authority section?)

What would the size of a message containing both be (order of magnitude)?

Always keep in mind that DNSSEC is for the benefit of the resolver - doing anything punitive would be shooting itself in the bootstrap loader.

IMHO - if someone gave me a package which indicated multiple ways to verify it's authenticity and included all of the credentials for each of the multiple paths, you can bet that I would try the easiest verification first, trying successively harder ones until I succeed or run out of options.

The last thing I'd want to do is throw away an accepted package - that's why I'd progress through them all.

At 12:36 -0500 11/23/04, Scott Rose wrote:

 -----Original Message-----
 From: Samuel Weiler [mailto:weiler@tislabs.com]

 What does the auth server do when it's advertising (via DS/DS') that
 both kinds of non-existence proofs are available?  On name errors,
 return both a BERT RR and an NSEC RR (proving that the BERT RR doesn't
 exist)?  It doesn't know whether the resolver asking the query wants
 NSEC-type proofs or BERT-type proofs -- it has to provide an answer
 that works for both.  And that answer has to be completely
 backwards-compatible with DNSSECbis resolvers.

I don't know, kind of why I asked.  If I read that correctly, you believe
that magic type and DNSSECbis can't co-exist in a zone?  I think that might
be the case as well.  My comment was that it would be nice to have a way for
a DNSSECbis resolver to get/validate positive DNSSEC responses from a zone
that does magic type.  If we use an algorithm code in the DS, the resolver
will make the zone as "unsecure" (I hope) and continue, but be unable to
verify even if the response was positive and uses a RRSIG algorithm the
validator understands normally.

 I think the answer to Ed's question of "What happens if there is a mix
 of DNSSECbis and 'this method' keys in a DS set" is: the world ends.
 Depending on the resolver's mood, do something either kind and gentle
 (treat the zone as unsigned), colorful (treat the zone as not
 existing), or punitive (see draft-ietf-dnsop-bad-dns-res-03.txt, now
 in WGLC, for creative ideas).


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

I think my jabber client and SMS phone are talking about me behind my back.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

References:
- RE: MagicType draft
  - From: "Scott Rose" <scottr@nist.gov>

Prev by Date: RE: MagicType draft
Next by Date: Re: DNS-EPD Updates [was Re: New Internet-Draft: DNS-Endpoint Discovery (http://www.ietf.org/internet-drafts/draft-snell-dnsepd-00.txt)]
Previous by thread: RE: MagicType draft
Index(es):
- Date
- Thread