
Re: [dnssec-deployment] some observations about .SE's DNSSEC




Colleagues,

Below is a mail from Mats Dufberg; it's part of a thread on the DNSSEC deployment list (http://mail.shinkuro.com:8100/Lists/dnssec-deployment/).

The background to this story is that a popular implementation started shipping code that sets the AD bit on validated responses even though the DO bit was not set on the query. These answers are getting stuck in the filters of popular DSL modems. The result is that data from secured zones would not be resolved.

The case is made that when there is a trust relation between the stub resolver and the validating nameserver you do not need to have all the DNSSEC information that you receive when you set the DO bit. On the other hand it was observed that a resolving nameserver should not just set bits in query headers without being instructed to do so.

The suggestion is that the AD bit is used in the query to signal the readiness to deal with AD bits in the answer.

I think it's a fine idea and would support such text in draft-ietf-dnsext-dnssec-bis-updates.

If folk think this needs an I-D then I'd be willing to edit it.

--Olaf



On 27 Sep 2007, at 9:51 AM, <Mats.Dufberg@teliasonera.com> wrote:

From: DNSSEC deployment [mailto:dnssec-deployment@shinkuro.com] On Behalf Of Mark Andrews
Sent: 27 September 2007 08:48
(...)
On 27 Sep 2007, at 00:41, Mark Andrews wrote:

	As AD is only supposed to be used where you trust the server
	could we use AD itself to signal that we want AD to be set in
	the response when DO is not set.

If you can set AD, why not set DO and just ignore the signatures in
the response? That's how we do it in the stand-alone implementation
of getrrsetbyname() used by OpenSSH-portable.

	jakob

	Why ask for more than you need?

Either of the two solutions would probably work. The lesson we should
learn from the broadband router problem is that a DNSsec enhanced
nameserver (resolving or hosting) should behave just like a non-DNSsec
nameserver unless being asked to include DNSsec information.

The AD flag in query has no other meaning and could be interpreted as
"Authentication check Desired".







-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
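To make the bits under discussion concrete, here is an added example (not code from the thread or from any of the implementations mentioned) that builds wire-format queries, reads back the AD header flag and the EDNS DO bit, and applies the proposed rule: a validating resolver sets AD in its answer only when the client signalled DO or AD in the query. The query name and message id are constructed sample values.

```python
import struct

# Header flag bits (RFC 1035 layout; AD and CD defined by RFC 2535 / RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO is not a header flag: top bit of the OPT RR TTL field (RFC 3225)

def skip_name(msg, off):  # advance past a wire-format name, incl. compression pointers
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_query(qname, qtype=1, ad=False, do=False, msg_id=0x1234):
    """Constructed sample query: RD always set, AD optional, OPT RR only when DO asked."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if do else 0)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)           # QTYPE, QCLASS IN
    if do:
        # OPT RR: root name, type 41, UDP payload 4096, TTL field carries DO, empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg

def query_signals(msg):
    """Return (ad_set, do_set) for a wire-format query."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):                           # walk every RR, look for OPT
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        do = do or (rtype == 41 and bool(ttl & EDNS_DO))
        off += 10 + rdlen
    return bool(flags & FLAG_AD), do

def response_flags(query, validated):
    """Thread's rule: answer with AD only if validated AND the client set DO or AD."""
    ad_q, do_q = query_signals(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if validated and (ad_q or do_q):
        flags |= FLAG_AD
    return flags
```

A plain query (neither DO nor AD) therefore gets a response header identical to one from a non-DNSSEC resolver, which is the behaviour the broadband-router filters expect.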
