To: dnssec@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Mon, 10 May 2004 15:23:57 +0200
Content-Disposition: inline
Mail-Followup-To: dnssec@cafax.se
Sender: owner-dnssec@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: dnssec: resolver - application communication
Hello,

[I'm using this list to start the discussion about it, rather than starting a new list (I'm on too many MLs already :) )]

At the last RIPE meeting I've given a presentation on whether an application needs to know the security status of answers the resolver got from a secured DNS.

link: http://www.nlnetlabs.nl/prespub/RIPE-48/html-miek/index.html

This is related to: http://www.nlnetlabs.nl/dnssec/draft-gieben-resolver.txt

This essentially leads to the case whereby every application will do its own validation. When you are validating DNSSEC data, it is very handy to directly talk to the authoritative server. Thus this, in turn, will lead to increased pounding on the authoritative servers on the Internet. Most notably the secure entry points, which will be root in some future. In short: this will most probably break the DNS.

The other solution is to do what we do now: SERVFAIL when data is bogus, but then the app. doesn't know the security status.

Our new thinking at labs is now that this is not that bad. DNSSEC is created to _detect_ attacks; when giving back SERVFAIL we indicate an attack - I don't care what kind of attack. I only need to know there is one going on right now. Then I can fire up my dig++ and look what is really happening.

So basically it comes down to answering the question:

* Must applications know the security status of DNS answers?
* (last week we thought: yes, now we (labs) think no)

grtz,
--Miek

--
today's fortune:
I'll show you MY telex number if you show me YOURS ...
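The "SERVFAIL means the validating resolver detected something bogus" model from the mail can be illustrated with a small DNS header parser. This is an added example and not code from the mail or from NLnet Labs; the message bytes it parses are constructed inline with the standard 12-byte header layout (RFC 1035), and the AD/CD flag bits it decodes are the real header bits a validating resolver can set, which the mail itself does not discuss. The `classify()` function applies the stance in the mail: an application treats SERVFAIL from its resolver as "an attack is going on, investigate", without needing a richer security status.

```python
import struct

# RCODE values from the DNS header (RFC 1035)
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte DNS message header into its individual fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,        # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "ad": (flags >> 5) & 1,         # authentic data (set by a validating resolver)
        "cd": (flags >> 4) & 1,         # checking disabled (client opts out of validation)
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Map a resolver response onto the states the mail argues an app needs.

    Following the mail's reasoning, SERVFAIL from a validating resolver is
    taken as "validation failed: an attack is being detected right now",
    which is all the application needs before someone reaches for dig.
    """
    h = parse_header(msg)
    if h["qr"] != 1:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail-possible-attack"
    if h["rcode"] == RCODE_NOERROR:
        return "ok"
    return "error"


def build_response(msg_id: int, rcode: int, ad: int = 0) -> bytes:
    """Construct a minimal response header (constructed test data, no sections).

    Sets QR, RD and RA, plus the AD bit on request, with one question counted.
    """
    flags = (1 << 15) | (1 << 8) | (1 << 7) | ((ad & 1) << 5) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    # Constructed sample: what a validating resolver returns for bogus data.
    bogus = build_response(0x1234, RCODE_SERVFAIL)
    print(classify(bogus))                 # servfail-possible-attack
    # Constructed sample: a validated, authentic answer.
    good = build_response(0x1235, RCODE_NOERROR, ad=1)
    print(classify(good), parse_header(good)["ad"])   # ok 1
```

The parser only reads the header, so it works on any captured DNS message; feeding it real resolver output (for instance the raw bytes behind a `dig` session) shows whether the resolver is signalling failure via RCODE alone, as the mail assumes, or also via the AD bit.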