To:
miekg@atoom.net (Miek Gieben)
Cc:
dnssec@cafax.se
From:
Bill Manning <bmanning@isi.edu>
Date:
Mon, 10 May 2004 11:58:06 -0700 (PDT)
In-Reply-To:
<20040510132357.GA28493@atoom.net> from "Miek Gieben" at May 10, 2004 03:23:57 PM
Sender:
owner-dnssec@cafax.se
Subject:
Re: dnssec: resolver - application communication
% Hello, % % [I'm using this list to start the discussion about it, rathen than % starting a new list (i'm on too many ML already :) )] retro-fitting an old list to discuss the things the list was created for... how very odd :) % http://www.nlnetlabs.nl/dnssec/draft-gieben-resolver.txt % % This essentially leads to the case whereby every application will do it's own % validation. When you are validating DNSSEC data, it is very handy to directly % talk to the authoritative server. Thus this, in turn, will lead to increased % pounding on the authoritative servers on the Internet. Most notably the secure % entry points, which will be root in some future. In short: this will most % probably break the DNS. Not at all. you only need to "get more" if the validation fails. This was hammered home to me @ the SLC IETF. If the validation works, then where the data comes from is of less concern (thanks to Liman for hearing me out on this) The "extra" hits should only occur during transition. % SERVFAIL we indicate an attack - I don't care what kind of attack. I only need % to know there is one going on right now. Then I can fire up my dig++ and look % what is really happening. dig++ needs access to more data than you wish to mask w/ SERVFAIL, no? % So basically it comes down to answering the question: % * Must applications know the security status of DNS answers? * % (last week we thought: yes, now we (labs) think no) Which apps? Some yes, some(most) we don't know. Based on the straw-poll in the RIPE TECHSEC wg, no one was able to think of an app that could not use knowledge of the security status of the DNS answers. Some other discussion points were raised: http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-techsec-sro.pdf one, perhaps novel approach, is to have the validator function as a caching entity (much like the caching nameserver/resolver). certainly changes the dynamics of validation and the placement of validator code... :) % grtz, % --Miek --bill Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).