To: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 10 May 2004 15:22:31 -0400
In-Reply-To: Message from Mike StJohns <Mike.StJohns@nominum.com> of "Mon, 10 May 2004 13:48:56 EDT." <6.0.1.1.2.20040510133423.0353bec0@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
>>>>> "Mike" == Mike StJohns <Mike.StJohns@nominum.com> writes:
>> I also think the app should know the difference between:
>>
>> - signed, signature is good.
>> - signed, but the signature expired.
>> - signed, but the signature did not validate.
>> - unsigned
>> - unsigned, but should be signed
>>
>> Am I missing cases here?
Mike> signed, but expired, signed but not validated, and unsigned
Mike> but should be signed are all variations of "bogus" - I should
Mike> have been able to validate it, but for some reason I wasn't
Mike> able to. Not clear whether the app can do anything with the
Mike> variants here given that an attacker can use replay to
Mike> duplicate all of these. (signed but expired is replay the old
But, the difference between them means something to the human
repairing things.
Mike> secure - signed, validated and there was a trust anchor that
Mike> unsecure - the unsecured delegation of a zone was signed and
Mike> bogus - the resolver had a trust anchor superior to the name
Mike> indeterminate - the resolver has no trust anchor superior to
Mike> There may be a fifth one - error. SERVFAIL is a valid error
Consider the situation where the user calls up the IT department, and
says "I was SSHing to foo.example, and it said 'bogus'".
How does this get resolved?
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
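The split debated in this message, as an added example (not code from the thread or from any resolver): a coarse status the application branches on, plus a separate reason kept for the person repairing things. The struct, field and function names are hypothetical, and the policy that only "secure" is trusted is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Coarse states the application branches on (the four named in the thread). */
enum dnssec_status { DS_SECURE, DS_INSECURE, DS_BOGUS, DS_INDETERMINATE };
/* Detail for the person repairing things; set only when status is DS_BOGUS. */
enum dnssec_reason { DR_NONE, DR_SIG_MISSING, DR_SIG_EXPIRED, DR_SIG_INVALID };

/* Hypothetical summary of what a validating resolver learned about one answer. */
struct validation_facts {
    bool anchor_above;     /* a configured trust anchor is superior to the name */
    bool proven_unsigned;  /* a signed parent proved the delegation is unsigned */
    bool has_sig;          /* the answer carried a signature */
    bool sig_verifies;     /* the cryptographic check passed */
    time_t sig_expiration, now;
};
struct dnssec_result { enum dnssec_status status; enum dnssec_reason reason; };

struct dnssec_result classify(const struct validation_facts *f) {
    if (!f->anchor_above)    return (struct dnssec_result){ DS_INDETERMINATE, DR_NONE };
    if (f->proven_unsigned)  return (struct dnssec_result){ DS_INSECURE, DR_NONE };
    if (!f->has_sig)         return (struct dnssec_result){ DS_BOGUS, DR_SIG_MISSING };
    if (f->now > f->sig_expiration)
                             return (struct dnssec_result){ DS_BOGUS, DR_SIG_EXPIRED };
    if (!f->sig_verifies)    return (struct dnssec_result){ DS_BOGUS, DR_SIG_INVALID };
    return (struct dnssec_result){ DS_SECURE, DR_NONE };
}

/* Assumed application policy: only a validated answer is trusted; every
 * bogus variant is refused identically, since each can be produced by replay. */
bool app_may_trust(struct dnssec_result r) { return r.status == DS_SECURE; }

/* Text for logs or the help desk; never an input to the trust decision. */
const char *reason_text(enum dnssec_reason r) {
    switch (r) {
    case DR_SIG_MISSING: return "unsigned, but should be signed";
    case DR_SIG_EXPIRED: return "signed, but the signature expired";
    case DR_SIG_INVALID: return "signed, but the signature did not validate";
    default:             return "no detail";
    }
}

int main(void) {
    /* Constructed sample: covered by a trust anchor, signature past expiry. */
    struct validation_facts f = { true, false, true, true, 1000, 2000 };
    struct dnssec_result r = classify(&f);
    printf("trust=%d detail=%s\n", app_may_trust(r), reason_text(r.reason));
    return 0;
}
```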