To: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 11 May 2004 15:56:47 -0400
In-Reply-To: Message from David Blacka <davidb@verisignlabs.com> of "Tue, 11 May 2004 10:12:42 EDT." <200405111012.42325.davidb@verisignlabs.com>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "David" == David Blacka <davidb@verisignlabs.com> writes:
    >> If I ask: c.b.example. CD=1
    >>
    >> and my resolver fails to validate b.example, does it continue?

    David> Yes.

    >> Consider the question again from the point of view of a broken NS
    >> (vs a broken DS).

    David> What do you mean by "broken"?

  If example. has only lame NS records for b.example. then one can't get
c.b.example.

  Now, if the DS records that example. has are broken in some way (wrong
hash, SIG over them expired, etc.) how is this different than if the NS
records are broken?

    David> My point is that SASRs do not need to bypass their full
    David> resolver, nor do they need to get the entire validation chain
    David> back in one round trip.  I am not making a statement as to
    David> what security aware resolvers should return to applications.

  I'm not in the camp that wants to bypass.

  If CD=1 will work the way that you describe (I have little experience
with it at this point, btw), then it is possible that one can do what I
want. However, since I want to do it on EVERY lookup (successful *OR*
failed), it seems a waste.

  Since I expect SASRs to primarily use a local channel to talk to
security-aware full resolvers (SAFRs? pronounced like Safron maybe. Or is
there a better term already), I don't understand the objection to having
all of the records returned.

  This is a local matter (i.e. not necessarily for the IETF to care about,
or standardize), except to the extent that reusing as much of DNS as
possible makes sense. I.e. I'm imagining an EDNSx to enable this.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com           http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQKEv/IqHRg3pndX9AQFh7wQAgSA91sCaX8fkBDjxXDPhy3LGGu7kX92d
RrYFSzv25qWtINCt3gleVClmnTpBiTFI7mxcdjfdIBRawWiabbprOfLrVVPUvSHH
GvLnSGOM4YPsO3gVcYCMVzPRtOTpLTBcwMHxqtrXtLxKGAvIvHmwLIH3+OCk4Lqd
LiidY7LpMZc=
=y6eC
-----END PGP SIGNATURE-----
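The message above turns on what a stub resolver learns from the CD and AD header bits when it asks for c.b.example. with CD=1. The following is an added example, not code from this message or from either participant: it builds such a query (RD=1, CD=1, and an EDNS OPT record with DO=1) in wire format, then shows how a security-aware stub would classify the three kinds of response it can get back. The flag bit positions are the standard DNS header and OPT layout (RFC 1035 section 4.1.1, RFC 4035 section 3.2, RFC 3225); the response headers are constructed sample data, no resolver is contacted, and the verdict strings are this example's own labels.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: the resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: return data even if it does not validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

OPT_TYPE = 41
EDNS_DO = 0x8000  # DNSSEC OK bit, the top bit of the low 16 bits of the OPT RR TTL (RFC 3225)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, checking_disabled=True, udp_size=4096):
    """Build a recursive query carrying an EDNS OPT record with DO=1 and, optionally, CD=1."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, an=0, ns=0, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO+Z, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields a stub resolver cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "ancount": an,
    }


def stub_verdict(response):
    """Classify a response the way a security-aware stub would, from RCODE, AD and CD alone."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"             # resolver could not answer (with CD=0, bogus data ends here)
    if h["ad"]:
        return "validated"            # resolver vouches for the answer and authority sections
    if h["cd"]:
        return "unvalidated"          # CD=1 echoed back, no AD: the stub must validate itself
    return "no-validation-signal"     # plain answer: non-validating resolver or unsigned zone


def make_response(query, flags, rcode, ancount=1):
    """Constructed response header echoing the query ID (sample data, no real resolver involved)."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, (flags & ~RCODE_MASK) | rcode, 1, ancount, 0, 0)


if __name__ == "__main__":
    q = build_query("c.b.example.")
    print("query header flags: 0x%04x" % struct.unpack("!H", q[2:4])[0])
    samples = [
        ("validated answer", make_response(q, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 0)),
        ("CD=1, did not validate", make_response(q, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 0)),
        ("CD=0, bogus chain", make_response(q, FLAG_QR | FLAG_RD | FLAG_RA, RCODE_SERVFAIL, 0)),
    ]
    for label, r in samples:
        print("%-24s -> %s" % (label, stub_verdict(r)))
```

The point the example makes concrete is the one the thread circles around: with CD=1 the stub always gets data back and must carry the validation burden itself (the "unvalidated" case), whereas with CD=0 a validating resolver that hits a broken DS chain returns SERVFAIL and the stub sees no records at all. Neither header bit tells the stub why validation failed; that is exactly the information the message argues a local channel or EDNS extension would need to carry.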