Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> On Mar 9, 2015, at 3:45 AM, Tony Finch <d...@dotat.at> wrote:
>
> > Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> >>
> >> My personal interpretation is that "validating resolver" is a synonym
> >> for "security-aware resolver". Do others agree? If not, how would you
> >> differentiate them?
> >
> > No, "security-aware" means that the software understands the special
> > semantics of RRSIG, NSEC, DS, etc. but does not necessarily validate.
>
> What does "understand" mean in that sentence?
The software has to implement the parts of DNSSEC which are incompatible
with security-oblivious DNS. RRSIG records are part of the RRset they sign,
not a separate RRset of their own. Proof of nonexistence requires returning
NSEC(3) records in responses. DS records have to be queried at the parent,
not the zone apex. Etc.

> > It is clear from RFC 4033 that validation is separate from security
> > awareness because of "Non-Validating Security-Aware Stub Resolver".
>
> Maybe. Note that this is the only defined term with "non-validating" in
> it. Was this possibly an artifact of the world-view that Ralf mentioned?

Maybe. I agree with most of what Ralf said. However, while we may not think
it makes sense to deploy a non-validating resolver, a large proportion of
the resolvers out there are non-validating and security-aware.

> > For instance, by default, BIND is a security-aware validating resolver.
> > (Except it can't validate anything until you configure a trust anchor.)
> > You can turn off validation with "dnssec-validation no" and switch it into
> > security-oblivious mode with "dnssec-enable no".
>
> If you turn off validation with "dnssec-validation no", in what way is
> it security-aware any more?

It matters wrt the protocol support that is provided to downstream clients.
All upstream servers of a validator have to be security-aware or the
validator will not work. So if I turn off validation on my recursive server
and flush its cache, I can still use a validating stub. The stub will make
DO=1 queries so the server will return the RRSIG and NSEC records that the
stub needs to be able to validate. If I turn off DNSSEC support in my
recursive server, my stub can no longer validate the responses because the
necessary information is not returned.
Obviously a non-validating recursive server isn't a good setup from the
DNSSEC point of view, but there is an important distinction between working
(security-aware but vulnerable to cache poisoning) and completely broken
(because security-oblivious).

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Tyne, Dogger, Fisher, German Bight, Humber: South veering west 5 to 7,
occasionally gale 8, except in Humber. Moderate or rough, becoming very
rough in Fisher. Rain for a time. Moderate or good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
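The distinction Tony draws (a security-aware server answers a DO=1 query with the RRSIG records a downstream validator needs, whether or not it validates itself; a security-oblivious server leaves them out) can be checked on the wire. The following is an added example, written for this page and not code from the thread, from BIND or from any of the participants. It builds a DO=1 query, parses a response, and classifies the answering resolver with a simple heuristic: RRSIGs present means security-aware, the AD flag set means the resolver validated. The three responses it classifies are constructed inline for a made-up zone `example.`, with placeholder RRSIG RDATA, since nothing here goes on the network.

```python
"""Classify a resolver from its answer to a DO=1 query (added example).

Heuristic: RRSIG records returned -> security-aware; AD flag set ->
validating; neither -> security-oblivious. Sample responses are constructed
below for a fictional zone "example."; the RRSIG body is a placeholder.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1
DO_BIT = 0x8000   # high bit of the OPT pseudo-RR TTL field (RFC 6891)
AD_FLAG = 0x0020  # Authenticated Data bit in the message header


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def opt_rr(do: bool) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type 41, UDP size 4096, DO flag, no RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)


def build_query(qname: str, qtype: int, txid: int = 0x1234, do: bool = True) -> bytes:
    """Query with RD=1, one question and an OPT record (DO=1 by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + opt_rr(do)


def decode_name(msg: bytes, offset: int, hops: int = 0) -> tuple:
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            hops += 1
            if not jumped:
                end = offset + 2
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return header AD bit, OPT DO bit and the RR types per section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, do = 12, False
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    types = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, offset = decode_name(msg, offset)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10 + rdlen
            types[section].append(rtype)
            if rtype == TYPE_OPT and ttl & DO_BIT:
                do = True
    return {"ad": bool(flags & AD_FLAG), "do": do, "rr_types": types}


def classify(msg: bytes) -> str:
    """Heuristic label for the resolver that produced a response to a DO=1 query."""
    info = parse_response(msg)
    if info["ad"]:
        return "validating"
    if any(TYPE_RRSIG in t for t in info["rr_types"].values()):
        return "security-aware, non-validating"
    return "security-oblivious"


def build_response(txid, qname, qtype, answers, ad, with_opt) -> bytes:
    """Construct a response: QR/RD/RA (+AD), answers as (type, rdata), optional OPT."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | (AD_FLAG if ad else 0),
                         1, len(answers), 0, 1 if with_opt else 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, rdata in answers:                  # 0xC00C points at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + body + (opt_rr(True) if with_opt else b"")


def sample_responses() -> dict:
    """Constructed answers for 'www.example. A' from the three resolver kinds."""
    a = bytes([192, 0, 2, 1])                                    # documentation address
    rrsig = b"\x00" * 18 + encode_name("example.") + b"\x00" * 8  # placeholder RRSIG RDATA
    q = (0x1234, "www.example.", TYPE_A)
    return {
        "validating": build_response(*q, [(TYPE_A, a), (TYPE_RRSIG, rrsig)], True, True),
        "aware": build_response(*q, [(TYPE_A, a), (TYPE_RRSIG, rrsig)], False, True),
        "oblivious": build_response(*q, [(TYPE_A, a)], False, False),
    }


if __name__ == "__main__":
    for kind, wire in sample_responses().items():
        print(f"{kind:10s} -> {classify(wire)}")
```

The `aware` sample is the case from the thread: `dnssec-validation no` leaves the RRSIGs in the answer (AD clear), so a validating stub behind it still has what it needs; the `oblivious` sample is `dnssec-enable no`, where the RRSIGs are gone and the stub cannot validate. Against a real resolver the AD bit is only meaningful when the query asked for it (DO or AD set) and the answer actually validated, so treat the label as a first check, not a verdict.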