On 11/25/15, 13:05, "Wessels, Duane" <dwess...@verisign.com> wrote:
>Can you say more about how limited you think it should be? Never? (Probably) as much as possible. I can't see the benefit of telling a third party this. (First party being the validator/querier, second party being the authority of the trust anchor set, third party including the upstream.) >In what I'm proposing the stub also would send the option only for DNSKEY >queries >and only for trust anchor zones (i.e. root). Is that limited enough? And to the IP addresses for the zone's advertised name servers. >Do you have particular concerns about who knows about the stub's trust >anchors? >Are you thinking of on-path attackers or the recursive operator or >something else? Nothing in particular. I'm not even clear if it's attackers I am worried about, it's just general leakage. I don't see damage in leaking, per se, outside of the "if someone knows trust anchor #4 was reverse engineered, then the verifier using it is vulnerable." It's more that I don't see a benefit in allowing leakage. >Is it okay for a recursive to expose old trust anchors, but not okay for >a stub? Hmmm, I don't think the two (stub and recursive) are different for this option. (In the sense that EDNS is hop-by-hop and not end-to-end, and the only query handler that can make any use of this information is the authority.) >I actually like the suggestion I heard from someone (sorry, can't remember >exactly who right now) that instead of intersection or union, the >recursive >could just forward a second instance of the option. Not commenting directly on that, but, I'm leaning towards this never being an issue - that is - there should be no middlebox of any kind that would forward/relay the option. >I'd say there is a benefit to the zone operator in knowing what trust >anchors >are in use by stubs. Zone operator would be the one plowing through the packets seen at the authoritative addresses, I think. (Me being fully aware that zone operators aren't always DNS operators.) >> (If there's a conflict between the two (which could >> also be sever clock skew), use 'CD' in queries.) > >Sorry I didn't follow that. I was thinking - if a validator is forwarding all traffic to a recursive server that is also DNSSEC validating, and there is a conflict because the "upstream" is SERVFAIL'ing some data because of, say, the trust anchor not right, the "downstream" ought to revert to "+CD" to avoid the buggy in-validation. >Forgive me for saying, but it sounds to me like you might've misunderstood >a little about what I proposed. I'm saying the edns-key-tag option rides >along with a DNSKEY query. So the response is a normal DNSKEY response. > >The draft currently says: > > A responder MUST NOT include the edns-key-tag option in any DNS >response. Missed that. (Yes, I did read the draft, twice,...still missed it. ;)) >So what I've proposed is one-way, passive data collection only. Note I >modeled this >after RFC 6975, which works the same way.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
