Re: Draft DNSEXT @ IETF62 Minutes
Mostly to clean up characters in the WCard
discussion, just one rewrite for clarity. (Put
my suggested replacement paragraph after the
original for cut and paste ease.)
At 12:05 +0100 3/21/05, Olaf M. Kolkman wrote:
Minutes of the DNSEXT working group
62nd IETF, Minneapolis, USA
9 March 2005
Wildcard Document
=================
...
(Discussion)
Rob Austein: In what way couldn't DNSSEC sign it?
Ed Lewis: Let's say I am going through the algorithm for answering
"a.example" and the qtype is "NS". What it would do in that situation
is go through the zone and find no a, then I'd go to star and then I'd
match the * NS. According to wildcard normal rules, a.example NS will
expand into the answer section. I am required to have a signature there,
I can't put the signature in there. To make this legal I have to change
the protocols document so that signers would have to sign this
particular case. If there was a signature there, the problem is the sig
would be signed by the wrong authority.
Ed Lewis: Let's say I am going through the algorithm for QNAME
"a.example." and the QTYPE is NS. What would be done in that situation
is go through the zone and find no "a" label so I'd go to star("*") and
match the * NS. According to wildcard normal rules, "a.example NS" will
expand into the answer section. I am required to have a signature there,
but there is no signature to put there. To make this legal I have to change
the DNSSECbis protocols document so that signers would have to sign this
particular case. If there was a signature there, the problem is the sig
would be signed by the wrong authority.
Rob Austein: My problem is this seems to be a special case to deal with
garbage input. I'd rather not have special case rules to handle zones
like these.
Lars Liman: What you're looking at is an NS record in the parent zone,
and you are worrying about the signature of that, but it is not going to
be signed in the parent zone. If you ask the parent server for a deleg
NS, are you supposed to get an answer, or a referral?
Ed Lewis: If you look at the algorithm, there are three parts: (a) a
direct match, (b) a delegation point, and (c) a closest encloser. Then I
answer with a wildcard, no wildcard etc. When I come down I don't see
the cut point, it is not on my search point, so B doesn't work.
Ed Lewis: If you look at the algorithm, there are three parts: (a) a
direct match, (b) a delegation point, and (c) a closest encloser, where I
answer with a wildcard or no wildcard. When I come down I don't see
the cut point, it is not on my search point, so B doesn't work.
(To rewrite this more...The reason that the "*
NS" does not result in a referral message when
seeking "a.example. NS" is this. Following the
4.3.2 algorithm, I would fall into part C, which
is the part in which my last matching label is at
the closest encloser, so I am in a "wildcard or
not situation." Referrals are in part B, but I
didn't enter there.)
This is written in the draft: when we enter step (a), (b) or (c), we
don't jump across.
Rob Austein: You are going to have to have a case in the ordinary
processing for the authoritative nameserver "I know what is supposed to
be in the zone but it wasn't there". As far as I can tell this covers
this mess. It is general purpose error processing. I don't see why we
need a special case.
Rob Austein: You are going to have to have a case in the ordinary
processing for the authoritative nameserver "I know what is supposed to
be in the zone but it wasn't there". As far as I can tell this covers
this mess. It is general purpose error processing. I don't see why we
need a special case.
Ed Lewis: I see what you mean; in Washington we talked of the same
thing. I made a mistake then thinking there would be a signature there.
With no sig there we would have to let the validator know it is a weird
case. We have to do some editing somewhere and the group on Monday felt
this is the best place to do the edits. Text will be coming to describe it.
Ed Lewis: I see what you mean, in Washington we talked of the same
thing. I made a mistake then thinking there would be a signature there.
With no sig there we would have to let the validator know it is a weird
case. We have to do some editing somewhere and the group on Monday felt
this is the best place to do the edits. Text will be coming to describe it.
If the type is not NS, there is no problem. Only when it is an NS or a
DS do we get anything back and there is where there is a concern.
This is how the rule would be changed in 1034. If some label has an
impossible match, look for existence of the star label, and does not own
an NS RRSet nor a DNAME RRSet. Treat a * NS or * DNAME as "not there".
This is how the rule would be changed in 1034. If some label has an
impossible match, look for existence of the star label, and does not own
an NS RRSet nor a DNAME RRSet. Treat a * NS or * DNAME as name "not there".
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Achieving total enlightenment has taught me that ignorance is bliss.
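The following is an added illustration, not part of Ed Lewis's message or of the DNSEXT minutes: a toy model of the RFC 1034 section 4.3.2 name-lookup walk (steps 3a, 3b, 3c) run over a small zone constructed for this example that carries a "*.example. NS" RRset. It shows why a query for "a.example. NS" ends in step (c) with the NS RRset synthesized into the answer section, while a real delegation ("sub.example.") ends in step (b) with a referral, and what the lookup returns if "* NS" and "* DNAME" are treated as "not there" as the minutes propose. The zone contents, the names `lookup`, `Result` and `zone_with_wildcard`, and the `star_ns_dname_is_absent` switch are all assumptions of this example; the model deliberately ignores CNAME/DNAME processing, DNSSEC records and the additional section, and "not there" is modelled here as dropping the NS and DNAME RRsets from the wildcard node before synthesis, which is one reading of the proposed rule rather than wording from any RFC.

```python
"""Toy model of RFC 1034 section 4.3.2 lookup over a zone holding '*.example. NS'.

Added example, not code from the DNSEXT minutes or from Ed Lewis. Zone data and
function names are constructed for illustration only.
"""
from dataclasses import dataclass, field

ZONE_APEX = "example."

# Constructed zone: owner name -> {RRtype: [rdata, ...]}. Not a real zone.
ZONE = {
    "example.":        {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 604800 300"],
                        "NS": ["ns1.example."]},
    "ns1.example.":    {"A": ["192.0.2.1"]},
    "sub.example.":    {"NS": ["ns.sub.example."]},   # a real delegation point (step 3b)
    "ns.sub.example.": {"A": ["192.0.2.53"]},          # glue for the delegation
    "*.example.":      {"NS": ["ns.wild.example."],    # the problematic "* NS" from the minutes
                        "A": ["192.0.2.99"]},
}


@dataclass
class Result:
    step: str                      # which 4.3.2 branch ended the walk: "a", "b" or "c"
    rcode: str                     # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)     # (owner, type, rdata) in the answer section
    authority: list = field(default_factory=list)  # (owner, type, rdata) in the authority section


def labels(name):
    """Split an absolute name into labels, leftmost first."""
    return name.rstrip(".").split(".")


def zone_with_wildcard(rrsets):
    """Copy of ZONE whose '*.example.' node holds exactly the given RRsets (test helper)."""
    zone = dict(ZONE)
    zone["*.example."] = dict(rrsets)
    return zone


def lookup(qname, qtype, zone=ZONE, star_ns_dname_is_absent=False):
    """Walk qname label by label down from the apex, as RFC 1034 4.3.2 step 3 does.

    star_ns_dname_is_absent models the rule proposed in the minutes: a '* NS' or
    '* DNAME' RRset is treated as if it were not in the zone (assumed reading).
    """
    qlabels, alabels = labels(qname), labels(ZONE_APEX)
    if qlabels[-len(alabels):] != alabels:
        raise ValueError("qname is not inside the zone")
    remaining = qlabels[:-len(alabels)]     # labels below the apex, leftmost first
    current = ZONE_APEX                     # node matched so far

    while True:
        rrsets = zone.get(current, {})
        # Step 3b: NS at a node below the apex means we left the authoritative
        # data; answer with a referral no matter what QTYPE was asked for.
        if current != ZONE_APEX and "NS" in rrsets:
            return Result("b", "NOERROR", [], [(current, "NS", r) for r in rrsets["NS"]])
        # Step 3a: every label matched, so this node owns the whole qname.
        if not remaining:
            return Result("a", "NOERROR", [(current, qtype, r) for r in rrsets.get(qtype, [])])
        nxt = remaining[-1] + "." + current
        if nxt in zone:
            current, remaining = nxt, remaining[:-1]
            continue
        # Step 3c: the next label has no node, so 'current' is the closest encloser;
        # the only thing left to consult is the '*' child of that node.
        wild = dict(zone.get("*." + current, {}))
        if star_ns_dname_is_absent:
            wild.pop("NS", None)
            wild.pop("DNAME", None)
        if not wild:
            return Result("c", "NXDOMAIN")
        # Wildcard exists: copy matching RRs into the answer with qname as owner
        # (an empty list here is the NODATA case, not a referral).
        return Result("c", "NOERROR", [(qname, qtype, r) for r in wild.get(qtype, [])])


if __name__ == "__main__":
    for q in [("a.example.", "NS"), ("sub.example.", "NS"), ("a.example.", "A")]:
        print(q, lookup(*q))
    print(("a.example.", "NS", "rule applied"), lookup("a.example.", "NS", star_ns_dname_is_absent=True))
```

Running the block shows the contrast the minutes describe: "a.example. NS" never reaches the referral branch because the walk stops at the closest encloser "example." and enters step (c), where the wildcard's NS RRset is copied into the answer section owned by "a.example."; "sub.example. NS" stops at a node that actually owns an NS RRset and so gets a referral from step (b). With the proposed rule switched on, the same "a.example. NS" query yields an empty answer (or NXDOMAIN if the wildcard node holds nothing else), which is the "not there" outcome the minutes ask for.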
archive: <http://ops.ietf.org/lists/namedroppers/>