Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
When a validator has a trust anchor configured for root, it _expects_
signatures for root.
No signatures -> no validation -> data marked bogus -> client/stub gets
servfail (*).
When a validator has a trust anchor configured for root, it expects
signatures for root and _everything_ below until it hits a proof of
absence of DS. This proof is given by NSEC/NSEC3 records and their
signatures.
If something in the middle mucks with it, either removing a sig or fondling
the data even one single teeny bit, ->
failed validation -> data marked bogus -> client/stub gets a servfail (*).
DNSSEC is perfect that way, in Bert's terms.
Roy Arends
Nominet UK
(*) The client/stub has the option to query the validating resolver with
the CD bit set, in which case the resolver may return bad/bogus data.
archive: <http://ops.ietf.org/lists/namedroppers/>
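The decision logic described in the mail above, as an added toy model that is not part of the original message and not any real resolver's code: a validator with a root trust anchor walks the delegation chain downwards, expects valid signatures at every step, stops expecting them only at a verified NSEC/NSEC3 proof that a DS is absent, marks anything else bogus, and withholds bogus data from the stub unless the stub set CD. There is no real DNS or cryptography here; the `Zone` records, the `signed`/`ds`/`tampered` flags and the sample names are constructed, and "signed" simply stands for "RRSIGs present and verifying".

```python
# Toy model of how a validating resolver decides secure / insecure / bogus
# and what the stub sees. Constructed illustration only: no real DNS, no
# cryptography; "signed" stands for "RRSIGs present and verifying".
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Zone:
    """One zone on the delegation path, root first (constructed data model)."""
    name: str
    signed: bool = True     # zone's RRSIGs are present and verify against its DNSKEY
    ds: str = "present"     # what the parent proves about this zone's DS RRset:
                            #   "present" - a DS exists, so signatures are expected below
                            #   "absent"  - a signed NSEC/NSEC3 proves there is no DS
                            #   "missing" - no DS and no verifiable proof of absence
    tampered: bool = False  # a middlebox stripped a signature or altered the data


def validate(chain: List[Zone], root_trust_anchor: bool = True) -> str:
    """Walk from the root trust anchor downwards and classify the answer."""
    if not root_trust_anchor:
        return INSECURE  # nothing is expected, so nothing can fail validation
    for depth, zone in enumerate(chain):
        if depth > 0:
            if zone.ds == "absent":
                # verified proof of no DS: the secure chain ends here, and data
                # below this cut is accepted without signatures (and unchecked)
                return INSECURE
            if zone.ds == "missing":
                # the validator still expects a chain but can prove neither
                # DS nor its absence: that is bogus, not insecure
                return BOGUS
        # from the anchor down to the first proven cut, every zone must be
        # signed and untouched; one stripped RRSIG or altered bit is enough
        if not zone.signed or zone.tampered:
            return BOGUS
    return SECURE


def respond(chain: List[Zone], cd_bit: bool = False,
            data: str = "192.0.2.1") -> Tuple[str, Optional[str], str]:
    """Return (rcode, answer, validation status) as the stub would see it."""
    status = validate(chain)
    if status == BOGUS and not cd_bit:
        return ("SERVFAIL", None, status)   # bogus data is withheld
    # CD set: the stub asked for unvalidated data and gets it, bogus or not
    return ("NOERROR", data, status)


def scenarios():
    """Constructed delegation chains for the cases discussed in the mail."""
    clean = [Zone("."), Zone("example."), Zone("www.example.")]
    unsigned_root = [Zone(".", signed=False), Zone("example.")]
    stripped_sig = [Zone("."), Zone("example."), Zone("www.example.", tampered=True)]
    insecure_cut = [Zone("."), Zone("example.", ds="absent"),
                    Zone("www.example.", signed=False, tampered=True)]
    return {
        "clean": respond(clean),
        "unsigned_root": respond(unsigned_root),
        "stripped_sig": respond(stripped_sig),
        "stripped_sig_cd": respond(stripped_sig, cd_bit=True),
        "insecure_cut": respond(insecure_cut),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:16} -> {result}")
```

The `insecure_cut` scenario is the flip side of the mail's point: once the validator has a verified proof that a delegation carries no DS, tampering below that cut is simply not detected, so the stub gets NOERROR with whatever arrived. Everything above such a cut, including the NSEC/NSEC3 proof itself, is covered by the "one teeny bit -> bogus -> SERVFAIL" rule, and only a CD query turns that SERVFAIL back into (unvalidated) data.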