In message <[email protected]>, Jaap Akkerhuis writes:
> <...>
> More pragmatically, while I understand the theory behind rejecting NTAs,
> I have to admit it feels a bit like the IETF rejecting NATs and/or DNS
> redirection. I would be surprised if folks who implement NTAs will stop
> using them if they are not accepted by the IETF.
>
> Doing the validation on my machine makes it easy for me to realize
> who to blame when things break but I realize others don't have that
> insight or run validators, so I see the pain for the validating
> ISP. However, it is still not a reason for the IETF to standardize
> this.
>
> (paf)
> > But, all of this thinking leads me to think about DNSSEC validation
> > "risks" are very similar to the risk with deploying IPv6?
> > We have an IPv6 day, but why not a DNSSEC day? One day where
> > *many* players at the same time turn on DNSSEC validation?
>
> (drc)
> Definitely a good idea.
>
> It is seems a nice idea but a problem is that a single day is
> probably not enough. IPv6 problems are (nearly) instantaneous but
> with DNSSEC problems start to arise when things expire.
>
> jaap
What one needs to do is validate answers from one's own zones
internally as well as answers from the rest of the world. That way
you detect when you have stuffed up as it affects you as well as
everyone else.
I've been running with a config like this for several months now. The
recursive clients see "ad". The non-recursive clients see the raw zone.
Mark
% dig drugs.dv.isc.org
; <<>> DiG 9.9.0rc2 <<>> drugs.dv.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36493
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drugs.dv.isc.org. IN A
;; ANSWER SECTION:
drugs.dv.isc.org. 2371 IN A 192.168.191.240
drugs.dv.isc.org. 2371 IN A 192.168.191.223
;; AUTHORITY SECTION:
dv.isc.org. 50822 IN NS bsdi1.dv.isc.org.
dv.isc.org. 50822 IN NS drugs.dv.isc.org.
;; ADDITIONAL SECTION:
drugs.dv.isc.org. 60 IN AAAA 2001:470:1f00:820:ea06:88ff:fef3:4f9c
drugs.dv.isc.org. 60 IN AAAA 2001:470:1f00:820:6233:4bff:fe01:7585
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 14 09:43:34 2012
;; MSG SIZE rcvd: 167
% dig drugs.dv.isc.org +norec
; <<>> DiG 9.9.0rc2 <<>> drugs.dv.isc.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48679
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drugs.dv.isc.org. IN A
;; ANSWER SECTION:
drugs.dv.isc.org. 3600 IN A 192.168.191.240
drugs.dv.isc.org. 3600 IN A 192.168.191.223
;; AUTHORITY SECTION:
dv.isc.org. 86400 IN NS bsdi1.dv.isc.org.
dv.isc.org. 86400 IN NS drugs.dv.isc.org.
;; ADDITIONAL SECTION:
bsdi1.dv.isc.org. 86400 IN A 192.168.191.233
drugs.dv.isc.org. 3600 IN AAAA 2001:470:1f00:820:6233:4bff:fe01:7585
drugs.dv.isc.org. 3600 IN AAAA 2001:470:1f00:820:ea06:88ff:fef3:4f9c
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 14 09:43:41 2012
;; MSG SIZE rcvd: 183
%
managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0
O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37N
ZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7
ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

view "secure" {
        match-clients { localnets; };
        match-recursive-only yes;
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone dv.isc.org {
                type static-stub;
                server-addresses { 127.0.0.1; };
        };
        zone "0.0.0.0.e.8.b.0.5.6.0.7.2.9.d.f.ip6.arpa" {
                type static-stub;
                server-addresses { 127.0.0.1; };
        };
};

view "internal" {
        match-clients { localnets; };
        recursion no;
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone dv.isc.org {
                type slave;
                file "slave/dv.isc.org";
                masters { bsdi.dv.isc.org; };
        };
        zone "0.0.0.0.e.8.b.0.5.6.0.7.2.9.d.f.ip6.arpa" {
                type slave;
                file "slave/0.0.0.0.e.8.b.0.5.6.0.7.2.9.d.f.ip6.arpa";
                masters { bsdi.dv.isc.org; };
        };
};
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
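As an added example (not code from Mark's post, nor from BIND), the two dig runs above turned into a check one could run from cron: parse dig's text output from the recursive view and from the non-recursive view, confirm that the validating answer is NOERROR with "ad" set, that the raw answer is "aa" without "ad", and that both views agree on the answer RRset. TTLs are deliberately left out of the comparison because the validating view answers from cache (2371 vs 3600 in the post). The sample outputs are constructed from the two queries in the post; the third sample, a SERVFAIL with no "ad", is a constructed picture of what the validating view returns once the zone's signatures have expired, which is the failure Jaap points out a single "DNSSEC day" would not surface. The `dig @127.0.0.1 name [+norec]` invocation in run_dig is an assumption about how the local named is reached.

```python
"""Check that a validating view proves data the same host serves raw.
Added example, not from the post or from BIND; sample dig outputs are
constructed from the queries shown in the post."""
import re
import subprocess
import sys
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


@dataclass
class DigResult:
    status: str = None
    flags: set = field(default_factory=set)
    answers: list = field(default_factory=list)  # (owner, ttl, class, type, rdata)


def parse_dig(text):
    """Pull status, header flags and ANSWER-section records out of dig output."""
    res = DigResult()
    section = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            res.status = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            res.flags = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # ANSWER, AUTHORITY, ADDITIONAL, ...
            continue
        if not line or line.startswith(";"):
            continue  # question, EDNS, statistics lines
        if section == "ANSWER":
            parts = line.split(None, 4)
            if len(parts) == 5:
                owner, ttl, cls, rtype, rdata = parts
                res.answers.append((owner, int(ttl), cls, rtype, rdata))
    return res


def rrset(result):
    """Owner/type/rdata only: cached TTLs count down, so they are not compared."""
    return sorted((o, t, d) for o, _ttl, _c, t, d in result.answers)


def check_own_zone(validating_out, authoritative_out):
    """Return a list of problems; empty means the validating view proved
    exactly what the raw zone contains."""
    v = parse_dig(validating_out)
    a = parse_dig(authoritative_out)
    problems = []
    if v.status != "NOERROR":
        problems.append(f"validating view returned {v.status} "
                        "(expired RRSIGs or a stale DS show up here first)")
    if "ad" not in v.flags:
        problems.append("validating view did not set 'ad': answer not proven")
    if "aa" not in a.flags:
        problems.append("non-recursive view did not answer authoritatively")
    if "ad" in a.flags:
        problems.append("non-recursive view set 'ad'; it should serve the raw zone")
    if rrset(v) != rrset(a):
        problems.append("answer RRsets differ between validating and raw views")
    return problems


def run_dig(name, *opts, server="127.0.0.1"):
    """Assumed invocation: dig against the local named, default text output."""
    cmd = ["dig", f"@{server}", name, *opts]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def live_check(name, server="127.0.0.1"):
    """Recursive query hits the validating view; +norec hits the raw one."""
    return check_own_zone(run_dig(name, server=server),
                          run_dig(name, "+norec", server=server))


# Constructed samples, trimmed from the post's two dig runs.
SAMPLE_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36493
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;drugs.dv.isc.org.   IN   A

;; ANSWER SECTION:
drugs.dv.isc.org.   2371   IN   A   192.168.191.240
drugs.dv.isc.org.   2371   IN   A   192.168.191.223

;; AUTHORITY SECTION:
dv.isc.org.   50822   IN   NS   bsdi1.dv.isc.org.
"""
SAMPLE_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48679
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; ANSWER SECTION:
drugs.dv.isc.org.   3600   IN   A   192.168.191.240
drugs.dv.isc.org.   3600   IN   A   192.168.191.223
"""
# Constructed: what the validating view returns after the RRSIGs expire.
SAMPLE_EXPIRED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else None
    probs = live_check(name) if name else check_own_zone(SAMPLE_VALIDATING, SAMPLE_AUTHORITATIVE)
    for p in probs:
        print("PROBLEM:", p)
    sys.exit(1 if probs else 0)
```

Run it as `python3 check.py drugs.dv.isc.org` against a host configured like the one above; with no argument it checks the embedded samples. Exit status 1 on any problem makes it usable as a cron or Nagios-style probe, and because the same host is both the validator and the slave, a failure is yours to fix before the rest of the world notices.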
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop