Re: [DNSOP] CDS/CDNSKEY RRSet authentication

2017-07-29 Thread Mark Andrews
In message , Tony Finch writes: > I think I have spotted a lacuna or possibly erratum in RFC 7344. > > In section 4.1 bullet 2 it says: > >o Signer: MUST be signed with a key that is represented in both the > current DNSKEY and

Re: [DNSOP] CDS/CDNSKEY RRSet consistency

2017-07-29 Thread Tony Finch
Another one: It isn't clear to me if the preamble paragraphs in RFC 7344 section 4 are supposed to describe requirements on the publisher or the processor or both. In particular, is the parental agent supposed to check this? - If the Child

[DNSOP] CDS/CDNSKEY RRSet authentication

2017-07-29 Thread Tony Finch
I think I have spotted a lacuna or possibly erratum in RFC 7344. In section 4.1 bullet 2 it says: o Signer: MUST be signed with a key that is represented in both the current DNSKEY and DS RRsets, unless [unusual case] This allows a setup where * the DNSKEY RRset contains a ZSK and a

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

2017-07-29 Thread Joe Abley
Hi Shane, On Jul 29, 2017, at 09:05, Shane Kerr wrote: > I guess that I understand your concern, but we don't have any way to > authenticate servers in DNS today and we already send error messages back. > > I'm happy with error codes that are informational, but

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

2017-07-29 Thread Francis Dupont
+1 (in favor) francis.dup...@fdupont.fr ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

2017-07-29 Thread Tony Finch
神明達哉 wrote: > > - One possible idea of another extended error code: one that indicates > a type-ANY query is responded with just one type of RRset when there > can be more. Note that it is almost always the case that ANY answers from non-authoritative servers are a subset

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

2017-07-29 Thread Shane Kerr
I guess that I understand your concern, but we don't have any way to authenticate servers in DNS today and we already send error messages back. I'm happy with error codes that are informational, but don't change client behavior. Yes, I realize that users may be tricked, but that's also the

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

2017-07-29 Thread Paul Wouters
This starts a Call for Adoption for draft-wkumari-dnsop-extended-error I have reviewed the draft, and while I think it could be useful, I'm seriously worried about sending unauthenticated errors back to the user, and fear that software will start using these without first validating the