[dns-operations] Online DNSSEC debugging tool now available

bmanning at vacation.karoshi.com
Mon Jul 19 15:04:36 UTC 2010


On Mon, Jul 19, 2010 at 09:52:13AM -0400, Andrew Sullivan wrote:
> On Sun, Jul 18, 2010 at 05:15:37AM +0000, bmanning at vacation.karoshi.com wrote:
> 
> > 	I guess the reason that you think that trusting the closest enclosing key is wrong
> > 	is that we may have some divergent views on the use of the term "closest"...
> > 	Are you thinking that it's wrong to trust a key closest to the validator or closest to
> > 	the root?
> 
> I was avoiding the term "closest enclosing" exactly because that's
> already got some other uses, but my point is that certain
> implementations prefer the most specific key -- that is, the one
> closer in the tree to the domain to be validated -- to the exclusion
> of other keys.  Suppose one is trying to validate www.example.org and
> one has two trust anchors configured: the one for . and the one for
> .org.  In some deployed validators, the TA for .org will be used and
> the one for . will not be, _even if_ the path from . validates
> successfully and the path from the .org TA does not.


	I am having some trouble visualising this example, in part
	because I don't know where the one trying to validate is coming from.

	if the origin of the validation request (the I in "I want to 
	validate www.example.org") is laptoy.example.org, then I 
	can't see how the TA for . would validate and the TA for .org would
	not.

	additionally, if the origin of the validation request is laptoy.example.NET,
	then the "closest" TA for www.example.org would not be the TA for .org,
	it would be the TA for .  -- right?  (the iterative/recursive mode of DNS tree walking)

	under what construct would your example exist?

--bill


> 
> In my reading of the RFCs, the above interpretation is at least
> strained.  I suppose it is reasonable to be able to configure such an
> arrangement, but in my opinion it is just wrong as the default.
> 
> In particular, I note downthread you talk about "degrees of trust".
> In my reading, the very idea of degrees of trust is foreign to the
> DNSSEC scheme.  If degrees of trust were something people had really
> wanted, it should have been possible to set bits to indicate such
> trust degrees for a given trust anchor.  It certainly should not be a
> consequence of some other property.
> 
> Best,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs at shinkuro.com
> Shinkuro, Inc.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
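
The scenario Andrew describes above (two configured trust anchors, one at . and one at .org, with some validators using only the more specific one even when the path from . would validate) can be modelled without any cryptography. The following toy simulation is an added example for this archive page; it is not code from the thread, from the tool announced in the subject line, or from any real validator. The zone tree, key tags (1001, 2002, 3003, 9999) and DS links are constructed, and "key tag in the DNSKEY set / DS matches a child key" stands in for the real signature checks. The two policy functions are labelled as the behaviours discussed in the message, not as the logic of any named implementation.

```python
"""Toy model of DNSSEC chain-of-trust validation with several trust anchors.

Constructed example: key tags are arbitrary integers, a "match" means the tag
is present in the child's DNSKEY set, and no real signatures are checked.
"""

from dataclasses import dataclass, field


@dataclass
class Zone:
    dnskey_tags: set                         # key tags published in the zone's DNSKEY RRset
    ds_tags: dict = field(default_factory=dict)   # child zone name -> key tag carried in the DS


# Constructed tree: . -> org. -> example.org., each DS pointing at the child's current key.
ZONES = {
    ".": Zone({1001}, {"org.": 2002}),
    "org.": Zone({2002}, {"example.org.": 3003}),
    "example.org.": Zone({3003}),
}


def enclosing_zones(name):
    """Zones that enclose `name`, most specific first (example.org., org., .)."""
    labels = name.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
    return [z for z in candidates if z in ZONES]


def chain_from(anchor_zone, anchor_tag, name):
    """Walk DS -> DNSKEY links from one trust anchor down to the zone holding `name`.

    Returns True if every link holds, False if the anchor does not match the
    zone's published keys or any DS fails to match the child's DNSKEY set.
    """
    path = enclosing_zones(name)
    if anchor_zone not in path:
        return False
    path = path[path.index(anchor_zone)::-1]   # anchor zone first, then downwards
    # The anchor must match a key the zone actually publishes (a stale TA fails here).
    if anchor_tag not in ZONES[path[0]].dnskey_tags:
        return False
    for parent, child in zip(path, path[1:]):
        ds_tag = ZONES[parent].ds_tags.get(child)
        if ds_tag is None or ds_tag not in ZONES[child].dnskey_tags:
            return False
    return True


def validate_most_specific(anchors, name):
    """Policy described in the thread: use only the TA closest to the name,
    to the exclusion of any other configured anchor.

    Returns True (secure), False (bogus) or None (no covering anchor)."""
    for zone in enclosing_zones(name):
        if zone in anchors:
            return chain_from(zone, anchors[zone], name)
    return None


def validate_any_anchor(anchors, name):
    """Alternative policy: secure if any covering anchor yields a valid chain."""
    covering = [z for z in enclosing_zones(name) if z in anchors]
    if not covering:
        return None
    return any(chain_from(z, anchors[z], name) for z in covering)


# Constructed anchors: the current root key plus a stale .org key (9999) that
# the org. zone no longer publishes, e.g. a locally configured TA never rolled.
ANCHORS = {".": 1001, "org.": 9999}

if __name__ == "__main__":
    name = "www.example.org."
    print("most-specific-only:", validate_most_specific(ANCHORS, name))   # False: bogus
    print("any-anchor:        ", validate_any_anchor(ANCHORS, name))      # True: secure
```

With the stale .org anchor configured, the most-specific-only policy returns bogus for www.example.org even though the chain from the root anchor is intact; the any-anchor policy returns secure. Dropping the .org anchor, or replacing it with the key org. actually publishes (2002), makes both policies agree.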


