[dns-operations] .mm off the air for anyone who validates

Vernon Schryver vjs at rhyolite.com
Fri Jan 18 23:19:02 UTC 2013


> From: Mark Andrews <marka at isc.org>

> sign the zone two weeks ago they should have gone insecure by having
> the DS records pulled from the root.  There is no valid excuse for
> letting your zone go to invalid.

That's as true as saying there's no valid excuse for making any error.
A better way to state that truth is that excuses are irrelevant except
to judges delivering sentences, and DNS clients aren't judges.

As far as DNS clients are concerned, either the DNSSEC chain is valid or
they have a sign of evil.  Maybe bad guys are doing something that
depends on preventing the publication of new DNSSEC RRs.  Maybe it's
some kind of replay attack to allow exploiting a DANE TLSA cert whose
private key has been compromised.


> > I think this comes under "be liberal in what you accept."
>
> No it doesn't.

Indeed, "be liberal in what you accept" generally never has applied and should
not apply to security.  Who is liberal enough to accept passwords that
are 90% right and public keys that were revoked only 10% of something
ago?  Should it be enough that 90% of a DNSSEC chain verifies?  Expired
keys are not the same as signatures that don't verify, but the principle
is the same.  Either the chain is valid, or all of the security proofs
that depend on it are invalid.


Vernon Schryver    vjs at rhyolite.com
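The all-or-nothing rule the post describes, written out as a validator would apply it. This is an added example, not code from the post or from any resolver; it uses only the Python standard library. The DNSKEY RDATA, zone names, trust-anchor digest and RRSIG validity dates are constructed for illustration (the "now" is the date of the post), and the one step a real validator performs that this block does not is the public-key signature verification itself, which the standard library has no RSA/ECDSA for; the comment in `validate_chain` marks that assumption. What it does implement faithfully is the RFC 4034 DS digest over owner name plus DNSKEY RDATA, the RFC 4034 section 3.1.5 validity-window test with RFC 1982 serial arithmetic, and the chain walk that returns bogus on the first bad link, however many links would have passed.

```python
import hashlib
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF


def name_to_wire(name):
    """Owner name in canonical DNS wire form (lowercased labels, RFC 4034 s6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest_sha256(owner, dnskey_rdata):
    """RFC 4034 s5.1.4: DS digest type 2 is SHA-256(owner wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata).hexdigest().upper()


def parse_rrsig_time(text):
    """RFC 4034 s3.1.5: presentation form is YYYYMMDDHHmmSS (UTC) or a bare
    decimal seconds-since-epoch; on the wire the field is 32 bits."""
    text = text.strip()
    if len(text) == 14 and text.isdigit():
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) & MASK32
    if text.isdigit():
        return int(text) & MASK32
    raise ValueError("bad RRSIG time: %r" % text)


def serial_le(a, b):
    """RFC 1982 serial-number 'a <= b' on 32-bit values, so a signature whose
    expiration has wrapped past 2**32 is still compared correctly."""
    return a == b or ((b - a) & MASK32) < 0x80000000


def validate_chain(chain, now):
    """Walk the chain from the trust anchor downwards.  Each link is a dict:
    zone, dnskey (RDATA bytes), ds_from_parent (hex digest the parent published,
    or the locally configured trust anchor for the root), inception, expiration
    (RRSIG times of the DNSKEY RRset).  The first failing link makes the whole
    answer bogus; there is no partial credit for the links above or below it."""
    for link in chain:
        zone = link["zone"]
        if ds_digest_sha256(zone, link["dnskey"]) != link["ds_from_parent"].upper():
            return ("bogus", "%s: DNSKEY does not match DS/trust anchor" % zone)
        inception = parse_rrsig_time(link["inception"])
        expiration = parse_rrsig_time(link["expiration"])
        if not serial_le(inception, now):
            return ("bogus", "%s: RRSIG not yet valid" % zone)
        if not serial_le(now, expiration):
            return ("bogus", "%s: RRSIG expired" % zone)
        # Assumption: the cryptographic check of the RRSIG over the DNSKEY RRset
        # (RSA/ECDSA, not in the standard library) has been done by a separate
        # crypto layer before this function is called.  An expired signature is
        # rejected here even if that check would succeed, which is the post's point.
    return ("secure", None)


# Constructed inputs: the post's date as "now", placeholder DNSKEY RDATA
# (flags, protocol, algorithm, then junk bytes), not real keys.
NOW = parse_rrsig_time("20130118231902")
ROOT_KEY = b"\x01\x01\x03\x08" + b"root-ksk-placeholder"
MM_KEY = b"\x01\x01\x03\x08" + b"mm-ksk-placeholder"
EX_KEY = b"\x01\x01\x03\x08" + b"example-mm-ksk-placeholder"


def build_chain(mm_expiration):
    """Root -> mm. -> example.mm. with consistent DS digests; only the mm. RRSIG
    expiration varies so the two outcomes below can be compared."""
    return [
        {"zone": ".", "dnskey": ROOT_KEY,
         "ds_from_parent": ds_digest_sha256(".", ROOT_KEY),  # trust anchor
         "inception": "20130101000000", "expiration": "20130201000000"},
        {"zone": "mm.", "dnskey": MM_KEY,
         "ds_from_parent": ds_digest_sha256("mm.", MM_KEY),
         "inception": "20121220000000", "expiration": mm_expiration},
        {"zone": "example.mm.", "dnskey": EX_KEY,
         "ds_from_parent": ds_digest_sha256("example.mm.", EX_KEY),
         "inception": "20130110000000", "expiration": "20130210000000"},
    ]


def mm_expired():
    """The mm. DNSKEY RRSIG lapsed two weeks before NOW; root and the child
    zone are fine, and the answer is still bogus."""
    return validate_chain(build_chain("20130104000000"), NOW)


def mm_resigned():
    """Same chain once mm. publishes a fresh RRSIG."""
    return validate_chain(build_chain("20130201000000"), NOW)


if __name__ == "__main__":
    print(mm_expired())    # ('bogus', 'mm.: RRSIG expired')
    print(mm_resigned())   # ('secure', None)
```

Two of the three links in the expired case are perfectly good, which is the "90% of a DNSSEC chain verifies" situation; the validator still answers bogus, and the only ways out are the ones the thread names: publish valid signatures or have the DS pulled from the parent so the zone becomes insecure rather than invalid.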



More information about the dns-operations mailing list