Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled

[Florian Weimer <fweimer at redhat dot com>]

On 02/23/2015 04:30 PM, Carlos O'Donell wrote:
> Just to be clear, you mean to say:
> 
> * The DO bit was reused in DNSSECbis.

Yes.

> * DNSSECbis itself is changed significantly from DNSSEC.
> 
> 	- Uses new RRs.

Right.

> 	- Should not confuse NSEC3-unaware resolvers.

That would be “old DNSSEC-aware resolvers” (NSEC3 came later).

> 	- Should not cause NSEC-aware resolvers to mark
> 	  NSEC3-aware systems from being marked as invalid
> 	  signatures.

In DNSSEC terminology, DNSSECbis-signed zones should be marked as
Insecure (unsigned) by DNSSEC-gold (the original standard)-aware
resolvers.  I.e., they would still return data to clients, but wouldn't
indicate it is signed.  The other implementation choice would have been
claim there has been an attack and not return any data.  (In practice,
there were bugs here, same thing happened with NSEC3.)

> * The semantics of the DO bit remain roughly the same.

That depends what the semantics are.  If “DO” means “DNSSEC OK”, then
the semantics did change significantly.  If it means “you can send along
random garbage, and I will cope”, semantics remained unchanged.

> * The DO bit can continue to be used as expected.

Yes, this mostly worked.  The interop failure (Insecure vs Bogus) was
not caused by DO interpretation conflicts.

-- 
Florian Weimer / Red Hat Product Security