Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled

On 02/23/2015 10:36 AM, Florian Weimer wrote:
>> 	- Should not cause NSEC-aware resolvers to mark
>> 	  NSEC3-aware systems from being marked as invalid
>> 	  signatures.
> In DNSSEC terminology, DNSSECbis-signed zones should be marked as
> Insecure (unsigned) by DNSSEC-gold (the original standard)-aware
> resolvers.  I.e., they would still return data to clients, but wouldn't
> indicate it is signed.  The other implementation choice would have been
> claim there has been an attack and not return any data.  (In practice,
> there were bugs here, same thing happened with NSEC3.)

>> * The semantics of the DO bit remain roughly the same.
> That depends what the semantics are.  If “DO” means “DNSSEC OK”, then
> the semantics did change significantly.  If it means “you can send along
> random garbage, and I will cope”, semantics remained unchanged.

Why? The original RFC says simply that the DO bit means "can accept DNSSEC
security RRs" but says nothing about needing to understand them.

>> * The DO bit can continue to be used as expected.
> Yes, this mostly worked.  The interop failure (Insecure vs Bogus) was
> not caused by DO interpretation conflicts.
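The DO bit the thread argues over is a single flag in the EDNS0 OPT pseudo-RR (RFC 3225, RFC 6891); as an added example, not code from this thread, here is how it is encoded on the wire and how a responder acts on it using the DNSSEC record types from RFC 4034/5155 (RRSIG 46, NSEC 47, NSEC3 50):

```python
import struct

# "DNSSEC OK": the top bit of the 16-bit extended flags inside the OPT RR's TTL field.
DO_BIT = 0x8000
OPT_TYPE = 41
# RR types a responder adds to answers only for DO clients (RFC 3225 sec. 3).
DNSSEC_RR_TYPES = {46, 47, 50}  # RRSIG, NSEC, NSEC3

def build_opt_rr(udp_payload_size=4096, do=True):
    """Build an EDNS0 OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    TTL reused as EXTENDED-RCODE(8) | VERSION(8) | flags(16), empty RDATA."""
    ext_rcode, version = 0, 0
    flags = DO_BIT if do else 0
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)

def parse_opt_rr(rr):
    """Return (udp_payload_size, edns_version, do_flag) from a raw OPT RR."""
    if rr[0:1] != b"\x00":
        raise ValueError("OPT RR must be owned by the root name")
    rtype, payload, ttl, _rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    version = (ttl >> 16) & 0xFF
    return payload, version, bool(ttl & DO_BIT)

def dnssec_ok(additional_rrs):
    """DO means only "I can accept DNSSEC security RRs" (RFC 3225), nothing about
    validating them. No OPT RR at all means no EDNS, hence DO is not set."""
    for rr in additional_rrs:
        try:
            _, _, do = parse_opt_rr(rr)
            return do
        except ValueError:
            continue
    return False

def select_answer_rrs(answer_rrs, do):
    """Responder side: (name, rtype) pairs, keeping RRSIG/NSEC/NSEC3 only for DO
    clients. Non-DO clients still get the plain data, just without signatures,
    which is the "Insecure, not Bogus" outcome the thread describes."""
    return [(name, rtype) for (name, rtype) in answer_rrs
            if do or rtype not in DNSSEC_RR_TYPES]

# Constructed sample: a query carrying OPT with DO set, and a signed answer set.
SAMPLE_QUERY_ADDITIONAL = [build_opt_rr(1232, do=True)]
SAMPLE_ANSWER = [("example.", 1), ("example.", 46), ("example.", 47)]
```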
