From: Simon Kelley <simon@thekelleys.org.uk>
To: Dave Taht <dave.taht@gmail.com>, Jim Gettys <jg@freedesktop.org>,
dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
"cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Thu, 01 May 2014 19:37:21 +0100 [thread overview]
Message-ID: <53629461.6020500@thekelleys.org.uk> (raw)
In-Reply-To: <CAA93jw7O8btE9nUuRVJpcU+QVyENRv5mAFax5BCwdk3pR0QvRw@mail.gmail.com>
On 30/04/14 18:26, Dave Taht wrote:
> On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
> <cerowrt-devel+phil@spodhuis.org> wrote:
>> On 2014-04-29 at 14:22 +0100, Simon Kelley wrote:
>>> secure no DS means that the original unsigned answer should be accepted,
>>> except that it shouldn't. There's no way to distinguish between secure
>>> lack of DS because we've reached an unsigned branch of the tree, and
>>> secure lack of DS because we're not at a zone cut, except if we know
>>> where the zone cuts are, and we don't.
>>
>> Fair point.
>>
>>> That's why dnsmasq works up from the bottom. The first secure no-DS
>>> answer we find marks the boundary between signed and unsigned tree.
>>>
>>> Dnsmasq is acting as a validating stub resolver here. That's a supported
>>> role for DNSSEC, so this must be possible. If it's not then we have a
>>> standards problem.
>>
>> You have a standards vs reality problem: lots of loadbalancer appliances
>> suck at DNS and are only just now managing to return errors, instead of
>> dropping the query (hanging), when queried for AAAA records instead of A
>> records.
>>
>> ( This has led to no end of pain in the IPv6 world; Happy Eyeballs,
>> expectations around improved _client_ behaviour, handle other parts of
>> the puzzle and tends to require the concurrency that a client also
>> needs to handle DNS problems, but it's still distinct. )
>>
>> You're not going to get such loadbalancers responding sanely to a DS
>> query any time soon, and with the other DNS client software all being
>> recursors which work fine because they know where zone cuts are, you're
>> going to be fighting a long hard battle with vendors and sites to get
>> them to fix their brokenness when "it works for everyone else".
>>
>> So the standards 100% support what you're doing, but they don't match
>> common stupidity in deployed (high end, expensive) equipment.
>
> The only idea I have is to adopt some sort of whitelisting technology,
> and simultaneously nag the folk with busted implementations.
>
>>
>> To support DNSSEC in the real world without changing from being a
>> forwarder, you're going to need new insight. My only thoughts are
>> around whether or not this might provide impetus for TKEY-based TSIG for
>> forwarders to establish trust links to recursors elsewhere, in which
>> case once you have a TSIG key (whether TKEY-derived or OOB manual) then
>> you might delegate trust to the remote recursor.
>
> I see there have been a few commits to dnsmasq that address some stuff.
>
>>
>> Sorry to be the bearer of bad news,
>
> I'm delighted to have got this far.
>
> Is the consensus to not run with negative proofs on at this juncture?
If you want stuff to just work, turn off negative proofs, if you want to
push the envelope, leave them on and complain to domain-admins.
I had some feeling that something like this might be a problem, hence
the discrete controls.
Cheers,
Simon
>
>> -Phil
>
>
>
next prev parent reply other threads:[~2014-05-01 18:37 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 16:55 [Cerowrt-devel] " Jim Gettys
2014-04-28 17:03 ` Dave Taht
2014-04-28 18:37 ` Dave Taht
2014-04-28 18:56 ` Dave Taht
2014-04-28 19:32 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-28 19:45 ` Aaron Wood
2014-04-28 23:24 ` Phil Pennock
2014-04-29 13:22 ` Simon Kelley
2014-04-29 20:57 ` Phil Pennock
2014-04-30 17:26 ` Dave Taht
2014-05-01 18:37 ` Simon Kelley [this message]
2014-05-01 20:26 ` Rich Brown
2014-05-01 22:27 ` Dave Taht
2014-05-02 14:30 ` Sebastian Moeller
2014-05-01 18:35 ` Simon Kelley
2014-05-02 16:40 ` James Cloos
2014-10-03 9:28 ` [Cerowrt-devel] " Anders Kaseorg
2014-10-03 17:28 ` Valdis.Kletnieks
2014-10-03 21:35 ` Anders Kaseorg
2014-10-04 21:45 ` Anders Kaseorg
2015-01-08 16:34 ` Simon Kelley
2015-01-08 17:44 ` Dave Taht
2015-01-08 18:07 ` Simon Kelley
2015-01-08 19:52 ` Dave Taht
2015-01-09 8:52 ` Dave Taht
2015-01-09 15:36 ` Simon Kelley
2015-01-09 16:49 ` Simon Kelley
2015-01-09 21:34 ` Dave Taht
2015-01-10 15:37 ` Simon Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53629461.6020500@thekelleys.org.uk \
--to=simon@thekelleys.org.uk \
--cc=Dnsmasq-discuss@lists.thekelleys.org.uk \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
--cc=jg@freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox