Date: Fri, 3 Oct 2014 17:35:08 -0400 (EDT)
From: Anders Kaseorg
To: Valdis.Kletnieks@vt.edu
Cc: cerowrt-devel@lists.bufferbloat.net, dnsmasq-discuss@thekelleys.org.uk
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <47625.1412357285@turing-police.cc.vt.edu>
References: <535EACCB.7090104@thekelleys.org.uk> <20140428232459.GA55372@redoubt.spodhuis.org> <535FA793.8020502@thekelleys.org.uk> <542E6C43.9030002@mit.edu> <47625.1412357285@turing-police.cc.vt.edu>

On Fri, 3 Oct 2014, Valdis.Kletnieks@vt.edu wrote:
> On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:
> > This bottom-up algorithm also seems to have a security problem that's
> > just as bad as one with the top-down algorithm that you rejected
> > below. Consider the same department.campus.university.edu example,
> > where campus and edu are signed zones, and university is not a zone.
>
> This issue is why trust anchors were devised so people could start
> deploying DNSSEC before stuff like .COM got signed.

No, you're misreading. Trust anchors address the case where
campus.university.edu is a signed zone and university.edu is an unsigned
zone. We're talking about the case where university.edu is not a zone at
all, so that campus.university.edu is served directly from the edu zone.

Obviously this won't happen at the real edu zone, but real examples exist:
env.state.ma.us, state.ma.us, us are signed zones, and ma.us is not a
zone.

Anders
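An added example, not code from the thread or from dnsmasq: an offline Python model of the distinction drawn above, with the correct zone-cut walk beside a flawed one that reads every label lacking a DS as an unsigned zone. The DELEGATIONS and DS_PRESENT sets and the name unsigned.us are constructed; the sets stand in for the NSEC/NSEC3 proofs a real validator uses to establish whether NS and DS records exist at a name.

```python
# Added example (not the thread's or dnsmasq's code): offline model of the
# zone-cut walk a DNSSEC validator does before deciding whether a name is
# covered by the chain of trust. All record sets are constructed; a real
# validator gets the same facts from NSEC/NSEC3 proofs of NS and DS presence.

# Names for which the parent zone holds an NS set, i.e. real zone cuts.
DELEGATIONS = {"us", "state.ma.us", "env.state.ma.us", "unsigned.us"}
# Names for which the parent zone also publishes a DS record.
DS_PRESENT = {"us", "state.ma.us", "env.state.ma.us"}
# "ma.us" is in neither set: it is just a label inside the "us" zone, so
# state.ma.us is served directly from "us", as in the thread's example.

def ancestors_top_down(name: str):
    """Yield 'us', 'ma.us', 'state.ma.us', ... for a dotted name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])

def chain_status(name: str) -> str:
    """Correct walk: only a proven delegation without a DS breaks the chain.

    A label with no NS set (and hence no DS) is not a zone cut; the name is
    still served, and signed, by the enclosing zone, so keep walking."""
    status = "secure"          # "us" is assumed to be a configured trust anchor
    for candidate in ancestors_top_down(name):
        if candidate not in DELEGATIONS:
            continue           # not a zone cut: stay inside the current zone
        if candidate in DS_PRESENT:
            status = "secure"  # signed child linked to its parent by a DS
        else:
            return "insecure"  # unsigned child: everything below is unsigned
    return status

def naive_status(name: str) -> str:
    """Flawed walk: treats any label without a DS as an unsigned zone.

    This is the confusion the thread describes: "ma.us has no DS" is read as
    "ma.us is an unsigned zone", and the signed state.ma.us below it, together
    with env.state.ma.us, is wrongly downgraded to insecure."""
    for candidate in ancestors_top_down(name):
        if candidate not in DS_PRESENT:
            return "insecure"
    return "secure"

if __name__ == "__main__":
    for n in ("env.state.ma.us", "host.state.ma.us", "www.unsigned.us"):
        print(f"{n:18} correct={chain_status(n):8} naive={naive_status(n)}")
```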