Date: Sat, 4 Oct 2014 17:45:46 -0400 (EDT)
From: Anders Kaseorg
To: Simon Kelley
In-Reply-To: <542E6C43.9030002@mit.edu>
References: <535EACCB.7090104@thekelleys.org.uk> <20140428232459.GA55372@redoubt.spodhuis.org> <535FA793.8020502@thekelleys.org.uk> <542E6C43.9030002@mit.edu>
Cc: dnsmasq-discuss@thekelleys.org.uk, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

On Fri, 3 Oct 2014, Anders Kaseorg wrote:
> > secure no DS means that the original unsigned answer should be
> > accepted, except that it shouldn't. There's no way to distinguish
> > between secure lack of DS because we've reached an unsigned branch of
> > the tree, and secure lack of DS because we're not at a zone cut,
> > except if we know where the zone cuts are, and we don't.
>
> Having just looked through RFC 5155 for clues: isn't that the purpose of
> the NS type bit in the NSEC3 record? In this example, DS university
> would give an NSEC3 record with the NS bit clear. That signals that we
> should go down a level and query DS campus. In this case we find a
> signed DS there. But if we were to find an NSEC3 with the NS bit set,
> then we'd know that we've really found an unsigned zone and can stop
> going down.

Aha: and this is exactly the answer given at
http://tools.ietf.org/html/rfc6840#section-4.4 .

Anders
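Added example (my own illustration, not code from dnsmasq or from anyone in this thread) of the rule the message points at: walk down a name one label at a time asking for DS, and read the NSEC3 type bit map of a validated "no DS" answer to tell a real insecure delegation (NS bit set, DS and SOA bits clear) from a name that simply is not a zone cut (NS bit clear), which is what RFC 6840 section 4.4 requires. The names (university.example, campus.university.example, unsigned.example, optout.example) and the answers returned by constructed_oracle are constructed for the demonstration and are not real zone data; the bit-map encoding follows RFC 4034 section 4.1.2.

```python
"""Added example, not dnsmasq code: classify validated negative DS answers by
their NSEC3 type bit map, as RFC 6840 s4.4 requires, and walk a name down to
find whether it is secure, insecure or bogus."""
from typing import Callable, Optional, Set, Tuple

# RR type codes (IANA registry) used in the bit maps below.
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY = 1, 2, 6, 43, 46, 48


def parse_type_bitmap(data: bytes) -> Set[int]:
    """Decode an NSEC/NSEC3 Type Bit Maps field (RFC 4034 s4.1.2 wire format):
    blocks of (window, length, bitmap); type T is bit (T & 0xFF) of window
    T >> 8, bit 0 being the most significant bit of the first byte."""
    types: Set[int] = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        bitmap = data[pos + 2:pos + 2 + length]
        if not 1 <= length <= 32 or len(bitmap) != length:
            raise ValueError("bad bitmap length")
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (byte_index * 8 + bit))
        pos += 2 + length
    return types


def build_type_bitmap(types: Set[int]) -> bytes:
    """Inverse of parse_type_bitmap; used only to construct the sample answers."""
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) // 8] |= 0x80 >> ((t & 0xFF) % 8)
        length = max(i for i, b in enumerate(bits) if b) + 1
        out += bytes([window, length]) + bits[:length]
    return bytes(out)


def classify_ds_denial(matching_types: Optional[Set[int]],
                       covering_opt_out: bool = False) -> str:
    """Interpret a validated negative DS answer for one name.

    matching_types: bit map of the NSEC3 RR that matches the name (None if no
    NSEC3 matches it); covering_opt_out: an Opt-Out NSEC3 covers the name.
      "insecure_delegation": a real zone cut with no DS; stop descending and
                             treat data below it as insecure (accepted unsigned)
      "not_a_zone_cut":      the name lies inside the signed parent; ask for
                             DS one label further down
      "bogus":               DS or SOA bit set, or no matching/Opt-Out NSEC3
    Without the NS check an attacker could replay the NSEC3 of an ordinary
    signed name to pass off a forged unsigned delegation at that name."""
    if matching_types is None:
        return "insecure_delegation" if covering_opt_out else "bogus"
    if TYPE_DS in matching_types or TYPE_SOA in matching_types:
        return "bogus"
    if TYPE_NS in matching_types:
        return "insecure_delegation"
    return "not_a_zone_cut"


# A DS answer is ("ds",) for a signed DS RRset, or
# ("nsec3", bitmap_bytes_or_None, covering_opt_out) for a validated denial.
def walk_delegations(qname: str, ds_oracle: Callable[[str], Tuple]) -> str:
    """Query DS at each label from the TLD down to qname (the root is the trust
    anchor) and return "secure", "insecure" or "bogus" for qname."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        answer = ds_oracle(".".join(labels[i:]))
        if answer[0] == "ds":
            continue  # signed delegation: the child is secure, keep descending
        _, bitmap, opt_out = answer
        types = parse_type_bitmap(bitmap) if bitmap is not None else None
        verdict = classify_ds_denial(types, opt_out)
        if verdict == "not_a_zone_cut":
            continue
        return "insecure" if verdict == "insecure_delegation" else "bogus"
    return "secure"


# Constructed answers (hypothetical names, not real zone data) following the
# thread's example: university.example is a plain name inside the signed
# "example" zone and campus.university.example is a signed delegation.
CONSTRUCTED_DS_ANSWERS = {
    "example": ("ds",),
    "university.example": ("nsec3", build_type_bitmap({TYPE_A, TYPE_RRSIG}), False),
    "campus.university.example": ("ds",),
    "host.campus.university.example": ("nsec3", build_type_bitmap({TYPE_A, TYPE_RRSIG}), False),
    "unsigned.example": ("nsec3", build_type_bitmap({TYPE_NS}), False),
    "optout.example": ("nsec3", None, True),
}


def constructed_oracle(zone: str) -> Tuple:
    return CONSTRUCTED_DS_ANSWERS[zone]


if __name__ == "__main__":
    for n in ("host.campus.university.example", "www.unsigned.example", "www.optout.example"):
        print(n, "->", walk_delegations(n, constructed_oracle))
```

The walk stops descending only when the matching NSEC3 carries the NS bit (or an Opt-Out NSEC3 covers the name); an NSEC3 matching a name with, say, A and RRSIG types makes the validator ask for DS one label further down instead of accepting the name as an unsigned zone.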