[Dnssec-deployment] In-band DNSSEC explanations was Re: Analysis of NASA.GOV...
paul at redbarn.org
Mon Feb 6 20:56:22 EST 2012
On 2/6/2012 6:32 PM, Michael StJohns wrote:
> I actually considered a similar approach as a way of getting some of the "benefits" of SiteFinder without actually breaking the model. Basically, if a server would send a "NXDOMAIN" it could also send - in the additional section - an ALT record suggesting a mapping from the name asked to an existent name. Doesn't have to be signed as it's a meta record. This puts the burden on the receiving end to decide whether to pursue the other name (e.g. via a pop up controlled by your browser, and ignored by things like email servers).
i've been proposing something like this as part of a last-mile dnssec
package, but as a policy based record not an alternative record. that
is, we want to express not only that it is an alternative but also the
server's reason for sending it. and, it must be signed, or it functions
as a downgrade vector. and, the signature must be from the server, so
SIG(0) or similar. happy to discuss further but maybe we need a new
thread if we do. and maybe on dnsext@ not here.
> For the validation error stuff, probably also a meta record in the additional section. I don't think the issues with size apply as the return is probably pretty tiny - unless you actually sign it. (But that return would need to be signed not by a zone originator, but by the server/resolver which leads you to a whole other set of problems with respect to how you find the keys to do chain validation).
i don't think an extended error indicator needs to be signed since it's
not actionable, merely informative.
> With respect to the set of error messages - we figure them out and figure out which ones need additional info (like "failed to get the DNSKEY for zone foo.com"), and define the error set. Add an "other error, not further described" and you're pretty much done.
i agree with this but also with marka -- there's a set of errors not a
singular error when something does not validate.
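As an added illustration of the policy split discussed above (not code from this thread or from any DNS implementation): a constructed NXDOMAIN reply carrying a hypothetical ALT hint and a hypothetical extended-error record in the additional section, and a client that uses the error text as-is but follows the ALT hint only when the server's transaction signature verifies. The RR type numbers are invented private-use values, and an HMAC with a shared key stands in for a SIG(0) public-key signature because the Python standard library has no asymmetric crypto.

```python
import hmac, hashlib, struct
# Constructed example; RR types are hypothetical private-use values (RFC 6895 reserves 65280-65534).
TYPE_ALT, TYPE_XERR, TYPE_SIG, RCODE_NXDOMAIN = 65280, 65281, 24, 3
SERVER_KEY = b"demo-server-key"  # HMAC secret standing in for the server's SIG(0) key (assumption)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    labels = []
    while msg[off]:  # uncompressed names only; a zero length octet ends the name
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_nxdomain(qname, additional, sign):
    """NXDOMAIN reply with uncompressed additional RRs (owner, type, rdata); optionally server-signed."""
    msg = struct.pack(">HHHHHH", 0x1234, 0x8000 | RCODE_NXDOMAIN, 1, 0, 0, len(additional) + int(sign))
    msg += encode_name(qname) + struct.pack(">HH", 1, 1)
    for owner, rtype, rdata in additional:
        msg += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 0, len(rdata)) + rdata
    if sign:  # transaction signature over everything before the SIG RR, in the spirit of SIG(0)
        mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
        msg += encode_name(".") + struct.pack(">HHIH", TYPE_SIG, 255, 0, len(mac)) + mac
    return msg

def evaluate(msg):
    """Client policy: error records are informative and used as-is; an ALT hint is acted on only when signed."""
    rcode = struct.unpack(">H", msg[2:4])[0] & 0xF
    arcount = struct.unpack(">H", msg[10:12])[0]
    off = decode_name(msg, 12)[1] + 4  # skip QNAME, QTYPE, QCLASS
    recs, signed = [], False
    for _ in range(arcount):
        start = off
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_SIG:  # must be the last RR; any RR after it resets signed to False
            signed = hmac.compare_digest(rdata, hmac.new(SERVER_KEY, msg[:start], hashlib.sha256).digest())
        else:
            recs.append((rtype, rdata)); signed = False
    result = {"rcode": rcode, "alternative": None, "errors": []}
    for rtype, rdata in recs:
        if rtype == TYPE_XERR:
            result["errors"].append(rdata.decode())
        elif rtype == TYPE_ALT and rcode == RCODE_NXDOMAIN and signed:
            result["alternative"] = decode_name(rdata, 0)[0]
    return result
```

An unsigned or tampered ALT record is simply not followed, which is the downgrade concern raised above, while the error text is surfaced either way.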