
Re: draft-weiler-dnsext-dnssec-2535-compat-00.txt



On Sun, 2 Mar 2003, Sam Weiler wrote:

> On Sun, 2 Mar 2003, Roy Arends wrote:
> >
> > Proposing new DNSSEC RR type codes implies upgrading resolvers,
> > which seems to be exactly what you wanted to avoid.
>
> DS already forces resolvers to upgrade if they want DNSSEC validation.
>
> I'm trying to make sure that resolvers that don't understand DS at
> least get (and don't discard) insecure answers.  The problem described
> causes legacy resolvers to discard good data from signed zones.  If
> that were likely to happen, some zones (cnn.com. being my favorite
> example) would REALLY not want their parent to be signed.  I don't
> want to see the CNN's of the world lobbying to keep .com from being
> signed.

Yes, I understand the problem involved. I also understand what your draft
is trying to accomplish.

The problem is caused by false negatives. DS, Opt-In and Wildcard
processing all introduce false negatives (NXT!=NXDOMAIN) for legacy DNSSEC
resolvers.

The underlying issue is that a Flag Day was introduced while 'Flagging' is
currently done by implicit assertion instead of explicit notification.
Implicit assertions may lead to false negatives, higher bandwidth use
(retransmits), and delay in processing messages (multiple transmissions
before an assertion can be made). Without proper implicit assertions or
explicit notifications (DO/DA bit), a flag day is no flag day.

I'd like to see some stats which 2535 legacy resolver brands and versions
have this false negative issue. I'd also like to see the exact problem
space documented (at least touch the problem in the abstract), _before_
wild (and _very_ expensive, in both time & money) solutions are given.

Anykey, just my opinion,

Roy

archive: <http://ops.ietf.org/lists/namedroppers/>