Re: [dane] [Trans] CT for DNSSEC

Linus Nordberg <linus@sunet.se> Fri, 17 March 2017 08:54 UTC

Return-Path: <linus@sunet.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEFC7126BF6; Fri, 17 Mar 2017 01:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yk5aqApHS75Q; Fri, 17 Mar 2017 01:54:47 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F791126B72; Fri, 17 Mar 2017 01:54:46 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id v2H8sgWZ010061 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 17 Mar 2017 09:54:43 +0100
Received: from flogsta (smtp.adb-centralen.se [IPv6:2001:6b0:8::129]) (authenticated bits=0) by smtp1.nordu.net (8.14.7/8.14.7) with ESMTP id v2H8sdei000524 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 17 Mar 2017 08:54:42 GMT
From: Linus Nordberg <linus@sunet.se>
To: Wei Chuang <weihaw@google.com>
Cc: trans@ietf.org, dane@ietf.org
Organization: Sunet
References: <CAAFsWK0bCDZmg0csCfXAJ1=jqbOBc7sUUvSg-6ZKjxuAQKmQPA@mail.gmail.com>
Date: Fri, 17 Mar 2017 09:54:46 +0100
In-Reply-To: <CAAFsWK0bCDZmg0csCfXAJ1=jqbOBc7sUUvSg-6ZKjxuAQKmQPA@mail.gmail.com> (Wei Chuang's message of "Thu, 16 Mar 2017 10:09:44 -0700")
Message-ID: <878to4qo4p.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-nordu-net:default, nordu-net:default, base:default, @@RPTN)
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=2001:6b0:8::129; country=SE; latitude=59.3247; longitude=18.0560; http://maps.google.com/maps?q=59.3247,18.0560&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aSUUSGCU - 86c8624a5734 - 20170317
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter02.sunet.se: 2001:6b0:8::129 is neither permitted nor denied by domain linus@sunet.se) receiver=e-mailfilter02.sunet.se; client-ip=2001:6b0:8::129; envelope-from=<linus@sunet.se>; helo=smtp1.nordu.net; identity=mailfrom
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/Rp-hvWQddgoXCfN6KLZT08hr0pY>
Subject: Re: [dane] [Trans] CT for DNSSEC
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 08:54:51 -0000

Wei Chuang <weihaw@google.com>; wrote
Thu, 16 Mar 2017 10:09:44 -0700:

> spoofing the child zone.  Is there still interest in this?  From the list
> archives, I can't see what the issues were though I'm guessing one of them
> was respecifying the DS resource record to use a SCT which might have
> caused compatibility concerns.  (But please correct me if I'm wrong)  Other
> than that, the draft seems pretty reasonable.  Were there other concerns?

I'm still interested in logging things DNSSEC. The test log set up at
the IETF Berlin hackathon [0] is still running [1]. We lack a client for
submission.

Protocol deviations from draft-zhang-trans-ct-dnssec-03 are summarized
in [2].

[0] https://lists.sunet.se/pipermail/dnssec-transparency/2016-July/000049.html
[1] curl -A "" -x socks4a://127.0.0.1:9050/ -s http://teowuafdvio2mip5.onion/dt/v1/get-sth | json_pp
--8<---------------cut here---------------start------------->8---
{
   "tree_head_signature" : "BAMARjBEAiA48+vqfg2O3ZbVYvlMxof2dzLwJ09gPtdY3FGtq1LbaAIgXWD4qfCOh38JzCz52E1B1cdkI+8+gHitA1DNMC4Zl2g=",
   "timestamp" : 1489739801931,
   "tree_size" : 1,
   "sha256_root_hash" : "OQFz17e1piHRfRRsAG3QkweRuq/jyrjViq+vZbkyY+I="
}
--8<---------------cut here---------------end--------------->8---
[2] https://git.nordu.net/?p=user/linus/catlfish.git;a=blob_plain;f=README-dnssec.md;hb=refs/heads/dnssec2