Re: [dbound] [art] Related Domains By DNS (RDBD) Draft

"John R Levine" <johnl@taugh.com> Tue, 26 February 2019 15:54 UTC

Date: Tue, 26 Feb 2019 10:54:46 -0500
Message-ID: <alpine.OSX.2.21.1902261053030.10029@ary.local>
From: John R Levine <johnl@taugh.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Alexander_Brotman@comcast.com, dbound@ietf.org
In-Reply-To: <72c13f04-0a5c-53b0-a980-5cfb69ea866d@cs.tcd.ie>
References: <20190226032027.B52BE200EC0B38@ary.local> <250922de-26c5-da8d-0b25-c69bc6d56337@cs.tcd.ie> <alpine.BSF.2.21.9999.1902261021210.6114@gal.iecc.com> <72c13f04-0a5c-53b0-a980-5cfb69ea866d@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/Un1UaIcpD5MPZuUmdPvybREmYZw>

>> It does, but they don't prove anything that you wouldn't already know if
>> you can look stuff up in the DNS.
>
> Not sure I agree. While I accept a signature doesn't
> provide a strong "proof", it can provide evidence
> that the primary is ok with the secondary claiming
> that some relationship exists and that the primary
> was involved in creation of the RR values.

That's why the primary publishes a record pointing at the secondary.

> If the above existed, we could in any case define a way
> to digitally sign for the relationship separately, if
> there was support for doing so, and that could be done
> now or later.

Once again, if you have the record pointing at the secondary, what does 
the signature get you?  If you can hack the pointer record, you can hack 
the signature verification key, so they're equivalent.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
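To make the equivalence argued above concrete, here is an added example that is not part of the thread or of the RDBD draft: it models the two verification paths (a pointer record in the primary's zone versus a signature checked against a key published in the primary's zone) over an in-memory stand-in for DNS data, and shows that an attacker who can write the primary's zone defeats both, while one who cannot defeats neither. The record names (`rdbd-related`, `rdbd-key`, `rdbd-sig`) and the hash-based one-time signature are assumptions chosen for illustration, not the draft's wire format or algorithm.

```python
import hashlib
import os

# Assumed record names and a Lamport one-time signature stand in for the draft's
# real record formats and signature algorithm; the trust argument does not depend on them.

def sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def lamport_keygen():
    """Hash-based one-time signature key pair: 256 secret pairs, public = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha(a), sha(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    h = int.from_bytes(sha(msg), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]  # reveal one secret per message bit

def lamport_verify(pk, msg: bytes, sig) -> bool:
    h = int.from_bytes(sha(msg), "big")
    return all(sha(sig[i]) == pk[i][(h >> i) & 1] for i in range(256))

def relation_msg(primary: str, secondary: str) -> bytes:
    return f"{secondary} is related to {primary}".encode()

def verify_by_pointer(zones, primary, secondary) -> bool:
    """Path 1: the primary's zone carries a record naming the secondary."""
    return secondary in zones.get(primary, {}).get("rdbd-related", set())

def verify_by_signature(zones, primary, secondary) -> bool:
    """Path 2: the secondary's zone carries a signature checked with the key in the primary's zone."""
    pk = zones.get(primary, {}).get("rdbd-key")
    sig = zones.get(secondary, {}).get("rdbd-sig")
    return pk is not None and sig is not None and lamport_verify(pk, relation_msg(primary, secondary), sig)

def scenario(attacker_controls_primary_zone: bool) -> dict:
    """Constructed zones: a legitimate pair, plus evil.example trying to claim a relationship."""
    sk, pk = lamport_keygen()
    zones = {
        "primary.example": {"rdbd-related": {"secondary.example"}, "rdbd-key": pk},
        "secondary.example": {"rdbd-sig": lamport_sign(sk, relation_msg("primary.example", "secondary.example"))},
    }
    esk, epk = lamport_keygen()  # attacker's own key pair
    zones["evil.example"] = {"rdbd-sig": lamport_sign(esk, relation_msg("primary.example", "evil.example"))}
    if attacker_controls_primary_zone:
        # Whoever can write the pointer record can equally write the verification key.
        zones["primary.example"]["rdbd-related"].add("evil.example")
        zones["primary.example"]["rdbd-key"] = epk
    return {"pointer": verify_by_pointer(zones, "primary.example", "evil.example"),
            "signature": verify_by_signature(zones, "primary.example", "evil.example")}
```

Both checks rest on the integrity of data served from the primary's zone, so protecting that zone data (rather than adding a signature whose key lives in the same place) is what changes the outcome.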