Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <> Tue, 19 June 2018 18:11 UTC


On Tue, Jun 19, 2018 at 10:32 AM Petr Špaček <> wrote:

> I think we need to first answer the question of why existing technologies do
> not fit the purpose.

This is a reasonable question.

I noticed that the draft doesn't mention SIG(0) at all. One of the main
motivators of the draft is stated to be secure, wide scale distribution of
the root zone. To me, SIG(0) would have been an obvious candidate solution
for this problem. The zone owner can publish one public key to the world,
and signs zone transfer messages with the corresponding secret key. If the
zone owner supports IXFR, the incremental cost of these message signatures
is also quite small.

Possible issues with SIG(0):

* Although it is an existing technology, it isn't widely implemented or
used. I just learned on DNS twitter that BIND only supports SIG(0) for
UPDATE, for example, and not for XFR.

* If the goal is to support secure acquisition of the zone outside the DNS
protocol, then it can't do that. But neither is ZONEMD needed for that - we
can use an out of band signature using a variety of methods.

* And there is also the question of the status of SIG(0) which isn't clear
to me: Although RFC 2931 is not obsolete, it is based on the SIG record,
which is defined in an RFC that has been obsoleted by the DNSSEC-bis