IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

tjw ietf <tjw.ietf@gmail.com> Sat, 28 July 2018 19:57 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6C23130E81 for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 12:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPhzrQ2MAIFh for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 12:57:56 -0700 (PDT)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D28BC1310A7 for <dnsop@ietf.org>; Sat, 28 Jul 2018 12:57:55 -0700 (PDT)
Received: by mail-it0-x233.google.com with SMTP id p81-v6so11866131itp.1 for <dnsop@ietf.org>; Sat, 28 Jul 2018 12:57:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Qo2A8svm1SdPVVNBzkWqp8NMHp/Z1mb/iHYPBnHCMXU=; b=Vr8DPTBhArbgGl0rAGXA2VtCUrVIovzw86xSv+fn3ybkssXgfTBgeGjZ2llzmSteE/ hI3cNCD4wSdQON/JkRu48YXxBz+nGUZAq3DbOGboQWP43cU3tnSUnVXA8TsvkMl94kAF PI+ds4PNlPn5nVmsJw7a72xHyWT/cNi2Y/F+RqIjpE1AMc9RHIrqWcNt6UyLTf1jM1wP AgWE1zczIibsbGl0WXRu5AtVKELOa5v/8J5MqvnzqHgm1aq7Vsq2yVlrq1M+MTrEjtDO MIA4xTa7J/IvP+4K+8pq5UVxuqvNUGz6ZB3xdXbX/72KG+fOJuUy0O6R8y31WGXD6hxv V5Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Qo2A8svm1SdPVVNBzkWqp8NMHp/Z1mb/iHYPBnHCMXU=; b=hG6dc3DNyMSM5FcGUP9k18Sedg8B2Fc0Hcxn3o1/zdldaZhIEj6O4MpLYAAuyfH5zl 6r1B61yTWJad4A4jYbVh8EV4akzt4+XaqBfBdHi86rnfPlDU1yYOw+3fodyvbV77vSKC BtQnmnjM/prKmBUTXHV9sdJ4GbHzrX5Nx5h8svfcafDCPYEGUn7cO4zPaycHIsiBZPhM 0rp9f606yfyRS/fiyf8v8Ef+VLxTxZVx1iTHPFn46Ji+rDCYTgfg72mT/JhfF+mnMMY5 +kKBLvHK2+7EwY8S1xvHJY+Zv3wMMA+CJliCO5D1fcQhb2Oauxn2tCWRxNdw3NeikYf1 dKvQ==
X-Gm-Message-State: AOUpUlHvSveLYfkgNqV++XpUNCh7ruQNl8sIgohuzFH5iE9GUHY6FSbo oQ5FVAWQT5KnWpFAuyfCHYhK1JmG
X-Google-Smtp-Source: AAOMgpdXNrs/pm2p/jk6d4HCJqR9812dR1J2CiYD7Ys8jqqc6MPpJrr9mxrkLq/eaTDJsVC5V+IUwg==
X-Received: by 2002:a02:5f92:: with SMTP id x18-v6mr10581235jad.22.1532807874910; Sat, 28 Jul 2018 12:57:54 -0700 (PDT)
Received: from [192.168.1.34] ([50.110.69.187]) by smtp.gmail.com with ESMTPSA id g198-v6sm2998034itg.4.2018.07.28.12.57.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 28 Jul 2018 12:57:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-BB0EFA27-D393-44F7-9B56-4E511DBDA146"
Mime-Version: 1.0 (1.0)
From: tjw ietf <tjw.ietf@gmail.com>
X-Mailer: iPhone Mail (15G77)
In-Reply-To: <208F049B-B35A-4755-9A20-FA0C7F6855CF@isc.org>
Date: Sat, 28 Jul 2018 15:57:53 -0400
Cc: Bob Harold <rharolde@umich.edu>, "Song Linjian (Davey)" <songlinjian@gmail.com>, steve@shinkuro.com, IETF DNSOP WG <dnsop@ietf.org>, mweinberg=40verisign.com@dmarc.ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <144153BF-F260-4696-909A-F43C9FF77111@gmail.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <CAAObRXL2LoB3f=296ZPE1Pp1nHkG---pRPAmyO1trTROxneHDQ@mail.gmail.com> <FF0A0A24-705F-46E3-BF31-314078636EE2@isc.org> <84636548-60C4-40F5-8C05-E5AD70886CB4@isc.org> <B795E43C-E0A1-4965-995B-BD50606DCEB2@shinkuro.com> <9EF9C62B-896F-4A06-8C88-35D943D063DA@isc.org> <CA+nkc8BJN6_a2N8GmOLXsqvmYm-1UmVfX6-g2Kw_REtJ1N6GCA@mail.gmail.com> <208F049B-B35A-4755-9A20-FA0C7F6855CF@isc.org>
To: Ondřej Surý <ondrej@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1SgJCo7SsFN9x3KUj3X0FPBtYyA>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 19:57:59 -0000

Oh folks like my employer where half of the security teams scream and say no, and the other half want to see to collect threat intelligence information. 

From my high tech gadget

> On Jul 28, 2018, at 15:43, Ondřej Surý <ondrej@isc.org> wrote:
> 
> @ISC, we have been discussing this since we started implementing RZ local copy and it’s not that simple.
> 
> There are at least two problems with BitTorrent:
> 
> a) the hash has to be independent to zone, so either the hash has to reside outside of the root zone, or the root zone file would have to be reconstructed with “the torrent hash” and “the torrent data”; generally you would want the hash to be signed, so the TORRENT RR + RRSIG would have to be distributed outside of the data received via BitTorrent
> 
> b) to be effective, most of the peers would have to seed, and I am not sure if the places that would benefit the most would be the places where operators would be willing to seed
> 
> Ondrej
> --
> Ondřej Surý — ISC
> 
>> On 27 Jul 2018, at 16:57, Bob Harold <rharolde@umich.edu> wrote:
>> 
>> 
>>> On Thu, Jul 26, 2018 at 11:07 PM Mark Andrews <marka@isc.org> wrote:
>>> 
>>> 
>>> > On 27 Jul 2018, at 12:39 pm, Steve Crocker <steve@shinkuro.com> wrote:
>>> > 
>>> > The passage below puzzles me.  Why do you want servers to get the root zone from less trusted sources?
>>> 
>>> 1) to spread load.
>>> 2) not all recursive servers have direct access to authoritative sources.  Some times they need to go through intermediaries.  The same will be true with transfers of the root zone.
>> 
>> Maybe I am wrong, but having lots of servers all around the world asking for the same update at the same time looks like a good place to use bittorrent.  (Is that reasonable?)  So the 'sources' will be untrusted, and we do need some way to verify the resulting file that we get..
>> 
>> I like the XHASH idea, it seems to reduce the work required on each update.  But I would be ok with ZONEMD also.
>> 
>> -- 
>> Bob Harold
>>  
>>> >  And why does the source matter if the zone entries are DNSSEC-signed?
>>> 
>>> Steve please go and re-read the parts you cut out when quoting the previous message.  It gave several reasons.
>>> 
>>> Also please look at what is and isn’t signed in a zone and think about what can be done when you can change the unsigned parts.
>>> 
>>> Also think about what can be done when you change the signed parts but don’t individually verify the RRsets but rather just trust the zone content.
>>> 
>>> I have a local copy of the root zone.  It lives in a seperate view which is not accessed directly by clients  The name server validate its contents when performing recursive lookups on behalf of clients.  Such configurations are complicated and error prone.  It also doesn’t remove potential privacy leaks.
>>> 
>>> Having a way to verify the entire zone’s contents without having to verify every RRset individually after each zone transfer would make running such configurations easier.  It also removes threats that DNSSEC alone does not remove. 
>>> 
>>> > Thanks,
>>> > 
>>> > Steve
>>> > 
>>> > Sent from my iPhone
>>> > 
>>> >> On Jul 26, 2018, at 7:33 PM, Mark Andrews <marka@isc.org> wrote:
>>> >> 
>>> >> Additionally most nameservers treat zone data as fully trusted.  This is reasonable when you are getting data from a “trusted" source.  For the root zone we want servers to be able to get a copy of the zone from a untrusted / less trusted source.
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email