Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
"John R Levine" <johnl@taugh.com> Wed, 08 January 2020 20:13 UTC
Date: Wed, 08 Jan 2020 15:13:07 -0500
From: John R Levine <johnl@taugh.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: dnsop@ietf.org
On Wed, 8 Jan 2020, Michael StJohns wrote:

> I'm running a private copy of the root zone for my organization. I
> (automated) check the SOA every so often, and arrange for a download of the
> zone when it changes. I (automated) get a copy of the zone data, including
> a ZONEMD RR, everything validates DNSSEC-wise, but the ZONEMD RR is invalid
> (hashes don't match). I do:
>
> [ various things ]

I know this isn't the answer you want, but it still depends. One-size-fits-all error recovery is rarely possible.

I also realize you're trying to tease out a single answer to the question of whether a ZONEMD failure is more likely to be a bogus zone or a broken signer, and it still depends.

In the rather peculiar case of the root zone, ZONEMD for the first time covers the otherwise completely unauthenticated A/AAAA records for the root servers since root-servers.net remains unsigned, so it can detect tampering that we couldn't detect before. Since we happen to know that significant changes to the root are fairly rare, I'd keep using the old version of the root and flag the failure for someone to look at.

In other applications, the risks and consequences are different, so I'd probably do something different.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
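The refresh loop StJohns describes, with the fallback Levine recommends (keep the last good copy, flag the failure), as an added illustration that is not part of this thread. It assumes the canonical serialisation that ZONEMD covers and the DNSSEC validation result are produced elsewhere and handed in; the `max_age` staleness alert is an assumed local policy, not anything from the draft.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ZoneCopy:
    serial: int
    canonical: bytes                # canonical serialisation the digest covers (built elsewhere; assumed input)
    zonemd_digest: Optional[bytes]  # digest from the apex ZONEMD RR, None if the zone carries none
    dnssec_valid: bool              # result of DNSSEC validation, performed elsewhere
    fetched_at: int                 # Unix time this copy was accepted

def zonemd_sha384(canonical: bytes) -> bytes:
    # ZONEMD scheme SIMPLE (1) with hash algorithm SHA-384 (1): one hash over the sorted canonical RRs.
    return hashlib.sha384(canonical).digest()

def zonemd_ok(z: ZoneCopy) -> bool:
    if z.zonemd_digest is None:
        return False
    return hmac.compare_digest(zonemd_sha384(z.canonical), z.zonemd_digest)

def serial_gt(a: int, b: int) -> bool:
    # RFC 1982 serial-number arithmetic: "a is newer than b" with 32-bit wraparound.
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))

def refresh(current: ZoneCopy, candidate: ZoneCopy, now: int, max_age: int) -> Tuple[ZoneCopy, List[str]]:
    """Decide which copy to serve; returns the chosen copy and any alerts for an operator to look at."""
    alerts: List[str] = []
    if not serial_gt(candidate.serial, current.serial):
        return current, alerts                      # SOA unchanged: nothing to do
    if not candidate.dnssec_valid:
        alerts.append(f"serial {candidate.serial}: DNSSEC validation failed; keeping serial {current.serial}")
    elif not zonemd_ok(candidate):
        why = "no ZONEMD RR" if candidate.zonemd_digest is None else "ZONEMD digest mismatch"
        alerts.append(f"serial {candidate.serial}: {why}; keeping serial {current.serial}")
    else:
        candidate.fetched_at = now
        return candidate, alerts                    # everything checks out: switch over
    if now - current.fetched_at > max_age:          # the cost of refusing: the old copy is getting stale
        alerts.append(f"CRITICAL: serving serial {current.serial}, {now - current.fetched_at}s old")
    return current, alerts

def example() -> Tuple[ZoneCopy, List[str]]:
    # Constructed sample: the "canonical form" is a stand-in byte string, not a real root zone.
    good = b"constructed-canonical-rrs-serial-2020010801"
    current = ZoneCopy(2020010800, b"constructed-canonical-rrs-serial-2020010800", None, True, 1_578_441_600)
    current.zonemd_digest = zonemd_sha384(current.canonical)
    tampered = ZoneCopy(2020010801, good + b"-modified-in-transit", zonemd_sha384(good), True, 0)
    return refresh(current, tampered, now=1_578_528_000, max_age=7 * 86400)
```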