Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

"John R Levine" <johnl@taugh.com> Wed, 08 January 2020 20:13 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A5841201EA for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 12:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=fZ42OJSl; dkim=pass (1536-bit key) header.d=taugh.com header.b=Z4hSkdXc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUpxK7oQJW9s for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 12:13:10 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65F5112003E for <dnsop@ietf.org>; Wed, 8 Jan 2020 12:13:10 -0800 (PST)
Received: (qmail 80556 invoked by uid 100); 8 Jan 2020 20:13:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-id:user-agent:cleverness; s=13aaa.5e1637d4.k2001; i=johnl@user.iecc.com; bh=w9y7Q46++tyZtMUfrwl5e0qWdMRyELX/XF+JIFIHuYc=; b=fZ42OJSlsUm/OlUHT/WIc8KO2e2kbNaUFoYvFhQ6PZPe6aGl8uReuzt7D3dHru06G/OYBZ3g7hUVKv8NH4vNiln8wK4Jr3NUSeUm9FWW1eZTD5pe/RDDAZgyWhsmnnyGpUNekafItxB2convoWNYrnKg+7lXvkytqmYtaD4pCGdHTiaL3J1+TBHEA6uqKej9YfJ+SZdVebSzOi3hM37h+pb3F2I6c/fGji79mqx+RS4omfVxYn2uNKwg5CvCxJBQ
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-id:user-agent:cleverness; s=13aaa.5e1637d4.k2001; olt=johnl@user.iecc.com; bh=w9y7Q46++tyZtMUfrwl5e0qWdMRyELX/XF+JIFIHuYc=; b=Z4hSkdXcdbsA6vQBufYkrDPGnVrmVMSw5krzwr831sLA6pEFCZ/lWvjSz9H1VPTgpOvjgDh96ndINswxTPRxw8ccpTHlK5VPQDdfJZtleGUSt6xYxfm5awebQ+lWRN6R65avPk78sl8g5lqVQBc7HY5m4Hp+mh6aFohycarB2NfOOFHHgHV/dbEE7/xYE67fBDQZVKNGaoiT/qAkpH5SNvadhqEsq/CEKTU7WZYorUqCpWqSpbLCocS4/3OzzQrf
Date: 8 Jan 2020 15:13:07 -0500
Message-ID: <alpine.BSF.2.21.99999.352.2001081505180.78172@gal.iecc.com>
From: "John R Levine" <johnl@taugh.com>
To: "Michael StJohns" <msj@nthpermutation.com>
Cc: dnsop@ietf.org
In-Reply-To: <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy> <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
User-Agent: Alpine 2.21.99999 (BSF 352 2019-06-22)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="3168237118-1677514723-1578514109=:78172"
Content-ID: <alpine.BSF.2.21.99999.352.2001081508330.78172@gal.iecc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2YZ9S0gcVCey_80oQ1ljabAiVzY>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 20:13:11 -0000

On Wed, 8 Jan 2020, Michael StJohns wrote:
> I'm running a private copy of the root zone for my organization. I 
> (automated) check the SOA every so often, and arrange for a download of the 
> zone when it changes.    I (automated) get a copy of the zone data, including 
> an ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD RR is invalid 
> (hashes don't match). I do:
> [ various things ]

I know this isn't the answer you want, but it still depends.  One size 
fits all error recovery is rarely possible.  I also realize you're trying 
to tease out a single answer to the question of whether a ZONEMD failure 
is more likely to be a bogus zone or a broken signer, and it still 
depends.

In the rather peculiar case of the root zone, ZONEMD for the first time 
covers the otherwise completely unauthenticated A/AAAA records for the 
root servers since root-servers.net remains unsigned, so it can detect 
tampering that we couldn't detect before.  Since we happen to know that 
significant changes to the root are fairly rare, I'd keep using the old 
version of the root and flag the failure for someone to look at.

In other applications, the risks and consequences are different, so I'd 
probably do something different.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.