Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 8A5841201EA
 for <dnsop@ietfa.amsl.com>; Wed,  8 Jan 2020 12:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level: 
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
 autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key)
 header.d=iecc.com header.b=fZ42OJSl;
 dkim=pass (1536-bit key)
 header.d=taugh.com header.b=Z4hSkdXc
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id fUpxK7oQJW9s for <dnsop@ietfa.amsl.com>;
 Wed,  8 Jan 2020 12:13:10 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com
 [IPv6:2001:470:1f07:1126:0:43:6f73:7461])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 65F5112003E
 for <dnsop@ietf.org>; Wed,  8 Jan 2020 12:13:10 -0800 (PST)
Received: (qmail 80556 invoked by uid 100); 8 Jan 2020 20:13:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com;
 h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-id:user-agent:cleverness;
 s=13aaa.5e1637d4.k2001; i=johnl@user.iecc.com;
 bh=w9y7Q46++tyZtMUfrwl5e0qWdMRyELX/XF+JIFIHuYc=;
 b=fZ42OJSlsUm/OlUHT/WIc8KO2e2kbNaUFoYvFhQ6PZPe6aGl8uReuzt7D3dHru06G/OYBZ3g7hUVKv8NH4vNiln8wK4Jr3NUSeUm9FWW1eZTD5pe/RDDAZgyWhsmnnyGpUNekafItxB2convoWNYrnKg+7lXvkytqmYtaD4pCGdHTiaL3J1+TBHEA6uqKej9YfJ+SZdVebSzOi3hM37h+pb3F2I6c/fGji79mqx+RS4omfVxYn2uNKwg5CvCxJBQ
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com;
 h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-id:user-agent:cleverness;
 s=13aaa.5e1637d4.k2001; olt=johnl@user.iecc.com;
 bh=w9y7Q46++tyZtMUfrwl5e0qWdMRyELX/XF+JIFIHuYc=;
 b=Z4hSkdXcdbsA6vQBufYkrDPGnVrmVMSw5krzwr831sLA6pEFCZ/lWvjSz9H1VPTgpOvjgDh96ndINswxTPRxw8ccpTHlK5VPQDdfJZtleGUSt6xYxfm5awebQ+lWRN6R65avPk78sl8g5lqVQBc7HY5m4Hp+mh6aFohycarB2NfOOFHHgHV/dbEE7/xYE67fBDQZVKNGaoiT/qAkpH5SNvadhqEsq/CEKTU7WZYorUqCpWqSpbLCocS4/3OzzQrf
Date: 8 Jan 2020 15:13:07 -0500
Message-ID: <alpine.BSF.2.21.99999.352.2001081505180.78172@gal.iecc.com>
From: "John R Levine" <johnl@taugh.com>
To: "Michael StJohns" <msj@nthpermutation.com>
Cc: dnsop@ietf.org
In-Reply-To: <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
References: <20200107023630.628251208AAF@ary.qy>
 <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com>
 <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy>
 <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
User-Agent: Alpine 2.21.99999 (BSF 352 2019-06-22)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: multipart/mixed;
 BOUNDARY="3168237118-1677514723-1578514109=:78172"
Content-ID: <alpine.BSF.2.21.99999.352.2001081508330.78172@gal.iecc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2YZ9S0gcVCey_80oQ1ljabAiVzY>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 20:13:11 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--3168237118-1677514723-1578514109=:78172
Content-Type: text/plain; CHARSET=ISO-8859-15; format=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.BSF.2.21.99999.352.2001081508331.78172@gal.iecc.com>

On Wed, 8 Jan 2020, Michael StJohns wrote:
> I'm running a private copy of the root zone for my organization. I=20
> (automated) check the SOA every so often, and arrange for a download of t=
he=20
> zone when it changes.=A0=A0=A0 I (automated) get a copy of the zone data,=
 including=20
> an ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD RR is inva=
lid=20
> (hashes don't match). I do:
> [ various things ]

I know this isn't the answer you want, but it still depends.  One size=20
fits all error recovery is rarely possible.  I also realize you're trying=
=20
to tease out a single answer to the question of whether a ZONEMD failure=20
is more likely to be a bogus zone or a broken signer, and it still=20
depends.

In the rather peculiar case of the root zone, ZONEMD for the first time=20
covers the otherwise completely unauthenticated A/AAAA records for the=20
root servers since root-servers.net remains unsigned, so it can detect=20
tampering that we couldn't detect before.  Since we happen to know that=20
significant changes to the root are fairly rare, I'd keep using the old=20
version of the root and flag the failure for someone to look at.

In other applications, the risks and consequences are different, so I'd=20
probably do something different.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
--3168237118-1677514723-1578514109=:78172--