Re: [DNSOP] zonemd/xhash versus nothing new

Joe Abley <> Wed, 01 August 2018 16:57 UTC

From: Joe Abley <>
Date: Wed, 1 Aug 2018 12:57:45 -0400
Cc: Petr Špaček <>, Tony Finch <>,
To: Paul Hoffman <>

Hi Paul,

I agree that it would be foolish to change 4034/4035 without understanding the implications of doing so (e.g. breaking validators).

However, it's possible that it would be a fairly minor semantic change, e.g. if signing records with an owner name below a zone cut were optional and if validator code paths were not much affected (they could either validate when they saw the RRSIG or ignore the RRSIG; either way, it's possible that things would not break).

Before the idea of using RRSIGs to sign records that are currently specified not to be signed is thrown away, is it perhaps worth exploring it a little more deeply?


> On Aug 1, 2018, at 12:14, Paul Hoffman <> wrote:
> Maybe changing RFC 4034 and RFC 4035 to have RRSIGs over non-authoritative data is not the right way to go. It could break some current validators, and it would be hard to let zones sign some but not all of the non-authoritative data. (For example, I could imagine a zone owner wanting to sign the child NS records but not the glue records.)
> Instead, if the WG wants this functionality, it might be cleaner to create a new record that acts like RRSIG but is used only on non-authoritative data. Think of it as NONAUTH-RRSIG. We would need to define the new RRtype (with a lot of pointers to RFC 4034), how it is used to sign (with a lot of pointers to RFC 4035), how authoritative servers would include those records in responses, and how validators would handle the records (this would probably be the trickiest part).
> This would lead to a cleaner upgrade path both for authoritative servers and resolvers, and thus maybe make it more palatable to the current DNSSEC-using population.
> --Paul Hoffman
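The exchange above turns on which RRsets RFC 4035 section 2.2 says do not get an RRSIG: the NS RRset at a delegation point and the glue beneath it, while DS (and NSEC) at the cut and everything else in the zone are signed. The following Python model, added here as an illustration and not part of the original message or the DNSOP thread, classifies the RRsets of a constructed sample zone under the current rules and under two hypothetical policies (names `delegation-ns` and `all` are my own labels) that approximate Paul's "sign the child NS but not the glue" case and Joe's "sign records below a zone cut" case. The zone data, owner names and addresses are made up for the example.

```python
"""Which RRsets in a signed zone carry an RRSIG under RFC 4035 section 2.2,
and which would additionally be covered under the two hypothetical changes
discussed in the thread.  The sample zone is constructed for illustration."""

from collections import defaultdict

ZONE_APEX = "example."

# Constructed sample zone: apex data, in-zone hosts, one delegation with a DS
# record (child.example.) plus glue under it, and one delegation without DS
# whose nameserver lives in the parent zone (other.example.).
SAMPLE_ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018080101 3600 900 1209600 300"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("example.", "DNSKEY", "257 3 13 <public-key>"),
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns2.example.", "A", "192.0.2.2"),
    ("www.example.", "A", "192.0.2.10"),
    ("child.example.", "NS", "ns.child.example."),
    ("child.example.", "DS", "12345 13 2 <digest>"),
    ("ns.child.example.", "A", "192.0.2.53"),
    ("ns.child.example.", "AAAA", "2001:db8::53"),
    ("other.example.", "NS", "ns1.example."),
]

# Hypothetical policies modelling the thread; only "rfc4035" is real:
#   "rfc4035"        - current RFC 4035 section 2.2 rules
#   "delegation-ns"  - also sign the NS RRset at each delegation point
#                      (the "sign child NS but not glue" case)
#   "all"            - sign everything in the zone file, glue included
#                      (the "records with an owner name below a zone cut" case)
POLICIES = ("rfc4035", "delegation-ns", "all")


def group_rrsets(records):
    """Group (owner, type, rdata) triples into RRsets keyed by (owner, type)."""
    rrsets = defaultdict(list)
    for owner, rtype, rdata in records:
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return dict(rrsets)


def is_at_or_below(name, ancestor):
    return name == ancestor or name.endswith("." + ancestor)


def delegation_points(rrsets, apex):
    """Owner names that hold an NS RRset and are not the apex, keeping only
    the topmost cut when one delegation sits beneath another."""
    candidates = {owner for (owner, rtype) in rrsets if rtype == "NS" and owner != apex}
    return {c for c in candidates
            if not any(other != c and is_at_or_below(c, other) for other in candidates)}


def classify(owner, rtype, cuts, apex):
    """Return 'authoritative', 'delegation-ns' or 'glue' for one RRset."""
    if owner == apex:
        return "authoritative"
    cut = next((c for c in cuts if is_at_or_below(owner, c)), None)
    if cut is None:
        return "authoritative"
    if owner == cut and rtype == "NS":
        return "delegation-ns"
    if owner == cut and rtype in ("DS", "NSEC"):
        # Parent-side data at the cut is the parent's own and is signed.
        return "authoritative"
    # Address records at or under the cut are glue; anything else there is
    # occluded by the delegation and equally outside the parent's authority.
    return "glue"


def rrsig_coverage(records, apex, policy="rfc4035"):
    """Map each (owner, type) to True if it would carry an RRSIG under policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    rrsets = group_rrsets(records)
    cuts = delegation_points(rrsets, apex)
    signed_classes = {"authoritative"}
    if policy in ("delegation-ns", "all"):
        signed_classes.add("delegation-ns")
    if policy == "all":
        signed_classes.add("glue")
    return {key: classify(key[0], key[1], cuts, apex) in signed_classes for key in rrsets}


def unsigned_rrsets(records, apex, policy="rfc4035"):
    """RRsets a validator has no RRSIG for under policy, sorted for display."""
    return sorted(k for k, signed in rrsig_coverage(records, apex, policy).items() if not signed)


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy}: unsigned RRsets = {unsigned_rrsets(SAMPLE_ZONE, ZONE_APEX, policy)}")
```

Running it lists, for the current rules, exactly the four RRsets the thread is worried about (two delegation NS RRsets and the two glue address RRsets), which is the gap a ZONEMD-style whole-zone digest or a NONAUTH-RRSIG would have to close; the `all` policy leaves nothing uncovered, at the cost of the validator changes discussed in the message.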