Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
Michael StJohns <msj@nthpermutation.com> Mon, 13 January 2020 19:38 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64E071209FE for <dnsop@ietfa.amsl.com>; Mon, 13 Jan 2020 11:38:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEXaYW_CCm8Y for <dnsop@ietfa.amsl.com>; Mon, 13 Jan 2020 11:38:19 -0800 (PST)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 599E4120110 for <dnsop@ietf.org>; Mon, 13 Jan 2020 11:38:19 -0800 (PST)
Received: by mail-qk1-x735.google.com with SMTP id d71so9719004qkc.0 for <dnsop@ietf.org>; Mon, 13 Jan 2020 11:38:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=QRN4tuMxR0u69PaW5FEwEF2FpiIoTJiV7dSAAVOcf7E=; b=VDxAbSKpYZmGoIFWmHvJ9adPbyKTglvO8TN9S1spYbsDQPQ99oASzx67wpUxm68kLr MRDAeDEM9DWO1vVzLRX3zcnBPSf2dW3pXRln0oYLDqpwSIgs/bp3kHnXc9WsXwTLpuJV 8C1tDMZm4FYDiZNjc8+E9SMV/yYWFrhGB6++O/RTNMow8AoRxJKzMrzGzcgX3IUTisiv HewVr2nJFa7NCk7xRb61leQXabLzly/uRGAQ3gf+45pB/XiCcS0fN+lCoOHyUQW/9mLT KWBwAIwgOJj95AC1t928kKg08CTdeyDnU1k8yDpzfAE2vM8zFNML9tG/Z+BkeouD6sDc VGvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=QRN4tuMxR0u69PaW5FEwEF2FpiIoTJiV7dSAAVOcf7E=; b=UJu0BLOzYpOy9ZV+pG3t+09IGSj0XdJbUUhhnqfRqzooDOcWxs9knQvO4Hdj0l6g6G PgfVKZkTp0C7R9xtjZO7Y/eEP6X0MoJ9jsMhCJMIQaH+4GncTsJPFV879cQNw6qGMfZA odk8DbZAA9im1R45WScy7zrooulW/w9vPsRoVew0nCCNxTekomzlyStVmuULANVxjzBX ZDguUOmU891Q8z1apUPHVEc7hWFZpQFKonmoOuDwMmb0CYU/uKp9dtZ/+ekQtkRPFO1z GcYRpswCtNubTyk2cW9x3q1vJsTDO4Ul5TucU3ftawOOIE1OoHsAY+3JuEEmF9sqTzEU g0GQ==
X-Gm-Message-State: APjAAAUgtS+txiR9dghsWMZYU7JSrHTzevv7vZhegoA9dFjgu4gzsXU1 ocOU9ASG2p5E4BQYaGrevtvH0LfDqts=
X-Google-Smtp-Source: APXvYqxaQYaMiT+tv3k8G5TyFNuG3evFRR/lSjc088teu0AtJk7QDgvjuXSlEN2vKo727fqpcKTmhw==
X-Received: by 2002:a37:9acb:: with SMTP id c194mr17399627qke.291.1578944297894; Mon, 13 Jan 2020 11:38:17 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:2db9:9515:98bf:cec0? ([2601:152:4400:437c:2db9:9515:98bf:cec0]) by smtp.gmail.com with ESMTPSA id l33sm6304425qtf.79.2020.01.13.11.38.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jan 2020 11:38:17 -0800 (PST)
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy> <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com> <alpine.BSF.2.21.99999.352.2001081505180.78172@gal.iecc.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <ed2c18b2-65f8-954d-7d2f-8102b08e9748@nthpermutation.com>
Date: Mon, 13 Jan 2020 14:38:12 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.BSF.2.21.99999.352.2001081505180.78172@gal.iecc.com>
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2sA29Z4zw85odBx31i9Jkzx-HBA>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 19:38:21 -0000
Thought I'd forgotten about this? :-) On 1/8/2020 3:13 PM, John R Levine wrote: > On Wed, 8 Jan 2020, Michael StJohns wrote: >> I'm running a private copy of the root zone for my organization. I >> (automated) check the SOA every so often, and arrange for a download >> of the zone when it changes. I (automated) get a copy of the zone >> data, including an ZONEMD RR, everything validates DNSSEC wise, but >> the ZONEMD RR is invalid (hashes don't match). I do: >> [ various things ] > > I know this isn't the answer you want, but it still depends. One size > fits all error recovery is rarely possible. I also realize you're > trying to tease out a single answer to the question of whether a > ZONEMD failure is more likely to be a bogus zone or a broken signer, > and it still depends. No - I'm trying to tease out what the receiver does without being able to determine why the zone didn't validate. AFAICT you're sticking with "there must be a human in the loop because we haven't a clue why it didn't validate and we mustn't do anything until we do". This sounds remarkably like the arguments related to DNSSEC and non-DNS dependence on validity. > > In the rather peculiar case of the root zone, ZONEMD for the first > time covers the otherwise completely unauthenticated A/AAAA records > for the root servers since root-servers.net remains unsigned, so it > can detect tampering that we couldn't detect before. Given that I said I'm using this for local publication of the root, those glue records are unlikely to be of any interest to me. In any event, the *right* way to verify those records is to actually try and make a connection with them. That gets you away from "the operation was successful (e.g. ZONEMD said these were fine), but the patient died (e.g. the addresses didn't actually point to a root instance because someone fat fingered the data entry)" problem. > Since we happen to know that significant changes to the root are > fairly rare, I'd keep using the old version of the root and flag the > failure for someone to look at. Would you or would you not add the additional records - e.g. new DS's or new names? Or if the serial was N+1 would you only use the records that were there at N? Keep in mind that DNSSEC says that all of the new records validate. It's just this damn ZONEMD RR that doesn't seem to have its act together. > > In other applications, the risks and consequences are different, so > I'd probably do something different. Given that - why do you think this is useful for more than a small set of DNS geeks? Yes, info is useful, but either you depend upon it or it's just a play thing. If the former, you have to then start assuming other people will depend upon it, which means you need to be serious about getting the provisioning right, and at the receiver, discarding "bad data". Something that does not require a human to spend costly man hours resolving over and over and over again. Never mind - I'm not convinced of the general utility of this scheme. It feels like DNS bloat and more a solution in search of a problem. That said, I appreciate Duane's willingness to make changes to fix some of the more egregious problems. Later, Mike > > Regards, > John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY > "I dropped the toothpaste", said Tom, crestfallenly.
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine