Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02

Shumon Huque <shuque@gmail.com> Mon, 20 August 2018 14:18 UTC

From: Shumon Huque <shuque@gmail.com>
Date: Mon, 20 Aug 2018 10:18:37 -0400
Message-ID: <CAHPuVdVj9YYnG8UbUYFVZZNBDFFEi+t2fM0Urugx0JxJzDgaVQ@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Cc: Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2sDafrQHGBKAv36fwD3sqbH6Rr0>

On Mon, Aug 20, 2018 at 9:53 AM Bob Harold <rharolde@umich.edu> wrote:

>
> On Sun, Aug 19, 2018 at 3:29 PM Paul Wouters <paul@nohats.ca> wrote:
>
>>
>> When using DNSSEC, the resolver should follow the glue and then perform
>> a query at the child zone to confirm the glue data. In unbound.conf
>> terms this is called harden-glue: yes
>>
>
> I had not thought of this, thanks for mentioning it.  So if I transfer a
> copy of the root (or other zone), I can verify the signed parts with
> DNSSEC, and the glue by resolving them and verifying from the child zone.
> Does that leave any unverified records (are glue the only unsigned records)?
> Note that the child might have different records than the parent glue, so
> my copy of the zone might end up different in that regard - is that ok?
>

This scheme won't work because in the general case glue records for signed
zones may live in unsigned zones and thus may not be validatable at all.
See glue for .COM, .NET, .ORG, etc. for prominent examples.

-- 
Shumon Huque
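To make the verification question in this thread concrete, here is an added example (not from the thread or any of its participants) that walks a transferred zone copy and sorts each record by how it could be checked: RRSIG-covered data is verifiable with DNSSEC; delegation NS sets and glue are unsigned in the parent and can only be confirmed by querying the child zone, which works only when that child is itself signed (a DS record at the cut), illustrating why glue living under an unsigned delegation cannot be validated. The zone excerpt and its names are constructed for this example.

```python
# Constructed zone excerpt (not real data), one record per line:
# owner TTL class type rdata. RRSIG rdata begins with the type it covers.
ZONE_TEXT = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 3600
example. 3600 IN RRSIG SOA 13 1 3600 20180901000000 20180820000000 12345 example. c2ln
signed.example. 3600 IN NS ns.signed.example.
signed.example. 3600 IN DS 11111 13 2 ZGln
signed.example. 3600 IN RRSIG DS 13 2 3600 20180901000000 20180820000000 12345 example. c2ln
ns.signed.example. 3600 IN A 192.0.2.1
hosting.example. 3600 IN NS ns.hosting.example.
ns.hosting.example. 3600 IN A 192.0.2.2
other.example. 3600 IN NS ns.hosting.example.
other.example. 3600 IN DS 22222 13 2 ZGln
other.example. 3600 IN RRSIG DS 13 2 3600 20180901000000 20180820000000 12345 example. c2ln
"""


def parse_zone(text):
    """Yield (owner, type, rdata) from presentation-format lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            yield owner.lower(), rtype.upper(), rdata


def zone_cut_for(name, cuts):
    """Deepest delegation point that name sits at or below, or None."""
    below = [c for c in cuts if name == c or name.endswith("." + c)]
    return max(below, key=len) if below else None


def classify(zone_text):
    """Return {(owner, type): verdict} for every non-RRSIG record in the copy."""
    recs = list(parse_zone(zone_text))
    apex = next(o for o, t, _ in recs if t == "SOA")
    signed = {(o, r.split()[0]) for o, t, r in recs if t == "RRSIG"}  # RRSIG-covered RRsets
    cuts = {o for o, t, _ in recs if t == "NS" and o != apex}          # delegation points
    has_ds = {o for o, t, _ in recs if t == "DS"}                       # children that are signed
    verdict = {}
    for owner, rtype, _ in (r for r in recs if r[1] != "RRSIG"):
        cut = zone_cut_for(owner, cuts)
        if (owner, rtype) in signed:
            verdict[(owner, rtype)] = "signed: verify with DNSSEC"
        elif cut is None:
            verdict[(owner, rtype)] = "unsigned authoritative data: not verifiable"
        elif cut in has_ds:
            verdict[(owner, rtype)] = "unsigned in parent: verify by querying signed child %s" % cut
        else:
            verdict[(owner, rtype)] = "unsigned in parent: child %s is unsigned, NOT verifiable" % cut
    return verdict
```

Run `classify(ZONE_TEXT)` to see that the glue for ns.hosting.example. (and the other.example. delegation that depends on it) has no validation path, while glue under the DS-protected signed.example. cut can be confirmed from the child.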