IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <shuque@gmail.com> Thu, 21 June 2018 16:41 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F4C13103B for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 09:41:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wlLGBe7tsPvl for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 09:40:58 -0700 (PDT)
Received: from mail-yb0-x22b.google.com (mail-yb0-x22b.google.com [IPv6:2607:f8b0:4002:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 592EE120049 for <dnsop@ietf.org>; Thu, 21 Jun 2018 09:40:58 -0700 (PDT)
Received: by mail-yb0-x22b.google.com with SMTP id z12-v6so756309ybj.4 for <dnsop@ietf.org>; Thu, 21 Jun 2018 09:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pyFxmoMi6eoqLt3mT+UX9Pdatos+LVPiJ7ChORPLLRQ=; b=peV3vg6073/CALmKabWqlYSvihJQ0Ntm0fskIyKTs1NQA4WR+C1gC8H/7hNYO3DSr7 2lzM6UBRZNxlETZ3I3zZrQpdiqZl11SjTq3ApLJtRx/QyEWJA9X+YhKQUa63wbVuAgQr RwmQAbzpv/pTQTgbkpMdxMksZTzBDb8ynzbjVYmwYVaf0IND+Ii15wKIxAeL+DRBEVVs UVDYqJfnEqelmctXKNtLkECbFif9J4BekFY7JIpGBy5SmYiid84jqaYmVAJyk0zxH6OA B/ELX8kPrDmluYcvsj58B3b641s/4NWb21lzPioHOqAUBRyZEUO+GQ5/z25pJT97wTn8 26Jw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pyFxmoMi6eoqLt3mT+UX9Pdatos+LVPiJ7ChORPLLRQ=; b=pB91gC0q0+FtEetLW/vSnvAi8H5HdpTISa/PVGV4mqjPXOcNG3BJgIxU+QFEFsuAP6 bs9eDZrbT4UCGc6ir3RqRSVhFaaa4vX6NkErrUttjQUH6D4Voj+RJtM0iWyLAJAy7n9U KeaemRQRTkt9zDhscD3rKtByTj4MSldGSI3Q1GWUg0ywJ5Y3j8zytBmC3MGNk08aL+bK /+T/Pf8RM0fOi6mjBGUrCb3QYnVMsnpjJcwbdwMA2QAkGWfxSEOmkvH9eQHPBoNC2mnX E9xXWlCHB0sNTlfTYbfwT/YwJ2xaRRr2tZsupYRU/krX9nB09CdkLjUGXLLBfl6S5Zzz NzHg==
X-Gm-Message-State: APt69E0bmuApk+eUydV0t6Lf1i2lazsHFs43i/QXRpghbgC2CQDbiwEV iOBzezFgGWWCPXI68uxOiP+5zL08tSEn+X51tD4=
X-Google-Smtp-Source: ADUXVKKTZGcW/FU4VKScD4XkgI+cXFnt+x4fA6a9avsPMZ29bp9w0F6h1V7o2KoNOe+mi4deQ5yZC56BFW+v6zylo0g=
X-Received: by 2002:a25:8686:: with SMTP id z6-v6mr1560760ybk.404.1529599257661; Thu, 21 Jun 2018 09:40:57 -0700 (PDT)
MIME-Version: 1.0
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <CAHPuVdWXBDHdiQ2Z1uFx=mZFRBpjndiki+6Eno-2qFoe6hAovw@mail.gmail.com> <20180619231512.GA26273@jurassic> <CAHPuVdVSXNKZEhZ_2-vV_9py_n5Dw+FaMXXBbQtORwGF2xuDQw@mail.gmail.com> <ebf643d5-a85d-2f72-88f3-3710acde4746@nic.cz> <30E5CEA0-F7D9-46B5-B262-599C2101D479@verisign.com>
In-Reply-To: <30E5CEA0-F7D9-46B5-B262-599C2101D479@verisign.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 21 Jun 2018 12:40:46 -0400
Message-ID: <CAHPuVdVWYiJNfWtNeuT_a86zdbjYRaWwbbuiPhLPEfqrk87PTw@mail.gmail.com>
To: dwessels=40verisign.com@dmarc.ietf.org
Cc: petr.spacek@nic.cz, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000066d71a056f2994ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4ODwMBJOk1XyoFuae82xIMEdpJA>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 16:41:01 -0000

On Thu, Jun 21, 2018 at 11:56 AM Wessels, Duane <dwessels=
40verisign.com@dmarc.ietf.org> wrote:

>
> The problem I'm seeking to solve is somewhat different, and its probably
> not clearly stated in the draft so I will add some text to rectify that.
>
> I'm not trying to solve the problem that SIG(0), SIG(AXFR), or TLS
> addresses
> -- that you're talking to the right server and that data wasn't modified
> in transit.
>
> My goal is to ensure that when you receive a zone file -- however you
> receive it (DNS, HTTPS, P2P file sharing, Avian Carrier) -- you get the
> data that the zone publisher actually published.
>

I can't argue with that goal (and yes, you should probably clarify it in
the draft).

The question for me is what are the use cases for this protocol
enhancement, and is this the only way to satisfy those use cases?

In my mind, the main compelling use case is secure distribution of the root
zone at scale to anyone on the Internet. For that, I'd bet that many
consumers would be quite okay with a channel security mechanism to a
"trusted" root zone operator, whatever that mechanism is (TSIG, SIG(0),
TLS, HTTPS, etc) as long as it could be done efficiently and at scale. A
full zone signature from the zone publisher/signer is ultimately more
secure of course. But if the security model is satisfied by trust in RSOs,
then that isn't needed.

The normal case of distributing a zone securely to all your authoritative
server operators, I believe, is adequately satisfied today by zone
transfers authenticated by pre-configured static TSIG keys provisioned
between the authorized parties. Do you see the full zone signature as a
replacement for this scenario too? (There are many zones much larger and
more frequently updated than the root zone, for which I believe the
computational cost of this is too prohibitive).

As noted earlier, out of band verification of the full zone using an
integrated signature that does not rely on an external keying
infrastructure, is also a plausible use case. I'm just wondering if it has
a compelling need.

Anyway, not trying to derail this effort, just asking questions. On
balance, I think I support this draft.

Shumon.

v2.23.0 | Report a Bug | By Email