Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Evan Hunt <each@isc.org> Mon, 28 September 2015 17:40 UTC

Date: Mon, 28 Sep 2015 17:40:36 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Message-ID: <20150928174036.GA15052@isc.org>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <6944DF48-2A47-4E75-801F-37BEA19A1CCD@vpnc.org> <20150927000309.GA17973@jurassic.l0.malgudi.org> <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org> <20150927025914.GA31910@jurassic.l0.malgudi.org> <alpine.LFD.2.20.1509281034040.25357@bofh.nohats.ca> <20150928154852.GA19077@jurassic.l0.malgudi.org> <56097146.3060208@redbarn.org>
In-Reply-To: <56097146.3060208@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/5IQAKXRowifsiqwJiFiw6ICEaMk>
Cc: dnsop <dnsop@ietf.org>, Mukund Sivaraman <muks@isc.org>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

On Mon, Sep 28, 2015 at 09:56:38AM -0700, Paul Vixie wrote:
> so i think there's good cause to add a DNS-level checksum even as we add
> DNS-level cookies.

+1

I would prefer to use checksum and cookies in parallel rather than have
the checksum option recapitulate cookie functionality, though.  Unless I'm
overlooking something, the NONCE field in Mukund's proposal becomes
unnecessary if cookies are in use. Otherwise it seems like a very good
idea.

(It's a pity there's no version field in the COOKIE option format;
COOKIE version 1 could have been extended to include a checksum.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
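As an added illustration (not code from the draft or from the poster), a constructed toy that carries an RFC 7873 COOKIE option and a checksum option side by side in one OPT RR, where the client cookie already present in the message supplies the per-query freshness a separate NONCE field would otherwise provide. The checksum option layout (a zero-filled SHA-256 digest over the whole message) and the option code 65001, taken from the RFC 6891 experimental range, are assumptions for this example, not the draft's format.

```python
import hashlib
import hmac
import struct

OPT_COOKIE = 10        # EDNS COOKIE option code (RFC 7873)
OPT_CHECKSUM = 65001   # placeholder from the RFC 6891 experimental range, not the draft's code
DIGEST_LEN = 32        # hypothetical layout: OPTION-DATA is one SHA-256 digest

# Constructed sample input: question for example.com A IN, and an 8-byte client cookie.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
CLIENT_COOKIE = bytes(range(8))


def edns_option(code, data):
    """Encode one EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data


def build_message(txid, question, client_cookie, server_cookie=b""):
    """Minimal DNS message: header, one question, one OPT RR whose RDATA holds
    a COOKIE option followed by a zero-filled checksum option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    options = edns_option(OPT_COOKIE, client_cookie + server_cookie)
    options += edns_option(OPT_CHECKSUM, b"\x00" * DIGEST_LEN)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLENGTH.
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(options)) + options
    return header + question + opt_rr


def _digest_offset(msg):
    """Toy locator for the digest bytes; a real implementation walks the OPT RDATA."""
    return msg.index(struct.pack("!HH", OPT_CHECKSUM, DIGEST_LEN)) + 4


def sign_message(msg):
    """Fill in the digest over the message with the digest field zeroed. The cookie
    option (and the transaction ID) already make each message distinct, so the
    digest needs no extra nonce of its own."""
    idx = _digest_offset(msg)
    zeroed = msg[:idx] + b"\x00" * DIGEST_LEN + msg[idx + DIGEST_LEN:]
    return msg[:idx] + hashlib.sha256(zeroed).digest() + msg[idx + DIGEST_LEN:]


def verify_message(msg):
    """True if the embedded digest matches the message; False if absent or mismatched."""
    try:
        idx = _digest_offset(msg)
    except ValueError:
        return False
    expected = sign_message(msg)[idx:idx + DIGEST_LEN]
    return hmac.compare_digest(msg[idx:idx + DIGEST_LEN], expected)
```

Any change to the question, the cookie, or the header after signing makes verify_message return False, which is the corruption-detection role the checksum plays alongside the cookie.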