Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]

Paul Wouters <paul@nohats.ca> Fri, 25 September 2020 21:13 UTC

Date: Fri, 25 Sep 2020 17:13:37 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
cc: dnsop@ietf.org
In-Reply-To: <026e8a7b7db7279269a361c0fd526283062df212.camel@powerdns.com>
Message-ID: <alpine.LRH.2.23.451.2009251702570.1634044@bofh.nohats.ca>
References: <160103718726.30054.5094716283741232929@ietfa.amsl.com> <026e8a7b7db7279269a361c0fd526283062df212.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7tTaGSHv1QUsgAL52MrHRPhVFvw>
Subject: Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]

On Fri, 25 Sep 2020, Peter van Dijk wrote:

> in this new episode of 'enabling future innovations that we perhaps
> cannot even imagine today', please find below a link to a draft
> proposing a DS digest type that does no digesting at all. This allows a
> zone owner to publish information in the parent zone and have the
> parent sign that data on the owner's behalf.

> Abstract:
>   The VERBATIM DS Digest is defined as a direct copy of the input data
>   without any hashing.

I could see a use of publishing a DNSKEY at the parent in a DS record
that could be used for encrypted connections towards child nameservers.

But we talked about this within the context of your other proposals,
and the view of a number of people and some large operators was that
this encryption is a per-nameserver thing, and not a per-zone thing.

Another item not covered here, which we talked about before, is that
child data published in the parent MUST have cryptographic confirmation
at the child. Or else parents can coerce child data.

It seems the setup of this record is geared towards a generic mechanism
of "child publishes stuff at the parent" which muddles the clear child
vs parent zone divider we have now. It would need a very strong use
case, but the other use case offered is "might be handy in the future".
While I agree that DNS infrastructure updates have been extremely slow,
I do think in recent years it has been much better and is still
improving. So I am less concerned about anything taking 5 years again.

Paul
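The two points in the thread above (a DS digest type that copies the DNSKEY RDATA instead of hashing it, and the requirement that whatever the parent publishes be confirmed against what the child actually serves) can be shown side by side in code. The example below is an added illustration, not code from the draft, from PowerDNS, or from the mailing list. It assumes: the DS digest input of RFC 4034 section 5.1.4 (canonical owner name wire form followed by the DNSKEY RDATA), digest type 2 for SHA-256 (RFC 4509), a hypothetical placeholder number for the VERBATIM type since the page assigns none, and constructed key material that is not a real key.

```python
"""DS digest construction (SHA-256 vs. a hypothetical VERBATIM type) and a
child-side consistency check.  Example code; not part of the draft."""
import hashlib
import struct

DIGEST_SHA256 = 2               # RFC 4509
DIGEST_VERBATIM_PLACEHOLDER = 255   # assumption: the draft's number is not on the page


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (sum of 16-bit words with carry fold)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Digest field of a DS record for the given DNSKEY RDATA."""
    if digest_type == DIGEST_SHA256:
        # RFC 4034 5.1.4: digest(owner name in wire form | DNSKEY RDATA)
        return hashlib.sha256(name_to_wire(owner) + rdata).digest()
    if digest_type == DIGEST_VERBATIM_PLACEHOLDER:
        # The verbatim idea from the thread: no hashing, the RDATA itself is
        # carried in the parent zone and signed there.
        return rdata
    raise ValueError("unsupported digest type %d" % digest_type)


def make_ds(owner, rdata, digest_type):
    """Return (key tag, algorithm, digest type, digest) as a DS tuple."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_child(ds, owner, child_dnskeys):
    """The check the thread asks for: data carried in the parent's DS is only
    accepted if it corresponds to a DNSKEY that the child itself publishes
    (the RFC 4035 section 5.2 style matching).  A parent that publishes data
    the child never signed for therefore fails this check."""
    tag, alg, dtype, digest = ds
    for rdata in child_dnskeys:
        if (key_tag(rdata) == tag and rdata[3] == alg
                and ds_digest(owner, rdata, dtype) == digest):
            return True
    return False


if __name__ == "__main__":
    # Constructed, not a real key: flags 257 (KSK), protocol 3, algorithm 13.
    child_key = dnskey_rdata(257, 3, 13, b"\xaa" * 32)
    other_key = dnskey_rdata(257, 3, 13, b"\xbb" * 32)
    for dtype in (DIGEST_SHA256, DIGEST_VERBATIM_PLACEHOLDER):
        ds = make_ds("example.", child_key, dtype)
        print("digest type %3d: tag=%d len=%d matches child: %s" % (
            dtype, ds[0], len(ds[3]), ds_matches_child(ds, "example.", [child_key])))
    # Parent-originated data that the child never published does not validate.
    rogue = make_ds("example.", other_key, DIGEST_VERBATIM_PLACEHOLDER)
    print("parent-only data accepted:", ds_matches_child(rogue, "example.", [child_key]))
```

The SHA-256 branch follows the standard DS construction, so the same `ds_matches_child` routine validates both digest types; the difference is only that the verbatim branch hands the consumer the DNSKEY RDATA directly instead of a commitment to it, which is exactly what makes the child-side confirmation non-optional.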