Re: [DNSOP] Incremental zone hash - XHASH

"Wessels, Duane" <dwessels@verisign.com> Wed, 25 July 2018 17:59 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Wouters <paul@nohats.ca>
CC: Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>
Date: Wed, 25 Jul 2018 17:59:51 +0000
Message-ID: <204056D2-7481-4631-8426-5338791BB60D@verisign.com>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org> <CAKr6gn1axEztD06WoH0a+=WGjrzPNSiYWtk-qLzKY0BWprCVwA@mail.gmail.com> <alpine.LRH.2.21.1807221443170.5582@bofh.nohats.ca> <CAHw9_iK1W-CeA+ppJWggzCDhTwdi-jhGZOe6D44XfRJNeSginA@mail.gmail.com> <alpine.LRH.2.21.1807251300490.24159@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1807251300490.24159@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8izVYsrdKubDE0XHdINxTSNy1fk>

> On Jul 25, 2018, at 10:09 AM, Paul Wouters <paul@nohats.ca> wrote:
> 
> If you do want all of that protected, which I don't think there are
> strong reasons for, why not place an OPENPGPKEY record in the zone and
> use pgp to sign it? No new custom software needed, and equally
> annoying validating the OPENPGPKEY as the ZONEMD data.

What new custom software are you thinking of?

One of my expectations is that ZONEMD would be implemented in name server software.  That software already includes code to calculate hashes and verify DNSSEC signatures.  AFAIK no name server software knows how to verify pgp signatures.

(Admittedly perhaps missing from some current name server software is code for canonical sorting.)

DW
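An added illustration, not code from this thread or from any name server implementation, of the canonical sorting step the reply says some name servers lack: RFC 4034 section 6.1 owner-name ordering applied to a constructed zone. The digest routine assumes a simplified per-record serialization chosen for illustration, not the ZONEMD wire format, and the owner/type/RDATA sort order is likewise an assumption of this example.

```python
# Added example (not from the thread): RFC 4034 s6.1 canonical name ordering
# plus a sorted-zone digest over a constructed, simplified serialization.
import hashlib


def canonical_name_key(name: str) -> list[bytes]:
    """Key for RFC 4034 s6.1 ordering: labels compared from the root outward,
    case-folded, as unsigned octet strings.  A shorter name is a prefix of
    its children, and Python's list comparison puts the prefix first, which
    matches 'absence of an octet sorts before a zero octet'."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [lbl.encode("ascii") for lbl in reversed(labels)]


def canonical_rr_key(rr):
    """Assumed order for this example: owner name, then RR type, then RDATA
    as an octet string (RFC 4034 s6.3 orders RRs within an RRset by RDATA)."""
    owner, rtype, rdata = rr
    return (canonical_name_key(owner), rtype, rdata)


def sort_zone(records):
    return sorted(records, key=canonical_rr_key)


def zone_digest(records) -> str:
    """SHA-384 over the records in canonical order.  The serialization is a
    constructed stand-in (lowercased owner, 2-byte type, length + RDATA),
    not the ZONEMD wire format; the point is that input order no longer
    matters once the records are canonically sorted."""
    h = hashlib.sha384()
    for owner, rtype, rdata in sort_zone(records):
        h.update(owner.rstrip(".").lower().encode("ascii") + b"\x00")
        h.update(rtype.to_bytes(2, "big"))
        h.update(len(rdata).to_bytes(2, "big") + rdata)
    return h.hexdigest()


# Constructed sample zone as (owner, type number, RDATA bytes); type 1 = A,
# type 2 = NS.  ZONE_B is the same zone in a different input order.
ZONE_A = [
    ("z.example.", 1, bytes([192, 0, 2, 2])),
    ("example.", 2, b"\x02ns\x07example\x00"),  # NS target in wire format
    ("Z.a.example.", 1, bytes([192, 0, 2, 3])),
    ("a.example.", 1, bytes([192, 0, 2, 1])),
    ("example.", 1, bytes([192, 0, 2, 9])),
    ("example.", 1, bytes([192, 0, 2, 1])),
]
ZONE_B = list(reversed(ZONE_A))
```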