IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Ondřej Surý <ondrej@isc.org> Sat, 28 July 2018 19:43 UTC

Return-Path: <ondrej@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CED8B131128 for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 12:43:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuPKfT24MIO1 for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 12:43:19 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84AD21310C7 for <dnsop@ietf.org>; Sat, 28 Jul 2018 12:43:19 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 6D8B93AB003; Sat, 28 Jul 2018 19:43:18 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 2A32E16005B; Sat, 28 Jul 2018 19:43:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0E1DE16006C; Sat, 28 Jul 2018 19:43:18 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id I1_yRQFwJeXt; Sat, 28 Jul 2018 19:43:17 +0000 (UTC)
Received: from [10.10.0.183] (40.20.broadband5.iol.cz [88.100.20.40]) by zmx1.isc.org (Postfix) with ESMTPSA id 3EAC016005B; Sat, 28 Jul 2018 19:43:17 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-B0C54C0B-1844-43C1-A792-96AAFA15AB09"
Mime-Version: 1.0 (1.0)
From: Ondřej Surý <ondrej@isc.org>
X-Mailer: iPhone Mail (16A5327f)
In-Reply-To: <CA+nkc8BJN6_a2N8GmOLXsqvmYm-1UmVfX6-g2Kw_REtJ1N6GCA@mail.gmail.com>
Date: Sat, 28 Jul 2018 21:43:13 +0200
Cc: Mark Andrews <marka@isc.org>, "Song Linjian (Davey)" <songlinjian@gmail.com>, steve@shinkuro.com, IETF DNSOP WG <dnsop@ietf.org>, mweinberg=40verisign.com@dmarc.ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <208F049B-B35A-4755-9A20-FA0C7F6855CF@isc.org>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <CAAObRXL2LoB3f=296ZPE1Pp1nHkG---pRPAmyO1trTROxneHDQ@mail.gmail.com> <FF0A0A24-705F-46E3-BF31-314078636EE2@isc.org> <84636548-60C4-40F5-8C05-E5AD70886CB4@isc.org> <B795E43C-E0A1-4965-995B-BD50606DCEB2@shinkuro.com> <9EF9C62B-896F-4A06-8C88-35D943D063DA@isc.org> <CA+nkc8BJN6_a2N8GmOLXsqvmYm-1UmVfX6-g2Kw_REtJ1N6GCA@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/967aj7kyB-reW_sbEudGKksErUM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 19:43:22 -0000

@ISC, we have been discussing this since we started implementing RZ local copy and it’s not that simple.

There are at least two problems with BitTorrent:

a) the hash has to be independent to zone, so either the hash has to reside outside of the root zone, or the root zone file would have to be reconstructed with “the torrent hash” and “the torrent data”; generally you would want the hash to be signed, so the TORRENT RR + RRSIG would have to be distributed outside of the data received via BitTorrent

b) to be effective, most of the peers would have to seed, and I am not sure if the places that would benefit the most would be the places where operators would be willing to seed

Ondrej
--
Ondřej Surý — ISC

> On 27 Jul 2018, at 16:57, Bob Harold <rharolde@umich.edu> wrote:
> 
> 
>> On Thu, Jul 26, 2018 at 11:07 PM Mark Andrews <marka@isc.org> wrote:
>> 
>> 
>> > On 27 Jul 2018, at 12:39 pm, Steve Crocker <steve@shinkuro.com> wrote:
>> > 
>> > The passage below puzzles me.  Why do you want servers to get the root zone from less trusted sources?
>> 
>> 1) to spread load.
>> 2) not all recursive servers have direct access to authoritative sources.  Some times they need to go through intermediaries.  The same will be true with transfers of the root zone.
> 
> Maybe I am wrong, but having lots of servers all around the world asking for the same update at the same time looks like a good place to use bittorrent.  (Is that reasonable?)  So the 'sources' will be untrusted, and we do need some way to verify the resulting file that we get..
> 
> I like the XHASH idea, it seems to reduce the work required on each update.  But I would be ok with ZONEMD also.
> 
> -- 
> Bob Harold
>  
>> >  And why does the source matter if the zone entries are DNSSEC-signed?
>> 
>> Steve please go and re-read the parts you cut out when quoting the previous message.  It gave several reasons.
>> 
>> Also please look at what is and isn’t signed in a zone and think about what can be done when you can change the unsigned parts.
>> 
>> Also think about what can be done when you change the signed parts but don’t individually verify the RRsets but rather just trust the zone content.
>> 
>> I have a local copy of the root zone.  It lives in a seperate view which is not accessed directly by clients  The name server validate its contents when performing recursive lookups on behalf of clients.  Such configurations are complicated and error prone.  It also doesn’t remove potential privacy leaks.
>> 
>> Having a way to verify the entire zone’s contents without having to verify every RRset individually after each zone transfer would make running such configurations easier.  It also removes threats that DNSSEC alone does not remove. 
>> 
>> > Thanks,
>> > 
>> > Steve
>> > 
>> > Sent from my iPhone
>> > 
>> >> On Jul 26, 2018, at 7:33 PM, Mark Andrews <marka@isc.org> wrote:
>> >> 
>> >> Additionally most nameservers treat zone data as fully trusted.  This is reasonable when you are getting data from a “trusted" source.  For the root zone we want servers to be able to get a copy of the zone from a untrusted / less trusted source.
>> 
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email