Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Davey Song <songlinjian@gmail.com> Fri, 27 July 2018 04:13 UTC

In-Reply-To: <20180727040406.GA15431@isc.org>
From: Davey Song <songlinjian@gmail.com>
Date: Fri, 27 Jul 2018 12:13:41 +0800
Message-ID: <CAAObRXJEFz0JC=mWvgrh2dadz_6dnhZuteADMFPmU+UkEE3cMw@mail.gmail.com>
To: each@isc.org
Cc: shuque@gmail.com, steve@shinkuro.com, dnsop <dnsop@ietf.org>, mweinberg=40verisign.com@dmarc.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CmBChochoLtSQs1zAtjiaKu-iro>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

On Fri, 27 Jul 2018 at 12:04, Evan Hunt <each@isc.org> wrote:

> On Fri, Jul 27, 2018 at 11:24:33AM +0800, Davey Song wrote:
> > The draft says zone digest is not for protecting zone transmission.
>
> Where did it say that? I didn't notice it.
>

I mean zone digest is not for zone transmission with channel security. On
page 4, the authors compare zone digest and channel security.

   Unfortunately, the protections provided by these channel security
   techniques are ephemeral and are not retained after the data transfer
   is complete.  They can ensure that the client receives the data from
   the expected server, and that the data sent by the server is not
   modified during transmission.  However, they do not guarantee that
   the server transmits the data as originally published, and do not
   provide any methods to verify data that is read after transmission is
   complete.  For example, a name server loading saved zone data upon
   restart cannot guarantee that the on-disk data has not been modified.
   For these reasons, it is preferable to secure the data itself.

Davey
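As an added illustration of the paragraph quoted above (example code, not from the draft or from anyone in this thread): a simplified ZONEMD-style digest that the publisher embeds in the zone and the consumer re-checks after reloading the zone from disk, the point at which TLS or TSIG protection of the transfer no longer helps. The sample zone, the text canonical form, and the ZONEMD rdata layout are constructed assumptions; the draft itself hashes canonical wire format.

```python
import hashlib

# Constructed sample zone as (owner, ttl, class, type, rdata); not from the draft.
SAMPLE_ZONE = [
    ("example.", 3600, "IN", "SOA",
     "ns1.example. admin.example. 2018072701 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),
    ("www.example.", 300, "IN", "A", "192.0.2.10"),
]

def canonical_line(rr):
    # Simplified canonical form (assumption): lower-cased owner, tab-separated
    # fields. The real draft uses canonical wire format instead of text.
    owner, ttl, rclass, rtype, rdata = rr
    return f"{owner.lower()}\t{ttl}\t{rclass}\t{rtype}\t{rdata}\n".encode()

def zone_digest(records):
    # SHA-384 over every record in sorted canonical form, skipping the
    # ZONEMD record itself, which cannot cover its own digest value.
    h = hashlib.sha384()
    for rr in sorted(records, key=canonical_line):
        if rr[3] != "ZONEMD":
            h.update(canonical_line(rr))
    return h.hexdigest()

def publish(records):
    # Publisher step: append an apex ZONEMD-style record "serial type digest"
    # (field layout simplified; digest type 1 stands for SHA-384 here).
    soa = next(rr for rr in records if rr[3] == "SOA")
    serial = soa[4].split()[2]
    return records + [(soa[0], 3600, "IN", "ZONEMD", f"{serial} 1 {zone_digest(records)}")]

def verify(records):
    # Consumer step: exactly one ZONEMD record, and its digest must match
    # what we recompute from the data actually loaded.
    stored = [rr for rr in records if rr[3] == "ZONEMD"]
    return len(stored) == 1 and stored[0][4].split()[2] == zone_digest(records)

def to_disk(records):
    # On-disk save format: one canonical line per record.
    return "".join(canonical_line(rr).decode() for rr in records)

def from_disk(text):
    out = []
    for line in text.splitlines():
        owner, ttl, rclass, rtype, rdata = line.split("\t", 4)
        out.append((owner, int(ttl), rclass, rtype, rdata))
    return out

def tampered_copy(text):
    # Simulates the on-disk modification the draft warns about.
    return text.replace("192.0.2.10", "198.51.100.99")
```

Because the digest is recomputed from the loaded records rather than from the transfer, the check succeeds after a faithful reload and fails after the on-disk change, regardless of how the zone was transmitted.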