Re: [DNSOP] zonemd/xhash versus nothing new
Evan Hunt <each@isc.org> Sat, 28 July 2018 02:57 UTC
Date: Sat, 28 Jul 2018 02:57:14 +0000
From: Evan Hunt <each@isc.org>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20180728025714.GB20010@isc.org>
References: <alpine.LRH.2.21.1807271758580.22024@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1807271758580.22024@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D0Njm2NMHczCObWCR7fpdI2vink>
On Fri, Jul 27, 2018 at 06:17:37PM -0400, Paul Wouters wrote:
> we can do AXFR but that would keep the root servers mission critical.
> Also, the only currently practical channel security for AXFR is TSIG
> and it can't scale to hundreds of thousands of clients.

Speaking as an implementer, I like AXFR from the traditional root servers as a method of distribution (despite the regrettable fact that half of them don't support AXFR; I wish they would). Reducing the root servers' central role isn't a major concern for me, and I don't think daily zone transfers from resolvers will overly tax them. The code's long-since implemented and mature and using it doesn't introduce a lot of new moving parts.

However, the inability to verify the correctness and completeness of a zone transfer (including the gluey bits) with an in-band signature *is* a problem. ZONEMD/XHASH solves it.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.