Re: [DNSOP] zonemd/xhash versus nothing new

Evan Hunt <each@isc.org> Sat, 28 July 2018 02:57 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F989130DC7 for <dnsop@ietfa.amsl.com>; Fri, 27 Jul 2018 19:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77FkCwIcfdND for <dnsop@ietfa.amsl.com>; Fri, 27 Jul 2018 19:57:14 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C97FE130DC5 for <dnsop@ietf.org>; Fri, 27 Jul 2018 19:57:14 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id B54C73AB03C; Sat, 28 Jul 2018 02:57:14 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 9A957216C1C; Sat, 28 Jul 2018 02:57:14 +0000 (UTC)
Date: Sat, 28 Jul 2018 02:57:14 +0000
From: Evan Hunt <each@isc.org>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20180728025714.GB20010@isc.org>
References: <alpine.LRH.2.21.1807271758580.22024@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1807271758580.22024@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D0Njm2NMHczCObWCR7fpdI2vink>
Subject: Re: [DNSOP] zonemd/xhash versus nothing new
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 02:57:17 -0000

On Fri, Jul 27, 2018 at 06:17:37PM -0400, Paul Wouters wrote:
> we can do AXFR but that would keep the root servers mission critical.

Also, the only currently practical channel security for AXFR is TSIG and
it can't scale to hundreds of thousands of clients.

Speaking as an implementer, I like AXFR from the traditional root servers
as a method of distribution (despite the regrettable fact that half of them
don't support AXFR; I wish they would). Reducing the root servers' central
role isn't a major concern for me, and I don't think daily zone transfers
from resolvers will overly tax them.  The code's long-since implemented and
mature and using it doesn't introduce a lot of new moving parts.

However, the inability to verify a the correctness and completeness of a
zone transfer (including the gluey bits) with an in-band signature *is* a
problem. ZONEMD/XHASH solves it.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.