Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 09 July 2018 21:39 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C072B131023 for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 14:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PcQseewrjwYO for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 14:39:46 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8590130E67 for <dnsop@ietf.org>; Mon, 9 Jul 2018 14:39:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8781; q=dns/txt; s=VRSN; t=1531172386; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=3+/44LSoTP35S2tbfJcAEK6JvCk9pwYp0XtUm7QjW2Q=; b=GFv/KzzcNM2njvfiFt/oEWCiCjI4QMrro6TP+JaB7jlgYndAjlMf1Mps 2SxoJqIx2hv2MP2ijvzxmsVFCYrCXFFy2DBp5xdJd0B40xjlvzc+mRa39 qtV1O8HMjauhictwMwD7oX0LyO8fmyxoQqur2vCiNcFkciQKRpq4yAo/h 9WA6xHohgPRmMAYoO/MTNdoZvnpYVkMYWnHwar/Epp7Toh6v/Rlpah/n0 I/uteSwFuw42BH/kMpsG/i7EB4nqx4iphMoQ39Rhmm6lUVuIi0Re1f9uO ntB9XCDOqxW8nScQOZ6NXGpzAdnK3IHVFbuBQR+kcXCQILX0RAIS+OkAT A==;
X-IronPort-AV: E=Sophos; i="5.51,330,1526356800"; d="p7s'?scan'208"; a="5059290"
IronPort-PHdr: 9a23:bAM+1xLPQrfvHMOTVNmcpTZWNBhigK39O0sv0rFitYgfK/7xwZ3uMQTl6Ol3ixeRBMOHs6wC07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9JDffwRFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUjq+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfFjfK3SYMkaSHJBUMhPSiJBHo2yYYgBD+UDPOZXs4byqkABrReiAAmhHv/jxiNKi3LwwKY00/4hEQbD3AE4Ed4BsGrbrM7uNKgMVeC117HExijNYfNLwzj97pbHfh48qvyLQL1xf9TeyVI0FwzbilWQspfoPy2L2eQXsmib9OtgVe2pi2I9tw5xpT2vy94qh4LUhYwV0kjJ+ThlzIovONG1SkB2bcS5HJZQuSyWLYR7T8c6T211pCo20KAKtJyncCQQ1ZgqyB3SZ+aaf4WL+h7jWvieLDRkiH9gfb+wnRW//Ey7xeD5WMS4zktFoytAn9bXsn0A1h7e582JR/Zz/EquxDCC3B3J5O5eO0A7j6/bJoYkwr43i5Ucr1zOHjTzmEXqlK+WcVgk+vSw5+TnfLrmopicOpdphw/iKqoih8ywD/w3PAcPQ2SX5/6w1KP/8k3+WrVKluc6nbPEv5zAO8QbvLW5AwlP3ok/7Ba/Ci+q0NUenXYZMFJIYA+Lg5TzN13TIv31A+2zj0msnTpl3fzLMbnsDo3ILnfZkbfhebh961RbyAo21d1Q+pxVBa8aIPLoREDxsMfYAwQnMwOq2ebnCc591oIRWWKJGKOWLKTSsVqQ6uI1P+aMfJMVuCr6K/U94P7ugmI5lkIGcKmu0psXdW23Eu56LEWeZHrmms0BHnsSvgoiUOzqj0WPXiNVZ3apWKI8/io2CIO4AoffSIChmruB3D20Hs4eWmcTLVSFH2ryP6qZV/IRbi6JOchn2mgDWqWtY4guyB3ovwj/nelJNO3Rr2cnuIn42dxuo6X/iBg0+HY8W8iC3nqWQmVvtn0FXT4t3a9550d6zwHQguBDn/VEGIkLtLtyWQAgOMuZlrQiBg==
X-IPAS-Result: A2EhAQCD1UNb/zGZrQpdGQEBAQEBAQEBAQEBAQcBAQEBAYQrgScKg3CWP5csCAOEbAKCZzcVAQIBAQEBAQECAQECgRGCNSQBgl4BAQEBAgEjVAIFCwIBCA4KKgICAjAlAgQKBAUODYMFAYF3qhSCHIRbg3GBKw+KRT6BDyeCaIRkgxcxgiQCiAGEUYEqi1MDBgKDWoFYgziHeowbh32JbAIEAgQFAhSBV4F1cBVlAYI+giQXEY4Gb40YgRoBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 9 Jul 2018 17:39:45 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 9 Jul 2018 17:39:45 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Olafur Gudmundsson <ogud@ogud.com>
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUF81a+OBkn5t2s0mqxkFdThtdwQ==
Date: Mon, 09 Jul 2018 21:39:44 +0000
Message-ID: <AD5C2BDE-94BD-4F68-AE70-41E29A11EE58@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
In-Reply-To: <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_A148252D-12F2-45F6-9F1E-A6CE6EA8759E"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D4LI4AgbEHQYQETmnUEirWfJdGs>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 21:39:49 -0000

> On Jul 8, 2018, at 5:28 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
> 
> 
> +1 
> I spent lots of time earlier this century along with Johan Ihren trying to figure out how to 
> secure the transfer of a particular zone (the root) to any resolver. 
> The only sane way is to not transfer the zone over AXFR as any intermediary can mess with the zone contents mostly in the case of “glue” records,
> thus transferring the zone over HTTPS or RSYNC with a PGP signature over the zone file is the only viable solution going forward. 

I respectfully disagree. 

I dislike PGP (and S/MIME) for a couple of reasons.  For one, I think it limits the use cases to non-AXFR.  You would have to either keep the original file intact (not just ordering, but character-per-character) if it is to be redistributed, or you would have to define a sorting for the data.  Any reformatting of the data (whitespace etc) invalidates it.  Additionally, you'd have to choose between detached signatures (which I think are a bad idea) or use a PGP attached signature format, in which case you are no longer distributing a file that could be directly loaded into a name server. 

Regarding HTTPS/RSYNC, that would be irrelevant.  If the data is secured then the transport doesn't matter at all.


> 
> Historical background: SIG(AXFR) was rejected because it required putting the zone into canonical order and calculating the signature, 

Thanks for that.  This little tidbit was lost in the process of editing those RFCs.

> in the case of dynamic update this is a real expensive operation, thus we got rid of it.
> 

I agree that dynamic updates complicate zone digests.  It could be made to work without sorting the whole zone, but some sorting would be required.  But in general I don't think the complexity of digests for dynamic zones is worth it.  

DW
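The two points argued above (a file-level PGP signature breaks on any whitespace or ordering change, while a digest over canonically ordered, canonically formatted RRs does not, and a digest still catches an intermediary rewriting glue) can be shown in a few lines. The code below is an illustration added by the editor; it is not the algorithm of draft-wessels-dns-zone-digest, not Verisign's code, and not something from this thread. It assumes absolute owner names with a trailing dot (no $ORIGIN), class IN, one RR per line, only SOA/NS/A/AAAA types, and an ordering of RFC 4034 canonical owner order, then type code, then RDATA, the last two being this example's own choice. The zone data is constructed.

```python
"""Canonical zone digest vs. file-byte digest (editor's illustration, not the
draft's ZONEMD algorithm).  Assumptions: absolute names, class IN, one RR per
line, types SOA/NS/A/AAAA only, RR order = RFC 4034 owner order, type, RDATA."""
import hashlib
import ipaddress
import struct

TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}
CLASS_IN = 1


def name_labels(name):
    """'NS1.Example.' -> [b'ns1', b'example'] (lowercased, RFC 4034 6.2)."""
    name = name.lower().rstrip(".")
    return [lab.encode("ascii") for lab in name.split(".")] if name else []


def name_wire(name):
    """Uncompressed wire-format name: length-prefixed labels plus root byte."""
    return b"".join(bytes([len(lab)]) + lab for lab in name_labels(name)) + b"\x00"


def rdata_wire(rtype, fields):
    """Wire RDATA; embedded names are lowercased like the owner name."""
    if rtype == "A":
        return ipaddress.IPv4Address(fields[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(fields[0]).packed
    if rtype == "NS":
        return name_wire(fields[0])
    if rtype == "SOA":
        mname, rname, *nums = fields
        return name_wire(mname) + name_wire(rname) + struct.pack("!5I", *map(int, nums))
    raise ValueError("unsupported RR type: " + rtype)


def parse_zone(text):
    """Minimal presentation-format reader: drops ';' comments and blank lines."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, *fields = line.split()
        if rclass.upper() != "IN":
            raise ValueError("only class IN is handled")
        rrs.append((owner, int(ttl), rtype.upper(), fields))
    return rrs


def sort_key(rr):
    owner, _ttl, rtype, fields = rr
    # RFC 4034 6.1: compare labels from the root outward; a name that is a
    # prefix of another sorts first, which tuple comparison gives for free.
    return (tuple(reversed(name_labels(owner))), TYPE_CODES[rtype], rdata_wire(rtype, fields))


def canonical_rr(owner, ttl, rtype, fields):
    """RFC 4034 6.2 canonical RR: owner | type | class | TTL | rdlength | rdata."""
    rd = rdata_wire(rtype, fields)
    return name_wire(owner) + struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rd)) + rd


def canonical_owner_order(text):
    """Distinct owner names in canonical order, for inspection."""
    seen = []
    for owner, _t, _ty, _f in sorted(parse_zone(text), key=sort_key):
        if owner.lower() not in seen:
            seen.append(owner.lower())
    return seen


def zone_digest(text):
    """SHA-256 over the canonical wire form of every RR, in canonical order."""
    h = hashlib.sha256()
    for rr in sorted(parse_zone(text), key=sort_key):
        h.update(canonical_rr(*rr))
    return h.hexdigest()


def file_digest(text):
    """What a PGP signature over the zone *file* effectively commits to."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample zone with a delegation and its glue (not a real zone).
ZONE = """\
example.         3600 IN SOA  ns1.example. hostmaster.example. 2018070901 7200 3600 1209600 300
example.         3600 IN NS   ns1.example.
example.         3600 IN NS   ns2.example.
ns1.example.     3600 IN A    192.0.2.1
ns2.example.     3600 IN A    192.0.2.2
sub.example.     3600 IN NS   ns.sub.example.
ns.sub.example.  3600 IN A    192.0.2.53   ; glue for the delegation
"""

# Same RRs after a round trip through another tool: reordered, tab-separated,
# case changed, comment dropped.  Byte-identical?  No.  Same zone?  Yes.
ZONE_REFORMATTED = """\
NS.SUB.Example.\t3600\tIN\tA\t192.0.2.53
ns2.example.\t3600\tIN\tA\t192.0.2.2
example.\t3600\tIN\tNS\tNS2.EXAMPLE.
sub.example.\t3600\tIN\tNS\tns.sub.example.
example.\t3600\tIN\tSOA\tNS1.example. hostmaster.example. 2018070901 7200 3600 1209600 300
ns1.example.\t3600\tIN\tA\t192.0.2.1
example.\t3600\tIN\tNS\tns1.example.
"""

# An intermediary rewrote the glue address: the canonical digest must change.
ZONE_TAMPERED = ZONE.replace("192.0.2.53", "198.51.100.9")

if __name__ == "__main__":
    print("canonical owner order:", canonical_owner_order(ZONE))
    print("file digests equal   :", file_digest(ZONE) == file_digest(ZONE_REFORMATTED))
    print("zone digests equal   :", zone_digest(ZONE) == zone_digest(ZONE_REFORMATTED))
    print("tampered glue caught :", zone_digest(ZONE) != zone_digest(ZONE_TAMPERED))
```

The file digest of the two presentations differs, the canonical digest is identical, and the rewritten glue record changes the canonical digest regardless of how the zone was transported. The cost is exactly the one raised in the thread: the producer has to sort the whole zone into canonical order before hashing, which is cheap for a periodically published zone and expensive for one changed by frequent dynamic updates.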