Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
"John R Levine" <johnl@taugh.com> Mon, 13 January 2020 19:52 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 754E6120113 for <dnsop@ietfa.amsl.com>; Mon, 13 Jan 2020 11:52:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=D3wv2LI9; dkim=pass (1536-bit key) header.d=taugh.com header.b=qgt9PvoT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIKsyKfuLdyI for <dnsop@ietfa.amsl.com>; Mon, 13 Jan 2020 11:52:49 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D160712096D for <dnsop@ietf.org>; Mon, 13 Jan 2020 11:52:47 -0800 (PST)
Received: (qmail 96951 invoked from network); 13 Jan 2020 19:52:46 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=17ab3.5e1cca8e.k2001; i=johnl-iecc.com@submit.iecc.com; bh=2IMcFjmoWLoCu2qLcLYdSQkfvC01lIUW6YTMbF/A/zo=; b=D3wv2LI9zASy1SlmyXvUws2g/FOE0KJflhcZBxmFrhyf2ihkezTKLbJiH0KANuZ8V70Ftm3d4HrnN7RzVqNnW2z6DvERybqCraitX6z5n7XQRCOwSs8IcOfqiS/F/PUjxqDDwv2kuL5ruEj0PoAhV9KKY4ytTVeoigIJm5WL3yE/jZpe/ms1J84gZhny2rbDyFRL8I2ydMUYvZEduak6jZw+Bi4SrGa35SHSai+slGKfjZrG05LCI8QcelqCGsWL
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=17ab3.5e1cca8e.k2001; olt=johnl-iecc.com@submit.iecc.com; bh=2IMcFjmoWLoCu2qLcLYdSQkfvC01lIUW6YTMbF/A/zo=; b=qgt9PvoTUXxWTMtxusgsoZNKvBtUfbGhtijTDHBWunfo7btBejghH1BgVG2ryU8v92wVsUUDshYCW0WBzFZjcxvYxEO6c/qyQc41z74McypcEf0ZtIiZ/uXIPXjP4GFIuq78jfdO6BYaVH0QfkaED6E174jpfjI4PU4HH/SJq1eGNHa3ki3Fwr1jnXPRVKCZh/DINK8CnEPFgZ4c+OQ+pdbA8jTAHjj6AeFKw+IZUruLWtDMpcoLg6/pmdPfxOrL
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.3 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP6; 13 Jan 2020 19:52:46 -0000
Date: Mon, 13 Jan 2020 14:52:46 -0500
Message-ID: <alpine.OSX.2.21.99999.374.2001131452010.15982@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: dnsop@ietf.org
In-Reply-To: <ed2c18b2-65f8-954d-7d2f-8102b08e9748@nthpermutation.com>
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy> <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com> <alpine.BSF.2.21.99999.352.2001081505180.78172@gal.iecc.com> <ed2c18b2-65f8-954d-7d2f-8102b08e9748@nthpermutation.com>
User-Agent: Alpine 2.21.99999 (OSX 374 2019-10-27)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1353004278-1578945166=:15982"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EL_8d5-UF5aKc3ive_zG4nIcIEw>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 19:52:51 -0000
> Thought I'd forgotten about this? :-) No such luck, but I'm done. I don't see any benefit in further argument. > > On 1/8/2020 3:13 PM, John R Levine wrote: >> On Wed, 8 Jan 2020, Michael StJohns wrote: >>> I'm running a private copy of the root zone for my organization. I >>> (automated) check the SOA every so often, and arrange for a download of >>> the zone when it changes. I (automated) get a copy of the zone data, >>> including an ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD >>> RR is invalid (hashes don't match). I do: >>> [ various things ] >> >> I know this isn't the answer you want, but it still depends. One size fits >> all error recovery is rarely possible. I also realize you're trying to >> tease out a single answer to the question of whether a ZONEMD failure is >> more likely to be a bogus zone or a broken signer, and it still depends. > > No - I'm trying to tease out what the receiver does without being able to > determine why the zone didn't validate. AFAICT you're sticking with "there > must be a human in the loop because we haven't a clue why it didn't validate > and we mustn't do anything until we do". This sounds remarkably like the > arguments related to DNSSEC and non-DNS dependence on validity. > >> >> In the rather peculiar case of the root zone, ZONEMD for the first time >> covers the otherwise completely unauthenticated A/AAAA records for the root >> servers since root-servers.net remains unsigned, so it can detect tampering >> that we couldn't detect before. > > Given that I said I'm using this for local publication of the root, those > glue records are unlikely to be of any interest to me. > > In any event, the *right* way to verify those records is to actually try and > make a connection with them. That gets you away from "the operation was > successful (e.g. ZONEMD said these were fine), but the patient died (e.g. the > addresses didn't actually point to a root instance because someone fat > fingered the data entry)" problem. > > >> Since we happen to know that significant changes to the root are fairly >> rare, I'd keep using the old version of the root and flag the failure for >> someone to look at. > > Would you or would you not add the additional records - e.g. new DS's or new > names? Or if the serial was N+1 would you only use the records that were > there at N? Keep in mind that DNSSEC says that all of the new records > validate. It's just this damn ZONEMD RR that doesn't seem to have its act > together. > > >> >> In other applications, the risks and consequences are different, so I'd >> probably do something different. > > Given that - why do you think this is useful for more than a small set of DNS > geeks? Yes, info is useful, but either you depend upon it or it's just a > play thing. If the former, you have to then start assuming other people will > depend upon it, which means you need to be serious about getting the > provisioning right, and at the receiver, discarding "bad data". Something > that does not require a human to spend costly man hours resolving over and > over and over again. > > Never mind - I'm not convinced of the general utility of this scheme. It > feels like DNS bloat and more a solution in search of a problem. That said, > I appreciate Duane's willingness to make changes to fix some of the more > egregious problems. > > Later, Mike > > > > >> >> Regards, >> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY >> "I dropped the toothpaste", said Tom, crestfallenly. > > > Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine