Re: [DNSOP] Incremental zone hash - XHASH

Joe Abley <jabley@hopcount.ca> Wed, 25 July 2018 17:03 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A60B1130ECA for <dnsop@ietfa.amsl.com>; Wed, 25 Jul 2018 10:03:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lNx3h_-Q86U for <dnsop@ietfa.amsl.com>; Wed, 25 Jul 2018 10:03:42 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4099130EDF for <dnsop@ietf.org>; Wed, 25 Jul 2018 10:03:42 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id h23-v6so9625561ita.5 for <dnsop@ietf.org>; Wed, 25 Jul 2018 10:03:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tMYBaWLTHtpLZ9f/KOeFAaWYBfZcgSjwBXlCCyH2wnw=; b=e8AtRbiChu3EBNE+Vy6Hs4XrNwMenlQPTwN5ax1t0kTb+9U2iPQb45mwJIi4vFynaZ v4TduK7Ek4O0JJUXXA23GUf8MS8kWm/d97Cw0L781houUAFTgDTAMsM4gtpRufp70+FZ KrUc4La44FRU7/hE5INpepFbAOMFbBDVm23dw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tMYBaWLTHtpLZ9f/KOeFAaWYBfZcgSjwBXlCCyH2wnw=; b=Y+7OyVjKQFaQ54Q+9GwSFERPhvww6EuIaVd7O7NNop5FaP/BtcXEsE/Jv3BtcTZ4K8 sjSEOAXqUCt2L5IqHoHEtAWwlhuX9dEGReXkSNj8V8ck1UMi0J7XMWvaOKzk/u8xRs93 yKdRsK06/oVCf9xag/l7jCx6URCNRYEFpACH4hSwLA4fkrxCai9Z1YHtZ4713P8qXq9E 76BsNdXTUy0anXsQTnJ+vHb+ZrBkcvT8wqHMbVIJ6zli6jqPcvyCh7OM24GGiq67VzJs D5JJyvTAgknOOUU1ZaUPnXDSHSC2j2VVMwQGm9K6tuktyTXsUXFyJRpaJFw6HGJ1iqin P5Eg==
X-Gm-Message-State: AOUpUlFMqLPr0UYfchat1fS+yuUMtjUaueAaOgioPFlwyNc8mqY+Iq92 DN00vnUtIyyTrfwKiq3dH5R7mTlH/MY=
X-Google-Smtp-Source: AAOMgpf7gvcWPRDzCFXIZY2Yma4j5jDJUqa4SX8DTEcmJTihwkK4tbmKwZbfaz8VgN7vmCgxMlHFcg==
X-Received: by 2002:a24:3c53:: with SMTP id m80-v6mr5130218ita.86.1532538222150; Wed, 25 Jul 2018 10:03:42 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:203:4123:32eb:17a9:3c? ([2607:f2c0:101:203:4123:32eb:17a9:3c]) by smtp.gmail.com with ESMTPSA id o134-v6sm2912029ito.9.2018.07.25.10.03.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Jul 2018 10:03:40 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAHw9_iK1W-CeA+ppJWggzCDhTwdi-jhGZOe6D44XfRJNeSginA@mail.gmail.com>
Date: Wed, 25 Jul 2018 13:03:39 -0400
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4E6ABAE3-A918-48F0-9DED-8AF9E5B4AC5E@hopcount.ca>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org> <CAKr6gn1axEztD06WoH0a+=WGjrzPNSiYWtk-qLzKY0BWprCVwA@mail.gmail.com> <alpine.LRH.2.21.1807221443170.5582@bofh.nohats.ca> <CAHw9_iK1W-CeA+ppJWggzCDhTwdi-jhGZOe6D44XfRJNeSginA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/F462tfXbCEt_RE8w_bTv8_JKCVg>
Subject: Re: [DNSOP] Incremental zone hash - XHASH
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 17:03:50 -0000

On 25 Jul 2018, at 12:30, Warren Kumari <warren@kumari.net> wrote:

> One of the original promises of DNSSEC is that I'd be able to find a
> zonefile written on a napkin on a bar floor, and trust it -- currently
> I cannot do this.

I don't think this is correct.

The main thrust of DNSSEC (as finally standardised) was to protect caches from poisoning -- in other words, to protect responses with cryptography.

Zone files contain things that are not responses, but are used to obtain responses (like glue records, NS RRSets above a zone cut). I don't think it was ever a design goal to sign those, and hence it wasn't a design goal to sign zones in the way that you describe.


Joe