Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
"Wessels, Duane" <dwessels@verisign.com> Mon, 30 July 2018 22:24 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A382130EFC for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 15:24:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iw7AQHfTsB0r for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 15:24:46 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D25771311A8 for <dnsop@ietf.org>; Mon, 30 Jul 2018 15:09:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8633; q=dns/txt; s=VRSN; t=1532988553; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=fKn+VxcV4TG4eycRso/1jWKH+vvBfRohQcdykZV0BR8=; b=YuVGjg9vdoWHSA/BBj/tlsQ+bHa7WnX5Xs4DXMkeFEaPb3Z+mEyy+fOA WSLwlh8KlDWM8sBluV/lmYCkNZn9km9zhK0XVnQ/9AHnfuwutGEjETgP0 7WDU9h422w2NI1di2MD/YTC84wHW9yI3JNi34capb3ub23+Kv1bVek/YP 6CSCtzgMJVpdYw3Fo4dRRvLu+JnEqTj79PBtg2WJygVDpif8Yszyfa+wc ev3+U4PHvSx1NDMkqmtAaBpUKm/MngxBHdG9B8ax1Knep8DAMG6TivON8 AmTo0x1usQyERcFdIxm3zZg87G3xqRE3Ymh6s6TOO1QYJrolc1vFWQjrA Q==;
X-IronPort-AV: E=Sophos; i="5.51,424,1526342400"; d="p7s'?scan'208"; a="5346530"
IronPort-PHdr: 9a23:DiNbBBNXJztUVUVpoPAl6mtUPXoX/o7sNwtQ0KIMzox0K/z8pcbcNUDSrc9gkEXOFd2Cra4c1ayO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhTexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDIOgYYUBDOQBMuRZr4bhqFQDthS+CRWpBO711jNEmmH60Ksn2OohCwHG2wkgEsoAvHvUstr1L7wSXv6xzKnT1TnIcv1Y2Srn54jObB8tr+yHULVtfsvf10YvDBjFgUuUqYz+JD6VyPoCs3Ka7+p7VOKvhGgnpxttrTiow8chk4/EjZ8bxFDD8CV22oc1JdugRUFhfdKoCpxQtzuVN4duXswuX3tkuCEgyr0JoZK7fS4KyJogxxLFbPyHaYeI7gr5W+qPOzt4g2hleL2nixmp7USs0Or8VtO70FpStCVFnNjMtnQM1xPJ8ciLU/19/ly92TqV0ADT8O5ELVgpmqbHMZIhxaQwlpULvUvYACP6gkL2jLWZdkgi5+Om6Pznb637qpOALYN4lwPzP6o0lsCiAek1PBICUmef9OikybHv4Vf1TKhIg/EqiKXVrZ/XKMcBqqKkAAJZyogj5Ai8Aju61dkVmGMIIVFBdR2cioXkNU/CL+35APq6mFuhlDZmyvLDM7DvDJjALGXMnbH8drhn8UFc0hA8zdVH6pJRDbEOPez8V1fqtNzdEh85Kwu0w/v7CNll1oMRR2aPAqiBPa7PrVGG/v8jLOmUaoEauTnxN+Yp6+TwjXAlnl8dZ7Gp0YENZ3+lBPhmPV+ZYWHqgtsbDWgKuQ8+QPTriF2ETzFTe26/U78g6j0hFY6rD4nOSpqwjLGB0iq3BJJba2ReBlCJC3jodoGEW/kWaCKVJ89siiELVLa/RI86zhGhqgv6y6F8I+rK5CIYr5Pj1MN05+3ckxE+7yB7D8OY022VVWF7gnsIRyMq3KB4uUF90UuD3rZmg/NGDtFT/PNJUgY8NZ7f0ux6EdfyVhjdcdeOTVasWs+mDi0pTtIt398OZF5wFMikjhDY2CqqG6QYl72VC5wo/KLQxX/xJ9xyyyWO6K50tEUrXMYHHnehja1y7UCHHJLEjUixjKarc6cBximL/2CGmzmgpkZdBURPXL7eUHQEIgP6sN3/6wmKG7OxBK88Pw9a4dCPMKpRa9Lvy15BQaGwa5zlf2utljLoVl6zzbSWYd+vIj1F0Q==
X-IPAS-Result: A2F1AQAoi19b/zGZrQpcGQEBAQEBAQEBAQEBAQcBAQEBAYQxgScKmh4ll0sIAx+BEYM8AoM1OBQBAgEBAQEBAQIBAQKBBQyCNSQBgUJfPQEBAQECAXcCBQsCAQgYLgIwJQIEDgUOgxIBgXeuF4RehVkPhj6CW4FCPoESJwwTgkyEaC0ngnSCJAKMa40lAwYCg2WBWVeXKY8oAYJnAgQCBAUCFIFYgXRwFWUBgj4JgkSGDYI7hT5vAY0AK4EBgRsBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 30 Jul 2018 18:09:11 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 30 Jul 2018 18:09:11 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Steve Crocker <steve@shinkuro.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUKFHxbNsf3clpX0iKUDaDVzSU+A==
Date: Mon, 30 Jul 2018 22:09:11 +0000
Message-ID: <87960245-32FD-41A7-AB36-D41E48B99789@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <CAAObRXL2LoB3f=296ZPE1Pp1nHkG---pRPAmyO1trTROxneHDQ@mail.gmail.com> <FF0A0A24-705F-46E3-BF31-314078636EE2@isc.org> <84636548-60C4-40F5-8C05-E5AD70886CB4@isc.org> <B795E43C-E0A1-4965-995B-BD50606DCEB2@shinkuro.com>
In-Reply-To: <B795E43C-E0A1-4965-995B-BD50606DCEB2@shinkuro.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_73B34EE2-F894-46DF-B639-ECCCFF9B4734"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FJVGmKdwIQb125A1Cml3S5Wgcuw>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 22:24:51 -0000
> On Jul 26, 2018, at 7:39 PM, Steve Crocker <steve@shinkuro.com> wrote: > > The passage below puzzles me. Why do you want servers to get the root zone from less trusted sources? Steve, I wouldn't put it that way. I'd say that the servers shouldn't have to trust the sources, they should have the ability to trust the data itself. > And why does the source matter if the zone entries are DNSSEC-signed? Because many records in the (root) zone are not signed. For example none of this is signed: org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS c0.org.afilias-nst.info. org. 172800 IN NS d0.org.afilias-nst.org. b0.org.afilias-nst.org. 172800 IN A 199.19.54.1 b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1 b2.org.afilias-nst.org. 172800 IN A 199.249.120.1 b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1 d0.org.afilias-nst.org. 172800 IN A 199.19.57.1 d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1 If you have an RFC7706 recursive name server you could be given a root zone with changed delegations for any TLD. If your recursive name server is validating (which it MUST be per 7706) then probably the worst that would happen is an attack on your privacy. The bad name servers can proxy DNS queries to the real ones and thus log your query traffic. If your name server is not validating then, of course, much worse is possible. DW
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý