Re: [DNSOP] Incremental zone hash - XHASH

Wes Hardaker <> Mon, 30 July 2018 23:52 UTC

From: Wes Hardaker <>
To: Paul Wouters <>
Cc: Warren Kumari <>, dnsop <>
Date: Mon, 30 Jul 2018 16:52:49 -0700
In-Reply-To: <> (Paul Wouters's message of "Wed, 25 Jul 2018 13:09:14 -0400 (EDT)")

Paul Wouters <> writes:

> That leaves glue and NS, but there is a reason those aren't signed,
> and any attacker shouldn't get anything out of that by modifying it.

Yes, the glue isn't authoritative and thus not signed by DNSSEC.

But, if you're transferring a zone from an original source to any
secondary server that is redistributing the contents, then modification
by an attacker can certainly do damage (though with fully deployed
DNSSEC, it may be only a DoS; without full deployment it's much
worse, and we're a long way from fully deployed on both ends).

The question of need comes down to: regardless of how it's done, do we
need a global zone data signature across the entire set of distributed
data that survives multiple distribution hops?  From the perspective of
wanting to distribute data across a multitude of mechanisms (including
DNS but also git, bittorrent, http, and Warren's dirty napkin), there
is value to having a verifiable checksum.  That's why software
packages are distributed in the same way: verify that what you got is
authentic before using it.

Wes Hardaker
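The property argued for in the message above (a digest over the whole zone, glue included, that survives re-distribution over any transport) can be illustrated with a small added example. This is not code from the thread or from any of the XHASH/zone-hash drafts it discusses, and it does not implement their canonical form: it works on one-RR-per-line presentation format, folds owner-name and type case, normalizes whitespace and sorts records before hashing, so that cosmetic rewriting by an intermediate hop leaves the digest unchanged while any change to record content (here, the non-DNSSEC-signed glue A record) does not. The zone data and the `example.test` names are constructed for the example.

```python
import hashlib
import re

# Constructed sample zone (presentation format, one RR per line); not from the thread.
ORIGINAL_ZONE = """\
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2018073001 7200 3600 1209600 3600
example.test.      3600 IN NS   ns1.example.test.
example.test.      3600 IN NS   ns2.example.test.
ns1.example.test.  3600 IN A    192.0.2.1
ns2.example.test.  3600 IN A    192.0.2.2
child.example.test. 3600 IN NS  ns.child.example.test.
ns.child.example.test. 3600 IN A 198.51.100.7
"""

# The same zone after a hop that reordered lines, swapped spaces for tabs and
# changed letter case, as a relay or a repository might. Same data, so the
# digest must not change.
REORDERED_ZONE = """\
; same data, different order, tabs and case
ns.child.example.test.\t3600\tin\tA\t198.51.100.7
NS2.Example.Test. 3600 IN a 192.0.2.2
example.test. 3600 IN NS ns2.example.test.
child.example.test. 3600 IN NS ns.child.example.test.
example.test. 3600 IN SOA ns1.example.test.   hostmaster.example.test.   2018073001 7200 3600 1209600 3600
ns1.example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN NS ns1.example.test.
"""

# A hop that rewrote the glue for the child delegation. Glue is not covered by
# DNSSEC, so only a whole-zone digest catches this.
TAMPERED_ZONE = ORIGINAL_ZONE.replace("198.51.100.7", "203.0.113.66")

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$", re.IGNORECASE)


def parse_zone(text):
    """Parse one-RR-per-line presentation format into (owner, ttl, type, rdata).

    Owner names and types are case-folded and RDATA whitespace is collapsed so
    that cosmetic rewriting in transit does not alter the digest. RDATA case is
    left alone (TXT records are case-sensitive). This is a toy parser: no $TTL,
    $ORIGIN, relative names or multi-line records.
    """
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable RR line: {raw!r}")
        owner, ttl, rtype, rdata = m.groups()
        rrs.append((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return rrs


def zone_digest(text):
    """SHA-256 over the sorted canonical records: order-independent, glue included."""
    h = hashlib.sha256()
    for owner, ttl, rtype, rdata in sorted(parse_zone(text)):
        h.update(f"{owner} {ttl} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def verify_zone(text, expected_digest):
    """Check a received copy against the digest published by the zone's origin."""
    return zone_digest(text) == expected_digest


if __name__ == "__main__":
    published = zone_digest(ORIGINAL_ZONE)
    print("digest:", published)
    print("reordered copy verifies:", verify_zone(REORDERED_ZONE, published))
    print("tampered glue verifies:", verify_zone(TAMPERED_ZONE, published))
```

The digest only gives integrity relative to whatever value the receiver trusts: for it to prove authenticity across hops it must itself be delivered in a way an attacker on the path cannot rewrite, for instance signed by the zone's origin (as the zone-hash proposals do by placing it in a DNSSEC-signed record) or carried alongside a signature, exactly as a package checksum is only useful when it comes from a signed manifest rather than from the same mirror as the package.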