Re: [DNSOP] SIG(0) useful (and used?)

Shumon Huque <shuque@gmail.com> Fri, 22 June 2018 16:12 UTC

References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org> <6B764CF2-FC1F-4B55-B4A3-F49729847DCF@bangj.com> <b85eb6ec-8d4c-221a-35ac-4c4efb9bd5c4@nic.cz> <56702D15-B557-4A9E-BD18-5379105CCB30@bangj.com> <CAHPuVdWnm8nCHD4DbC=LnPoJgch7ZO7NuitHECnMxsrVLZExqA@mail.gmail.com> <ECDE3B3C-A865-41B9-B188-F6C6DED2467A@bangj.com> <CAPt1N1m+qx78K+2K80adA+nyOtjyyHkc2Ah2duq89a8L6kwjqA@mail.gmail.com> <CC42D2F0-5EB8-45FF-992D-92AEC9C13FE8@bangj.com>
In-Reply-To: <CC42D2F0-5EB8-45FF-992D-92AEC9C13FE8@bangj.com>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 22 Jun 2018 12:12:08 -0400
Message-ID: <CAHPuVdVPKuUwk3=rhaXnzDQmBKk8DGRjiSptCwpzbwon6t6XHw@mail.gmail.com>
To: pusateri@bangj.com
Cc: mellon@fugue.com, "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Hg40zM6Z9reqDcY15Grn6ugbjX0>
Subject: Re: [DNSOP] SIG(0) useful (and used?)

On Fri, Jun 22, 2018 at 12:05 PM Tom Pusateri <pusateri@bangj.com> wrote:

> What’s the point of using DNS to look up a KEY RR to verify a signature if
> you can’t trust the KEY? The KEY resides in the sender’s zone, so no
> relationship with a resolver will help you here.
>

Yeah, this is a limitation in the SIG(0) spec as currently written that I
don't think needed to be there. If we consider the functionality of SIG(0)
to be essentially a public key version of TSIG, then it should be possible
to support a mode of operation where the key material is verified and
pre-configured out-of-band, as is commonly the case with TSIG. If I were
implementing SIG(0), I would have supported that.

Shumon.