Re: [DNSOP] SIG(0) useful (and used?)

Mark Andrews <marka@isc.org> Tue, 19 June 2018 21:47 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 081BD12785F for <dnsop@ietfa.amsl.com>; Tue, 19 Jun 2018 14:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ke11uLFISC7V for <dnsop@ietfa.amsl.com>; Tue, 19 Jun 2018 14:47:21 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0853A130E63 for <dnsop@ietf.org>; Tue, 19 Jun 2018 14:47:21 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EBF0C3AB007 for <dnsop@ietf.org>; Tue, 19 Jun 2018 21:47:20 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id BC056160053; Tue, 19 Jun 2018 21:47:19 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A13FE16008D; Tue, 19 Jun 2018 21:47:19 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ku7uq_K3UJHD; Tue, 19 Jun 2018 21:47:19 +0000 (UTC)
Received: from [172.30.42.89] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 56386160053; Tue, 19 Jun 2018 21:47:19 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <D7C0BCA9-A5E1-4168-9601-209DF8B2902A@isc.org>
Date: Wed, 20 Jun 2018 07:47:16 +1000
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8E78A662-D498-4117-85F5-2DB7D4979EC8@isc.org>
References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org> <CD6DB8C1-108A-433E-8CD9-34F549844D10@isc.org> <D7C0BCA9-A5E1-4168-9601-209DF8B2902A@isc.org>
To: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JLZoJWf6lgp3rBosWEffHQ1V_wQ>
Subject: Re: [DNSOP] SIG(0) useful (and used?)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 21:47:23 -0000

SIG(0) has miles of potential.  Active Directory shows that hosts updating their own addresses is useful.

SIG(0) provides a similar mechanism without the overhead of AD.   It actually works well today if you spend the time to hook it into a system.  What’s needed is for OS vendors to ship machines with support enabled.

Use AD if the machine is part of  a AD domain and this if it isn’t.
It really isn’t that hard to do it just requires OS developers to do it.

-- 
Mark Andrews

> On 20 Jun 2018, at 07:33, Ondřej Surý <ondrej@isc.org>; wrote:
> 
> But if nobody uses that and nobody else implements this, it sort of beats the usefulness of the feature.
> 
> Ondrej
> --
> Ondřej Surý — ISC
> 
>> On 19 Jun 2018, at 23:20, Mark Andrews <marka@isc.org>; wrote:
>> 
>> SIG(0) is much superior for machines updating their own data  to TSIG as you don’t need a secondary storage for the TSIG key.   You can replace a master server without having to worry about transferring TSIG secrets off a dead machine. You just copy the zone from a slave and go.
>> 
>> There are other scenarios where it is also superior like automaton delegating  In the reverse tree.
>> 
>> No I don’t think it should go. 
>> 
>> It should be widely implemented so it can be used. There is a lot of self fulfilling prophecy in the DNS of people will never is this so we won’t implement it. 
>> 
>> -- 
>> Mark Andrews
>> 
>>> On 20 Jun 2018, at 06:48, Ondřej Surý <ondrej@isc.org>; wrote:
>>> 
>>> Hi,
>>> 
>>> as far as I could find on the Internet there are only SIG(0) implementation in handful DNS implementations - BIND, PHP Net_DNS2 PHP library, Net::DNS(::Sec) Perl library, trust_dns written in Rust and perhaps others I haven’t found; no mentions of real deployment was found over the Internet (but you can blame Google for that)...
>>> 
>>> Do people think the SIG(0) is something that we should keep in DNS and it will be used in the future or it is a good candidate for throwing off the boat?
>>> 
>>> Ondrej
>>> --
>>> Ondřej Surý
>>> ondrej@isc.org
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>