Re: [DNSOP] zone contents digest and DNSSEC stuff

"libor.peltan" <> Tue, 29 September 2020 13:42 UTC

To: Joe Abley
Date: Tue, 29 Sep 2020 15:42:05 +0200

Hi Joe,

On 29.09.20 at 15:03, Joe Abley wrote:
> The other use case I seem to think you're implying is that a consumer of the signed zone could verify that it was intact using the signed-zone ZONEMD, then strip the DNSSEC RRs and retain the ability to verify that the result was an accurate representation of the unsigned zone using the unsigned-zone ZONEMD. This seems like a slightly odd thing to want to do, but perhaps I'm just not thinking hard enough?
> Joe

Yes, something like this.

My initial thought was that the signer, which converts the un-signed 
zone by adding signatures and keys, might not be able to compute/update 
the ZONEMD record.

It might also be useful, when the zone is only re-signed and otherwise 
unchanged, if the zone checksum was unchanged.

I'm not sure. This is just a thing to be thought of.

I would love it if there were a bit flag indicating whether the checksum 
has been computed including DNSSEC records or without them. This would 
leave the freedom of choice to the users, while adding some complexity to 
software.

Thanks for your consideration,
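As an added example, not code from this thread or from any nameserver or signer: a simplified model of the ZONEMD SIMPLE-scheme digest with a hypothetical include_dnssec switch, assumed here to skip the record types listed in DNSSEC_TYPES; records are text tuples rather than DNS wire format, so the digests are not comparable with real ZONEMD values. It shows that re-signing changes the digest over the signed zone but leaves the unsigned-view digest unchanged.

```python
"""Simplified model of a ZONEMD-style zone digest (RFC 8976 SIMPLE scheme).
Added example, not code from the thread or from any DNS implementation.
Records are (owner, type, rdata) text tuples rather than DNS wire format,
so digests are not byte-compatible with real ZONEMD values; what the
example shows is the record selection and ordering logic."""
import hashlib

# DNSSEC record types skipped by the hypothetical "unsigned view" digest.
DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}

def canonical_key(rr):
    """Order as RFC 8976 hashes records: owner name in canonical (reversed,
    lowercased) label order, then RR type, then rdata."""
    owner, rtype, rdata = rr
    labels = tuple(owner.lower().rstrip(".").split("."))[::-1]
    return (labels, rtype, rdata)

def zone_digest(records, include_dnssec=True):
    """Digest the zone. The apex ZONEMD RRset and the RRSIG covering it are
    always excluded, as RFC 8976 requires. include_dnssec=False additionally
    skips all DNSSEC types: the unsigned view from the thread, not RFC 8976."""
    h = hashlib.sha384()
    for owner, rtype, rdata in sorted(records, key=canonical_key):
        if rtype == "ZONEMD" or (rtype == "RRSIG" and rdata.startswith("ZONEMD ")):
            continue
        if not include_dnssec and rtype in DNSSEC_TYPES:
            continue
        h.update(f"{owner.lower()}|{rtype}|{rdata}\n".encode())
    return h.hexdigest()

# Constructed sample zone (RFC 5737 documentation addresses), unsigned.
UNSIGNED = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2020092901 3600 900 1209600 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("www.example.", "A", "192.0.2.2"),
]

def signed_zone(sig_tag):
    """The same zone after (re-)signing; sig_tag stands in for the signature
    bytes, which change on every re-signing while nothing else does."""
    return UNSIGNED + [
        ("example.", "DNSKEY", "257 3 13 constructed-key"),
        ("example.", "RRSIG", f"SOA 13 1 3600 sig-{sig_tag}"),
        ("example.", "RRSIG", f"NS 13 1 3600 sig-{sig_tag}"),
        ("example.", "RRSIG", f"DNSKEY 13 1 3600 sig-{sig_tag}"),
        ("www.example.", "RRSIG", f"A 13 2 3600 sig-{sig_tag}"),
        ("example.", "ZONEMD", "2020092901 1 1 placeholder-digest"),
        ("example.", "RRSIG", f"ZONEMD 13 1 3600 sig-{sig_tag}"),
    ]
```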