Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest
"John Levine" <johnl@taugh.com> Fri, 03 August 2018 03:21 UTC
>> If the resolver is not validating, the ZONEMD assures that all the records
>> are there. The strength of that assurance is the same as the second pre-image
>> strength of the hash. However, the resolver cannot say "oh, look, now I can
>> start resolving with what I got in the zone transfer": it still needs to
>> validate every RRSIG all the way to the root.
>
> That's not what people are going to do. They are going to grab the
> AXFR'ed data, check the checksum and throw it in the "validated" cache
> and they won't revalidate every root zone entry they are about to serve.

Why would my copy of nsd handle it differently than the copy of the root it AXFRs now?

Also, still wondering about that second preimage downgrade attack.

R's,
John