Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

"John Levine" <johnl@taugh.com> Fri, 03 August 2018 03:21 UTC

Date: Thu, 02 Aug 2018 23:21:39 -0400
Message-Id: <20180803032140.04FB2200338B53@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul@nohats.ca
In-Reply-To: <alpine.LRH.2.21.1808022247150.6981@bofh.nohats.ca>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LGeqQmAhlqGBnbYSU_LL9YpqfGk>
Subject: Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

>> If the resolver is not validating, the ZONEMD assures that all the records 
>> are there. The strength of that assurance is the same as the second pre-image 
>> strength of the hash. However, the resolver cannot say "oh, look, now I can 
>> start resolving with what I got in the zone transfer": it still needs to 
>> validate every RRSIG all the way to the root.
>
>That's not what people are going to do. They are going to grab the
>AXFR'ed data, check the checksum and throw it in the "validated" cache
>and they won't revalidate every root zone entry they are about to serve.

Why would my copy of nsd handle it differently than the copy of the
root it AXFRs now?

Also, still wondering about that second preimage downgrade attack.

R's,
John
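The two checks the quoted exchange is contrasting, as an added example that is not part of this message, the draft, or any resolver's code: a zone digest verified against the ZONEMD record carried in the transferred zone, versus the same digest verified against a value the resolver has already authenticated (in practice the ZONEMD RRset after its RRSIG chain validated to the root, modelled here as an out-of-band trusted value). The zone data, the text-based canonical ordering, and the record layout are constructed simplifications, not the draft's wire-format canonicalization.

```python
import hashlib

# Constructed toy zone for illustration; not real root-zone data.
SAMPLE_ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018080300 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns2.example.", "A", "192.0.2.2"),
    ("www.example.", "A", "192.0.2.10"),
]


def canonical_form(zone):
    """Order records deterministically so the digest does not depend on the
    order in which AXFR delivered them. This text-based ordering is an
    assumption standing in for the draft's canonical wire-format ordering."""
    return sorted((owner.lower(), rtype.upper(), rdata) for owner, rtype, rdata in zone)


def zone_digest(zone):
    """SHA-384 over the canonical records. The ZONEMD record itself is skipped,
    since the digest field cannot cover its own value."""
    h = hashlib.sha384()
    for owner, rtype, rdata in canonical_form(zone):
        if rtype == "ZONEMD":
            continue
        h.update(f"{owner} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def publish_with_zonemd(zone):
    """Return the zone with a ZONEMD record at the apex carrying its digest
    (what the publisher does before signing and serving the zone)."""
    apex = next(owner for owner, rtype, _ in zone if rtype == "SOA")
    body = [r for r in zone if r[1] != "ZONEMD"]
    return body + [(apex, "ZONEMD", zone_digest(body))]


def in_zone_digest(zone):
    """Digest value carried by the ZONEMD record in the received zone."""
    return next(rdata for _, rtype, rdata in zone if rtype == "ZONEMD")


def verify_against_in_zone_record(zone):
    """Compare the transferred data with the ZONEMD record it carries.
    Catches truncated or corrupted transfers, but trusts the record as received."""
    return zone_digest(zone) == in_zone_digest(zone)


def verify_against_authenticated_digest(zone, trusted_digest):
    """Compare with a digest the resolver has already authenticated, i.e. the
    ZONEMD RRset after its RRSIG chain validated (supplied out of band here)."""
    return zone_digest(zone) == trusted_digest


def transfer_scenarios():
    """Three outcomes of a zone transfer, each checked both ways.
    Returns {name: (in_zone_check_ok, authenticated_check_ok)}."""
    published = publish_with_zonemd(SAMPLE_ZONE)
    trusted = in_zone_digest(published)  # learned via validated RRSIG in practice

    # A record dropped in transit: the digest no longer matches in either check.
    truncated = [r for r in published if r[0] != "www.example."]

    # A copy with one record changed and the ZONEMD recomputed to match:
    # internally consistent, so only the authenticated digest exposes it.
    altered_body = [r for r in SAMPLE_ZONE if r[0] != "www.example."]
    altered_body.append(("www.example.", "A", "203.0.113.5"))
    altered = publish_with_zonemd(altered_body)

    return {
        "intact": (verify_against_in_zone_record(published),
                   verify_against_authenticated_digest(published, trusted)),
        "truncated": (verify_against_in_zone_record(truncated),
                      verify_against_authenticated_digest(truncated, trusted)),
        "altered": (verify_against_in_zone_record(altered),
                    verify_against_authenticated_digest(altered, trusted)),
    }


if __name__ == "__main__":
    for name, (in_zone_ok, authenticated_ok) in transfer_scenarios().items():
        print(f"{name:10s} in-zone check={in_zone_ok}  authenticated check={authenticated_ok}")
```

The in-zone check is what the quoted text describes people doing ("check the checksum and throw it in the 'validated' cache"): it proves the transferred data is consistent with the digest that came with it, which is enough to notice a lost or corrupted record. Only the second check ties the data to something the resolver trusts independently, which is why the digest does not remove the need to validate the RRSIG chain.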