Re: [DNSOP] Incremental zone hash - XHASH
Paul Wouters <paul@nohats.ca> Sun, 22 July 2018 18:51 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6360F130FD4 for <dnsop@ietfa.amsl.com>; Sun, 22 Jul 2018 11:51:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5LzrkC_aZ5t for <dnsop@ietfa.amsl.com>; Sun, 22 Jul 2018 11:51:20 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1CBF130E23 for <dnsop@ietf.org>; Sun, 22 Jul 2018 11:51:20 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41YYcP587gzKDP for <dnsop@ietf.org>; Sun, 22 Jul 2018 20:51:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1532285477; bh=crbV+xAn0+XzJCvvJej9wBnZ07xWMLay5TejSLnOqOo=; h=Date:From:To:Subject:In-Reply-To:References; b=twNEywRRNjH3Gbi4DiwX4T38N1VnScCxUgJ8YlKSw80aIiW0KWOg553AWu4rosdT6 iw/CQZD9bYcRlLr2AgufxDLpAhvwUetHc4/DOuF3an5RN/cEqjcTUI5Zu/AATZqYLJ D8RvobPaVqfvRgEGamNpINbIK26QhF3SMFY52O4U=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id uKDhMOAjg40G for <dnsop@ietf.org>; Sun, 22 Jul 2018 20:51:16 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Sun, 22 Jul 2018 20:51:13 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 89661A7E07; Sun, 22 Jul 2018 14:51:12 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 89661A7E07
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 7D8CD40008AB for <dnsop@ietf.org>; Sun, 22 Jul 2018 14:51:12 -0400 (EDT)
Date: Sun, 22 Jul 2018 14:51:12 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <CAKr6gn1axEztD06WoH0a+=WGjrzPNSiYWtk-qLzKY0BWprCVwA@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1807221443170.5582@bofh.nohats.ca>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org> <CAKr6gn1axEztD06WoH0a+=WGjrzPNSiYWtk-qLzKY0BWprCVwA@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LR20LO6s0KKaqEOrzD2vy3uiLbA>
Subject: Re: [DNSOP] Incremental zone hash - XHASH
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 18:51:24 -0000
On Fri, 20 Jul 2018, George Michaelson wrote: > The intent (to me at least) is to be able to use exterior fetch, *not* > DNS, to source this as a file. curl. wget. ncftp. rsync. So pull it over HTTPS/TLS and you are good? No bits will be allowed to be flipped without the transport security freaking out. If you are looking at additional trust on the data, we have DNSSEC. If you are concerned about glue/NS being unsigned and modified at the source, then you need some kind of signature over the data that the web server cannot modify. I see no reason why this should be an RRTYPE though. Especially one that can only work in weird automated ways of generating a signature over a file which you then modify to add the signature in. Especially since using an RRTYPE means you are fully relying on DNSSEC as the pubkey for signing the data. And if you use DNSSEC, why care about unsigned data? >> Verification of a AXFR .... Since you dont want to mandate the DNSSEC key on the server serving the data, it has to be some external key/checksum/transport security, which we already have for *XFR permissions? If *XFR doesn't use that for glue/NS, can we not just add a a checksum here based on the XFR keys? ZONEMD and XHASH seem to be the wrong hammers to use here, unless I misunderstood the problem? Paul
- Re: [DNSOP] Incremental zone hash - XHASH Mark Andrews
- [DNSOP] Incremental zone hash - XHASH Mark Andrews
- Re: [DNSOP] Incremental zone hash - XHASH George Michaelson
- Re: [DNSOP] Incremental zone hash - XHASH Mark Andrews
- Re: [DNSOP] Incremental zone hash - XHASH Paul Vixie
- Re: [DNSOP] Incremental zone hash - XHASH Wessels, Duane
- Re: [DNSOP] Incremental zone hash - XHASH Paul Wouters
- Re: [DNSOP] Incremental zone hash - XHASH Warren Kumari
- Re: [DNSOP] Incremental zone hash - XHASH Joe Abley
- Re: [DNSOP] Incremental zone hash - XHASH Paul Wouters
- Re: [DNSOP] Incremental zone hash - XHASH Wessels, Duane
- Re: [DNSOP] Incremental zone hash - XHASH Ondřej Surý
- Re: [DNSOP] Incremental zone hash - XHASH Wes Hardaker