[DNSOP] On Powerbind
Ben Schwartz <bemasc@google.com> Tue, 14 April 2020 16:10 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A197D3A0BB7 for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 09:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yMjg2nIytiAp for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 09:10:18 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 252D13A0BC3 for <dnsop@ietf.org>; Tue, 14 Apr 2020 09:08:08 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id f13so14968309wrm.13 for <dnsop@ietf.org>; Tue, 14 Apr 2020 09:08:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Q34Rfk30etc5ow/j1/wzspKE0RSybm/2RuqqVU3mfts=; b=SzXLtyeMByJtliDY7Y4TspURZBFftbnmwmtKp+3WuAo7XiRNrX4WHRYhE8jHt7o10g nJ4YP2qELBodcmGa9BZ7tLH4/PSQi1of3M8M8TUWZdUv+LiOrVycQHQj5G5cfjTZ51kw lQL0E+UENujuoXdnjoG/tIiYTjRfeRtdSfBenDFsM9qU1JJlEeO4i7H5ilyNqY0t62W4 ewNkHnLZwo0Fm8N1RkU1usD3jz5hQ0AawqpIQu3V6rq519Nv7dF5ZD/CDrdF0Wbj51zG QxtRiKnQTbplRnxKr53X6iaQZmt8UZm0XS9rep+uAfucOwmAsj9x6F/vd9t3CLv8cxMp d5og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Q34Rfk30etc5ow/j1/wzspKE0RSybm/2RuqqVU3mfts=; b=rphjSx91G+GSdC5ATta9beLevBSSZ3VBZN6AmYCNnhTNPWMj5s5yMlnC/0h6LwsuxS 1dHowMnoBBetu0GQ2CDiZPGMF0Vo81gFkjaxj1DbeAVbp1yIAt2kUtyTwEFltiaWH2YY UNdy1AwFPaX1N0+YHoIVQqR9qSdocmKu/VKiz9K0+ZGGCdRaR8MQVnLBhj7K4966r9YB 8z8IKCJ1YsNnHEHxGyQcQ0X0mLH6xkSSzk5Fwr2fdv3b27ULUM+/4zy23j9aWQ2qdyf+ l2HnA4BIuMtT2qw2L7AOkpAXZvWdWOYG3j0H5H0croajGSnM7IXqXIOE7hIbGY0n+d87 SsLA==
X-Gm-Message-State: AGi0PuYJcLIw78MV8jxK5MzHCAemIHR7yrJ9tldtCspt+0WS4beI5gVy DiG8ojCED6FLIALC5y4qzIeM8/FxLUj9I9JwJtQP0VAx
X-Google-Smtp-Source: APiQypLdb7BjVxIS6pGIyFvdca0A/6OhqMkTdX93y9Acc3uGXQFhLecPySPFjapmCHgQSSPYQmUn3qCSmOe93NGrbyk=
X-Received: by 2002:a5d:6310:: with SMTP id i16mr11806964wru.177.1586880485844; Tue, 14 Apr 2020 09:08:05 -0700 (PDT)
MIME-Version: 1.0
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 14 Apr 2020 12:07:54 -0400
Message-ID: <CAHbrMsAbHV8M2GR95nyZ-vCZOGghgxrdVD5NaTC=05q16HBd5Q@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000b410c205a3426733"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Mim94hUet2nQ2T7ZB3Q6Ex2D6h0>
Subject: [DNSOP] On Powerbind
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 16:10:25 -0000
If I understand correctly, the Powerbind draft is designed to reduce the amount of data that must be logged in order to verify appropriate use of a DNSKEY "K" for a delegation-only zone. I'm trying to compare the amount of logging required with and without Powerbind. Here's my current best guess: - With Powerbind, we need to log all DS records (to detect replacement) and NSEC and NSEC3 records (to detect repudiation) that are signed by K, along with their RRSIGs. Resolvers would reject any other records signed by K. - Without Powerbind, we need to log any record signed by K that is not on the apex, along with its RRSIG. But for a delegation-only zone, aren't these the same set? What else would a delegation-only zone be signing beyond the apex, other than DS, NSEC, and NSEC3? Thanks, Ben Schwartz P.S. Hostile zones can spam the log either way, so that problem is out of scope.
- [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Wes Hardaker
- Re: [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Mark Andrews
- Re: [DNSOP] On Powerbind Paul Wouters
- Re: [DNSOP] On Powerbind Paul Vixie
- Re: [DNSOP] On Powerbind Mark Andrews
- Re: [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Petr Špaček
- Re: [DNSOP] On Powerbind Stephane Bortzmeyer
- Re: [DNSOP] On Powerbind Vittorio Bertola
- Re: [DNSOP] On Powerbind Warren Kumari
- Re: [DNSOP] On Powerbind Dick Franks
- Re: [DNSOP] On Powerbind Olaf Kolkman
- Re: [DNSOP] On Powerbind Dick Franks