Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <shuque@gmail.com> Fri, 22 June 2018 14:57 UTC

References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <CAHPuVdWXBDHdiQ2Z1uFx=mZFRBpjndiki+6Eno-2qFoe6hAovw@mail.gmail.com> <20180619231512.GA26273@jurassic> <CAHPuVdVSXNKZEhZ_2-vV_9py_n5Dw+FaMXXBbQtORwGF2xuDQw@mail.gmail.com>
In-Reply-To: <CAHPuVdVSXNKZEhZ_2-vV_9py_n5Dw+FaMXXBbQtORwGF2xuDQw@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 22 Jun 2018 10:56:52 -0400
Message-ID: <CAHPuVdVq+01iejOhjbU=tvHbJitQ=BWHUVAU7YT2OAyiXNwWcw@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ogli2kWaZ0t9H21Iyy_A7ZsoI60>

On Wed, Jun 20, 2018 at 9:15 PM Shumon Huque <shuque@gmail.com> wrote:

> On Tue, Jun 19, 2018 at 7:15 PM Mukund Sivaraman <muks@mukund.org> wrote:
>
>>
>> There also seems to be a scalability problem with SIG(0) in that
>> generating the signature involves a public-key operation per DNS
>> message.
>>
>> For a zone transfer of the root zone from F, the AXFR contains 79
>> messages in the TCP continuation:
>>
>> ;; XFR size: 22554 records (messages 79, bytes 1335768)
>>
>
> Yup, I realize that. That was one of the reasons I mentioned that SIG(0)
> can also sign IXFR messages if they are available from the server, which
> could significantly reduce the performance impact. Thinking about it more
> now though, I recall that the current root zone management scheme isn't
> that conducive to incremental transfer, since the zone is signed
> monolithically twice a day (IIRC).
>

One other comment on this: Getting better performance than this requires
re-inventing something akin to TLS key exchange, and I was wondering if
anyone had thought of that during the development of SIG(0). And sure
enough, RFC 2930 proposes (among other things) SIG(0) authenticated
symmetric key establishment using TKEY, either via Diffie-Hellman or
client chosen key transport.

So, together with AXFR-SIG (i.e. full zone signature), Don Eastlake appears
to have long ago contemplated most of the design space around this draft
and its problem space! :-)

Shumon.
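The cost comparison Mukund and Shumon are discussing above, worked as an added example (editor's code, not from the thread, RFC 2930 or any DNS implementation): a transfer of the 79 messages quoted for the root-zone AXFR is authenticated first SIG(0)-style, with one signature per message, and then RFC 2930-style, with a SIG(0)-authenticated Diffie-Hellman TKEY exchange once and a TSIG HMAC on every message afterwards. Assumptions are labelled in the comments: Ed25519 is used as the SIG(0) algorithm, X25519 stands in for the finite-field Diffie-Hellman group RFC 2930 specifies, SHA-256 of the shared secret stands in for the RFC's own key derivation, and the messages are constructed byte strings rather than real zone data. The function names (`sig0Transfer`, `establishKey`, `tkeyTransfer`, `tsigSign`) are the example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must aborts on the only failure the key operations below report: no entropy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSIG0Key generates the server's long-term signing key (its KEY RR analogue).
func newSIG0Key() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sig0Transfer models SIG(0) on every message: the server signs each message and
// the client verifies each one. Returns the server's public-key operation count.
func sig0Transfer(msgs [][]byte) (pubOps int, ok bool) {
	pub, priv := newSIG0Key()
	for _, m := range msgs {
		sig := ed25519.Sign(priv, m) // one public-key operation per message
		pubOps++
		if !ed25519.Verify(pub, m, sig) {
			return pubOps, false
		}
	}
	return pubOps, true
}

// tsigSign stands in for TSIG's HMAC-SHA256 over a message; verification is
// hmac.Equal of a recomputed tag against the received one.
func tsigSign(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// establishKey models RFC 2930's SIG(0)-authenticated Diffie-Hellman TKEY
// exchange: the server signs its ephemeral DH value, the client checks that
// signature, and both sides derive a TSIG key from the DH secret. Assumptions:
// X25519 replaces the RFC's finite-field DH group and SHA-256 of the shared
// secret replaces the RFC's key derivation. Keys are nil if the client rejects.
func establishKey() (clientKey, serverKey []byte, serverOps int) {
	sigPub, sigPriv := newSIG0Key()
	clientDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	serverDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	// Server -> client: TKEY response carrying the server's DH value under SIG(0).
	serverVal := serverDH.PublicKey().Bytes()
	tkeySig := ed25519.Sign(sigPriv, serverVal)
	serverOps++
	if !ed25519.Verify(sigPub, serverVal, tkeySig) {
		return nil, nil, serverOps
	}
	// Each side computes the DH secret from its own private value; this is the
	// server's second and last public-key operation for the whole transfer.
	serverShared := must(serverDH.ECDH(clientDH.PublicKey()))
	serverOps++
	clientShared := must(clientDH.ECDH(serverDH.PublicKey()))
	ck, sk := sha256.Sum256(clientShared), sha256.Sum256(serverShared)
	return ck[:], sk[:], serverOps
}

// tkeyTransfer runs key establishment once, then one TSIG HMAC per message.
func tkeyTransfer(msgs [][]byte) (pubOps, hmacs int, ok bool) {
	clientKey, serverKey, pubOps := establishKey()
	if clientKey == nil {
		return pubOps, 0, false
	}
	for _, m := range msgs {
		tag := tsigSign(serverKey, m)
		hmacs++
		if !hmac.Equal(tsigSign(clientKey, m), tag) {
			return pubOps, hmacs, false
		}
	}
	return pubOps, hmacs, true
}

func main() {
	msgs := make([][]byte, 79) // the message count quoted above for the root-zone AXFR
	for i := range msgs {
		msgs[i] = []byte(fmt.Sprintf("constructed AXFR message %d", i+1))
	}
	sigOps, _ := sig0Transfer(msgs)
	keyOps, hmacs, _ := tkeyTransfer(msgs)
	fmt.Printf("SIG(0): %d public-key ops; TKEY then TSIG: %d public-key ops, %d HMACs\n", sigOps, keyOps, hmacs)
}
```

Running it reports 79 public-key operations for the per-message scheme against 2 (one signature over the TKEY response, one DH computation) plus 79 HMACs for the TKEY-then-TSIG scheme; the HMACs are the cheap part, which is the point of the exchange. What the example deliberately does not model is the TKEY message format itself or the expiry and re-keying that a real symmetric key would need, and X25519 is only a stand-in for the group RFC 2930 actually defines.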