[DNSOP] Ghost of a zone signature effort from the long ago days...

Edward Lewis <edward.lewis@icann.org> Tue, 31 July 2018 17:51 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 00148130E60 for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 10:51:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id YSQKepKGGoMR for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 10:51:45 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05C0A130E5E for <dnsop@ietf.org>; Tue, 31 Jul 2018 10:51:45 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-2.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 31 Jul 2018 10:51:43 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1367.000; Tue, 31 Jul 2018 10:51:42 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Ghost of a zone signature effort from the long ago days...
Thread-Index: AQHUKPcjDWydtbgOXEmuihPLE8gVhw==
Date: Tue, 31 Jul 2018 17:51:42 +0000
Message-ID: <65F3017E-3571-4517-9189-7D43E48DADBF@icann.org>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.d.0.180513
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <0E81F0876EA643408269432BE10B67F1@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PssswNybTxrLXBP5jM5sdwE79rY>
Subject: [DNSOP] Ghost of a zone signature effort from the long ago days...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jul 2018 17:51:47 -0000

I hear there are proposals to sign the entire contents of zones. zonemd/xhash in some subject lines.

(Forgive me if SIG(AXFR) was mentioned before...)

"Domain Name System Security Extensions", a'la RFC 2065, section 4.1.3 Zone Transfer (AXFR) SIG:

"However, to efficiently
   assure the completeness and security of zone transfers, a SIG RR
   owned by the zone name must be created with a type covered of AXFR
   that covers all zone signed RRs in the zone and their zone SIGs but
   not the SIG AXFR itself."

"Domain Name System Security Extensions", a'la RFC 2535, Appendix B: Changes from RFC 2065:

"3. ...In addition, the SIG covering type AXFR has been

I wish I could recall why.  (Anyone else recall why this was dropped?  I recall realizing it was a fool's errand but not the reasons.)  Yes, today's network is different.

I would think, if there is concern that the glue records were a mucked-with and a validator were misdirected by malicious glue, the DS record would provide evidence of a redirection.  For unsigned delegations, this would be an incentive to sign, for non-validating resolvers, an incentive to validate.

Now, pushing for universal deployment of DNSSEC might be improper at this juncture.

The option is to develop, implement, and operate a way to "sign the contents of a zone."  (Especially considering the pushback on full DNSSEC deployment.)

History isn't always the guide to follow, but we tried this once and gave up.

(Note: no comment on the merits of zonemd/xhash, just throwing in some history.)