Re: [DNSOP] SIG(0) useful (and used?)

Bjørn Mork <bjorn@mork.no> Wed, 20 June 2018 11:27 UTC

From: Bjørn Mork <bjorn@mork.no>
To: Ondřej Surý <ondrej@isc.org>
Cc: Mark Andrews <marka@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Organization: m
References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org> <CD6DB8C1-108A-433E-8CD9-34F549844D10@isc.org> <D7C0BCA9-A5E1-4168-9601-209DF8B2902A@isc.org>
Date: Wed, 20 Jun 2018 13:27:13 +0200
In-Reply-To: <D7C0BCA9-A5E1-4168-9601-209DF8B2902A@isc.org> ("Ondřej Surý"'s message of "Tue, 19 Jun 2018 23:33:32 +0200")
Message-ID: <87wout4s1a.fsf@miraculix.mork.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QFUTvkx9fc8ePASwsaix7BEZX_A>
Subject: Re: [DNSOP] SIG(0) useful (and used?)

Well....  Mark did propose this many years ago:
https://mailman.nanog.org/pipermail/nanog/2013-October/061619.html

And based on that, I created a half-assed implementation using Net::DNS.
Of course I never got around to polishing it up enough to actually put
it into production. And definitely not to let the public see it...

But it is still there on the TODO list in the back of my head, for one
of those days when you suddenly have 20 hours to spare and nothing
better to do.  Might happen.  You never know.  Or someone else will pick
up the idea.  That's more likely, I guess.

Anyway, I'd hate to see a potentially useful feature like SIG(0) go
away for no obvious gain.



Bjørn


Ondřej Surý <ondrej@isc.org> writes:

> But if nobody uses that and nobody else implements this, it sort of beats the usefulness of the feature.
>
> Ondrej
> --
> Ondřej Surý — ISC
>
>> On 19 Jun 2018, at 23:20, Mark Andrews <marka@isc.org> wrote:
>> 
>> SIG(0) is much superior for machines updating their own data to TSIG as you don’t need a secondary storage for the TSIG key. You can replace a master server without having to worry about transferring TSIG secrets off a dead machine. You just copy the zone from a slave and go.
>> 
>> There are other scenarios where it is also superior, like automaton delegating in the reverse tree.
>> 
>> No, I don’t think it should go.
>> 
>> It should be widely implemented so it can be used. There is a lot of self-fulfilling prophecy in the DNS of "people will never use this so we won’t implement it".
>> 
>> -- 
>> Mark Andrews
>> 
>>> On 20 Jun 2018, at 06:48, Ondřej Surý <ondrej@isc.org> wrote:
>>> 
>>> Hi,
>>> 
>>> as far as I could find on the Internet, there are only SIG(0) implementations in a handful of DNS implementations - BIND, the Net_DNS2 PHP library, the Net::DNS(::Sec) Perl library, trust_dns written in Rust, and perhaps others I haven’t found; no mentions of real deployment were found on the Internet (but you can blame Google for that)...
>>> 
>>> Do people think SIG(0) is something that we should keep in DNS and that it will be used in the future, or is it a good candidate for throwing off the boat?
>>> 
>>> Ondrej
>>> --
>>> Ondřej Surý
>>> ondrej@isc.org
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
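The point Mark makes above, that a SIG(0) client keeps only its own private key while the server checks the signature against a KEY RR published in the zone, is easiest to see next to the TSIG equivalent. The following is an added example written for this thread with Net::DNS (the library Bjørn mentions); it is not Bjørn's implementation and not ISC code. The zone, host name, server address, TSIG secret and key file name are constructed placeholders, and `sign_sig0` needs Net::DNS::SEC installed.

```perl
#!/usr/bin/perl
# Added example: the same dynamic update sent TSIG-signed and SIG(0)-signed,
# to show where the secret has to live in each case.  All names, addresses
# and key material below are constructed placeholders.
use strict;
use warnings;
use Net::DNS;   # Net::DNS::SEC is required for sign_sig0

my $zone   = 'example.com';        # constructed
my $host   = 'host.example.com';   # constructed
my $server = '192.0.2.53';         # constructed (TEST-NET-1)

# Build the update: replace the A record of $host with its current address.
sub build_update {
    my ($addr) = @_;
    my $update = Net::DNS::Update->new($zone);
    $update->push( prerequisite => yxdomain($host) );      # host must exist
    $update->push( update      => rr_del("$host. A") );    # drop old A RRs
    $update->push( update      => rr_add("$host. 300 A $addr") );
    return $update;
}

# TSIG: the shared secret must exist on this client AND on every master that
# may accept the update.  Losing the master means recovering this secret
# from it or re-keying every client.
sub send_tsig {
    my ($update) = @_;
    # constructed key name and base64 secret; both sides hold the same value
    $update->sign_tsig( 'host-key.example.com', 'c2VjcmV0LXNoYXJlZC1rZXk=' );
    return send_packet($update);
}

# SIG(0): only the private half lives on the client.  The server verifies
# the signature against the KEY RR published for $host in the zone, so a
# replacement master needs nothing beyond a copy of the zone.
sub send_sig0 {
    my ($update) = @_;
    # constructed file name in dnssec-keygen style (algorithm 13 = ECDSAP256SHA256)
    $update->sign_sig0('Khost.example.com.+013+12345.private');
    return send_packet($update);
}

# Send the signed packet and return the RCODE ('NOERROR' on success; a
# signature the server cannot verify typically comes back as 'REFUSED').
sub send_packet {
    my ($packet) = @_;
    my $res = Net::DNS::Resolver->new( nameservers => [$server] );
    my $reply = $res->send($packet) or die 'no reply: ' . $res->errorstring;
    return $reply->header->rcode;
}

print 'TSIG:   ', send_tsig( build_update('192.0.2.10') ), "\n";
print 'SIG(0): ', send_sig0( build_update('192.0.2.10') ), "\n";
```

For the SIG(0) path to be accepted, the zone must carry a KEY RR for `host.example.com` matching the private key, and the server's update policy must grant that key the right to change the host's own records; the TSIG path instead requires the same secret to be configured on the server, which is exactly the secondary copy Mark's argument is about.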