IETF Logo Mail Archive

Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02

Joe Abley <jabley@hopcount.ca> Fri, 10 August 2018 21:22 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D091130FD1 for <dnsop@ietfa.amsl.com>; Fri, 10 Aug 2018 14:22:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syXj7Nt8Bg7G for <dnsop@ietfa.amsl.com>; Fri, 10 Aug 2018 14:22:25 -0700 (PDT)
Received: from mail-lf1-x142.google.com (mail-lf1-x142.google.com [IPv6:2a00:1450:4864:20::142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6085F130FCF for <dnsop@ietf.org>; Fri, 10 Aug 2018 14:22:25 -0700 (PDT)
Received: by mail-lf1-x142.google.com with SMTP id y200-v6so7515958lfd.7 for <dnsop@ietf.org>; Fri, 10 Aug 2018 14:22:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:mime-version:references:in-reply-to:date:message-id:subject:to :cc:content-transfer-encoding; bh=+0aGslgF4bmI+5MIuKrdC9aalL01rycKOhFLlh+QGP4=; b=DXQk4oESx199j/9Yap8RHWx8S7+Q1rH0OhQ+60Btpb7y4pRONSlpkghV6UMmfATOYL XnJUlyn4ccxq/zqq7h4D9CHFeh+h/+AHILqiZ40uoYymKlW4CM0Pv9JEA0eyrilFkoTr tr01MHcYd3S/wk4TB/TN2zlE21Xz/dtHiYJmo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:references:in-reply-to:date :message-id:subject:to:cc:content-transfer-encoding; bh=+0aGslgF4bmI+5MIuKrdC9aalL01rycKOhFLlh+QGP4=; b=SoF9wxH1HMudfTB0IVgAHrOzfFoMiyrNgUyZ62Ejxc3Q0o6qMGYenTnCK8NRN6J8j6 c0tC0azS1OkA/Y/0fhGLK5tR5OEL7qwsKuAWDBoVc4nb/KDAPIQTqqES/AAvdw1NyUCq v8hyC4eiHWid0u0nQGOkSt+bK7c6a4B/2xTQAP17Fcf8OIkpkScFNCmdrVodCmPrBKdl Hyjfbjz3/yawRFbGE2YaUY0FIC9rQis1IaSdjCrPFGGir/b5FgWMIJc3EaEEmnfLl0yz OQDcCvPKiOLi8pfjJK3KpdgPoKjHdZECfgIhvtlXqANPuPO6q0K3GroVVcqbSX/20YIx EfhA==
X-Gm-Message-State: AOUpUlG9kUL9xgAZPaeHz2E1KDDqEk9ONMgVU8OV1QZmVH2KjqwtFhTA zAsT26s3TQW5e/P/YfX0ad4DJZDENNLkDsZ107oASbBz
X-Google-Smtp-Source: AA+uWPwJ+0HVvCK7C6sSmF2ZgMLZfcK9tYbWxt0JdzvPFLKPsu1dcTCFRv3NQflTPrAMZ4X0J7dVovMXyxh7MTsfLMA=
X-Received: by 2002:a19:cd8c:: with SMTP id d134-v6mr2435876lfg.41.1533936143548; Fri, 10 Aug 2018 14:22:23 -0700 (PDT)
Received: from unknown named unknown by gmailapi.google.com with HTTPREST; Fri, 10 Aug 2018 23:22:22 +0200
From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
References: <6D6060CF-FD20-4D79-BF98-A4BE77011741@icann.org> <BE28C979-797B-4B58-80E7-4B65287B2560@verisign.com> <alpine.LRH.2.21.1808101636200.18310@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1808101636200.18310@bofh.nohats.ca>
Date: Fri, 10 Aug 2018 23:22:22 +0200
Message-ID: <CAJhMdTM=pQYQGDQEkMDVL=_-J3wVNdcSPT_GqZ=F6UtVg=79gw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SBoJlRzLL26djDitmy-mMm5uAlQ>
Subject: Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2018 21:22:28 -0000

Paul, you seem suspicious that there is some underhand camel attack
being planned, here, and that the forces of good must assemble to
reveal the ugly truth and save the caravan.

I think being able to verify the integrity of a zone as a complete
data structure is useful.

I think interop is useful.

I think this specification is pretty good.

I think stable specifications promote interop and make things like
this more useful.

Your objections seem to boil down to: I don't like this; I'd achieve
the kinds of things you want to achieve in other ways. That seems like
useful input to a document that discusses the relative merits of doing
things in many ways; that's not what this document is about, though.

So I must be missing something because I don't understand what you're
objecting to.

> On Aug 10, 2018, at 16:41, Paul Wouters <paul@nohats.ca> wrote:
>
> On Fri, 10 Aug 2018, Wessels, Duane wrote:
>
>>> But there are already mechanisms for this at the data set level.  (This is a "belts and suspenders" style argument.)  What if -err- when, in a zone's distribution, the glue records are either forged or simply fat-fingered?  That's covered, in a way that is more efficient - in a lazy evaluation way.  Mangled glue never referenced needs not be checked, when it is needed there's backup in the authoritative version.  If all else fails, DNSSEC will flag whatever response as suspect.
>>
>> Yes, certainly DNSSEC protects from modification of answers.  It generally protects recursives who validate.  But it doesn't protect consumers of zone files.
>
> By design....
>
>> Another limitation I've mentioned before, where DNSSEC doesn't protect you, is that a delegation could be falsified such that traffic goes to an eavesdropper that just records but doesn't modify messages.
>
> but on most networks you connect to that you don't trust, they could
> just be monitoring all your port 53 traffic anyway? I don't see this
> much as a use case. An attacker that cannot see your traffic, but could
> get to see your DNS root queries but only briefly if you cache or
> actually use the root zone you just transfered from them. Also query
> minimalization makes that use case very uninteresting.
>
>> I'd also argue that maybe applications shouldn't necessarily trust a file just because its "on disk." The application doesn't know how it got there, or what may have been done to it.
>
> Sure but applications should either validate or trust the local
> validator loading the zone. So that limits the discussion to
> glue/NS only.
>
>> I'm not sure this is what you mean by "speed of execution" but as an example, my implementation (which uses ldns) can calculate and verify a SHA256 signed root zone digest in under 100 msec.
>>
>> $ sort --random-sort root.zone.signed | ldns-zone-digest -t -p 2 -c -v .
>> Loading Zone...22539 records
>> Remove existing ZONEMD...
>> Add placeholder ZONEMD...
>> Calculating Digest...Done
>> Calculating Digest...Done
>> Found and calculated digests do MATCH.
>> TIMINGS: load  142.18 calculate   82.72 verify   52.24 update    0.00
>
> I don't see it validating the ZONEMD RRSIG here ? :P
>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email