Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02 (fwd)

"John Levine" <johnl@taugh.com> Sat, 11 August 2018 14:44 UTC

Date: Sat, 11 Aug 2018 10:44:03 -0400
Message-Id: <20180811144404.37F99200367B6B@ary.local>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul@nohats.ca
In-Reply-To: <alpine.LRH.2.21.1808102138510.16524@bofh.nohats.ca>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SFglftM2NJB7sXnYonGMYaDBWjo>

In article <alpine.LRH.2.21.1808102138510.16524@bofh.nohats.ca> you write:
>I am not objecting other than having 0 desire to help out unsigned zones replace origin
>security with transport security.

The way that ZONEMD is defined in the draft, it's not very useful if
the ZONEMD record isn't signed.  Otherwise the malicious party can
just recompute the hash over the tampered zone.

R's,
John
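The following is an added illustration of the point made in the message above; it is not code from the draft, from the list discussion, or from any ZONEMD implementation. It models a zone as a constructed set of presentation-format records, uses a simplified digest (canonicalised text records, sorted, SHA-384) rather than the draft's wire-format serialisation, and uses an Ed25519 signature over the digest as a stand-in for the RRSIG that would cover the ZONEMD RRset. The record set, names and addresses are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// sampleZone is a constructed zone in presentation format. The ZONEMD record
// itself is kept out of the set; its digest value is passed around separately.
var sampleZone = []string{
	"example.  3600 IN SOA ns1.example. admin.example. 2018081100 7200 3600 1209600 3600",
	"example.  3600 IN NS  ns1.example.",
	"ns1.example. 3600 IN A 192.0.2.1",
	"www.example. 3600 IN A 192.0.2.10",
}

// zoneDigest is a simplified zone digest: records are canonicalised (lower
// case, single spaces), sorted, joined with newlines and hashed with SHA-384.
// The draft hashes canonical wire-format RRs, not presentation text; this
// stand-in is enough to show the signed/unsigned difference.
func zoneDigest(rrs []string) string {
	canon := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		canon = append(canon, strings.ToLower(strings.Join(strings.Fields(rr), " ")))
	}
	sort.Strings(canon)
	sum := sha512.Sum384([]byte(strings.Join(canon, "\n") + "\n"))
	return hex.EncodeToString(sum[:])
}

// verifyUnsigned is all a consumer can do when the ZONEMD is not signed:
// recompute the digest over the zone it received and compare.
func verifyUnsigned(rrs []string, published string) bool {
	return zoneDigest(rrs) == published
}

// verifySigned additionally checks a signature over the digest. The Ed25519
// signature stands in for RRSIG(ZONEMD); the verifier holds the zone's public
// key (in DNSSEC it would come from the DNSKEY chain of trust).
func verifySigned(rrs []string, published string, sig []byte, pub ed25519.PublicKey) bool {
	if !verifyUnsigned(rrs, published) {
		return false
	}
	return ed25519.Verify(pub, []byte(published), sig)
}

// tamper plays the party in the middle: it swaps the www address and
// republishes the zone.
func tamper(rrs []string) []string {
	out := make([]string, len(rrs))
	for i, rr := range rrs {
		if strings.HasPrefix(rr, "www.example.") {
			rr = "www.example. 3600 IN A 198.51.100.66"
		}
		out[i] = rr
	}
	return out
}

// Outcome records whether each kind of verifier accepted the tampered zone
// after the attacker recomputed the digest over it.
type Outcome struct {
	UnsignedAcceptsTampered bool
	SignedAcceptsTampered   bool
	SignedAcceptsGenuine    bool
}

// Scenario runs the whole exchange: the owner signs the genuine digest, the
// attacker tampers and recomputes, and both kinds of verifier are consulted.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := zoneDigest(sampleZone)
	sig := ed25519.Sign(priv, []byte(genuine)) // owner side: needs the private key

	tampered := tamper(sampleZone)
	recomputed := zoneDigest(tampered) // attacker side: needs no key at all

	return Outcome{
		UnsignedAcceptsTampered: verifyUnsigned(tampered, recomputed),
		SignedAcceptsTampered:   verifySigned(tampered, recomputed, sig, pub),
		SignedAcceptsGenuine:    verifySigned(sampleZone, genuine, sig, pub),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("unsigned ZONEMD accepts tampered zone: %v\n", o.UnsignedAcceptsTampered)
	fmt.Printf("signed ZONEMD accepts tampered zone:   %v\n", o.SignedAcceptsTampered)
	fmt.Printf("signed ZONEMD accepts genuine zone:    %v\n", o.SignedAcceptsGenuine)
}
```

The unsigned check passes on the tampered zone because the attacker can run zoneDigest just as well as the zone owner; only the signature over the digest, which needs the owner's private key, turns the digest into something the attacker cannot regenerate.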