Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <shuque@gmail.com> Fri, 27 July 2018 03:00 UTC

References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <CAAObRXL2LoB3f=296ZPE1Pp1nHkG---pRPAmyO1trTROxneHDQ@mail.gmail.com> <CAHPuVdU8YjbnsVGP4qEVoMA4ZdBo3_bHjV+PxgAOEGsKd742Uw@mail.gmail.com> <CABf5zvKnV_YodJSE3UcEXVfJaew0enCzDg_T7Ni=D8xS=s8zAg@mail.gmail.com>
In-Reply-To: <CABf5zvKnV_YodJSE3UcEXVfJaew0enCzDg_T7Ni=D8xS=s8zAg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 26 Jul 2018 22:59:53 -0400
Message-ID: <CAHPuVdX6XQbBBLnp180Pak==_J1MqtonskR7qFxh5nOhZ5Goiw@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Cc: Davey Song <songlinjian@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, mweinberg=40verisign.com@dmarc.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T4cKY_5PdckC7lF3Jhp-MbLYTJw>

On Thu, Jul 26, 2018 at 10:53 PM Steve Crocker <steve@shinkuro.com> wrote:

> Let me play Candide and stumble into this naively.  If we're imagining
> very widespread distribution of the root zone, say 100,000 or 1,000,000
> local copies distributed twice a day, I would expect the evolution of a set
> of trusted sources and the use of some existing secure transport protocol
> to protect the transmission.  No new protocol or data types, just a way of
> finding the address of one or more trusted sources.  And the existing set of
> root servers seems like a perfectly good set of trusted sources.
>

Hi Steve,

Yes, I've made precisely the same argument previously in this very thread:

https://www.ietf.org/mail-archive/web/dnsop/current/msg23094.html

> In my mind, the main compelling use case is secure distribution of the
> root zone at scale to anyone on the Internet. For that, I'd bet that
> many consumers would be quite okay with a channel security mechanism
> to a "trusted" root zone operator, whatever that mechanism is (TSIG,
> SIG(0), TLS, HTTPS, etc) as long as it could be done efficiently and
> at scale. A full zone signature from the zone publisher/signer is
> ultimately more secure of course. But if the security model is
> satisfied by trust in RSOs, then that isn't needed.

At the moment, some WG members feel that full zone signature is more secure
and needed. I'm not convinced (on the "needed"), but don't feel strongly
enough to be opposed either.

Shumon.
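The distinction the message draws, between channel security to a trusted distributor (TSIG, TLS, HTTPS) and a digest over the whole zone produced by the publisher/signer, can be made concrete with a small simulation. The following is an added example and is not code from draft-wessels-dns-zone-digest, from this thread, or from any root server operator. The zone records, the shared secret and the "mirror" are constructed for the illustration, and the digest construction is a simplified stand-in rather than the ZONEMD algorithm in the draft (in the draft the digest record itself sits in the zone and is covered by DNSSEC; here the verifier is simply assumed to have obtained the publisher's digest authentically). The point it shows: a TSIG-style MAC proves only that the party holding the transport key sent the bytes, so a distributor that rewrites a record still passes the channel check, while the publisher-level digest catches the change and, because it is computed over a canonical form, still accepts harmless re-casing and re-ordering by the distributor.

```python
"""Channel security vs. publisher zone digest: an illustrative contrast.

Added example, not code from the zone-digest draft or the IETF thread.
Records, keys and names are constructed; the digest is a simplified
stand-in for a zone digest, not the ZONEMD construction itself.
"""
import hashlib
import hmac

# Constructed toy zone in presentation form (not real root zone data).
PUBLISHED_ZONE = [
    "example. 86400 IN SOA ns1.example. hostmaster.example. 2018072601 1800 900 604800 86400",
    "example. 86400 IN NS ns1.example.",
    "ns1.example. 86400 IN A 192.0.2.1",
    "www.example. 3600 IN A 192.0.2.80",
]

# Constructed shared secret between the consumer and the mirror (TSIG-like).
MIRROR_KEY = b"constructed-shared-secret-for-the-example"


def canonical_form(records):
    """Simplified canonicalisation: lower-case, collapse whitespace, sort.

    A real zone digest defines canonical ordering and wire-format encoding;
    this stand-in only needs to be independent of case and record order.
    """
    return sorted(" ".join(r.lower().split()) for r in records)


def zone_digest(records):
    """Publisher-side digest over the canonical zone (stand-in for ZONEMD)."""
    h = hashlib.sha384()
    for r in canonical_form(records):
        h.update(r.encode() + b"\n")
    return h.hexdigest()


def channel_mac(key, payload):
    """Transport-level authentication by whoever serves the zone (TSIG-like HMAC)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def serialize(records):
    return "\n".join(records).encode()


def mirror_serve(records, key):
    """The mirror ships the zone bytes plus a MAC under the shared transport key."""
    payload = serialize(records)
    return payload, channel_mac(key, payload)


def verify_channel(payload, mac, key):
    """Consumer check 1: did the holder of the transport key send these bytes?"""
    return hmac.compare_digest(channel_mac(key, payload), mac)


def verify_digest(payload, published_digest):
    """Consumer check 2: is this the zone the publisher actually signed off on?"""
    records = payload.decode().splitlines()
    return hmac.compare_digest(zone_digest(records), published_digest)


def scenario(mirror_behaviour):
    """Return (channel_ok, digest_ok) for a mirror that is honest, re-formats, or tampers."""
    published_digest = zone_digest(PUBLISHED_ZONE)  # assumed obtained authentically
    served = list(PUBLISHED_ZONE)
    if mirror_behaviour == "reformat":
        # Harmless presentation changes: upper-case and reverse the order.
        served = [r.upper() for r in reversed(served)]
    elif mirror_behaviour == "tamper":
        # A trusted-but-compromised mirror rewrites one record.
        served[3] = "www.example. 3600 IN A 198.51.100.66"
    elif mirror_behaviour != "honest":
        raise ValueError("unknown mirror behaviour")
    payload, mac = mirror_serve(served, MIRROR_KEY)
    return verify_channel(payload, mac, MIRROR_KEY), verify_digest(payload, published_digest)


if __name__ == "__main__":
    for behaviour in ("honest", "reformat", "tamper"):
        channel_ok, digest_ok = scenario(behaviour)
        print(f"{behaviour:9s} channel={channel_ok} digest={digest_ok}")
```

Run it and the tampering case shows the asymmetry the message is about: the channel check passes because the mirror legitimately holds the transport key, and only the publisher-level digest fails. Whether that extra check is "needed" is exactly the trust-model question left open in the thread.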