Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Wed, 14 October 2020 12:28 UTC
> On Oct 12, 2020, at 9:24 AM, Roman Danyliw <rdd@cert.org> wrote:
>
> Hi Duane!
>
> Thanks for the extensive changes in -13. They address my concerns. I have left one remaining comment about clarifying "provably secure" with a reference. Otherwise, I've cleared my ballot.

Thanks Roman,

Instead of "provably secure," how does this look to you:

1. The verifier MUST first determine whether or not to expect DNSSEC records in the zone. By examining locally configured trust anchors, and, if necessary, querying for and validating DS RRs in the parent zone, the verifier knows whether or not the zone to be verified should include DNSSEC keys and signatures. For zones where signatures are not expected, or if DNSSEC validation is not performed, digest verification continues at step 4 below.

2. For zones where signatures are expected, the existence of the apex ZONEMD record MUST be validated. If the DNSSEC data proves the ZONEMD RRSet does not exist, digest verification cannot occur. If the DNSSEC data proves the ZONEMD does exist, but is not found in the zone, digest verification MUST NOT be considered successful.

3. For zones where signatures are expected, the SOA and ZONEMD RRSets MUST have valid signatures, chaining up to a trust anchor. If DNSSEC validation of the SOA or ZONEMD RRSets fails, digest verification MUST NOT be considered successful.

DW
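As an added example (not part of Duane's message or of the draft text), the following Python implements the digest check that steps 1-3 above hand off to for an unsigned zone, or for a signed zone once those DNSSEC checks have passed: a ZONEMD scheme SIMPLE / SHA-384 computation over an in-memory zone, with both the publisher side (emit the ZONEMD RR) and the verifier side. The DNSSEC steps themselves (trust anchors, DS lookup, RRSIG validation) are not modeled. The later steps it follows (ZONEMD serial must equal the SOA serial, scheme and hash algorithm must be supported, computed digest compared to the published one, one verifying ZONEMD RR suffices) are taken from the published RFC 8976 that this draft became. The zone contents, names and addresses are constructed for illustration, and only A, NS, SOA and ZONEMD RDATA encoders are included; a real implementation needs canonical encoders for every type present in the zone.

```python
"""ZONEMD (RFC 8976) digest computation and verification for an unsigned zone.

Scheme 1 (SIMPLE), hash algorithm 1 (SHA-384): every RR in the zone except the apex
ZONEMD RRset is serialized in canonical wire form (RFC 4034 Section 6), sorted by
canonical owner name, then numeric type, then RDATA, and fed to a single SHA-384.
Only A, NS, SOA and ZONEMD RDATA are encoded here; real zones need every type.
"""
import hashlib
import hmac
import ipaddress
import struct

SCHEME_SIMPLE = 1
HASH_SHA384 = 1
CLASS_IN = 1
RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}


def _labels(name: str) -> list:
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def name_to_wire(name: str) -> bytes:
    """Absolute name in canonical (lowercase) wire form."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in _labels(name)) + b"\x00"


def canonical_name_key(name: str) -> tuple:
    """Sort key for RFC 4034 6.1 canonical name order: compare labels from the root down."""
    return tuple(lbl.encode("ascii") for lbl in reversed(_labels(name)))


def rdata_to_wire(rtype: str, rdata: str) -> bytes:
    """Canonical RDATA wire form (embedded names lowercased) for the supported types."""
    f = rdata.split()
    if rtype == "A":
        return ipaddress.IPv4Address(f[0]).packed
    if rtype == "NS":
        return name_to_wire(f[0])
    if rtype == "SOA":  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        return name_to_wire(f[0]) + name_to_wire(f[1]) + struct.pack("!5I", *map(int, f[2:7]))
    if rtype == "ZONEMD":  # SERIAL SCHEME HASHALG DIGEST(hex)
        return struct.pack("!IBB", int(f[0]), int(f[1]), int(f[2])) + bytes.fromhex(f[3])
    raise ValueError(f"unsupported RR type {rtype}")


def soa_serial(origin: str, records) -> int:
    for owner, _ttl, rtype, rdata in records:
        if rtype == "SOA" and name_to_wire(owner) == name_to_wire(origin):
            return int(rdata.split()[2])
    raise ValueError("zone has no apex SOA")


def zone_digest(origin: str, records) -> bytes:
    """SHA-384 over the zone; records are (owner, ttl, type, rdata_text) tuples."""
    apex = name_to_wire(origin)
    unique = {}  # (owner key, type, rdata) -> RR wire; exact duplicates collapse to one
    for owner, ttl, rtype, rdata in records:
        owner_wire = name_to_wire(owner)
        if rtype == "ZONEMD" and owner_wire == apex:
            continue  # RFC 8976 3.3.1: the apex ZONEMD RRset is never part of its own digest
        rd = rdata_to_wire(rtype, rdata)
        header = struct.pack("!HHIH", RRTYPE[rtype], CLASS_IN, ttl, len(rd))
        unique[(canonical_name_key(owner), RRTYPE[rtype], rd)] = owner_wire + header + rd
    h = hashlib.sha384()
    for key in sorted(unique):  # canonical owner order, then type, then RDATA as octets
        h.update(unique[key])
    return h.digest()


def publish_zonemd(origin: str, records, ttl: int = 3600) -> list:
    """Publisher side: replace any apex ZONEMD with one carrying the current digest."""
    apex = name_to_wire(origin)
    kept = [r for r in records if not (r[2] == "ZONEMD" and name_to_wire(r[0]) == apex)]
    rdata = f"{soa_serial(origin, records)} {SCHEME_SIMPLE} {HASH_SHA384} {zone_digest(origin, records).hex()}"
    return kept + [(origin, ttl, "ZONEMD", rdata)]


def verify_zonemd(origin: str, records) -> str:
    """Digest verification from step 4 onwards; the DNSSEC checks of steps 1-3 are not modeled.

    Returns "no-zonemd" (verification cannot occur), "ok", or "fail" (MUST NOT be
    considered successful). One ZONEMD RR that verifies is enough.
    """
    apex = name_to_wire(origin)
    zonemds = [r for r in records if r[2] == "ZONEMD" and name_to_wire(r[0]) == apex]
    if not zonemds:
        return "no-zonemd"
    serial = soa_serial(origin, records)
    computed = None
    for _owner, _ttl, _rtype, rdata in zonemds:
        zserial, scheme, hashalg, digest_hex = rdata.split()
        if int(zserial) != serial or int(scheme) != SCHEME_SIMPLE or int(hashalg) != HASH_SHA384:
            continue  # stale serial or unsupported scheme/hash: this RR cannot verify
        if computed is None:
            computed = zone_digest(origin, records)
        if hmac.compare_digest(computed, bytes.fromhex(digest_hex)):
            return "ok"
    return "fail"


# Constructed sample zone for this example (not real infrastructure).
EXAMPLE_ZONE = [
    ("example.", 86400, "SOA", "ns1.example. admin.example. 2020101401 7200 3600 1209600 3600"),
    ("example.", 86400, "NS", "ns1.example."),
    ("example.", 86400, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("ns2.example.", 3600, "A", "192.0.2.2"),
    ("www.example.", 300, "A", "192.0.2.10"),
]

if __name__ == "__main__":
    published = publish_zonemd("example.", EXAMPLE_ZONE)
    print(published[-1][3])
    print(verify_zonemd("example.", published))
```

Two behaviours worth noticing when running it. Because the apex ZONEMD RRset is excluded from its own digest, the publisher can compute the digest and then insert the record without a second pass, and a verifier recomputes exactly the same input. And for an unsigned zone, removing the ZONEMD RRset altogether turns a "fail" into "no-zonemd": the verifier simply cannot tell a zone that never had a digest from one where an attacker stripped it, which is why step 2 above requires DNSSEC proof of the RRset's existence when signatures are expected.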