Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Wed, 14 October 2020 12:28 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Roman Danyliw <rdd@cert.org>
CC: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>, "draft-ietf-dnsop-dns-zone-digest@ietf.org" <draft-ietf-dnsop-dns-zone-digest@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, The IESG <iesg@ietf.org>
Date: Wed, 14 Oct 2020 12:28:13 +0000
Message-ID: <A17A9498-5987-4ABE-82C0-8FBC780200C2@verisign.com>
References: <160195246471.4620.11112787341926255318@ietfa.amsl.com> <514C2BA5-37C3-48E5-B1FE-DCA96C7F37B3@verisign.com> <5fbeea49742e4866878af08d9681c8fe@cert.org> <51CC3897-1A88-41F7-A56C-0BB4E69EBBC9@verisign.com> <d5e8101c9c40421489b35a7e15e8b726@cert.org>
In-Reply-To: <d5e8101c9c40421489b35a7e15e8b726@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XW0mNVYn21RxA9DAA_Lt0kJCiRk>


> On Oct 12, 2020, at 9:24 AM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi Duane!
> 
> Thanks for the extensive changes in -13.  They address my concerns.  I have left one remaining comment about clarifying "provably secure" with a reference.  Otherwise, I've cleared my ballot.

Thanks Roman,

Instead of "provably secure," how does this look to you:

   1.  The verifier MUST first determine whether or not to expect DNSSEC
       records in the zone.  By examining locally configured trust
       anchors, and, if necessary, querying for and validating DS RRs in
       the parent zone, the verifier knows whether or not the zone to be
       verified should include DNSSEC keys and signatures.  For zones
       where signatures are not expected, or if DNSSEC validation is not
       performed, digest verification continues at step 4 below.

   2.  For zones where signatures are expected, the existence of the
       apex ZONEMD record MUST be validated.  If the DNSSEC data proves
       the ZONEMD RRSet does not exist, digest verification cannot
       occur.  If the DNSSEC data proves the ZONEMD does exist, but is
       not found in the zone, digest verification MUST NOT be considered
       successful.

   3.  For zones where signatures are expected, the SOA and ZONEMD
       RRSets MUST have valid signatures, chaining up to a trust anchor.
       If DNSSEC validation of the SOA or ZONEMD RRSets fails, digest
       verification MUST NOT be considered successful.


DW
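The decision logic of steps 1 to 3 above, written out as an added illustration that is not part of the draft text or of this thread. The fields of ZoneEvidence are constructed abstractions of what a DNSSEC validator would report to the verifier, and treating a ZONEMD existence that can be neither proven nor securely denied as "not successful" is an assumption, since the quoted steps do not spell that case out.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Outcome(Enum):
    PROCEED_TO_DIGEST = auto()  # continue with step 4 (hash the zone data)
    CANNOT_VERIFY = auto()      # DNSSEC proves the ZONEMD RRset does not exist
    NOT_SUCCESSFUL = auto()     # digest verification MUST NOT be considered successful


@dataclass(frozen=True)
class ZoneEvidence:
    # Constructed inputs: what a DNSSEC validator reports about the zone.
    dnssec_validation_performed: bool  # verifier performs DNSSEC validation at all
    signatures_expected: bool          # trust anchor or validated DS in parent says zone is signed
    zonemd_present_in_zone: bool       # apex ZONEMD RRset found in the zone data itself
    # True: secure positive answer; False: secure NSEC/NSEC3 denial; None: no proof either way
    zonemd_existence_proven: Optional[bool]
    soa_rrsig_valid: bool              # SOA RRset signature chains to a trust anchor
    zonemd_rrsig_valid: bool           # ZONEMD RRset signature chains to a trust anchor


def dnssec_gate(ev: ZoneEvidence) -> Outcome:
    """Apply steps 1-3 of the proposed verification procedure."""
    # Step 1: without expected signatures (or without validation) go straight to step 4.
    if not ev.dnssec_validation_performed or not ev.signatures_expected:
        return Outcome.PROCEED_TO_DIGEST

    # Step 2: the existence of the apex ZONEMD RRset must be validated.
    if ev.zonemd_existence_proven is False:
        return Outcome.CANNOT_VERIFY          # proven absent: nothing to verify
    if ev.zonemd_existence_proven is None:
        return Outcome.NOT_SUCCESSFUL         # assumption: unvalidated existence is a failure
    if not ev.zonemd_present_in_zone:
        return Outcome.NOT_SUCCESSFUL         # proven to exist but missing: stripped record

    # Step 3: SOA and ZONEMD RRsets need valid signatures up to a trust anchor.
    if not (ev.soa_rrsig_valid and ev.zonemd_rrsig_valid):
        return Outcome.NOT_SUCCESSFUL
    return Outcome.PROCEED_TO_DIGEST
```

The outcome that matters operationally is the difference between CANNOT_VERIFY (the zone is signed and provably has no ZONEMD) and NOT_SUCCESSFUL (the DNSSEC data says a ZONEMD should be there, or its signatures do not check out).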