Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02

Paul Wouters <paul@nohats.ca> Mon, 13 August 2018 16:41 UTC

Date: Mon, 13 Aug 2018 12:41:42 -0400
From: Paul Wouters <paul@nohats.ca>
To: Edward Lewis <edward.lewis@icann.org>
cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>
Message-ID: <alpine.LRH.2.21.1808131236300.10743@bofh.nohats.ca>
References: <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_vK1m1Vgw_NBiFAnRwolIghHU1A>

On Mon, 13 Aug 2018, Edward Lewis wrote:

> On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:
>
>> The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD record isn't signed.
>
> That's my read too, which is why I question the incremental benefit over relying on DNSSEC while doing the query/response over port 53 "thing".  Question, not doubt, that is.

Which is why I suggested only using zonemd for glue/NS.

> What I'm struggling with is the applicability to other uses of the zone file.  There too, the consumer, when making use of the ZONEMD, if the record isn't signed then it could be recomputed by the manager of the repository from which the zone file came.

The ZONEMD draft should state that before using the contents of ZONEMD,
it must be DNSSEC validated [up the chain, not just with the DNSKEY
obtained via this transfer].

>  If the record is signed, the consumer would then need to implement DNSSEC.  'Course, one signature verification would be cheaper than "$lots" (hundreds, thousands, millions).

That is the only argument in favour of using it to sign the entire zone.
And it does have merit.

My main concern is people's creativity to jump through hoops to avoid
DNSSEC, and seeing people use zonemd as an "alternative". At which point
origin security is not present, and transport security is very weak,
as anyone can subvert the ZONEMD record, as has been pointed out.

Paul
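As an added illustration of the point made in this thread (example code, not from the draft or from any of the thread's authors), the following simplified Python model shows why a ZONEMD that is only checked against the zone file it arrived in gives no integrity, while one bound to something authenticated outside that file does. It assumes a hash over presentation form rather than the draft's canonical wire format, a constructed sample zone, and an out-of-band pinned digest standing in for DNSSEC validation of the ZONEMD RRset up the chain.

```python
import hashlib
from typing import List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata), presentation form

# Constructed sample zone; not taken from the draft or the thread.
ZONE: List[RR] = [
    ("example.", 3600, "SOA", "ns1.example. admin.example. 1 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("www.example.", 3600, "A", "192.0.2.10"),
]

def zone_digest(rrs: List[RR]) -> str:
    """Simplified zone digest: canonical (sorted) order, ZONEMD excluded,
    SHA-384 over presentation form. The draft hashes canonical wire format;
    only the idea is modelled here."""
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in sorted(r for r in rrs if r[2] != "ZONEMD"):
        h.update(f"{owner.lower()} {ttl} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def publish(rrs: List[RR]) -> List[RR]:
    """Append a ZONEMD record carrying the digest of everything else."""
    body = [r for r in rrs if r[2] != "ZONEMD"]
    return body + [("example.", 3600, "ZONEMD", zone_digest(body))]

def zonemd_value(rrs: List[RR]) -> str:
    return next(r[3] for r in rrs if r[2] == "ZONEMD")

def verify_unsigned(rrs: List[RR]) -> bool:
    """All a consumer can check with the file alone: stored == recomputed."""
    return zonemd_value(rrs) == zone_digest(rrs)

def verify_anchored(rrs: List[RR], trusted_digest: str) -> bool:
    """Model of 'DNSSEC validated up the chain': the ZONEMD value is accepted
    only if it matches a value authenticated independently of the transferred
    file (a digest pinned out of band stands in for a validated RRSIG)."""
    return verify_unsigned(rrs) and zonemd_value(rrs) == trusted_digest

def edit_and_republish(rrs: List[RR]) -> List[RR]:
    """The case the thread describes: whoever manages the repository edits a
    record and simply recomputes ZONEMD over the edited zone."""
    edited = [(o, t, ty, "198.51.100.99") if (o, ty) == ("www.example.", "A")
              else (o, t, ty, rd) for o, t, ty, rd in rrs if ty != "ZONEMD"]
    return publish(edited)
```

Running `verify_unsigned` on the republished zone still returns True, which is exactly why the record is only useful once its signature is validated against a trust anchor the zone file itself cannot supply.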