Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Mark Andrews <marka@isc.org> Mon, 09 July 2018 01:35 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FAF6130DD5 for <dnsop@ietfa.amsl.com>; Sun, 8 Jul 2018 18:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.401
X-Spam-Level:
X-Spam-Status: No, score=-6.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVsQ0Jss6zV6 for <dnsop@ietfa.amsl.com>; Sun, 8 Jul 2018 18:35:52 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD2412777C for <dnsop@ietf.org>; Sun, 8 Jul 2018 18:35:52 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 22A523AB045; Mon, 9 Jul 2018 01:35:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DEA0716003A; Mon, 9 Jul 2018 01:35:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C5C61160067; Mon, 9 Jul 2018 01:35:50 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dVzBmQEZ7oAW; Mon, 9 Jul 2018 01:35:50 +0000 (UTC)
Received: from macbook-pro.home.lan (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C4F6616003A; Mon, 9 Jul 2018 01:35:49 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
Date: Mon, 09 Jul 2018 11:35:32 +1000
Cc: Petr Spacek <petr.spacek@nic.cz>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C49D48FA-0200-4C21-9C07-69CD2CE9447A@isc.org>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
To: Olafur Gudmundsson <ogud@ogud.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bNeNOfsTA61Rytn-5Y_zyH_CpVM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 01:35:55 -0000
So what if it is not feasible for COM and similarly sized zones? At the moment we have one zone where we need a zone signature so that the zone contents can be loaded into every recursive server. The question we should be asking is "Is SIG(AXFR) a good fit for the root zone?” not whether is is a good mechanism for all zones because quite frankly there are very few zones that you would want loaded into all recursive servers. “.”, “arpa”, “in-addr.arpa” and “ip6.arpa” would be about it. Does anyone else have any others? Any zone would necessarily be small. Mark > On 9 Jul 2018, at 10:28 am, Olafur Gudmundsson <ogud@ogud.com> wrote: > > > >> On Jun 22, 2018, at 6:58 AM, Petr Špaček <petr.spacek@nic.cz> wrote: >> >> On 21.6.2018 22:31, Hugo Salgado-Hernández wrote: >>> On 22:09 21/06, Shane Kerr wrote: >>>>> Dne 1.6.2018 v 12:51 Shane Kerr napsal(a): >>>>> >>>>> Hmm, can you share some details about your experience? >>>>> Did you find out when the data corruption took place? >>>>> a) network transfer >>>>> b) implementation bugs (e.g. incorrectly received IXFR) >>>>> c) on disk >>>>> d) some other option? >>>> >>>> I don't know. I have seen incorrectly transferred zone files both in >>>> BIND >>>> and NSD slaves. IIRC our solution was to include sentinel records in >>>> the >>>> zone files to spot problems, take the node out of service, and force a >>>> re-transfer. This of course won't work if you are slaving zones that >>>> you do >>>> not control, and it doesn't prevent a small window of time when the >>>> servers >>>> are operating with broken zones. TSIG was being used. >>> >>> We have also seen broken transfers between secondaries. Our solution >>> is to dump the zone after transfer, calculate a hash and compare. We >>> would benefit from having a ZONEMD record inside the zone. >> >> If the zone got broken during TSIG-secured transfer then it was not most >> probably not caused by network problem because TSIG would have caught that. >> >> Honestly I do not think it is worth the effort because all the >> complexity does not help to prevent implementation bugs, I would say it >> even increases probability of a bug! >> >> What is left is bug on auth and/or slave sides and in that case there is >> no guarantee that >> a) master did not compute ZONEMD from already broken data >> b) slave verification of ZONEMD actually works >> >> >> If we wanted to catch problems with implementation we need something >> which is outside of the DNS stack we are attempting to check, be is >> simple checksum or some fancier crypto. >> >> I can easily imagine OPENPGPKEY RR located at _zonefile.apex.example >> node and an utility which would extract OPENPGPKEY RR from the zone file >> and verify that the zone file signature (either detached or in .gpg >> file) can be verified using that key (+ add DNSSEC into the mix if you >> wish). >> >> -- >> Petr Špaček @ CZ.NIC >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > > > > +1 > I spent lots of time earlier this century along with Johan Ihren trying to figure out how to > secure the transfer of a particular zone (the root) to any resolver. > The only sane way is to not transfer the zone over AXFR as any intermediary can mess with the zone contents mostly in the case of “glue” records, > thus transferring the zone over HTTPS or RSYNC with a PGP signature over the zone file is the only viable solution going forward. > > > Historical background: SIG(AXFR) was rejected because it required putting the zone into canonical order and calculating the signature, > in the case of dynamic update this is a real expensive operation, thus we got rid of it. > > Olafur > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý