IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Paul Wouters <paul@nohats.ca> Sat, 28 July 2018 15:55 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF08130FAB for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 08:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJPna1zvWvqV for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 08:55:45 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0489B130F83 for <dnsop@ietf.org>; Sat, 28 Jul 2018 08:55:45 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41d9R33cYgz365; Sat, 28 Jul 2018 17:55:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1532793343; bh=Mpa25lpQHveBR0ZGbfhakyfvK9HjuFmv4LsVv8G5VOY=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=RRzi5k0aWnu1WqGRzuUHfeZnVreUQVdmm6c2kxr2uqYrZCOVl9O1KXO19dzny657F O1q7rQAiicjPLIT4TYaZBFL0yWgZWMkNymIxE/i3PdVGL8S4W58K7TshuqIKj5L50/ S7eDBPIpt155ItM/B1yQpVES1rfVIfUnmsTrWBt4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id oY5FGovLuLWb; Sat, 28 Jul 2018 17:55:42 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sat, 28 Jul 2018 17:55:42 +0200 (CEST)
Received: from [192.168.1.102] (230.toad.com [209.237.225.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id BE51C9E1; Sat, 28 Jul 2018 11:55:40 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca BE51C9E1
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (15G77)
In-Reply-To: <87k1pfgy5i.fsf@mid.deneb.enyo.de>
Date: Sat, 28 Jul 2018 08:55:34 -0700
Cc: John R Levine <johnl@taugh.com>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <61BE0E89-BDA9-4017-864B-90764C878771@nohats.ca>
References: <20180724143253.83ACC2002CE789@ary.qy> <87va8zh77f.fsf@mid.deneb.enyo.de> <alpine.OSX.2.21.1807281106550.71239@ary.qy> <87k1pfgy5i.fsf@mid.deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bnBSKDoOaoDCIX9g-N6Zc_9mRHM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 15:55:47 -0000

Another reason for an rr count number in the rrtype. 

Sent from my phone

> On Jul 28, 2018, at 08:47, Florian Weimer <fw@deneb.enyo.de> wrote:
> 
> * John R. Levine:
> 
>>>>> that the served zone is too large.  Otherwise, the receiver has to
>>>>> download the entire zone before it can determine that the hash does
>>>>> not match. ...
>> 
>>> On the other hand, clients will likely have a pretty good idea for the
>>> size of the zone, so they could transfer it twice: ...
>> 
>> Now I'm really confused.  To avoid downloading the whole zone you download 
>> it twice?
>> 
>> Could you explain in simple terms why you can't download the zone, check 
>> the digest and signature, and either use it or discard it?
> 
> A malicious server might never stop sending data, or claim that the
> transfer is ridiculously large.  If the zone digest does not include
> information about the amount of data, this can only be detected after
> the server ended transmission, at which time the ZONEMD digest can be
> compared.  But at this point, the client may already have filled its
> storage with garbage data, unless the double transfer trick is used.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email