IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

George Michaelson <ggm@algebras.org> Mon, 09 July 2018 23:36 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 642FE130E30 for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 16:36:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5q-IpP0ltLx3 for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 16:36:36 -0700 (PDT)
Received: from mail-wr1-x443.google.com (mail-wr1-x443.google.com [IPv6:2a00:1450:4864:20::443]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92BCD130DD4 for <dnsop@ietf.org>; Mon, 9 Jul 2018 16:36:36 -0700 (PDT)
Received: by mail-wr1-x443.google.com with SMTP id h10-v6so12646471wre.6 for <dnsop@ietf.org>; Mon, 09 Jul 2018 16:36:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=N+iabHaLq0fEntULWfUoT/FNHmQLVcxyMG/9py5YgnQ=; b=G158hJqfG5WKCfh1qDv8vt94drBneZUxFGTGvq3kNZaVW0lrCYOJBSimvq66lPn6Jk SJgBgAUtqkekKOKRQvHP1+DJ5Dcd9gXaMig1smf+fbHUi8+qlSfMGErPJhrP6w+NBV4k unURrch4GS6niyVjTMeFM2l+iAMMah9fsJRRKYWkdoCSxhuRgcALBWppce1wIEo6pYQQ 5pg/MijPbMJuUftP7I+zMe4HFIRhz/8PKBNWS7DVZSy9ADAI6myTkNVsE1w6/UTgXYpm BPTp07YRGivpoTyj4AUbSV/FaluRxbq3AaqhTGIEr366t4mKkyH2CHvhG+xUZosL97gk 1MLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=N+iabHaLq0fEntULWfUoT/FNHmQLVcxyMG/9py5YgnQ=; b=NRMzvkvS25o4PEVvWfSphVCCQNJBccbPAbYu38zojdFRfHdr7XfNtI6zbquZ4+WFPP ivpPW5EcGetq+mojjPh+9u2/QS4EIeRiI0wrZPxHCIfG0y8XS28Vlt/UAEWOcQ6zjibP qzddAjrjnhzN+L1yI5c0ecHwFjm7133USzClSPOi9iJci/TCcsvtibGEKcJZzvfyUvSe cV6yClI5lKaHAdza4RHkkINHwSGiB8qNY0R1P3S48WyanhA6oUyBSelkDC2t1ITpsvBj 4PwLdYxoJdsud8Wpj4w1b0Jo51Ml/n7yM2GlhGOC+5iRX+s7BV5YDt/ixnLwTOmPbn2Q kAkg==
X-Gm-Message-State: APt69E19JuffSSw0dZZMqpbRU9Jpik49k1lv7hwA2hFYviGFmVcUGQ6B HMNfVrlKSzdCxcWWx5ZrCin6ZvqZm68i3T9Cd1OrpmQ9
X-Google-Smtp-Source: AAOMgpfp1v82uW3Ef1eOTnF+pAZxoETt6P0AJOtZcoAq+NMJ/uUQBhanbEmlUgZIeMoT+L6i5E4ijCL8RGvaOG4vmgE=
X-Received: by 2002:adf:fe42:: with SMTP id m2-v6mr11092318wrs.171.1531179395075; Mon, 09 Jul 2018 16:36:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:12cb:0:0:0:0:0 with HTTP; Mon, 9 Jul 2018 16:36:34 -0700 (PDT)
X-Originating-IP: [203.119.0.128]
In-Reply-To: <44A2CDA4-A105-41DE-BCBC-664BCB811304@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com> <CAKr6gn0BZgKGExweF2Hawh_shZSD+WxJ460YO-mbRQjg09uo_A@mail.gmail.com> <44A2CDA4-A105-41DE-BCBC-664BCB811304@verisign.com>
From: George Michaelson <ggm@algebras.org>
Date: Tue, 10 Jul 2018 09:36:34 +1000
Message-ID: <CAKr6gn1ALiKPXPpi6ggwiFeLMH-b15UjfWOnMY2++SyoXoiQpQ@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: dnsop WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bnYMhO3Og_bgNB5Mrltg043g2OM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 23:36:40 -0000

There's arguments both sides about cross signing, counter signing and
independent self-signing. If you want to promote out of band zone
exchange, it has to be signed. The key it signs with is immaterial if
you either direct knowledge of the PK in a PKI, or accept a trust
anchor relationship over it, or a web of trust.

So do you prefer (for instance) that the ZSK be used outside of DNSSEC
to sign a detached signature over the file, irrespective or content
order, if the file is to be made available? Because if you basically
prefer its *not signed* for this mode of transfer, you've stepped
outside the model: you now demand the file is checked on load, element
by element, against the TA, rather than being integrity checked by a
MAC signed by the issuer, which permits eg direct binary loadable, or
other states.

-G

On Tue, Jul 10, 2018 at 7:47 AM, Wessels, Duane <dwessels@verisign.com> wrote:
>
>> On Jul 8, 2018, at 6:02 PM, George Michaelson <ggm@algebras.org> wrote:
>>
>> So how about use of a PGP key which is a payload in TXT signed over by
>> the ZSK/KSK so the trust paths bind together?
>>
>> fetch one DNS record +sigs, check against the TA (which has to be a
>> given) and then..
>
> Currently in the zone digest draft DNSSEC is not mandatory.  That is, the zone
> needn't necessarily be signed and a receiver need not perform the validation if
> they don't want to.
>
> Even without DNSSEC the digest gives you a little protection from accidental corruption.  But not from malicious interference of course.
>
> It seems kind of silly to me to double up on public key cryptosystems.  We already have keys attached to zones and software that generates and validates signatures.
>
> DW
>

v2.23.0 | Report a Bug | By Email