[DNSOP] zonemd/xhash versus nothing new

[Paul Wouters <paul@nohats.ca>]

On Fri, 27 Jul 2018, Warren Kumari wrote:

> This can, but does not have, to be built into the nameserver itself.

Those are just more arguments to not have a DNS checksum/sig option.

What I see is that:

We are looking at a way to distribute the root zone, presumably to
make the root servers less mission critical and for enhanced
privacy and reduced NXDOMAIN queries.

We are depening on DNSSEC for integrity of the data, which just misses
glue/NS verification.

we can do AXFR but that would keep the root servers mission critical.

glue/NS verification isn't needed normally, because we would just
need a single working entry to pull the new root zone from one of
the root servers - but then we depend again on the root servers
as critical infrastructure which is something we seem to want to
try and avoid.

maybe this is also useful for non-root zones, so the method was sort
of made to apply generically.


I think the use for non-root zones is quite a different use case, so if
I ignore that, we are looking at specifically the root zone only.


What is the pain of getting a root zone file from an unknown/untrusted
source ?

- transport seurity isn't enough (so no (D)TLS)
- detached sigs like pgp too annoying/hard? (two files instead of one,
   or the one file needs preprocessing before giving it to DNS tools)
- we have to validate it with the known key (so some tooling needed)
- glue/ns could be filtered (either a ddos, or a privacy concern?)
- we cannot depend on finding 1 working root server and then AXFR it
   to confirm, assuming that would be too much load on the existing
   root servers (although load of junk queries would decrease if this
   is deployed)


It seems the way to fix this would be to have well known recursive servers
(8.8.8.8, 1.1.1.1, 4.4.4.4, level3, opendns, etc) also offer the root
zone for AXFR. If you get something that does not work, fall back to
standard recursive root zone queries based on the buildin hints file.

We could also do some /.well-known/root.zone URI to allow for other
https/tls servers for serving the zone without being a public resolver,
eg for enterprise or isp network use only? Maybe a dhcp option to point
to the location?

Additionally, these servers could allow downloads of the root zone via
HTTPS/TLS/etc for those tools that want to write a root zone file to
disk for re-use or for preloading a resolver cache on startup ?

In all of this, I don't see much use in protecting the root zone with
either ZONEMD or XHASH. If the NS/glue is mangled to the point of being
unusable to refresh the root zone, drop the garbage and do traditional
DNS querying from the preloaded hints or previous copy of the root zone.

If ZONEMD or XHASH was a regular record with no special handling, maybe
it could be worth it, but it is a very a-typical RRTYPE and I think
there isn't a very strong case for adding it to the DNS system.

Paul