Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Mukund Sivaraman <muks@mukund.org> Wed, 20 June 2018 16:37 UTC

Date: Wed, 20 Jun 2018 22:07:14 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Mark Andrews <marka@isc.org>
Cc: petr.spacek@nic.cz, "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-ID: <20180620163714.GA29798@jurassic>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <CAHPuVdWXBDHdiQ2Z1uFx=mZFRBpjndiki+6Eno-2qFoe6hAovw@mail.gmail.com> <20180619231512.GA26273@jurassic> <D1BD6740-C3BF-4CFA-966E-6B48247A57F9@isc.org>
In-Reply-To: <D1BD6740-C3BF-4CFA-966E-6B48247A57F9@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fMDvDYnUQ4BgODUwXrOReCN6ka8>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

On Wed, Jun 20, 2018 at 09:48:40AM +1000, Mark Andrews wrote:
> Donald Eastlake’s early DNSSEC work had a working zone signature.  It doesn’t
> require signing each message.  It’s just relatively expensive to compute for
> large zones as it requires hashing the entire zone.
> 
> RFC 2065 4.1.3 Zone Transfer (AXFR) SIG.
> 
> Note this is SIG(AXFR) not SIG(0).

doc/misc/dnssec in the BIND tree has this text by Andreas Gustafsson
from 2001:

  Secure Zone Transfers

  BIND 9 does not implement the zone transfer security mechanisms of
  RFC2535 section 5.6, and we have no plans to implement them in the
  future as we consider them inferior to the use of TSIG or SIG(0) to
  ensure the integrity of zone transfers.

I wonder what the reasons for "inferior" were.

		Mukund
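Editor's added illustration of the point Mark raises above, that a whole-zone signature or digest has to hash every RR of the zone in a canonical order, so it is independent of transfer order, must be recomputed after any change, and costs a pass over the entire zone. This is constructed example code, not BIND's, not the SIG(AXFR) encoding of RFC 2065, and not the wire format of the zone-digest draft under discussion; the simplified scheme (hash of each RR in RFC 4034 section 6 canonical order, three RR types only, SHA-384 chosen arbitrarily) and the sample zone are the editor's own assumptions.

```python
"""Hypothetical whole-zone digest over a constructed sample zone (editor's example).

Not the RFC 2065 SIG(AXFR) format and not the draft's ZONEMD encoding; it only
shows the property discussed in the thread: one digest covers every RR of the
zone in canonical order, so the result does not depend on the order records
arrive in, and changing any single RR requires rehashing the whole zone.
"""
import hashlib
import hmac
import struct

# Constructed sample zone: (owner, ttl, class, type, rdata-as-text).
# Only A, NS and TXT are handled, which is enough for the illustration.
SAMPLE_ZONE = [
    ("example.",        3600, "IN", "NS",  "ns1.example."),
    ("EXAMPLE.",        3600, "IN", "NS",  "ns2.example."),
    ("www.example.",    300,  "IN", "A",   "192.0.2.1"),
    ("ns1.example.",    3600, "IN", "A",   "192.0.2.53"),
    ("ns2.example.",    3600, "IN", "A",   "198.51.100.53"),
    ("_dmarc.example.", 300,  "IN", "TXT", "v=DMARC1; p=reject"),
]

TYPE_CODES = {"A": 1, "NS": 2, "TXT": 16}
CLASS_CODES = {"IN": 1}


def _labels(name):
    """Split a dotted name into lowercased label bytes (RFC 4034 s6.2 canonical form)."""
    return [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]


def name_to_wire(name):
    """Uncompressed, lowercased wire-format name: length-prefixed labels + root."""
    return b"".join(bytes([len(l)]) + l for l in _labels(name)) + b"\x00"


def canonical_sort_key(name):
    """RFC 4034 s6.1 canonical ordering: compare labels right to left, bytewise."""
    return tuple(reversed(_labels(name)))


def rdata_to_wire(rtype, rdata):
    """Minimal RDATA encoders for the three types in the sample zone."""
    if rtype == "A":
        return bytes(int(octet) for octet in rdata.split("."))
    if rtype == "NS":
        return name_to_wire(rdata)  # domain-name RDATA is lowercased in canonical form
    if rtype == "TXT":
        text = rdata.encode("ascii")
        return bytes([len(text)]) + text  # single character-string
    raise ValueError("unsupported type %s" % rtype)


def rr_to_wire(rr):
    """Canonical wire form of one RR: owner, type, class, TTL, RDLENGTH, RDATA."""
    owner, ttl, rclass, rtype, rdata = rr
    wire_rdata = rdata_to_wire(rtype, rdata)
    header = struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_CODES[rclass], ttl, len(wire_rdata))
    return name_to_wire(owner) + header + wire_rdata


def canonical_rrs(records):
    """Sort RRs by canonical owner order, then type code, then RDATA bytes."""
    return sorted(records, key=lambda rr: (canonical_sort_key(rr[0]),
                                           TYPE_CODES[rr[3]],
                                           rdata_to_wire(rr[3], rr[4])))


def canonical_owner_order(records):
    """Distinct owner names (lowercased) in canonical order, for inspection."""
    seen, out = set(), []
    for rr in canonical_rrs(records):
        owner = rr[0].lower()
        if owner not in seen:
            seen.add(owner)
            out.append(owner)
    return out


def zone_digest(records, hashname="sha384"):
    """One digest over the whole zone: every RR hashed in canonical order."""
    h = hashlib.new(hashname)
    for rr in canonical_rrs(records):
        h.update(rr_to_wire(rr))
    return h.hexdigest()


def verify_zone_digest(records, expected_hex):
    """Verifier must redo the full pass; constant-time compare of the result."""
    return hmac.compare_digest(zone_digest(records), expected_hex)


if __name__ == "__main__":
    d = zone_digest(SAMPLE_ZONE)
    print("canonical owner order:", canonical_owner_order(SAMPLE_ZONE))
    print("digest:", d)
    # Same zone received in a different order: identical digest.
    print("reordered matches:", verify_zone_digest(list(reversed(SAMPLE_ZONE)), d))
    # One changed A record: the whole-zone digest no longer verifies.
    changed = SAMPLE_ZONE[:2] + [("www.example.", 300, "IN", "A", "192.0.2.2")] + SAMPLE_ZONE[3:]
    print("modified verifies:", verify_zone_digest(changed, d))
```

The contrast with TSIG is visible in the shape of `zone_digest`: a per-message MAC only covers the octets of each AXFR message as sent, so it authenticates the channel, while a zone digest covers the canonical content regardless of how it is transferred, at the price of a full pass over the zone on every change.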