Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
George Michaelson <ggm@algebras.org> Mon, 09 July 2018 01:03 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5657130DF6 for <dnsop@ietfa.amsl.com>; Sun, 8 Jul 2018 18:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.411
X-Spam-Level:
X-Spam-Status: No, score=-1.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTc22f1yrMG6 for <dnsop@ietfa.amsl.com>; Sun, 8 Jul 2018 18:02:58 -0700 (PDT)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5173312777C for <dnsop@ietf.org>; Sun, 8 Jul 2018 18:02:58 -0700 (PDT)
Received: by mail-wm0-x243.google.com with SMTP id z6-v6so9617093wma.0 for <dnsop@ietf.org>; Sun, 08 Jul 2018 18:02:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=J/DS35GquxGZonJDwhV6nX1TlGBcRxCPuAG/yoWthoo=; b=wGSZVB6b30TZntKmB1BSHohqTF7Bwz3GPvTSmQmpRlZAwFq0YHlmu/YqKEnnfz2V4n hKba+sXb9SobrFTVYq1t674S2leYtm+3Sp+GFYaZzNDVmAWeONY62QvqdhZ06PGo6x5x U3Ao6yEeAl/0BkRp2f/ErdfwVXm3ZHdLBnPI65x0orZ7ywCa+6RAtLZOk6wszmcxQYud w1TJuQHE9qZ5DP2XhEnPCvpveEJQ5sJdtSay1NVUWM36usM5bNYKGfay1PGa+5s2CXV6 mfZ9G3s5bK+uxTd2PEN0XjYYKrKgEpP1nttn6wbN/iw/VEFisd1RkIZaZx3+4+zMK3Pg MWuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=J/DS35GquxGZonJDwhV6nX1TlGBcRxCPuAG/yoWthoo=; b=NITznkhWusxU0Jr4D+NbfFuOy10pHNee7381Hk01OKVhNw7MIV6miDroazCYn7oQ8W py6tYscopha+MRDxClW7b3snmdM/2g3/yYWP4mcKwaDj3EjuCdnzTliG45UFzngeqMO8 6ksJodo/CP8FLmNamu0sXJa0AD+X1Eh7yQ2HRJ3rxN8x2qLrScMul6gdZIaO94ANXjSn 1B/OzjF1Ds0f/6HE7G8EuIrxqew0982OR+qcW4pSkiqDQqp2vJadHzFQ7QWMXwov5qyY quw3oZVy2EfStJ+d+QmoR4KdUALcw0UVlSqs/5Wlr8GQiwUQj33f1aZJAE5386PoIMm3 KRWw==
X-Gm-Message-State: APt69E0cWe+zvWpCtKi1lYNFPJxAoCsrnqVqP3/dfNXEkT0UTxAGZ1YX zvRH0uKavYCbDMIz71RmCybmMdl84gCvFf343bZc1pZy
X-Google-Smtp-Source: AAOMgpf4zUE3nuzoQ6kqkLWbw8cpJuxB+rEl+BHMGJnyOsf8xYD/AxwY2DwFvf0/TAvO3SAKu5VAhfwALw58oaN22vQ=
X-Received: by 2002:a1c:8c08:: with SMTP id o8-v6mr10032899wmd.60.1531098176711; Sun, 08 Jul 2018 18:02:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:12cb:0:0:0:0:0 with HTTP; Sun, 8 Jul 2018 18:02:55 -0700 (PDT)
X-Originating-IP: [2001:dc0:2001:210:6061:6f8c:af7f:f8c3]
In-Reply-To: <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com>
From: George Michaelson <ggm@algebras.org>
Date: Mon, 09 Jul 2018 11:02:55 +1000
Message-ID: <CAKr6gn0BZgKGExweF2Hawh_shZSD+WxJ460YO-mbRQjg09uo_A@mail.gmail.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Cc: Petr Spacek <petr.spacek@nic.cz>, dnsop WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fme7qWF65hLEadnTS1589zor8Qg>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 01:03:01 -0000
So if I look at what you said, what I see is "inband, canonicalization is a cost we don't want to bear, to produce a signed product of whole of zone" and "if we accept knowledge of a PGP or other external key as the moment of trust, out of band, disordered but specifically testable as *this file* is signed by *known key* is workable. wow. Firstly, I thought canonicalization was a given: we have definitions of canonical zone order for other reasons (NSEC*) don't we? secondly, I absolutely (and no sarcasm implied or intended, I really mean it) applaud the pragmatism. If we can move to a world which accepts the root is a resource which can routinely be fetched out of band, validated out of band, and then locally bound to a DNS server, we've probably moved on. in-band is great. but, sometimes, its really hard. So how about use of a PGP key which is a payload in TXT signed over by the ZSK/KSK so the trust paths bind together? fetch one DNS record +sigs, check against the TA (which has to be a given) and then.. -G On Mon, Jul 9, 2018 at 10:28 AM, Olafur Gudmundsson <ogud@ogud.com> wrote: > > > On Jun 22, 2018, at 6:58 AM, Petr Špaček <petr.spacek@nic.cz> wrote: > > On 21.6.2018 22:31, Hugo Salgado-Hernández wrote: > > On 22:09 21/06, Shane Kerr wrote: > > Dne 1.6.2018 v 12:51 Shane Kerr napsal(a): > > Hmm, can you share some details about your experience? > Did you find out when the data corruption took place? > a) network transfer > b) implementation bugs (e.g. incorrectly received IXFR) > c) on disk > d) some other option? > > > I don't know. I have seen incorrectly transferred zone files both in > BIND > and NSD slaves. IIRC our solution was to include sentinel records in > the > zone files to spot problems, take the node out of service, and force a > re-transfer. This of course won't work if you are slaving zones that > you do > not control, and it doesn't prevent a small window of time when the > servers > are operating with broken zones. TSIG was being used. > > > We have also seen broken transfers between secondaries. Our solution > is to dump the zone after transfer, calculate a hash and compare. We > would benefit from having a ZONEMD record inside the zone. > > > If the zone got broken during TSIG-secured transfer then it was not most > probably not caused by network problem because TSIG would have caught that. > > Honestly I do not think it is worth the effort because all the > complexity does not help to prevent implementation bugs, I would say it > even increases probability of a bug! > > What is left is bug on auth and/or slave sides and in that case there is > no guarantee that > a) master did not compute ZONEMD from already broken data > b) slave verification of ZONEMD actually works > > > If we wanted to catch problems with implementation we need something > which is outside of the DNS stack we are attempting to check, be is > simple checksum or some fancier crypto. > > I can easily imagine OPENPGPKEY RR located at _zonefile.apex.example > node and an utility which would extract OPENPGPKEY RR from the zone file > and verify that the zone file signature (either detached or in .gpg > file) can be verified using that key (+ add DNSSEC into the mix if you > wish). > > -- > Petr Špaček @ CZ.NIC > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > > > > +1 > I spent lots of time earlier this century along with Johan Ihren trying to > figure out how to > secure the transfer of a particular zone (the root) to any resolver. > The only sane way is to not transfer the zone over AXFR as any intermediary > can mess with the zone contents mostly in the case of “glue” records, > thus transferring the zone over HTTPS or RSYNC with a PGP signature over the > zone file is the only viable solution going forward. > > > Historical background: SIG(AXFR) was rejected because it required putting > the zone into canonical order and calculating the signature, > in the case of dynamic update this is a real expensive operation, thus we > got rid of it. > > Olafur > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý