Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <shuque@gmail.com> Fri, 27 July 2018 03:49 UTC

On Thu, Jul 26, 2018 at 11:24 PM Davey Song <songlinjian@gmail.com> wrote:

> The draft says zone digest is not for protecting zone transmission. IMHO,
> the threat model is a MITM attack by malicious editing of on-disk data (NS
> and glue especially) and serving the new zone to end users. DNS digest
> intends to enable end users (resolvers) to automatically detect the
> modification (and drop the zone?).
>

That is one possible threat, but I think it's pretty clear from mailing
list discussion that verifying that the zone is transmitted correctly is
one of the key use cases (whether that is post zone transfer verification,
or out-of-band delivery):

   "It allows a receiver of
   the zone file to verify the zone file's authenticity, especially when
   used in combination with DNSSEC.  This technique makes the message
   digest a part of the zone file itself, allowing anything to verify
   the zone file as a whole, no matter how it is transmitted."

Shumon.
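The property both messages describe, a digest record that lives inside the zone and lets a receiver verify the whole zone whatever path it arrived by, as an added illustration that is not the draft's algorithm or anyone's code from the thread. It hashes sorted presentation-format lines rather than canonical wire format, and the `ZONEMD` mnemonic, the sample zone and the function names are assumptions for this example.

```python
import hashlib
import hmac

# Constructed sample zone (not from the draft or the thread): one RR per line.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. admin.example. 2018072601 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN NS ns2.example.
ns1.example. 3600 IN A 192.0.2.1
ns2.example. 3600 IN A 192.0.2.2
www.example. 3600 IN A 192.0.2.10
"""

DIGEST_TYPE = "ZONEMD"  # assumed type mnemonic for the digest record in this example


def parse_zone(text):
    """Split each non-empty line into owner, TTL, class, type, rdata."""
    return [line.split(None, 4) for line in text.splitlines() if line.strip()]


def canonical_bytes(rr):
    """Simplified canonical form: lower-cased owner, fields space-joined."""
    owner, ttl, cls, rtype, rdata = rr
    return f"{owner.lower()} {ttl} {cls} {rtype} {rdata}".encode()


def compute_digest(rrs):
    """Hash every RR except the digest record itself, independent of file order."""
    body = [r for r in rrs if r[3] != DIGEST_TYPE]
    h = hashlib.sha384()
    for r in sorted(body, key=canonical_bytes):
        h.update(canonical_bytes(r) + b"\n")
    return h.hexdigest()


def sign_zone(text):
    """Publisher side: append the digest as an apex record of the zone."""
    rrs = parse_zone(text)
    soa = next(r for r in rrs if r[3] == "SOA")
    rrs.append([soa[0], soa[1], "IN", DIGEST_TYPE, compute_digest(rrs)])
    return "\n".join(" ".join(r) for r in rrs) + "\n"


def verify_zone(text):
    """Receiver side: exactly one digest record, and it must match a recomputation."""
    rrs = parse_zone(text)
    published = [r for r in rrs if r[3] == DIGEST_TYPE]
    if len(published) != 1:
        return False
    return hmac.compare_digest(published[0][4], compute_digest(rrs))
```

Because the digest is recomputed from the records themselves, a change to a single glue A record after publication fails verification, while reordering the lines in transit does not.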