Re: [DNSOP] WGLC for draft-ietf-dnsop-zoneversion

Hugo Salgado <hsalgado@nic.cl> Fri, 28 April 2023 18:26 UTC

Date: Fri, 28 Apr 2023 14:25:56 -0400
From: Hugo Salgado <hsalgado@nic.cl>
To: George Michaelson <ggm@algebras.org>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <ZEwPtMYOaNvF5v+F@pepino>
References: <2233B06E-126D-455F-90BA-6C0C00C06508@pir.org> <CAKr6gn1Xc5-LotsfHgiKGU_K-ArEJOCO34QxfmiHn+h+OPBS2w@mail.gmail.com>
In-Reply-To: <CAKr6gn1Xc5-LotsfHgiKGU_K-ArEJOCO34QxfmiHn+h+OPBS2w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iuNj44KYYlWD_xpE3cKhr4dT6Ow>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-zoneversion

Thanks a lot, George, for your comments.
About this suggestion:

On 14:29 27/04, George Michaelson wrote:
> It's a debug tool. It isn't going to be something I expect to use, but
> I like the idea if something goes awry in the responses I am seeing I
> can ask the authority to tell me what SOA serial I should expect to
> see, that has the response state they're giving me for the specific
> query. That's distinct from ZONEMD which is a DNSSEC signed state of an
> entire zone (assuming it can be done) which is a different class of
> check on zone state related to serial. I like both. They're different.
> That said, you COULD point to ZONEMD in this one in the security
> considerations, but I wouldn't make it normative. It's just another way
> to check the state of a zone.
> 

You're right that we can better state the differences with ZONEMD.
What do you think of adding a paragraph like this in the security
considerations?

   "Please note that the ZONEVERSION option cannot be used for checking
   the correctness of an entire zone in a server. For such cases, the
   ZONEMD record [RFC8976] might be better suited to such a task.
   ZONEVERSION can help identify and correlate a certain specific
   answer with a version of a zone, but it has no special integrity or
   verification function besides a normal field value inside a zone, as
   stated above."

Thanks,

Hugo
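As an added example (not part of this message or of the draft's text), here is the correlation check George describes: decode a ZONEVERSION option from a response's OPT RDATA, derive the zone apex from QNAME and LABELCOUNT, and compare the reported SOA serial with one obtained separately. The wire layout assumed here (option code 19; LABELCOUNT, TYPE 0 = SOA serial, 4-octet VERSION) is taken from the later published RFC 9660, not from this email, and the sample OPT RDATA is constructed; a match is a correlation only, not an integrity check, which is exactly the distinction from ZONEMD.

```python
import struct

ZONEVERSION_OPTION_CODE = 19     # assumption: option code as later assigned (RFC 9660)
ZONEVERSION_TYPE_SOA_SERIAL = 0  # assumption: TYPE 0 carries a 4-octet SOA serial


def parse_edns_options(opt_rdata: bytes) -> list[tuple[int, bytes]]:
    """Split OPT RDATA into (OPTION-CODE, OPTION-DATA) pairs (RFC 6891 TLV)."""
    opts, i = [], 0
    while i < len(opt_rdata):
        if i + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        data = opt_rdata[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option data")
        opts.append((code, data))
        i += 4 + length
    return opts


def decode_zoneversion(option_data: bytes, qname: str) -> tuple[str, int]:
    """Return (zone apex, SOA serial) the responder reports for this answer.
    LABELCOUNT gives how many trailing labels of QNAME form the zone name."""
    if len(option_data) < 2:
        raise ValueError("ZONEVERSION option too short")
    labelcount, vtype, version = option_data[0], option_data[1], option_data[2:]
    if vtype != ZONEVERSION_TYPE_SOA_SERIAL or len(version) != 4:
        raise ValueError("unsupported ZONEVERSION TYPE or bad VERSION length")
    labels = qname.rstrip(".").split(".")
    if labelcount > len(labels):
        raise ValueError("LABELCOUNT exceeds QNAME label count")
    zone = ".".join(labels[len(labels) - labelcount:]) + "."
    return zone, struct.unpack("!I", version)[0]


def correlate(opt_rdata: bytes, qname: str, soa_serial_seen: int):
    """Compare the serial reported in the answer with one fetched separately
    (e.g. an SOA query). Equality only correlates answer and zone version;
    it proves nothing about zone integrity, which is ZONEMD's job."""
    for code, data in parse_edns_options(opt_rdata):
        if code == ZONEVERSION_OPTION_CODE:
            zone, serial = decode_zoneversion(data, qname)
            return zone, serial, serial == soa_serial_seen
    return None  # responder did not include ZONEVERSION


# Constructed sample: one ZONEVERSION option for www.example.org
# (LABELCOUNT 2 -> zone "example.org."), reported SOA serial 2023042801.
SAMPLE_OPT_RDATA = (struct.pack("!HH", ZONEVERSION_OPTION_CODE, 6)
                    + bytes([2, ZONEVERSION_TYPE_SOA_SERIAL])
                    + struct.pack("!I", 2023042801))
```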