Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02
"John Levine" <johnl@taugh.com> Mon, 13 August 2018 15:49 UTC
Date: Mon, 13 Aug 2018 11:49:46 -0400
Message-Id: <20180813154946.A0D5020036E99E@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: edward.lewis@icann.org
In-Reply-To: <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kuwgMe1PNW23FO6yquzzdp0Ql0k>
Subject: Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02
In article <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>, Edward Lewis <edward.lewis@icann.org> wrote:
>On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:
>
>>The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD record isn't signed.
>
>That's my read too, which is why I question the incremental benefit over relying on DNSSEC while doing the query/response
>over port 53 "thing". Question, not doubt, that is.

As we may have mentioned once or twice before in this discussion, it lets you do zone transfers over insecure channels and batch verify the zone before using it. I agree that the consumer needs to implement DNSSEC, but the obvious consumer is a DNS server.

On my setup, I batch sign the zones on the primary server and rsync them to the secondary. The setup is reasonably secure, dedicated dns user account on each machine and ssh for transport, but given the number of moving parts between signing and the secondary server and the chance of occasional bitrot, it'd be nice to be able to check that the zone is correct and get notified of failure immediately rather than hoping I notice odd resolution strangeness on the secondary.

R's,
John
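The "batch verify the zone before using it" workflow John describes, as an added illustration that is not part of the thread or of draft-wessels-dns-zone-digest: a primary computes a digest over the whole zone, embeds it in a ZONEMD-style record, and a secondary recomputes the digest after transfer and refuses the zone on mismatch. This is deliberately simplified: the draft digests canonical wire-format RRs, whereas this code hashes a canonicalized presentation-format text form, so its digests are not interoperable with real ZONEMD. The scheme and hash-algorithm numbers, the owner/TTL of the record, and the sample zone are all constructed assumptions.

```python
"""Simplified ZONEMD-style zone digest: compute, embed, verify.

Added illustration, not the draft's algorithm: the draft hashes canonical
wire-format RRs; this hashes a canonicalized text form, so the digests
produced here are NOT interoperable with real ZONEMD records.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

ZONEMD_TYPE = "ZONEMD"   # RR type mnemonic used by the draft
SCHEME, HASH_ALG = 1, 1  # placeholder scheme / hash-algorithm numbers (assumption)


def _canonical_rr(line: str) -> Optional[str]:
    """Normalize one presentation-format record: strip comments and blank
    lines, collapse whitespace, lower-case the owner name."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    fields[0] = fields[0].lower()
    return " ".join(fields)


def zone_records(zone_text: str) -> List[str]:
    rrs = [_canonical_rr(ln) for ln in zone_text.splitlines()]
    return [r for r in rrs if r]


def _is_zonemd(rr: str) -> bool:
    # type mnemonic sits within the first four fields: name [ttl] [class] type
    return ZONEMD_TYPE in rr.split()[:4]


def soa_serial(zone_text: str) -> int:
    """Serial from the (single-line) SOA: name [ttl] [class] SOA mname rname serial ..."""
    for rr in zone_records(zone_text):
        f = rr.split()
        if "SOA" in f[:4]:
            return int(f[f.index("SOA") + 3])
    raise ValueError("no SOA record in zone")


def compute_digest(zone_text: str) -> str:
    """SHA-384 over the sorted canonical records, excluding any ZONEMD RR
    (the digest cannot cover itself). Sorting makes the result independent
    of the order records appear in the file."""
    rrs = sorted(r for r in zone_records(zone_text) if not _is_zonemd(r))
    h = hashlib.sha384()
    for rr in rrs:
        h.update(rr.encode() + b"\n")
    return h.hexdigest()


def zonemd_record(zone_text: str, owner: str) -> str:
    """Build the ZONEMD-style RR the primary appends before transfer."""
    return (f"{owner} 3600 IN {ZONEMD_TYPE} {soa_serial(zone_text)} "
            f"{SCHEME} {HASH_ALG} {compute_digest(zone_text)}")


def verify_zone(zone_text: str) -> Tuple[bool, str]:
    """What the secondary runs after receiving the zone, before loading it."""
    zmd = [r for r in zone_records(zone_text) if _is_zonemd(r)]
    if len(zmd) != 1:
        return False, f"expected exactly one {ZONEMD_TYPE} record, found {len(zmd)}"
    f = zmd[0].split()
    i = f.index(ZONEMD_TYPE)
    serial, scheme, alg, digest = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4].lower()
    if serial != soa_serial(zone_text):
        return False, "ZONEMD serial does not match SOA serial"
    if (scheme, alg) != (SCHEME, HASH_ALG):
        return False, "unsupported scheme or hash algorithm"
    if not hmac.compare_digest(digest, compute_digest(zone_text)):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample zone (not real data).
ZONE = """\
; constructed sample zone
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2018081301 7200 3600 1209600 3600
example.test.      3600 IN NS   ns1.example.test.
example.test.      3600 IN NS   ns2.example.test.
ns1.example.test.  3600 IN A    192.0.2.1
ns2.example.test.  3600 IN A    192.0.2.2
www.example.test.  300  IN AAAA 2001:db8::80
"""


def signed_zone() -> str:
    """Zone as the primary ships it: original records plus the digest record."""
    return ZONE + zonemd_record(ZONE, "example.test.") + "\n"


def corrupted_zone() -> str:
    """Simulated bitrot between primary and secondary: one octet of an address changes."""
    return signed_zone().replace("192.0.2.2", "192.0.2.3")


if __name__ == "__main__":
    print("intact   :", verify_zone(signed_zone()))
    print("corrupted:", verify_zone(corrupted_zone()))
```

Run on the secondary after the rsync step, this is the "notified of failure immediately" check: the loader only proceeds when `verify_zone` returns `(True, "ok")`. As the thread notes, the check only attests integrity if the ZONEMD record itself is covered by a DNSSEC signature; on its own it catches accidental corruption, not substitution by whoever controls the transport.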