Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02

"John Levine" <johnl@taugh.com> Mon, 13 August 2018 15:49 UTC

Date: Mon, 13 Aug 2018 11:49:46 -0400
Message-Id: <20180813154946.A0D5020036E99E@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: edward.lewis@icann.org
In-Reply-To: <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kuwgMe1PNW23FO6yquzzdp0Ql0k>

In article <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>,
Edward Lewis  <edward.lewis@icann.org> wrote:
>On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:
>
>>The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD record isn't signed.
>
>That's my read too, which is why I question the incremental benefit over relying on DNSSEC while doing the query/response
>over port 53 "thing".  Question, not doubt, that is.

As we may have mentioned once or twice before in this discussion, it
lets you do zone transfers over insecure channels and batch verify the
zone before using it.

I agree that the consumer needs to implement DNSSEC, but the obvious
consumer is a DNS server.

On my setup, I batch sign the zones on the primary server and rsync
them to the secondary.  The setup is reasonably secure, dedicated dns
user account on each machine and ssh for transport, but given the
number of moving parts between signing and the secondary server and
the chance of occasional bitrot, it'd be nice to be able to check that
the zone is correct and get notified of failure immediately rather
than hoping I notice odd resolution strangeness on the secondary.

R's,
John
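As an added illustration of the batch-verify step John describes (this is not code from the thread or from the draft): a simplified zone digest the secondary can check after rsync and before loading the zone. It hashes a one-record-per-line text form with SHA-384 over the sorted records rather than the draft's wire-format canonical form, the ZONEMD field layout (serial, scheme, hash algorithm, digest) follows the form later published in RFC 8976, and the sample zone is constructed.

```python
import hashlib

# Constructed sample zone in a simplified one-record-per-line text form
# (owner ttl class type rdata); not the draft's wire-format canonical form.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2018081301 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
www.example.test. 300 IN A 192.0.2.10
"""

def parse(zone_text):
    """Yield (owner, ttl, class, type, rdata) for each record line."""
    for line in zone_text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            yield owner.lower(), int(ttl), cls, rtype, rdata

def compute_digest(zone_text):
    """SHA-384 over the canonically sorted records, excluding the apex ZONEMD
    record itself (a record cannot contain a hash of its own digest field)."""
    recs = sorted(r for r in parse(zone_text) if r[3] != "ZONEMD")
    h = hashlib.sha384()
    for r in recs:
        h.update(("%s %d %s %s %s\n" % r).encode())
    return h.hexdigest()

def soa_serial(zone_text):
    return next(r[4].split()[2] for r in parse(zone_text) if r[3] == "SOA")

def zonemd_record(zone_text):
    """Apex ZONEMD record: SOA serial, scheme 1, hash algorithm 1 (SHA-384), digest."""
    apex = next(r[0] for r in parse(zone_text) if r[3] == "SOA")
    return "%s 3600 IN ZONEMD %s 1 1 %s\n" % (apex, soa_serial(zone_text), compute_digest(zone_text))

def verify_zone(zone_text):
    """Return (ok, reason). Run on the secondary after rsync and before loading,
    so a corrupted or stale zone is reported instead of silently served."""
    zmd = [r for r in parse(zone_text) if r[3] == "ZONEMD"]
    if len(zmd) != 1:
        return False, "expected exactly one ZONEMD record, found %d" % len(zmd)
    serial, scheme, alg, digest = zmd[0][4].split()
    if serial != soa_serial(zone_text):
        return False, "ZONEMD serial %s does not match SOA serial" % serial
    if (scheme, alg) != ("1", "1"):
        return False, "unsupported scheme/hash algorithm %s/%s" % (scheme, alg)
    if digest.lower() != compute_digest(zone_text):
        return False, "digest mismatch: zone contents changed since signing"
    return True, "zone verified"
```

Because the records are sorted before hashing, a zone file whose lines were reordered in transit still verifies, while any change to record data or a ZONEMD left over from an earlier serial is caught.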