Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shumon Huque <shuque@gmail.com> Thu, 21 June 2018 01:15 UTC

In-Reply-To: <20180619231512.GA26273@jurassic>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 20 Jun 2018 21:15:19 -0400
Message-ID: <CAHPuVdVSXNKZEhZ_2-vV_9py_n5Dw+FaMXXBbQtORwGF2xuDQw@mail.gmail.com>
To: muks@mukund.org
Cc: petr.spacek@nic.cz, "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/l-0vo6j9vx5DPkxmztKIsoBdqrk>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

On Tue, Jun 19, 2018 at 7:15 PM Mukund Sivaraman <muks@mukund.org> wrote:

>
> There also seems to be a scalability problem with SIG(0) in that
> generating the signature involves a public-key operation per DNS
> message.
>
> For a zone transfer of the root zone from F, the AXFR contains 79
> messages in the TCP continuation:
>
> ;; XFR size: 22554 records (messages 79, bytes 1335768)
>

Yup, I realize that. That was one of the reasons I mentioned that SIG(0) can
also sign IXFR messages if they are available from the server, which could
significantly reduce the performance impact. Thinking about it more now though,
I recall that the current root zone management scheme isn't that conducive to
incremental transfer, since the zone is signed monolithically twice a day
(IIRC).

Anyway, I'm not really advocating for SIG(0). I'm persuaded that it isn't
optimal. I was just surprised that the draft mentions other potential solutions,
but didn't mention this one - perhaps it should for completeness.

Longer term, perhaps the best solution will end up being XFR using DNS over
TLS (or HTTPS) with server authentication. Yes, I realize that authoritative
servers are not yet the targets of those protocols, but it's probably only
a matter of time.

Shumon.