Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Mark Andrews <marka@isc.org> Tue, 19 June 2018 23:48 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <20180619231512.GA26273@jurassic>
Date: Wed, 20 Jun 2018 09:48:40 +1000
Cc: Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, petr.spacek@nic.cz
Message-Id: <D1BD6740-C3BF-4CFA-966E-6B48247A57F9@isc.org>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <CAHPuVdWXBDHdiQ2Z1uFx=mZFRBpjndiki+6Eno-2qFoe6hAovw@mail.gmail.com> <20180619231512.GA26273@jurassic>
To: Mukund Sivaraman <muks@mukund.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/l7klRgPNW6rrI7CViBV4w-IjKmc>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

> On 20 Jun 2018, at 9:15 am, Mukund Sivaraman <muks@mukund.org> wrote:
> 
> On Tue, Jun 19, 2018 at 02:11:02PM -0400, Shumon Huque wrote:
>> On Tue, Jun 19, 2018 at 10:32 AM Petr Špaček <petr.spacek@nic.cz> wrote:
>> 
>>> 
>>> I think we need to first answer question why existing technologies do
>>> not fit the purpose.
>>> 
>> 
>> This is a reasonable question.
>> 
>> I noticed that the draft doesn't mention SIG(0) at all. One of the main
>> motivators of the draft is stated to be secure, wide scale distribution of
>> the root zone. To me, SIG(0) would have been an obvious candidate solution
>> for this problem. The zone owner can publish one public key to the world,
>> and signs zone transfer messages with the corresponding secret key. If the
>> zone owner supports IXFR, the incremental cost of these message signatures
>> is also quite small.
> 
> There also seems to be a scalability problem with SIG(0) in that
> generating the signature involves a public-key operation per DNS
> message.
> 
> For a zone transfer of the root zone from F, the AXFR contains 79
> messages in the TCP continuation:
> 
> ;; XFR size: 22554 records (messages 79, bytes 1335768)
> 
> Unfortunately, because the request message's fields are involved in
> calculating the signature for the reply message and the ID also varies,
> it doesn't appear that the signatures can be re-used.
> 
> This scalability problem is probably a reason why TSIG's HMAC has become
> the preferred method for transaction security and SIG(0) isn't used to
> authenticate zone transfers.

Donald Eastlake’s early DNSSEC work had a working zone signature.  It doesn’t
require signing each message.  It’s just relatively expensive to compute for
large zones as it requires hashing the entire zone.

RFC 2065 4.1.3 Zone Transfer (AXFR) SIG.

Note this is SIG(AXFR) not SIG(0).

Mark

> 		Mukund
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
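The cost comparison in this exchange, as an added illustration that is not code from the thread, the draft, or RFC 2065: a SIG(0)-style scheme spends one public-key signing operation per reply message, and because each signature is bound to the request ID and query name it cannot be reused across transfers, whereas a zone-level signature of the SIG(AXFR) kind spends one signing operation and the remaining cost is hashing the whole zone, after which the receiver can verify the zone no matter how the transfer was split into messages. The model below is an assumption, not the RFC 2065 wire format: Ed25519 stands in for the RFC's algorithms, a SHA-256 digest over the records in sorted order stands in for the zone hash, and the seven-record `example.` zone with RFC 5737 addresses is constructed to stand in for the 22554-record root zone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// sampleZone is a constructed toy zone (documentation names, RFC 5737 addresses).
func sampleZone() []string {
	return []string{
		"example. 3600 IN SOA ns1.example. hostmaster.example. 2018061900 1800 900 604800 3600",
		"example. 3600 IN NS ns1.example.",
		"example. 3600 IN NS ns2.example.",
		"ns1.example. 3600 IN A 192.0.2.1",
		"ns2.example. 3600 IN A 192.0.2.2",
		"www.example. 300 IN A 192.0.2.80",
		"mail.example. 300 IN AAAA 2001:db8::25",
	}
}

// newKeys generates the zone owner's key pair (Ed25519 is an assumption here).
func newKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// splitMessages chunks an AXFR into reply messages of perMsg records each,
// the way a server frames a large transfer across the TCP stream.
func splitMessages(records []string, perMsg int) [][]string {
	var msgs [][]string
	for i := 0; i < len(records); i += perMsg {
		end := i + perMsg
		if end > len(records) {
			end = len(records)
		}
		msgs = append(msgs, records[i:end])
	}
	return msgs
}

// messageBytes models what a transaction signature covers: the request ID,
// the query name, and the records carried in this one reply message.
func messageBytes(reqID uint16, qname string, msg []string) []byte {
	b := make([]byte, 2)
	binary.BigEndian.PutUint16(b, reqID)
	b = append(b, qname...)
	return append(b, strings.Join(msg, "\n")...)
}

// sig0SignTransfer models SIG(0): one public-key signature per reply message.
// It returns the signatures and the number of signing operations spent.
func sig0SignTransfer(priv ed25519.PrivateKey, reqID uint16, qname string, msgs [][]string) ([][]byte, int) {
	sigs := make([][]byte, len(msgs))
	for i, m := range msgs {
		sigs[i] = ed25519.Sign(priv, messageBytes(reqID, qname, m))
	}
	return sigs, len(msgs)
}

// sig0VerifyTransfer checks every message signature; a different request ID
// makes every signature fail, which is why they cannot be reused.
func sig0VerifyTransfer(pub ed25519.PublicKey, reqID uint16, qname string, msgs [][]string, sigs [][]byte) bool {
	if len(sigs) != len(msgs) {
		return false
	}
	for i, m := range msgs {
		if !ed25519.Verify(pub, messageBytes(reqID, qname, m), sigs[i]) {
			return false
		}
	}
	return true
}

// zoneDigest hashes the entire zone in canonical (sorted) order, so the
// result depends only on zone content, not on message framing.
func zoneDigest(records []string) []byte {
	sorted := append([]string(nil), records...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, rr := range sorted {
		h.Write([]byte(rr))
		h.Write([]byte{'\n'})
	}
	return h.Sum(nil)
}

// signZone models a SIG(AXFR)-style zone signature: one signing operation.
func signZone(priv ed25519.PrivateKey, records []string) []byte {
	return ed25519.Sign(priv, zoneDigest(records))
}

// verifyTransferredZone reassembles the records received over any framing
// and checks them against the single zone signature.
func verifyTransferredZone(pub ed25519.PublicKey, msgs [][]string, sig []byte) bool {
	var records []string
	for _, m := range msgs {
		records = append(records, m...)
	}
	return ed25519.Verify(pub, zoneDigest(records), sig)
}

func main() {
	pub, priv := newKeys()
	zone := sampleZone()
	msgs := splitMessages(zone, 2)
	_, ops := sig0SignTransfer(priv, 0x1234, "example.", msgs)
	fmt.Printf("SIG(0)-style: %d messages, %d signing operations\n", len(msgs), ops)
	sig := signZone(priv, zone)
	fmt.Printf("zone signature: 1 signing operation; verifies with 2-record framing: %v, 3-record framing: %v\n",
		verifyTransferredZone(pub, msgs, sig), verifyTransferredZone(pub, splitMessages(zone, 3), sig))
}
```

The receiver-side check is the part worth keeping in mind: with the zone-level signature a consumer can validate the assembled zone against the owner's published key after the fact, which is exactly the property needed for wide-scale distribution, while a per-message transaction signature only tells the requester that each reply to its own query was intact.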