Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Tue, 10 July 2018 00:05 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: George Michaelson <ggm@algebras.org>
CC: dnsop WG <dnsop@ietf.org>
Date: Tue, 10 Jul 2018 00:05:15 +0000
Message-ID: <B3D78ECC-F4A8-4EE9-AC79-6B1E85C02D04@verisign.com>
In-Reply-To: <CAKr6gn1ALiKPXPpi6ggwiFeLMH-b15UjfWOnMY2++SyoXoiQpQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/m84lfNyrh3DOOaQ_HLBiq3cj3aE>

George,


> On Jul 9, 2018, at 4:36 PM, George Michaelson <ggm@algebras.org> wrote:
> 
> There's arguments both sides about cross signing, counter signing and
> independent self-signing. If you want to promote out of band zone
> exchange, it has to be signed. The key it signs with is immaterial if
> you either direct knowledge of the PK in a PKI, or accept a trust
> anchor relationship over it, or a web of trust.

I'm not here to promote out-of-band distribution, but I think it's going
to happen (especially for the root zone) and I want something that works
just as well for in- and out-of-band distribution.

I think it makes sense that name server software, whether recursive or
authoritative, can use a technique like this to verify zone data, whether
it is loaded from disk or received over the network.  

The key may be immaterial, but I think the barrier to implementation is
much lower if it can be done with what we already have (DNSSEC) rather than
having to drag something like PGP in.



> So do you prefer (for instance) that the ZSK be used outside of DNSSEC
> to sign a detached signature over the file, irrespective of content
> order, if the file is to be made available?

Sorry I don't quite follow.  What we're suggesting is not a signature over
the file/data, but a hash over the data, which in turn can be signed.

> Because if you basically
> prefer it's *not signed* for this mode of transfer, you've stepped

For me the mode of transfer is irrelevant.  My goal is to secure the data,
not the transfer.

> outside the model: you now demand the file is checked on load, element
> by element, against the TA, rather than being integrity checked by a
> MAC signed by the issuer, which permits eg direct binary loadable, or
> other states.

We're not demanding anything (MAY/SHOULD vs MUST) but what we propose is, as
you say, MAC signed by the issuer.

DW


> 
> -G
> 
> On Tue, Jul 10, 2018 at 7:47 AM, Wessels, Duane <dwessels@verisign.com> wrote:
>> 
>>> On Jul 8, 2018, at 6:02 PM, George Michaelson <ggm@algebras.org> wrote:
>>> 
>>> So how about use of a PGP key which is a payload in TXT signed over by
>>> the ZSK/KSK so the trust paths bind together?
>>> 
>>> fetch one DNS record +sigs, check against the TA (which has to be a
>>> given) and then..
>> 
>> Currently in the zone digest draft DNSSEC is not mandatory.  That is, the zone
>> needn't necessarily be signed and a receiver need not perform the validation if
>> they don't want to.
>> 
>> Even without DNSSEC the digest gives you a little protection from accidental corruption.  But not from malicious interference of course.
>> 
>> It seems kind of silly to me to double up on public key cryptosystems.  We already have keys attached to zones and software that generates and validates signatures.
>> 
>> DW
>>
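Duane's point above is that the proposal is a hash over the zone data, independent of the order the file happens to be in, which DNSSEC can then sign, rather than a signature over the file itself. The following added example (not code from the draft or from anyone in this thread) illustrates that property on a constructed toy zone: it canonicalises and sorts presentation-format RRs before hashing, which is an approximation of the draft's approach (the draft digests wire-format RRs in DNSSEC canonical order and carries the digest in an apex record), and the returned digest is the value an RRSIG would then cover.

```python
import hashlib
import hmac

# Constructed toy zone in presentation form (one RR per line); not a real zone.
ZONE_A = """\
example.     3600 IN SOA ns1.example. admin.example. 2018070900 7200 3600 1209600 3600
example.     3600 IN NS  ns1.example.
www.example. 3600 IN A   192.0.2.1
ns1.example. 3600 IN A   192.0.2.53
"""
# Same records, different file order and mixed owner-name case.
ZONE_B = """\
ns1.example. 3600 IN A   192.0.2.53
WWW.example. 3600 IN A   192.0.2.1
example.     3600 IN NS  ns1.example.
example.     3600 IN SOA ns1.example. admin.example. 2018070900 7200 3600 1209600 3600
"""
# One octet of data changed: the kind of accidental corruption a digest catches.
ZONE_C = ZONE_A.replace("192.0.2.1\n", "192.0.2.2\n")

def parse_zone(text):
    """Return (owner, ttl, class, type, rdata) tuples with whitespace and case normalised."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), cls.upper(), rtype.upper(),
                    " ".join(rdata.split())))
    return rrs

def canonical_key(rr):
    """Sort key approximating DNSSEC canonical order: labels compared from the
    root downwards, then RR type, then RDATA."""
    labels = tuple(reversed(rr[0].rstrip(".").split(".")))
    return (labels, rr[3], rr[4])

def zone_digest(text):
    """SHA-384 over every RR in canonical order, so file order does not matter."""
    h = hashlib.sha384()
    for owner, ttl, cls, rtype, rdata in sorted(set(parse_zone(text)), key=canonical_key):
        h.update(f"{owner} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def verify_zone(text, expected_digest):
    """Check a loaded zone (from disk or the network) against the digest that
    travelled with it; constant-time compare so the mismatch position is not leaked."""
    return hmac.compare_digest(zone_digest(text), expected_digest)
```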