Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 23 July 2018 21:13 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0B54130F53 for <dnsop@ietfa.amsl.com>; Mon, 23 Jul 2018 14:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Htbcp1BCh10j for <dnsop@ietfa.amsl.com>; Mon, 23 Jul 2018 14:13:35 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFF2F130E73 for <dnsop@ietf.org>; Mon, 23 Jul 2018 14:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7664; q=dns/txt; s=VRSN; t=1532380415; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=niExrH5eLoO+qYu3lZ5ZbRWyFKYAluJzxL54IR/pyUA=; b=ov0A8G0xiCEeBl877ssZhFxEtaCAiCPST856u1or73gLI1mBH9Y+Wn3F oguuS3i8NTUVsWLoumPF8k18Mkj6QLVWaBsows8hIGvmpe8xHpKZUFlcK G7tZDzCGApnyMqB9UenpgenvujOn3dlwUVCzaXxydce3SY051YVlJloD9 hFqiA5aq6rsgRY2DmTXzd/PmsQEuUTXpD9xXURZ++rGFlOIcJvnDxCxjd O1kFl8cWL+OtLvKdpbZ0aI/RzWrP0FzI+yEn8cUCTeziT0jA2n8ect4Zf cQagL1m2iqVCz5hGSRnqMlRcdhvW1c7Ut5JwSEVArw5pweAh3dogK3Qp/ Q==;
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 23 Jul 2018 17:13:33 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 23 Jul 2018 17:13:33 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUIsZl2gy1n6zxQkK2zQWWBU6RHqSdkYCA
Date: Mon, 23 Jul 2018 21:13:33 +0000
Message-ID: <FBDE301D-7F3F-4141-8E4C-E3A54D6408EC@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <87h8kp7sqf.fsf@mid.deneb.enyo.de> <445C5C76-06B3-4F0B-BB7E-FD0254E26019@verisign.com> <36C414EF-0583-410F-8748-C8A0683AB82E@vpnc.org>
In-Reply-To: <36C414EF-0583-410F-8748-C8A0683AB82E@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_CB7E6E61-A481-4F33-96C7-6FD89912B9E7"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mcSVUvlXBdlNdi2vQVxSREYiFkU>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 21:13:38 -0000

> On Jul 23, 2018, at 1:47 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> The messages on this thread seem to alternate between this being a zone hash and a zone signature. There is a pretty large difference between the requirements and uses for each.


Thanks for pointing this out.  On the chance that someone is unclear about what we propose in the dns-zone-digest draft (AKA ZONEMD), it is this:

ZONEMD is a hash (message digest) of the zone contents in canonical wire format.  The hash alone provides weak security and the ability to detect unintentional changes or tampering.  It uses the same hashing algorithms that DS uses.

When used with a DNSSEC-signed zone, ZONEMD provides much stronger security guarantees.  The ZONEMD record is signed like all the other records in a zone.

DW
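To make the mechanism Duane describes concrete, here is an added example (not code from the draft, from Verisign, or from anyone on this thread) that digests a small constructed zone in the spirit of ZONEMD: every RR is put into DNSSEC canonical form (owner names and names in RDATA lowercased, records sorted in RFC 4034 canonical order), serialised to uncompressed wire format, and fed through a DS digest algorithm (SHA-384, DS digest type 4, with SHA-256, type 2, as the alternative). The zone data, the handful of supported RR types and the exact serialisation are assumptions made for illustration; the draft's real procedure, including how the ZONEMD record itself is handled (it cannot contain its own digest), is not reproduced. The example shows the two properties the message relies on: the digest is stable across line order and name case, and any changed byte of zone data changes it.

```python
"""Toy ZONEMD-style zone digest (added example; constructed data, not the draft's algorithm)."""
import hashlib
import hmac
import ipaddress
import struct

# DS digest types reused for the zone digest: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}
RR_TYPES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}   # the subset this toy serialises
CLASS_IN = 1

# Constructed sample zone (assumption for illustration; not from the thread or the draft).
ZONE = """\
example.      3600 IN NS   ns1.example.
example.      3600 IN NS   ns2.example.
ns1.example.  3600 IN A    192.0.2.1
ns2.example.  3600 IN AAAA 2001:db8::2
www.example.   300 IN A    192.0.2.10
www.example.   300 IN TXT  "hello"
"""
# Same zone, shuffled and with mixed-case names: must produce the same digest.
ZONE_REORDERED = """\
WWW.EXAMPLE.   300 IN TXT  "hello"
ns2.example.  3600 IN AAAA 2001:db8::2
example.      3600 IN NS   ns2.example.
www.example.   300 IN A    192.0.2.10
example.      3600 IN NS   NS1.EXAMPLE.
ns1.example.  3600 IN A    192.0.2.1
"""
# One changed A record (simulating a corrupted or tampered zone transfer).
ZONE_TAMPERED = ZONE.replace("192.0.2.10", "198.51.100.10")


def _labels(name):
    return name.lower().rstrip(".").split(".") if name.strip(".") else []


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, uncompressed, length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name))
    return out + b"\x00"


def canonical_name_key(name):
    """RFC 4034 s6.1 canonical ordering: compare lowercase labels from the root downwards."""
    return tuple(l.encode("ascii") for l in reversed(_labels(name)))


def rdata_to_wire(rtype, text):
    """Canonical RDATA wire form for the supported types (names inside RDATA lowercased)."""
    if rtype == "A":
        return ipaddress.IPv4Address(text).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(text).packed
    if rtype == "NS":
        return name_to_wire(text)
    if rtype == "TXT":
        s = text.strip('"').encode("ascii")   # a single character-string only, in this toy
        return bytes([len(s)]) + s
    raise ValueError("unsupported RR type %s" % rtype)


def parse_zone(text):
    """Minimal presentation-format parser: 'owner TTL IN TYPE RDATA', one RR per line."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls != "IN":
            raise ValueError("only class IN is supported")
        rrs.append((owner, int(ttl), rtype, rdata))
    return rrs


def rr_to_wire(owner, ttl, rtype, rdata):
    """Uncompressed wire-format RR: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rd = rdata_to_wire(rtype, rdata)
    return name_to_wire(owner) + struct.pack("!HHIH", RR_TYPES[rtype], CLASS_IN, ttl, len(rd)) + rd


def zone_digest(text, digest_type=4):
    """Hash every RR of the zone in canonical order; returns the hex digest."""
    rrs = parse_zone(text)
    # canonical order: owner name, then RR type, then RDATA as octet strings
    rrs.sort(key=lambda r: (canonical_name_key(r[0]), RR_TYPES[r[2]], rdata_to_wire(r[2], r[3])))
    h = DS_DIGEST_ALGS[digest_type]()
    for rr in rrs:
        h.update(rr_to_wire(*rr))
    return h.hexdigest()


def verify_zone(text, expected_hex, digest_type=4):
    """Recompute and compare; a bare hash shows that the data changed, not who changed it."""
    return hmac.compare_digest(zone_digest(text, digest_type), expected_hex.lower())


if __name__ == "__main__":
    ref = zone_digest(ZONE)
    print("digest       ", ref)
    print("reordered ok?", verify_zone(ZONE_REORDERED, ref))   # True
    print("tampered ok? ", verify_zone(ZONE_TAMPERED, ref))    # False
```

The failing check on the tampered zone is exactly the "weak security" case in the message: a party that can rewrite zone data can just as easily recompute the digest, so on its own the digest only catches changes the zone's publisher did not intend (corruption in transfer, a stale copy). Signing the digest record with the zone's DNSSEC keys is what ties it to the publisher, so that a recipient checking the signature chain can also trust the digest.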