Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02

Edward Lewis <edward.lewis@icann.org> Mon, 13 August 2018 14:37 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Mon, 13 Aug 2018 14:37:45 +0000
Message-ID: <7223EEB4-57A4-4C54-8C62-631B5FBEE0A5@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mrNsJ3UBPTHNdmceVOqUATOl6LU>
Subject: Re: [DNSOP] [Ext] Re: Comments on draft-wessels-dns-zone-digest-02

On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:

>The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD record isn't signed.

That's my read too, which is why I question the incremental benefit over relying on DNSSEC while doing the query/response over port 53 "thing".  Question, not doubt, that is.

What I'm struggling with is the applicability to other uses of the zone file.  There too, the consumer, when making use of the ZONEMD, if the record isn't signed then it could be recomputed by the manager of the repository from which the zone file came.  If the record is signed, the consumer would then need to implement DNSSEC.  'Course, one signature verification would be cheaper than "$lots" (hundreds, thousands, millions).
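The distinction drawn above, as an added example that is not part of the thread or of the draft: a toy zone, a ZONEMD-style digest that leaves the ZONEMD RR out of its own digest, and the unsigned check beside the signed one. The simplified digest (sorted, lower-cased presentation lines under SHA-256), the Ed25519 signature standing in for an RRSIG, and all names and addresses are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Constructed toy zone. The digest below (lower-cased, sorted lines, SHA-256) is a
// simplification for this example, not the draft's wire-format canonical ordering.
var zone = []string{
	"example. 3600 IN SOA ns1.example. hostmaster.example. 2018081301 7200 3600 1209600 3600",
	"example. 3600 IN ZONEMD 2018081301 1 1 PLACEHOLDER", // excluded from its own digest
	"example. 3600 IN NS ns1.example.",
	"www.example. 3600 IN A 192.0.2.10",
}

// ZoneDigest hashes every RR except the ZONEMD RR itself, in canonical order.
func ZoneDigest(rrs []string) string {
	var canon []string
	for _, rr := range rrs {
		if !strings.Contains(rr, " IN ZONEMD ") {
			canon = append(canon, strings.ToLower(rr))
		}
	}
	sort.Strings(canon)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(strings.Join(canon, "\n"))))
}
// Unsigned check: anyone who can edit the zone file can also recompute the digest.
func DigestMatches(rrs []string, zonemd string) bool { return ZoneDigest(rrs) == zonemd }
// Signed check: one Ed25519 verification stands in for the RRSIG DNSSEC would put on ZONEMD.
func SignedDigestValid(rrs []string, zonemd string, sig []byte, pub ed25519.PublicKey) bool {
	return DigestMatches(rrs, zonemd) && ed25519.Verify(pub, []byte(zonemd), sig)
}
// Scenario: the publisher signs its digest; a repository then alters one RR and recomputes
// the digest. Returns (original signed ok, altered unsigned ok, altered signed ok).
func Scenario() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, []byte(ZoneDigest(zone)))
	altered := append(zone[:3:3], "www.example. 3600 IN A 198.51.100.99") // copy; zone untouched
	alteredMD := ZoneDigest(altered) // recomputed without the publisher's key
	return SignedDigestValid(zone, ZoneDigest(zone), sig, pub), DigestMatches(altered, alteredMD),
		SignedDigestValid(altered, alteredMD, sig, pub)
}
func main() { fmt.Println(Scenario()) }
```

Running it prints `true true false`: the recomputed digest alone passes on the altered copy, and only the single signature check over the digest catches the substitution.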