Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest
Paul Wouters <paul@nohats.ca> Fri, 03 August 2018 02:50 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B105130E0C for <dnsop@ietfa.amsl.com>; Thu, 2 Aug 2018 19:50:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HsrfaSyEpfdA for <dnsop@ietfa.amsl.com>; Thu, 2 Aug 2018 19:50:50 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CF99130DEE for <dnsop@ietf.org>; Thu, 2 Aug 2018 19:50:50 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41hWkY2HNvz39n for <dnsop@ietf.org>; Fri, 3 Aug 2018 04:50:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1533264645; bh=1Jqo8si2v7M0WFJae7T0B7liNiCF5km+YqgXFjEtv+A=; h=Date:From:To:Subject:In-Reply-To:References; b=Nv/34ptksoPepj6mA4NH/1aBDpkYX7mvwVlFyQHCWzCMQ2bSI2HdA9SdNswzATu6a YKEKHTQyOCEGS84JjqVKQccAJ9mm4GGLxW6l00lzCjGr3EzG+BuhMu4DBIFKYMISbi vaXl3/l9PY1cSNTv1qManT+hd8JZmUdWH4ESOHCU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id hzAyjJKjnW7T for <dnsop@ietf.org>; Fri, 3 Aug 2018 04:50:43 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Fri, 3 Aug 2018 04:50:42 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 8B2F51FEE2; Thu, 2 Aug 2018 22:50:40 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 8B2F51FEE2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 58AC540D37FB for <dnsop@ietf.org>; Thu, 2 Aug 2018 22:50:40 -0400 (EDT)
Date: Thu, 02 Aug 2018 22:50:40 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <54333970-0416-43BB-8E10-39A4617811AB@vpnc.org>
Message-ID: <alpine.LRH.2.21.1808022247150.6981@bofh.nohats.ca>
References: <CADyWQ+HizOJsE9EZ=VEvrbnnyPwaG_yBRg7fP5VvUNTdnidXZA@mail.gmail.com> <ybl4lgg6ztm.fsf@w7.hardakers.net> <m1fkRCk-0000GTC@stereo.hq.phicoh.net> <E10B9DE1-091E-45DF-9C23-380455113A21@kahlerlarson.org> <alpine.LRH.2.21.1808021512160.1415@bofh.nohats.ca> <54333970-0416-43BB-8E10-39A4617811AB@vpnc.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n90ft-ktaAxv1T_1rzf98XPy-YQ>
Subject: Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 02:50:52 -0000
On Thu, 2 Aug 2018, Paul Hoffman wrote: >> Note that the checksum in this case must be at least as >> cryptographically strong as the signature algorithm used >> in the individual RRSIGs/DNSKEYs. > > Not true. > > If the resolver is validating, the ZONEMD only adds assurance that the > non-signed records are there. Thus, the hash algorithm for the zone is > unrelated to the hash algorithms in the signatures. Then don't cover signed RRsets with ZONEMD. Then this problem goes away, and you force implementations to validate all records before putting them in the cache. > If the resolver is not validating, the ZONEMD assures that all the records > are there. The strength of that assurance is the same as the second pre-image > strength of the hash. However, the resolver cannot say "oh, look, now I can > start resolving with what I got in the zone transfer": it still needs to > validate every RRSIG all the way to the root. That's not what people are going to do. They are going to grab the AXFR'ed data, check the checksum and throw it in the "validated" cache and they won't revalidate every root zone entry they are about to serve. Paul
- Re: [DNSOP] One Chair's comments on draft-wessels… John Levine
- [DNSOP] One Chair's comments on draft-wessels-dns… Tim Wicinski
- Re: [DNSOP] One Chair's comments on draft-wessels… Florian Weimer
- Re: [DNSOP] One Chair's comments on draft-wessels… Joe Abley
- Re: [DNSOP] One Chair's comments on draft-wessels… Evan Hunt
- Re: [DNSOP] One Chair's comments on draft-wessels… Mark Andrews
- Re: [DNSOP] One Chair's comments on draft-wessels… Tim Wicinski
- Re: [DNSOP] One Chair's comments on draft-wessels… John R Levine
- Re: [DNSOP] One Chair's comments on draft-wessels… Tim Wicinski
- Re: [DNSOP] One Chair's comments on draft-wessels… Jiankang Yao
- Re: [DNSOP] One Chair's comments on draft-wessels… Evan Hunt
- Re: [DNSOP] One Chair's comments on draft-wessels… Evan Hunt
- Re: [DNSOP] One Chair's comments on draft-wessels… John R Levine
- Re: [DNSOP] One Chair's comments on draft-wessels… Wessels, Duane
- Re: [DNSOP] One Chair's comments on draft-wessels… Wes Hardaker
- Re: [DNSOP] One Chair's comments on draft-wessels… Philip Homburg
- Re: [DNSOP] One Chair's comments on draft-wessels… Joe Abley
- Re: [DNSOP] One Chair's comments on draft-wessels… Wes Hardaker
- Re: [DNSOP] One Chair's comments on draft-wessels… Matt Larson
- Re: [DNSOP] One Chair's comments on draft-wessels… Philip Homburg
- Re: [DNSOP] One Chair's comments on draft-wessels… Philip Homburg
- Re: [DNSOP] distributing zones, was One Chair's c… John Levine
- Re: [DNSOP] lotsa TLDs, was One Chair's comments … John Levine
- Re: [DNSOP] lotsa TLDs, was One Chair's comments … Paul Hoffman
- Re: [DNSOP] lotsa TLDs, was One Chair's comments … Paul Wouters
- Re: [DNSOP] One Chair's comments on draft-wessels… Paul Wouters
- Re: [DNSOP] One Chair's comments on draft-wessels… John Levine
- Re: [DNSOP] One Chair's comments on draft-wessels… Paul Hoffman
- Re: [DNSOP] One Chair's comments on draft-wessels… Paul Wouters
- Re: [DNSOP] One Chair's comments on draft-wessels… Mark Andrews
- Re: [DNSOP] One Chair's comments on draft-wessels… John Levine
- Re: [DNSOP] One Chair's comments on draft-wessels… Paul Hoffman
- Re: [DNSOP] One Chair's comments on draft-wessels… Paul Wouters
- Re: [DNSOP] One Chair's comments on draft-wessels… Mark Andrews