Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
Michael StJohns <msj@nthpermutation.com> Wed, 08 January 2020 19:56 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CCF12012A for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7IBNJWuhzftQ for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:56:24 -0800 (PST)
Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7AF412003E for <dnsop@ietf.org>; Wed, 8 Jan 2020 11:56:23 -0800 (PST)
Received: by mail-qv1-xf33.google.com with SMTP id l14so1942362qvu.12 for <dnsop@ietf.org>; Wed, 08 Jan 2020 11:56:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=Dnvh+xXnC4HOQFpekQm0n/azQfvdheAA6FjU8v0LSgI=; b=ZNE2oU0zJ3caujBOWdJozVJm4xUMBXUD59jqLP9Jl9/hNG9smMY4SsHSoO7hOLuV6i SW5V1R6yKfeqWhwrqW9BDiO3zELjnTmnMfxF6nOF72V5s/KeWy76eXwvznoeJ4amKE9H jaKY6r9qHQw08Gwu8+BwmJ60hHOVVxkti2GRjtiVFWv2aCrMuL7xqEoh8ZclkpRwYxe6 icyfa9XJacp5Ci+CczMc/wZQJO7ZCCqesbBv0zXQX0E24OULsIOn4zUhcZEV2YkkDu5t IGvLHYyHf+Fi/YHAlW+o0VRusJx1utAxT+R09uNjxAIVX8eR5YtBSIZdB2D7dG8bfitg E68w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=Dnvh+xXnC4HOQFpekQm0n/azQfvdheAA6FjU8v0LSgI=; b=Uel0TeJbihMJ9w733ORAI9m5q79Ne/Ev4cqO780DRuhAmSMOi830jzUIC9Y50elfV3 vtkSqK7QefkHDp3fFAv7UWK3Yszg/OLNgaQ5c+KB4i7ZvnGt/i4TrbDG0Menx8x5CtJo 9OfL/ETPHmYhtqF8BAThw11JAJV53Fj2/QJn86Hle8xSPB9JzYxE3ByC1kEHTEus3b/R /CnuuahCuAMXLwb3ULM1+xu1nOaYRttRd/aYeP5uaLlwzokDZ1ncaccnL7ApMFUsrds5 DIGC7ZsQsx9t/XAPptt75fp2ddC3D1Bx1eukAgWBiohBmJQirXlVg+51WaPzgRFOrXrE sueA==
X-Gm-Message-State: APjAAAWDUdRLcRIRjN8ycqFm0rvmg6wCdg7fHfOghP+uC9bGgsgJ/abG CvmIyVGoFuGotACSyF2DEvDjknwx9eU=
X-Google-Smtp-Source: APXvYqzr0vZh56qgBItyz6URqJbX8dG6TWjTIh9OL0xUJj6nX8wOnV3zksRnokUSYLgeawUV99/MGA==
X-Received: by 2002:ad4:4dc3:: with SMTP id cw3mr5647431qvb.130.1578513382581; Wed, 08 Jan 2020 11:56:22 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:dd4:4ade:7d8:f573? ([2601:152:4400:437c:dd4:4ade:7d8:f573]) by smtp.gmail.com with ESMTPSA id o81sm1911001qke.33.2020.01.08.11.56.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 11:56:22 -0800 (PST)
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
Date: Wed, 08 Jan 2020 14:56:21 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nEh8rtdopGUe5QQDhxViiHgBUlo>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:56:27 -0000
On 1/8/2020 2:07 PM, John R Levine wrote: >> Could you give me a b) for each of these please? E.g. How does >> ZONEMD make your life better in each of these and what would happen >> if you - in a future world - were getting ZONEMD data and validation >> failed? > > Unless someone else says they find this level of anecdotal detail > useful, I'll pass. Thought so - OK. Then let me try a "real world" example and give you a few different choices: I'm running a private copy of the root zone for my organization. I (automated) check the SOA every so often, and arrange for a download of the zone when it changes. I (automated) get a copy of the zone data, including an ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD RR is invalid (hashes don't match). I do: a) Discard the download, keep retrying until I get a valid ZONEMD RR, ignoring any changes in the DNSSEC validated data b) Install what I've been able to validate DNSSEC wise, and delete anything not DNSSEC validated. E.g. basically ignore the ZONEMD RR and install any validated changes. Log the error. Schedule a download for next SOA change. c) Yell for a human to make a decision. d) (b) plus turn off ZONEMD RR processing in the future e) anecdotal author's choice. > > As I keep telling you, there is nothing new about dealing with invalid > zones. This is just another way to find that a zone is invalid, and > it is hard to imagine how anyone who would use ZONEMD wouldn't already > have experience dealing with other zone transfer or validation failures. And I will note that zones are rarely invalid. They can have extraneous data, or missing targets for things like CNAME. They can have DNSSEC signature types you don't understand. They can have missing data where DNSSEC says they should have data, and they can have data where DNSSEC says they shouldn't. Those don't make the zone IN ITS ENTIRETY invalid, unlike what ZONEMD purports to do. Later, Mike > > Regards, > John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine