IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

Michael StJohns <msj@nthpermutation.com> Wed, 08 January 2020 19:56 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CCF12012A for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7IBNJWuhzftQ for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:56:24 -0800 (PST)
Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7AF412003E for <dnsop@ietf.org>; Wed, 8 Jan 2020 11:56:23 -0800 (PST)
Received: by mail-qv1-xf33.google.com with SMTP id l14so1942362qvu.12 for <dnsop@ietf.org>; Wed, 08 Jan 2020 11:56:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=Dnvh+xXnC4HOQFpekQm0n/azQfvdheAA6FjU8v0LSgI=; b=ZNE2oU0zJ3caujBOWdJozVJm4xUMBXUD59jqLP9Jl9/hNG9smMY4SsHSoO7hOLuV6i SW5V1R6yKfeqWhwrqW9BDiO3zELjnTmnMfxF6nOF72V5s/KeWy76eXwvznoeJ4amKE9H jaKY6r9qHQw08Gwu8+BwmJ60hHOVVxkti2GRjtiVFWv2aCrMuL7xqEoh8ZclkpRwYxe6 icyfa9XJacp5Ci+CczMc/wZQJO7ZCCqesbBv0zXQX0E24OULsIOn4zUhcZEV2YkkDu5t IGvLHYyHf+Fi/YHAlW+o0VRusJx1utAxT+R09uNjxAIVX8eR5YtBSIZdB2D7dG8bfitg E68w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=Dnvh+xXnC4HOQFpekQm0n/azQfvdheAA6FjU8v0LSgI=; b=Uel0TeJbihMJ9w733ORAI9m5q79Ne/Ev4cqO780DRuhAmSMOi830jzUIC9Y50elfV3 vtkSqK7QefkHDp3fFAv7UWK3Yszg/OLNgaQ5c+KB4i7ZvnGt/i4TrbDG0Menx8x5CtJo 9OfL/ETPHmYhtqF8BAThw11JAJV53Fj2/QJn86Hle8xSPB9JzYxE3ByC1kEHTEus3b/R /CnuuahCuAMXLwb3ULM1+xu1nOaYRttRd/aYeP5uaLlwzokDZ1ncaccnL7ApMFUsrds5 DIGC7ZsQsx9t/XAPptt75fp2ddC3D1Bx1eukAgWBiohBmJQirXlVg+51WaPzgRFOrXrE sueA==
X-Gm-Message-State: APjAAAWDUdRLcRIRjN8ycqFm0rvmg6wCdg7fHfOghP+uC9bGgsgJ/abG CvmIyVGoFuGotACSyF2DEvDjknwx9eU=
X-Google-Smtp-Source: APXvYqzr0vZh56qgBItyz6URqJbX8dG6TWjTIh9OL0xUJj6nX8wOnV3zksRnokUSYLgeawUV99/MGA==
X-Received: by 2002:ad4:4dc3:: with SMTP id cw3mr5647431qvb.130.1578513382581; Wed, 08 Jan 2020 11:56:22 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:dd4:4ade:7d8:f573? ([2601:152:4400:437c:dd4:4ade:7d8:f573]) by smtp.gmail.com with ESMTPSA id o81sm1911001qke.33.2020.01.08.11.56.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 11:56:22 -0800 (PST)
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
Date: Wed, 08 Jan 2020 14:56:21 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nEh8rtdopGUe5QQDhxViiHgBUlo>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:56:27 -0000

On 1/8/2020 2:07 PM, John R Levine wrote:
>> Could you give me a b) for each of these please?   E.g. How does 
>> ZONEMD make your life better in each of these and what would happen 
>> if you - in a future world - were getting ZONEMD data and validation 
>> failed?
>
> Unless someone else says they find this level of anecdotal detail 
> useful, I'll pass.

Thought so - OK.

Then let me try a "real world" example and give you a few different choices:

I'm running a private copy of the root zone for my organization. I 
(automated) check the SOA every so often, and arrange for a download of 
the zone when it changes.    I (automated) get a copy of the zone data, 
including an ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD 
RR is invalid (hashes don't match). I do:

a) Discard the download, keep retrying until I get a valid ZONEMD RR, 
ignoring any changes in the DNSSEC validated data

b) Install what I've been able to validate DNSSEC wise, and delete 
anything not DNSSEC validated.  E.g. basically ignore the ZONEMD RR and 
install any validated changes.  Log the error. Schedule a download for 
next SOA change.

c) Yell for a human to make a decision.

d) (b) plus turn off ZONEMD RR processing in the future

e) anecdotal author's choice.


>
> As I keep telling you, there is nothing new about dealing with invalid 
> zones.  This is just another way to find that a zone is invalid, and 
> it is hard to imagine how anyone who would use ZONEMD wouldn't already 
> have experience dealing with other zone transfer or validation failures.

And I will note that zones are rarely invalid.  They can have extraneous 
data, or missing targets for things like CNAME.  They can have DNSSEC 
signature types you don't understand.  They can have missing data where 
DNSSEC says they should have data, and they can have data where DNSSEC 
says they shouldn't.   Those don't make the zone IN ITS ENTIRETY 
invalid, unlike what ZONEMD purports to do.

Later, Mike



>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

v2.23.0 | Report a Bug | By Email