Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 29 October 2018 20:36 UTC

IronPort-PHdr: 9a23:60merRUHE2tNeBuNyC4OTmVvXZ3V8LGtZVwlr6E/grcLSJyIuqrYbRyCt8tkgFKBZ4jH8fUM07OQ7/i/HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9wIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAo2ycZYBD/YPM+hboYnypVoOogexCgS3C+Pj1jpIi2Xq0aEmzegsFxzN0gw6H9IJtXTZtNv5O6cMXuCu16nH0zHDb+hO1Tzg5obIbwouofeSUr5+bMHczlQgFg3bgVWLsozqITeV1v8WvmiF8eVgT+Ovi3UmqwF+pDij3Nsjio7Mho8MzF3P6Ct3wIEwJdKiSU57Z8apEIFXtyGdK4t6W9giTH9yuCYk1LIGo4W7cDIMyJs52x7Tc+GIc46T4h76U+aeOy14i25/dLK5mRmy7U6twfD/WMmsyFtGszZJnsPRun0P2RHf8NWLR/tz80u71juC1Bjf5vxYLUwuiKbWKYItzqQtmpccsknPBDL6lUbugK+YaEop+fSk5uHib7r8pZKRM5R7hwTwP6gwh8OyAOE1PRMKUmWa++mx0bPu8EP7TbpXiPA9j7PXv4rAJcsBo660GwpV0oE+5BmhFzqmy9EYnWUfLFJCZRKHk5DlO1HQL/D8Cveym0mhnitzyfzbPrLvGprDIXnfnLv8Z7p99VJTyA0pzdBH/Z5bEKwOLOjtWk/rr9zYCAU1PBCzw+biENl914UeVnyTAqKBLa/erUWE6v8tLuSCfoMZpTbwJvY/6/PhjnI1gVodcrOo3ZsTZnC4BPNmI0CBbHXxjNYOD3wKvhEgQ+zuk12PSiBTaGioX6I9/TE7CY2mDYHZSo+xh7yB2T+3HodKaWBeFlCMDXDoep2cW/gWdSKSJtRskjoDVbihUYAhyQquuBXmxLV9NuDU4DEXtYr/1Nhp4O3ejQw99TpvD8Say2GAVGB0kX0URz84xqx/plZ9yljQmZR/1sRRCNgb2PRUTgogLtaI1+VnD/j0XQLIYszPQ1/wEfu8BjRkBO082MQDZ105U/m/hxbOlWL+D6AYjKeGAIcc7K/G3mPwKMA7wHHDgvpyx2I6S9dCYDX1zpV08BLeUsuQyx2U
From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Wouters <paul@nohats.ca>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt
Thread-Index: AQHUa8fSd2S4g6NvQ0q0TjD0Wy0eM6Uwso4AgAZHKAA=
Date: Mon, 29 Oct 2018 20:36:48 +0000
Message-ID: <16BC7FEB-CC3D-4DEE-82D3-CB148FD0F2B8@verisign.com>
References: <154020795105.15126.7681204022160033203@ietfa.amsl.com> <CA+nkc8CR3KL0EVfkWF2U1coRh+chhNxjGWNevOG++BAt0YDwXw@mail.gmail.com> <601062EA-8853-47D9-B535-F71F25C80033@verisign.com> <CA+nkc8CaZ3ZbdWRBts2Zk6zjwZ4upnYJvO3N7eczqem-XCzXVQ@mail.gmail.com> <alpine.LRH.2.21.1810251642030.29075@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1810251642030.29075@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_AB1C6482-0BD9-442C-8BDE-014192A28D79"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oloRZGWsHOdkepnZXWNOyy53eWs>
Subject: Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt
Precedence: list

> On Oct 25, 2018, at 1:44 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> 
> 
>> Subject: Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt
> 
> Duane,
> 
> It seems this document is really aiming at the root zone, even though
> there is some text about making it sort of general.

Hi Paul,

Certainly the root zone use case is of particular interest to me, but I also
believe it is a mistake to focus narrowly on that.  I've heard others say they think
its useful in general, and I think as time goes on it will find more use cases.

> 
> What if we signed root-servers.net and allowed people to AXFR that
> zone along with the root zone. Would there be any need to do any
> checksumming? It seems a much simpler solution to protecting the unsigned
> glue records then a new checksum method.

First, I don't really see how it makes things simpler.  You'd have to look
in two places (zones) rather than one.

Second, A signed root-servers.net zone doesn't cover all the root zone glue.
From the presentation I recently gave at DNS-OARC (https://indico.dns-oarc.net/event/29/contributions/656/), a root zone from August 2018 has
10,773 total RRsets, 1400 of which are signed, and 9373 are unsigned.

Whether or not root-servers.net should be signed is, IMO, a separate discussion.

DW

Attachment: smime.p7s

[DNSOP] I-D Action: draft-wessels-dns-zone-digest… internet-drafts
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Bob Harold
[DNSOP] Reserved field in draft-wessels-dns-zone-… Paul Hoffman
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Wessels, Duane
Re: [DNSOP] Reserved field in draft-wessels-dns-z… Wessels, Duane
Re: [DNSOP] Reserved field in draft-wessels-dns-z… Joe Abley
Re: [DNSOP] [Ext] Reserved field in draft-wessels… Paul Hoffman
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Bob Harold
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Paul Wouters
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Wessels, Duane
[DNSOP] review: draft-wessels-dns-zone-digest-04.… Joe Abley
Re: [DNSOP] I-D Action: draft-wessels-dns-zone-di… Paul Wouters
Re: [DNSOP] review: draft-wessels-dns-zone-digest… Wessels, Duane
Re: [DNSOP] review: draft-wessels-dns-zone-digest… Joe Abley
Re: [DNSOP] review: draft-wessels-dns-zone-digest… Richard Gibson
Re: [DNSOP] review: draft-wessels-dns-zone-digest… Joe Abley
Re: [DNSOP] review: draft-wessels-dns-zone-digest… A. Schulze
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Paul Hoffman
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Joe Abley
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Paul Hoffman
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Bob Harold
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Brian Dickson
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Joe Abley
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Paul Hoffman
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Brian Dickson
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Joe Abley
Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-… Brian Dickson
Re: [DNSOP] [Ext] Reserved field in draft-wessels… Wes Hardaker
Re: [DNSOP] [Ext] Reserved field in draft-wessels… Wessels, Duane

Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt

Attachment: smime.p7s