Re: [DNSOP] Implementation status for ZONEMD?

Willem Toorop <willem@nlnetlabs.nl> Tue, 22 December 2020 09:28 UTC

To: dnsop@ietf.org
References: <ED068CDB-A808-457D-8A99-A834B4E5FA19@icann.org> <8327f72a-295a-44f4-4f50-84485f47df4a@NLnetLabs.nl>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <dfad87c7-c96e-9ecb-8341-b979e294f9e5@nlnetlabs.nl>
Date: Tue, 22 Dec 2020 10:27:53 +0100
MIME-Version: 1.0
In-Reply-To: <8327f72a-295a-44f4-4f50-84485f47df4a@NLnetLabs.nl>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pufdVmr9uW2IH19YuuWI-qPKAeE>
Subject: Re: [DNSOP] Implementation status for ZONEMD?

Op 22-12-2020 om 01:07 schreef Benno Overeinder:
> Hi Paul,
> 
> On 18/12/2020 22:57, Paul Hoffman wrote:
>> Greetings. Now that ZONEMD is waiting in the RFC Editor's queue, I was
>> wondering how the developers are coming with implementation. The
>> protocol is ripe for two-party testing.
> 
> <NLnet Labs hat on>
> 
> We have implemented ZONEMD (verification and DNSSEC validation) in
> Unbound, ready to be merged into the main branch and released early next
> year.


Recently, the ldns library has also been extended with zone-digest
functionality. ZONEMD RRs can now be calculated and added with
ldns-signzone, and verified with ldns-verify-zone.
This is available on the develop branch on

	https://github.com/NLnetLabs/ldns

This will also be released early next year.


Usage: ldns-signzone [OPTIONS] zonefile key [key [key]]
  signs the zone with the given key(s)
  -z <[scheme:]hash>	Add ZONEMD resource record
		<scheme> should be "simple" (or 1)
		<hash> should be "sha384" or "sha512" (or 1 or 2)
		this option can be given more than once
  -Z		Allow ZONEMDs to be added without signing



Usage: ldns-verify-zone [OPTIONS] <zonefile>
	Reads the zonefile and checks for DNSSEC errors.

It checks whether NSEC(3)s are present, and verifies all signatures
It also checks the NSEC(3) chain, but it will error on opted-out delegations
It also checks whether ZONEMDs are present, and if so, needs one of them
to match the zone's data.

OPTIONS:
	-Z	Requires a valid ZONEMD RR to be present.
		When given once, this option will permit verifying
		just the ZONEMD RR of an unsigned zone. When given
		more than once, the zone needs to be validly DNSSEC
		signed as well.


Cheers,

-- Willem

> 
> 
> Cheers,
> 
> -- Benno
>
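As an added, self-contained illustration of what the two ldns options quoted above do (example code written for this page, not ldns code): the following Python implements the RFC 8976 SIMPLE scheme digest (scheme 1, hash algorithm 1 = SHA-384 or 2 = SHA-512), an `add_zonemd` step that mirrors `ldns-signzone -Z -z simple:sha384` on an unsigned zone, and a `verify_zonemd` check that mirrors `ldns-verify-zone -Z` given once, i.e. "one of the ZONEMDs must match the zone's data". The zone is constructed for the example, in the shape of the unsigned zone in RFC 8976 Appendix A.1; all function names are assumptions of this example. It handles unsigned zones only: RRSIG serialization and the exclusion of the RRSIG covering the apex ZONEMD are deliberately not implemented, and ZONEMD RR wire format is assumed as Serial(4) Scheme(1) HashAlg(1) Digest.

```python
import hashlib
import hmac
import ipaddress
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}  # IANA RR type codes
CLASS_IN = 1
ZONEMD_SCHEME_SIMPLE = 1                                      # RFC 8976 scheme 1 = SIMPLE
ZONEMD_HASH = {1: hashlib.sha384, 2: hashlib.sha512}          # RFC 8976 hash algorithm codes

def wire_name(name):
    """Uncompressed wire form of a fully qualified name, lowercased (RFC 4034 s6.2)."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def name_sort_key(name):
    """RFC 4034 s6.1 canonical name order: compare labels right to left, case-insensitively."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    return [l.encode("ascii") for l in reversed(labels)]

def rdata(rtype, fields):
    """Canonical RDATA wire form; names inside NS/SOA RDATA are lowercased as well."""
    if rtype == "A":
        return ipaddress.IPv4Address(fields[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(fields[0]).packed
    if rtype == "NS":
        return wire_name(fields[0])
    if rtype == "SOA":
        mname, rname, *counters = fields           # serial refresh retry expire minimum
        return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", *counters)
    if rtype == "ZONEMD":                           # Serial(4) Scheme(1) HashAlg(1) Digest
        serial, scheme, hashalg, digest_hex = fields
        return struct.pack("!IBB", serial, scheme, hashalg) + bytes.fromhex(digest_hex)
    raise ValueError("unsupported RR type " + rtype)

def serialize_rr(owner, ttl, rtype, fields):
    """owner | TYPE | CLASS | TTL | RDLENGTH | RDATA, without name compression."""
    rd = rdata(rtype, fields)
    return wire_name(owner) + struct.pack("!HHIH", TYPE[rtype], CLASS_IN, ttl, len(rd)) + rd

def zonemd_digest(zone, apex, hashalg=1):
    """RFC 8976 SIMPLE scheme over an unsigned zone: hash all RRs in canonical order,
    skipping apex ZONEMD RRs and duplicates. RRSIG handling is deliberately left out."""
    apex, seen, included = apex.lower(), set(), []
    for owner, ttl, rtype, fields in zone:
        if rtype == "ZONEMD" and owner.lower() == apex:
            continue                                # apex ZONEMD is never part of its own digest
        rd = rdata(rtype, fields)
        if (owner.lower(), rtype, rd) in seen:
            continue                                # duplicate RRs count once
        seen.add((owner.lower(), rtype, rd))
        included.append((name_sort_key(owner), TYPE[rtype], rd, serialize_rr(owner, ttl, rtype, fields)))
    included.sort(key=lambda item: item[:3])        # owner name, then type, then RDATA
    h = ZONEMD_HASH[hashalg]()
    for item in included:
        h.update(item[3])
    return h.digest()

def soa_serial(zone, apex):
    for owner, _, rtype, fields in zone:
        if rtype == "SOA" and owner.lower() == apex.lower():
            return fields[2]
    raise ValueError("no SOA at apex")

def add_zonemd(zone, apex, hashalg=1, ttl=86400):
    """What `ldns-signzone -Z -z simple:sha384` does on an unsigned zone: append a ZONEMD RR."""
    digest = zonemd_digest(zone, apex, hashalg)
    return zone + [(apex, ttl, "ZONEMD", (soa_serial(zone, apex), ZONEMD_SCHEME_SIMPLE, hashalg, digest.hex()))]

def verify_zonemd(zone, apex):
    """`ldns-verify-zone -Z` (given once): a ZONEMD RR must be present and one of them,
    with a supported scheme/hash and the current SOA serial, must match the recomputed digest."""
    serial = soa_serial(zone, apex)
    mds = [f for owner, _, rtype, f in zone if rtype == "ZONEMD" and owner.lower() == apex.lower()]
    if not mds:
        return False
    for md_serial, scheme, hashalg, digest_hex in mds:
        if md_serial != serial or scheme != ZONEMD_SCHEME_SIMPLE or hashalg not in ZONEMD_HASH:
            continue                                # stale or unsupported ZONEMD RR: skip it
        if hmac.compare_digest(zonemd_digest(zone, apex, hashalg), bytes.fromhex(digest_hex)):
            return True
    return False

APEX = "example."
ZONE = [  # constructed unsigned zone, laid out like the one in RFC 8976 Appendix A.1
    (APEX, 86400, "SOA", ("ns1.example.", "admin.example.", 2018031900, 1800, 900, 604800, 86400)),
    (APEX, 86400, "NS", ("ns1.example.",)),
    (APEX, 86400, "NS", ("ns2.example.",)),
    ("ns1.example.", 3600, "A", ("203.0.113.63",)),
    ("ns2.example.", 3600, "AAAA", ("2001:db8::63",)),
]

def tampered(zone):
    """Same zone with the ns1 glue address changed and the ZONEMD left untouched."""
    return [(o, t, r, ("203.0.113.64",)) if r == "A" else (o, t, r, f) for o, t, r, f in zone]

if __name__ == "__main__":
    published = add_zonemd(ZONE, APEX)
    print("ZONEMD RR:", published[-1])
    print("verifies as published:", verify_zonemd(published, APEX))
    print("verifies after tampering:", verify_zonemd(tampered(published), APEX))
```

Run stand-alone, it prints the generated ZONEMD RR, that the published zone verifies, and that the same zone with one glue address changed does not. The digest is the same whatever order the RRs arrive in and whatever letter case the owner names use, which is the point of the canonical ordering and lowercasing; the quickest sanity check for any implementation is the test vectors in RFC 8976 Appendix A. Note what the "-Z given once" mode proves: a matching digest on an unsigned zone shows the zone file was not corrupted between producer and consumer, but anyone who can alter the zone can recompute the ZONEMD, so integrity against tampering comes only from DNSSEC validation of the ZONEMD RRset, which is why ldns-verify-zone makes the fully signed check available as "-Z given twice".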