Re: [DNSOP] SIG(0) useful (and used?)
Ted Lemon <mellon@fugue.com> Fri, 22 June 2018 13:47 UTC
From: Ted Lemon <mellon@fugue.com>
Date: Fri, 22 Jun 2018 09:47:05 -0400
Message-ID: <CAPt1N1k0=oSTYFYdzin27kFFU1oaig4SgUu8aLAecTNY14H-6w@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qCeT5z9KXZl2h8zytEi7nqopzkg>
It seems to me that the main benefit of SIG(0) is not securing connections between resolvers and caches, but in securing DNS updates and other transfers where you need authentication+authorization. In the case where you just need authentication, we already have DNSSEC. I _guess_ Warren's use case makes some sense, but I think it's a bit hackerly, and not something we'd expect to see wide deployment.

On Fri, Jun 22, 2018 at 9:41 AM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:

> On 06/22/2018 12:27 AM, Ted Lemon wrote:
> > Thanks. In the case where a zone isn't signed but the authoritative
> > server supports SIG(0), the response could be verified that it
> > includes exactly what the server sent. But the KEY would need to be
> > DNSSEC validated or it probably can't be trusted to verify the SIG(0)
> > response.
>
> Well, the path to the resolver can be secured via other means that are
> commonly available nowadays, e.g. DNS over TLS. I can also see use
> cases for client trusting a resolver enough not to bother with DNSSEC
> validation locally.
>
> --Vladimir