Re: [DNSOP] SIG(0) useful (and used?)

Ted Lemon <mellon@fugue.com> Fri, 22 June 2018 13:47 UTC

In-Reply-To: <31a8b13b-3a1c-c150-006d-fe325e79441c@nic.cz>
From: Ted Lemon <mellon@fugue.com>
Date: Fri, 22 Jun 2018 09:47:05 -0400
Message-ID: <CAPt1N1k0=oSTYFYdzin27kFFU1oaig4SgUu8aLAecTNY14H-6w@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qCeT5z9KXZl2h8zytEi7nqopzkg>
Subject: Re: [DNSOP] SIG(0) useful (and used?)

It seems to me that the main benefit of SIG(0) is not securing connections
between resolvers and caches, but in securing DNS updates and other
transfers where you need authentication+authorization.   In the case where
you just need authentication, we already have DNSSEC.   I _guess_ Warren's
use case makes some sense, but I think it's a bit hackerly, and not
something we'd expect to see wide deployment.

On Fri, Jun 22, 2018 at 9:41 AM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
wrote:

> On 06/22/2018 12:27 AM, Ted Lemon wrote:
> > Thanks. In the case where a zone isn’t signed but the authoritative
> > server supports SIG(0), the response could be verified that it
> > includes exactly what the server sent. But the KEY would need to be
> > DNSSEC validated or it probably can’t be trusted to verify the SIG(0)
> > response.
>
> Well, the path to the resolver can be secured via other means that are
> commonly available nowadays, e.g. DNS over TLS.  I can also see use
> cases for a client trusting a resolver enough not to bother with DNSSEC
> validation locally.
>
> --Vladimir
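An added example in Go, not code from this thread or from any DNS implementation, modelling the point traded above: a resolver checking a SIG(0) over a response (RFC 2931 style) and refusing to trust a KEY that no DNSSEC chain vouches for, which is exactly the gap for an unsigned zone. It assumes Ed25519 (algorithm 15), a constructed message, and simplifies the key tag and the signer-name encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyRR is the KEY RR a SIG(0) signer publishes; Validated is whether DNSSEC vouches for it.
type KeyRR struct {
	Owner     string
	PubKey    ed25519.PublicKey
	Validated bool // false for a KEY fetched from an unsigned zone
}

// sig0Data assembles what SIG(0) signs (RFC 2931 s3.1): SIG RDATA minus the signature
// field, then the message with the SIG RR removed. Key tag and signer name are simplified.
func sig0Data(signer string, inception, expiration uint32, msg []byte) []byte {
	d := binary.BigEndian.AppendUint16(nil, 0)       // type covered 0 marks SIG(0)
	d = append(d, 15, 0)                             // algorithm 15 (Ed25519), labels 0
	d = binary.BigEndian.AppendUint32(d, 0)          // original TTL is 0
	d = binary.BigEndian.AppendUint32(d, expiration) // signature expiration
	d = binary.BigEndian.AppendUint32(d, inception)  // signature inception
	d = binary.BigEndian.AppendUint16(d, 0)          // key tag, fixed at 0 here
	d = append(d, signer...)                         // signer's name, as plain text here
	return append(d, msg...)
}

// VerifySIG0 is the resolver side: a good signature only ties the response to whoever
// holds the KEY, so the KEY itself must be trusted before the check means anything.
func VerifySIG0(key KeyRR, sig []byte, inception, expiration, now uint32, msg []byte) (bool, string) {
	switch {
	case !key.Validated:
		return false, "KEY not DNSSEC-validated: anyone could have published it"
	case now < inception || now > expiration:
		return false, "signature outside its validity window"
	case !ed25519.Verify(key.PubKey, sig0Data(key.Owner, inception, expiration, msg), sig):
		return false, "signature does not match the message"
	}
	return true, "verified"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0} // constructed DNS header bytes
	sig := ed25519.Sign(priv, sig0Data("ns1.example.", 1000, 2000, msg)) // what the server does
	fmt.Println(VerifySIG0(KeyRR{"ns1.example.", pub, false}, sig, 1000, 2000, 1500, msg)) // unsigned zone
	fmt.Println(VerifySIG0(KeyRR{"ns1.example.", pub, true}, sig, 1000, 2000, 1500, msg))  // DNSSEC-vouched KEY
}
```

The first call fails even though the signature is mathematically valid, which is the "KEY would need to be DNSSEC validated" point; securing the path to the resolver with DNS over TLS, as Vladimír notes, is a separate question from who vouches for the KEY.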