Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

John Levine <johnl@taugh.com> Sat, 10 October 2020 15:34 UTC

Date: 10 Oct 2020 11:34:11 -0400
Message-Id: <20201010153411.580CE2336CB2@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: kaduk@mit.edu
In-Reply-To: <20201010032517.GM89563@kduck.mit.edu>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qMe_EzN0zig7UE5D8uiykQxRrT0>
Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

In article <20201010032517.GM89563@kduck.mit.edu> you write:
>There's two general classes of attack to consider: when an external
>attacker takes an existing ZONEMD and tries to modify the associated zone,
>or when the zone provider is the malicious entity that wants to provide
>different content to different people but give them the same digest value ...
 
I think there's a third threat, a transcription error due to
transmission error or other kinds of bitrot. I send zone files between
my DNS servers over ssh, so the chances of an external attack are low,
but particularly as zone files continue to grow, the protection of the
TCP checksum is less effective. On my rather small DNS setup I have a
71MB zone and I don't think that's unusual. In many, probably most,
cases a bit flip or two would produce DNS data that is still valid but
wrong, e.g., change the address in AAAA or the characters in a name
anywhere.

That's why there are situations where a zone digest can be useful
even without a DNSSEC validation chain.

R's,
John
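The failure mode above, demonstrated in code as an added example (this is not code from the post, from the ZONEMD draft, or from any implementation of it): the zone is constructed, `zone_digest()` is a simplified stand-in for ZONEMD's SIMPLE scheme (it hashes normalised, sorted presentation-format records rather than the canonical wire format the draft specifies), and `checksum_neutral_corruption()` searches for a two-bit flip inside AAAA RDATA that the RFC 1071 Internet checksum used by TCP cannot see. The corrupted zone still loads (every AAAA address parses), the checksum is unchanged, but the SHA-384 digest is not.

```python
"""Why a zone digest catches corruption the TCP checksum cannot.

Added example, not from the mailing-list post or from any ZONEMD
implementation.  The zone is constructed; zone_digest() is a simplified
stand-in for ZONEMD (hashes normalised presentation-format records,
not the RFC 8976 canonical wire format).
"""
import hashlib
import ipaddress
import itertools
import re

# Constructed example zone (hypothetical, not a real deployment).
ZONE = """\
$ORIGIN example.test.
$TTL 3600
@      IN SOA  ns1 hostmaster 2020101001 7200 3600 1209600 3600
@      IN NS   ns1
ns1    IN A    192.0.2.53
ns1    IN AAAA 2001:db8::53
www    IN AAAA 2001:db8:1234:5678::80
mail   IN AAAA 2001:db8:abcd:ef01::25
"""

HEX_DIGITS = frozenset(b"0123456789abcdef")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, the algorithm TCP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def zone_digest(zone_text: str) -> str:
    """SHA-384 over the zone's records in canonical order.

    Simplification of ZONEMD's SIMPLE scheme: records are lower-cased,
    whitespace-normalised and sorted, then hashed.  $-directives are skipped.
    """
    records = sorted(
        " ".join(line.split()).lower()
        for line in zone_text.splitlines()
        if line.strip() and not line.startswith("$")
    )
    h = hashlib.sha384()
    for rr in records:
        h.update(rr.encode() + b"\n")
    return h.hexdigest()


def aaaa_hex_positions(zone: bytes) -> list[int]:
    """Byte offsets of hex digits inside AAAA RDATA (a flip there can stay valid)."""
    positions = []
    for m in re.finditer(rb"\bAAAA\s+(\S+)", zone):
        start = m.start(1)
        positions.extend(start + i for i, c in enumerate(m.group(1)) if c in HEX_DIGITS)
    return positions


def checksum_neutral_corruption(zone: bytes) -> bytes:
    """Flip two bits in AAAA addresses without changing the Internet checksum.

    Flipping bit k 1->0 in one byte and 0->1 in another byte at the same
    offset parity subtracts and adds the same value to the ones'-complement
    sum, so the checksum is unchanged.  Both bytes must remain hex digits
    so the zone still loads as valid (but wrong) data.
    """
    for a, b in itertools.permutations(aaaa_hex_positions(zone), 2):
        if (a - b) % 2:
            continue  # different halves of the 16-bit word: would not cancel
        for k in range(8):
            mask = 1 << k
            if zone[a] & mask and not zone[b] & mask:
                na, nb = zone[a] ^ mask, zone[b] ^ mask
                if na in HEX_DIGITS and nb in HEX_DIGITS:
                    out = bytearray(zone)
                    out[a], out[b] = na, nb
                    return bytes(out)
    raise ValueError("no checksum-neutral corruption found")


def aaaa_addresses(zone_text: str) -> list[str]:
    """Parse every AAAA RDATA; raises ValueError if any is not valid IPv6."""
    return [str(ipaddress.IPv6Address(m.group(1)))
            for m in re.finditer(r"\bAAAA\s+(\S+)", zone_text)]


def loads_as_valid_ipv6(zone_text: str) -> bool:
    try:
        aaaa_addresses(zone_text)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Corrupt the zone, then compare what each integrity check sees."""
    original = ZONE.encode()
    corrupted = checksum_neutral_corruption(original)
    return {
        "checksum_same": internet_checksum(original) == internet_checksum(corrupted),
        "still_valid_zone": loads_as_valid_ipv6(corrupted.decode()),
        "addresses_changed": aaaa_addresses(original.decode()) != aaaa_addresses(corrupted.decode()),
        "digest_same": zone_digest(ZONE) == zone_digest(corrupted.decode()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The search only needs two hex digits at the same offset parity whose bit k values differ, so it succeeds on essentially any zone with a few AAAA records; on a 71MB zone the number of such pairs is enormous, which is the point being made about the checksum.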