Re: [DNSOP] Incremental zone hash - XHASH

Paul Wouters <paul@nohats.ca> Wed, 25 July 2018 17:09 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 046B9130E9C for <dnsop@ietfa.amsl.com>; Wed, 25 Jul 2018 10:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UK1IvEeSkKj2 for <dnsop@ietfa.amsl.com>; Wed, 25 Jul 2018 10:09:20 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5ED8130E97 for <dnsop@ietf.org>; Wed, 25 Jul 2018 10:09:20 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41bMCL6PVSzKGB; Wed, 25 Jul 2018 19:09:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1532538558; bh=5s4Kw6rCawgS8fDNmrgDS+AHVegkbLWAYfruwOUxvjg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=cQXUQhDaEtvlIsQYZyNi8qjexV4cI9YbxvESBfm7j5CI2xzaQbOK6qse/qdZONtpV WOY9q3n/HwvdIiTFv7+mKED4VyTghm05pqqIYQTlFQMecZagCqkr8Nm31KT8Qdmok9 i3tbph3uHyhZwGWtnimmpCpR1ccFsFVcHT/Kjc+c=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id S0hG9a-dr3WQ; Wed, 25 Jul 2018 19:09:16 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 25 Jul 2018 19:09:15 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 619F133AA0F; Wed, 25 Jul 2018 13:09:14 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 619F133AA0F
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 53F1C4009E64; Wed, 25 Jul 2018 13:09:14 -0400 (EDT)
Date: Wed, 25 Jul 2018 13:09:14 -0400
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <CAHw9_iK1W-CeA+ppJWggzCDhTwdi-jhGZOe6D44XfRJNeSginA@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1807251300490.24159@bofh.nohats.ca>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org> <CAKr6gn1axEztD06WoH0a+=WGjrzPNSiYWtk-qLzKY0BWprCVwA@mail.gmail.com> <alpine.LRH.2.21.1807221443170.5582@bofh.nohats.ca> <CAHw9_iK1W-CeA+ppJWggzCDhTwdi-jhGZOe6D44XfRJNeSginA@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rezFjalg5227h9C5sWM6J4uX08Q>
Subject: Re: [DNSOP] Incremental zone hash - XHASH
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 17:09:23 -0000

On Wed, 25 Jul 2018, Warren Kumari wrote:

> One of the original promises of DNSSEC is that I'd be able to find a
> zonefile written on a napkin on a bar floor, and trust it -- currently
> I cannot do this.

That's a harder problem :P

> As an example, let's say we'd like to distribute the rootzone over
> BitTorrent to people who want to do LocalRoot - how do they know they
> can trust the zone file before loading it? Or, in a less crazy
> example, distribute it over some set of CDNs - being able to know that
> you have the full, and correct zone without having to walk the NSECs
> and hope that the glue is correct would (IMO) be nice.

Once you validate the ZONEMD, it is not that much more difficult
than running over all the records, e.g. with validns or ldns-read-zone.

Although you could skip it and let DNSSEC failures deal with any
potential records that were modified by an attacker that doesn't have
the private key of that zone.

That leaves glue and NS, but there is a reason those aren't signed,
and any attacker shouldn't get anything out of that by modifying it.

(other than a DDOS, but they can always do that if they control your
zonefile download)

If you do want all of that protected, which I don't think there are
strong reasons for, why not place an OPENPGPKEY record in the zone and
use pgp to sign it? No new custom software needed, and equally
annoying validating the OPENPGPKEY as the ZONEMD data.

Inventing a file checksum for DNS-only data seems a suboptimal custom
solution to me (too much hammertime)

Paul
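
The ZONEMD check discussed above, as an added worked example that is not code from this thread or from any DNS implementation. It follows the SIMPLE scheme of the zone-digest draft that later became RFC 8976 (SHA-384 over every RR in the zone, in RFC 4034 canonical order and wire format, excluding the apex ZONEMD RRset itself), and it illustrates the point about glue: an A record below a delegation carries no RRSIG, so a rewritten glue address would never trip DNSSEC validation, but it does change the zone digest. The sample zone under `example.` is constructed for the example; only the RDATA encoders that zone needs (SOA, NS, A, AAAA, ZONEMD) are implemented, and the function names are this example's own. A real zone needs a full RDATA encoder such as dnspython's.

```python
"""ZONEMD-style zone digest: compute, verify, and detect a rewritten glue record.

Added example; not code from the DNSOP thread or any DNS project.  Implements
the SIMPLE scheme (scheme 1, hash algorithm 1 = SHA-384) of the zone-digest
draft that became RFC 8976, for the handful of RR types used in the constructed
sample zone below.  RRSIG handling is omitted because the sample zone is unsigned.
"""
import hashlib
import ipaddress
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
CLASS_IN = 1

# Constructed sample zone (not a real zone).  ns1.sub.example. is glue for the
# sub.example. delegation: in a signed zone it would carry no RRSIG.
SAMPLE_ZONE = """\
; constructed sample zone
example.         3600 IN SOA  ns1.example. hostmaster.example. 2018072501 7200 3600 1209600 3600
example.         3600 IN NS   ns1.example.
example.         3600 IN NS   ns2.example.
example.         3600 IN AAAA 2001:db8::1
ns1.example.     3600 IN A    192.0.2.1
ns2.example.     3600 IN A    192.0.2.2
sub.example.     3600 IN NS   ns1.sub.example.
ns1.sub.example. 3600 IN A    192.0.2.53
"""


def name_wire(name: str) -> bytes:
    """Canonical wire form of an absolute name: lowercased, length-prefixed labels."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def sort_key(name: str):
    """RFC 4034 section 6.1 canonical name order: compare labels from the root down."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split(".")) if l]


def rdata_wire(rtype: str, rdata: str) -> bytes:
    """Canonical wire RDATA for the types the sample zone uses (names lowercased)."""
    f = rdata.split()
    if rtype == "A":
        return ipaddress.IPv4Address(f[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(f[0]).packed
    if rtype == "NS":
        return name_wire(f[0])
    if rtype == "SOA":  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        return name_wire(f[0]) + name_wire(f[1]) + struct.pack("!5I", *map(int, f[2:7]))
    if rtype == "ZONEMD":  # SERIAL SCHEME HASHALG DIGEST(hex)
        return struct.pack("!IBB", int(f[0]), int(f[1]), int(f[2])) + bytes.fromhex(f[3])
    raise ValueError(f"no RDATA encoder for {rtype} in this example")


def parse_zone(text: str):
    """Parse one-RR-per-line presentation format into (owner, ttl, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if line:
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner, int(ttl), rtype, rdata))
    return rrs


def zone_digest(rrs, apex: str) -> bytes:
    """SHA-384 over all RRs in canonical order; the apex ZONEMD RRset is excluded."""
    body = []
    for owner, ttl, rtype, rdata in rrs:
        if rtype == "ZONEMD" and owner.lower() == apex.lower():
            continue  # the RR that carries the digest cannot be covered by it
        rd = rdata_wire(rtype, rdata)
        header = struct.pack("!HHIH", TYPES[rtype], CLASS_IN, ttl, len(rd))
        body.append((sort_key(owner), TYPES[rtype], rd, name_wire(owner) + header + rd))
    body.sort(key=lambda t: t[:3])  # owner name, then type number, then RDATA bytes
    h = hashlib.sha384()
    for *_, wire in body:
        h.update(wire)
    return h.digest()


def soa_serial(rrs, apex: str) -> int:
    soa = [r for r in rrs if r[2] == "SOA" and r[0].lower() == apex.lower()]
    if len(soa) != 1:
        raise ValueError("zone must have exactly one apex SOA")
    return int(soa[0][3].split()[2])


def signed_zone(text: str):
    """Parse the zone and append an apex ZONEMD RR (scheme 1, SHA-384) matching its SOA serial."""
    rrs = parse_zone(text)
    apex = rrs[0][0]
    digest = zone_digest(rrs, apex)
    return rrs + [(apex, 3600, "ZONEMD", f"{soa_serial(rrs, apex)} 1 1 {digest.hex()}")]


def verify(rrs, apex: str) -> bool:
    """True if some apex ZONEMD RR matches the SOA serial and the recomputed digest."""
    zmd = [r for r in rrs if r[2] == "ZONEMD" and r[0].lower() == apex.lower()]
    if not zmd:
        return False
    serial, want = soa_serial(rrs, apex), zone_digest(rrs, apex)
    for _, _, _, rdata in zmd:
        s, scheme, alg, hexdigest = rdata.split()
        if int(s) == serial and (scheme, alg) == ("1", "1") and bytes.fromhex(hexdigest) == want:
            return True
    return False


def tamper_glue(rrs, new_addr: str = "198.51.100.1"):
    """Model an attacker rewriting the unsigned glue for ns1.sub.example. in a downloaded zone."""
    return [(o, t, ty, new_addr if (o, ty) == ("ns1.sub.example.", "A") else rd)
            for o, t, ty, rd in rrs]


if __name__ == "__main__":
    zone = signed_zone(SAMPLE_ZONE)
    print("ZONEMD:", zone[-1][3])
    print("intact zone verifies:", verify(zone, "example."))
    print("zone with rewritten glue verifies:", verify(tamper_glue(zone), "example."))
```

The order of records in the downloaded file does not matter, since the digest is taken over the canonically sorted wire form; what does matter is that every record, glue included, is in the hash input, which is exactly the gap a DNSSEC-only check leaves open.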