Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Thu, 21 June 2018 15:55 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Petr Špaček <petr.spacek@nic.cz>
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Thu, 21 Jun 2018 15:55:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sE1Ly9mnPvDcq8SF83irW2M2tOc>

> On Jun 20, 2018, at 11:19 PM, Petr Špaček <petr.spacek@nic.cz> wrote:
> 
>> 
>> Longer term, perhaps the best solution will end up being XFR using DNS over
>> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative
>> servers are not yet the targets of those protocols, but it's probably
>> only a matter of time.
> 
> HTTPS over TLS is what we did for root zone import into Knot Resolver's
> cache (from version 2.3 onwards but beware, there are little bugs which
> were fixed in 2.4 - to be released soon).

The problem I'm seeking to solve is somewhat different, and it's probably
not clearly stated in the draft, so I will add some text to rectify that.

I'm not trying to solve the problem that SIG(0), SIG(AXFR), or TLS addresses
-- that you're talking to the right server and that data wasn't modified
in transit.

My goal is to ensure that when you receive a zone file -- however you
receive it (DNS, HTTPS, P2P file sharing, Avian Carrier) -- you get the
data that the zone publisher actually published.

DW
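As an added illustration of the transport-independent check described above (example code, not from the draft, Verisign or Knot): a simplified zone digest computed over a canonical, sorted form of the records, so two copies that arrived by different paths compare equal while a modified record is detected. The sample zone is constructed, and the text-based canonicalisation stands in for the draft's wire-format rules.

```python
import hashlib

# Constructed sample zone as the publisher released it (not real data).
PUBLISHED_ZONE = """\
example.      86400 IN SOA ns1.example. admin.example. 2018062100 7200 3600 1209600 3600
example.      86400 IN NS  ns1.example.
example.      86400 IN NS  ns2.example.
ns1.example.  3600  IN A   192.0.2.1
ns2.example.  3600  IN A   192.0.2.2
www.example.  3600  IN A   192.0.2.10
"""

# Same content, but re-ordered and re-spaced as another transport/tool might emit it.
RECEIVED_COPY = """\
WWW.EXAMPLE. 3600 IN A 192.0.2.10
ns2.example. 3600 IN A 192.0.2.2   ; trailing comment
example. 86400 IN NS ns2.example.
example. 86400 IN NS ns1.example.
ns1.example. 3600 IN A 192.0.2.1
example. 86400 IN SOA ns1.example. admin.example. 2018062100 7200 3600 1209600 3600
"""

# One record altered in transit or at rest: must fail verification.
TAMPERED_COPY = RECEIVED_COPY.replace("192.0.2.10", "192.0.2.99")


def canonical_records(zone_text):
    """Normalise owner names and whitespace, drop comments, sort and de-duplicate,
    so the digest depends only on the record set, not on file layout."""
    records = set()
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if rtype.upper() == "ZONEMD":  # the digest record cannot cover itself
            continue
        records.add((owner.lower(), ttl, cls.upper(), rtype.upper(), " ".join(rdata)))
    return sorted(records)


def zone_digest(zone_text):
    """SHA-384 over the canonical record list, one record per line."""
    h = hashlib.sha384()
    for rec in canonical_records(zone_text):
        h.update((" ".join(rec) + "\n").encode())
    return h.hexdigest()


def verify_zone(received_text, published_digest):
    """True only if the received copy carries exactly the published record set."""
    return zone_digest(received_text) == published_digest


def check_copies():
    published = zone_digest(PUBLISHED_ZONE)
    return verify_zone(RECEIVED_COPY, published), verify_zone(TAMPERED_COPY, published)
```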