[DNSOP] An extended scenario for ZONEMD

"John R Levine" <johnl@taugh.com> Tue, 14 January 2020 03:05 UTC

Date: Mon, 13 Jan 2020 22:04:56 -0500
Message-ID: <alpine.OSX.2.21.99999.374.2001131524130.15982@ary.qy>
From: John R Levine <johnl@taugh.com>
To: dnsop@ietf.org
User-Agent: Alpine 2.21.99999 (OSX 374 2019-10-27)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t24OQGgJuEaNeMnv4EgBbmeJ3rk>
Subject: [DNSOP] An extended scenario for ZONEMD

If the root zone had a ZONEMD in it, for the first time I'd have a way to 
validate the IP addresses in the *.root-servers.net glue records.

Someone suggested you could validate them by trying a query and seeing if 
you get an answer, which is of course wrong.  That tells you you've found a 
server with the root zone, but it doesn't defend against someone giving 
you fake glue and sniffing your queries, something that I hear is an issue 
if the DoT/DoH discussions are to be believed.

To answer another question, I can't give you one size fits all advice 
about what to do if the ZONEMD validation fails, but if it does, it seems 
like something you'd want to know about.

R's,
John
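The point above, as an added example that is not part of John Levine's post: a minimal, self-contained sketch of the RFC 8976 zone digest (SIMPLE scheme, SHA-384) over a constructed toy zone, followed by the consumer-side check that a copy of the zone whose glue A record was altered no longer matches the published ZONEMD. The zone, its names, addresses and SOA serial are constructed for illustration; the code follows the RFC's canonical-ordering and exclusion structure but is a teaching sketch, not a conformant implementation (it carries no RRSIGs and ignores the wildcard, occluded-record and TTL details of the RFC).

```python
"""Added example (not part of the mailing list post): a minimal ZONEMD
(RFC 8976, SIMPLE scheme, SHA-384) digest over a constructed toy zone,
then the check that a zone whose glue A record was altered no longer
verifies.  All names, addresses and the SOA serial are constructed."""
import hashlib
import hmac
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_ZONEMD = 1, 2, 6, 46, 63
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1  # RFC 8976 scheme 1, hash algorithm 1


def wire_name(name):
    """Uncompressed wire-format name with labels lowercased (RFC 4034 s6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def name_sort_key(name):
    """RFC 4034 s6.1 canonical name order: compare labels from the right."""
    return tuple(reversed([l.encode("ascii") for l in name.lower().split(".") if l]))


def a_rdata(ipv4):
    return bytes(int(o) for o in ipv4.split("."))


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return wire_name(mname) + wire_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


def soa_serial(rrs, apex):
    soa = next(r for r in rrs if name_sort_key(r[0]) == name_sort_key(apex) and r[2] == TYPE_SOA)
    return struct.unpack("!I", soa[3][-20:-16])[0]  # serial is the first of the five SOA counters


def zone_digest(rrs, apex):
    """SHA-384 over canonically ordered wire-format RRs, skipping the apex
    ZONEMD RRset and any apex RRSIG covering ZONEMD (RFC 8976 s3.3)."""
    buf = b""
    for owner, ttl, rtype, rdata in sorted(rrs, key=lambda r: (name_sort_key(r[0]), r[2], r[3])):
        at_apex = name_sort_key(owner) == name_sort_key(apex)
        if at_apex and rtype == TYPE_ZONEMD:
            continue
        if at_apex and rtype == TYPE_RRSIG and struct.unpack("!H", rdata[:2])[0] == TYPE_ZONEMD:
            continue
        buf += wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return hashlib.sha384(buf).digest()


def add_zonemd(rrs, apex, ttl=3600):
    """Publisher side: append a ZONEMD RR describing the zone's current contents."""
    rdata = struct.pack("!IBB", soa_serial(rrs, apex), SCHEME_SIMPLE, HASH_SHA384) + zone_digest(rrs, apex)
    return rrs + [(apex, ttl, TYPE_ZONEMD, rdata)]


def verify_zonemd(rrs, apex):
    """Consumer side: True only if an apex ZONEMD RR carrying the SOA serial and a
    supported scheme/hash matches the digest recomputed from the zone we hold."""
    serial = soa_serial(rrs, apex)
    expected = zone_digest(rrs, apex)
    for owner, _, rtype, rdata in rrs:
        if name_sort_key(owner) != name_sort_key(apex) or rtype != TYPE_ZONEMD:
            continue
        zserial, scheme, halg = struct.unpack("!IBB", rdata[:6])
        if zserial != serial or scheme != SCHEME_SIMPLE or halg != HASH_SHA384:
            continue  # stale serial or a scheme we do not implement: skip, do not fail
        if hmac.compare_digest(rdata[6:], expected):
            return True
    return False


def toy_zone(glue_ip="192.0.2.1"):
    """Constructed zone: apex SOA and NS plus the glue A record for its server."""
    apex = "example."
    return apex, [
        (apex, 3600, TYPE_SOA, soa_rdata("ns1.example.", "hostmaster.example.",
                                         2020011401, 7200, 3600, 1209600, 3600)),
        (apex, 3600, TYPE_NS, wire_name("ns1.example.")),
        ("ns1.example.", 3600, TYPE_A, a_rdata(glue_ip)),
    ]


def swap_glue(rrs, new_ip):
    """The case a verifier must catch: identical zone except for the glue address."""
    return [(o, t, ty, a_rdata(new_ip) if ty == TYPE_A else rd) for o, t, ty, rd in rrs]


if __name__ == "__main__":
    apex, rrs = toy_zone()
    published = add_zonemd(rrs, apex)
    print("published copy verifies:", verify_zonemd(published, apex))
    print("copy with altered glue verifies:", verify_zonemd(swap_glue(published, "198.51.100.1"), apex))
```

The digest is computed over the zone data a resolver actually holds, so the comparison says whether the glue it is about to use is the glue the zone publisher signed off on, independently of whether some server at that address happens to answer. A missing ZONEMD, or one using a scheme the checker does not implement, is deliberately not reported as a verification failure; only a mismatching digest under a supported scheme is.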