Re: [DNSOP] SIG(0) useful (and used?)

Warren Kumari <warren@kumari.net> Fri, 22 June 2018 18:31 UTC

In-Reply-To: <CAPt1N1k0=oSTYFYdzin27kFFU1oaig4SgUu8aLAecTNY14H-6w@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 22 Jun 2018 14:30:25 -0400
Message-ID: <CAHw9_iL2XDF-zxySxGQeYpPiNnAyuyxRAQJHxCoCW-qOT+HnGA@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: vladimir.cunat+ietf@nic.cz, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tG92gUKhRad-SjcfQPSj631KtZk>

On Fri, Jun 22, 2018 at 9:48 AM Ted Lemon <mellon@fugue.com> wrote:

> It seems to me that the main benefit of SIG(0) is not securing connections
> between resolvers and caches, but in securing DNS updates and other
> transfers where you need authentication+authorization.   In the case where
> you just need authentication, we already have DNSSEC.   I _guess_ Warren's
> use case makes some sense, but I think it's a bit hackerly, and not
> something we'd expect to see wide deployment.
>

I think that if it *had* been implemented (and easily configured!) in e.g.
glibc it might have gotten some deployment - but now DPRIVE and DoH (and
similar) will give me everything that I wanted (and more) and so my use
case is no longer worth considering...
W


>
> On Fri, Jun 22, 2018 at 9:41 AM, Vladimír Čunát <
> vladimir.cunat+ietf@nic.cz> wrote:
>
>> On 06/22/2018 12:27 AM, Ted Lemon wrote:
>> > Thanks. In the case where a zone isn’t signed but the authoritative
>> > server supports SIG(0), the response could be verified that it
>> > includes exactly what the server sent. But the KEY would need to be
>> > DNSSEC validated or it probably can’t be trusted to verify the SIG(0)
>> > response.
>>
>> Well, the path to the resolver can be secured via other means that are
>> commonly available nowadays, e.g. DNS over TLS.  I can also see use
>> cases for client trusting a resolver enough not to bother with DNSSEC
>> validation locally.
>>
>> --Vladimir
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf