Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
"Wessels, Duane" <dwessels@verisign.com> Mon, 09 July 2018 21:47 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A36130E97 for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 14:47:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ne1fO5cVB9g for <dnsop@ietfa.amsl.com>; Mon, 9 Jul 2018 14:47:55 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B177130E86 for <dnsop@ietf.org>; Mon, 9 Jul 2018 14:47:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7635; q=dns/txt; s=VRSN; t=1531172876; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=G4F9m9JaffRNOC4VltZvoajCYaSsiyLANXDq4/Gwnzo=; b=F8GaEeWGOigBy8jTXOV+y8wSN0HCP+UUwsHL/M1LS1F4+Heu2aO4f+k6 jFUi2IXepjyY2VhxEf7tBvSCQYnHgXUKQRPLmRdwT3+Oii+Z094h/dzq2 3hwBoX6CJhmlviL9z6bQ0rwocNkLRDUHpugsA5l9vFE0N/LtXNc0bArQS CoBLYxiOci2Sl9DRRLWcnbOiHzecLNMI3x+UWHcP5WIcMIvFo2zPDRutY t3KNXPAj+9IQCiW22rlPwhP3D46l6+5m1Jcn8uhrgnTChVk1OirS5jIVM iCJPA4SKk+JBZdzIqCYKL904PP2+DHH5uEH93jQDAafmeo+DplYGTQKTy A==;
X-IronPort-AV: E=Sophos; i="5.51,330,1526342400"; d="p7s'?scan'208"; a="5149510"
IronPort-PHdr: 9a23:ErPvohQxS1ZNK/gp5HBeuGPuN9psv+yvbD5Q0YIujvd0So/mwa6zZhSN2/xhgRfzUJnB7Loc0qyK6/6mATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfbJ/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNgHR2ROQ9xRWjRBDI2icoUPE+QPM+VWr4b/plsBsRSxCBKjBO/zzz9FnGP60bEk3+knDArI3BYgH9ULsHnMotn6NLkdUfuuzKbWyTXDdOta0irz5ojVaB8hp++DUbxtesfW1EYuGR3Kjk6LqYP7OzOVzf8As3aF4Op6VOKvkG8nqw53ojS12sgsjYzJi5sTx1vZ9it52J44KcCkREJhfNKpEpVduzuHO4Z2TM4uWW5ltSUixrEbpZK3ZjUGxZY7yxLFdvCKfIuF7gj+WOuSOTt4imxqdbGjixu39EWv0O7xW82v31tPoCdJjMTDu3EI2hPI7sWKS/lw80Kv1DuB1Q3c9+dJKl0um6XBMZ4u2Lswm4IWsUTEAyD5hl37jLSTdkU44uio7PnnYqn+qp+cKYB0jgb+P7wzl8KjGeo0LwgBUXCU9+u9yLHv4Ff1QKtWgf0xiKnZqIrWKt4GqaKjHQ9VyJ0j6xClAzi619QYmGELLFNDeB2Zk4jkI0zCLOziAfuigVmhni1ny+3GM7DvGJnAIXvOnK/kfbln6k5czAQzzcpY55JRErwOPfzyVVHqtNzDEBA5Nxe0zv35CNpjzIMeWHmPAq6WMKPUq1OH+uUvI+yUaI8PpDn9M+Ql5+LpjXIhll8dcqyp0IANZ3C8EfRpPV6WYWD2jdcaC2sKuRA+TOPygl2YTTFTf2qyX7475jwjFY2mC5zDRoe1gLGa3Se0AIFWZm5cBlCLC3foeNbMZ/BZRy+VOMBs2hkFXrioRos60hfm4AD1zpJuKuXZ8DcRrtTkztcjtMPJkhRnvwN5FN+Q13rJB01pl2UFDXdi0L9yuldwzkyrz6VigudZGtoV7PRMBFRpfaXAxvB3XoihEjnKec2EHRP/Go2r
X-IPAS-Result: A2EhAQDq1kNb/zCZrQpdGQEBAQEBAQEBAQEBAQcBAQEBAYVSCpovlywIA4F3gnUCgmc4FAECAQEBAQEBAgEBAoERgjUkAYJeAQEBAQIBdwIFCwIBCA4KLgIwJQIEDgUOgxIBgXesLIRbg3GBKw+KRT6BNoJoiCyCJAKZTwMGAoNagViXTZFpAgQCBAUCFIFYgXRwFWUBgj6CTI4Gb4tsK4EBgRoBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 9 Jul 2018 17:47:53 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 9 Jul 2018 17:47:53 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: George Michaelson <ggm@algebras.org>
CC: dnsop WG <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUF859qwatjeON002uOJs1xZOwhQ==
Date: Mon, 09 Jul 2018 21:47:53 +0000
Message-ID: <44A2CDA4-A105-41DE-BCBC-664BCB811304@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com> <CAKr6gn0BZgKGExweF2Hawh_shZSD+WxJ460YO-mbRQjg09uo_A@mail.gmail.com>
In-Reply-To: <CAKr6gn0BZgKGExweF2Hawh_shZSD+WxJ460YO-mbRQjg09uo_A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_5F55DFFD-2A8A-4F4B-A39F-FB5AB0D8C244"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tWU_mVMMf9mugLqO-ssGSL3PD-c>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 21:47:58 -0000
> On Jul 8, 2018, at 6:02 PM, George Michaelson <ggm@algebras.org> wrote: > > So how about use of a PGP key which is a payload in TXT signed over by > the ZSK/KSK so the trust paths bind together? > > fetch one DNS record +sigs, check against the TA (which has to be a > given) and then.. Currently in the zone digest draft DNSSEC is not mandatory. That is, the zone needn't necessarily be signed and a receiver need not perform the validation if they don't want to. Even without DNSSEC the digest gives you a little protection from accidental corruption. But not from malicious interference of course. It seems kind of silly to me to double up on public key cryptosystems. We already have keys attached to zones and software that generates and validates signatures. DW
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý