Re: [DNSOP] Ghost of a zone signature effort from the long ago days...

"Wessels, Duane" <dwessels@verisign.com> Tue, 31 July 2018 19:25 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Edward Lewis <edward.lewis@icann.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Tue, 31 Jul 2018 19:25:40 +0000
Message-ID: <829A7EE7-0344-4183-A7A8-082FE325DE1F@verisign.com>
References: <65F3017E-3571-4517-9189-7D43E48DADBF@icann.org>
In-Reply-To: <65F3017E-3571-4517-9189-7D43E48DADBF@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ur8mCniCZk9ZNRUSv0yYc6VyRao>
Subject: Re: [DNSOP] Ghost of a zone signature effort from the long ago days...


> On Jul 31, 2018, at 10:51 AM, Edward Lewis <edward.lewis@icann.org> wrote:
> 
> I wish I could recall why.  (Anyone else recall why this was dropped?  I recall realizing it was a fool's errand but not the reasons.)  Yes, today's network is different.


Olafur wrote a little about this a couple weeks ago.  He said:

"Historical background: SIG(AXFR) was rejected because it required putting the zone into canonical order and calculating the signature, in the case of dynamic update this is a real expensive operation, thus we got rid of it."


I have been looking at solutions to this problem, and have been implementing them in my proof-of-concept ZONEMD code.

DW
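
The cost described in the quoted background, as an added example that is not from this thread or from the ZONEMD proof-of-concept code: a simplified whole-zone digest computed in RFC 4034 canonical owner-name order, where one added record forces every record to be hashed again. The function names, the sample zone, the choice of SHA-384 and the text serialization are assumptions made for illustration.

```python
import hashlib

def canonical_key(owner):
    # RFC 4034 section 6.1: compare labels right to left as lowercased octets;
    # a name with fewer labels that is a prefix of another sorts first.
    labels = owner.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels) if label]

def zone_digest(records):
    # Simplification (assumption): hashes presentation-format text and orders
    # types by mnemonic; a real scheme would use wire format and numeric types.
    ordered = sorted(records, key=lambda r: (canonical_key(r[0]), r[1], r[2]))
    h = hashlib.sha384()
    for owner, rtype, rdata in ordered:
        h.update(f"{owner.lower()} {rtype} {rdata}\n".encode("ascii"))
    return h.hexdigest(), len(ordered)

def apply_update(records, added):
    # One dynamic update: the digest covers every record, so all are re-hashed.
    before, _ = zone_digest(records)
    after, hashed = zone_digest(records + [added])
    return before != after, hashed

def sorted_owners(records):
    # Owner names only, in canonical order, to make the ordering visible.
    return [r[0] for r in sorted(records, key=lambda r: canonical_key(r[0]))]

# Constructed sample zone, deliberately out of order (names taken from the
# ordering example in RFC 4034 section 6.1).
ZONE = [
    ("z.example.", "A", "192.0.2.3"),
    ("example.", "SOA", "ns.example. admin.example. 1 3600 600 86400 300"),
    ("Z.a.example.", "A", "192.0.2.2"),
    ("a.example.", "A", "192.0.2.1"),
    ("yljkjljk.a.example.", "A", "192.0.2.4"),
]

if __name__ == "__main__":
    print(sorted_owners(ZONE))
    print(apply_update(ZONE, ("b.example.", "A", "192.0.2.5")))
```

The digest is independent of the order in which records are stored, which is what the canonical sort buys; the price is that a single-record change touches the hash input for the entire zone.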