Re: [DNSOP] zonemd/xhash versus nothing new

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 01 August 2018 16:45 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D42A4130DDF for <dnsop@ietfa.amsl.com>; Wed, 1 Aug 2018 09:45:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wRI2K_IkmNiD for <dnsop@ietfa.amsl.com>; Wed, 1 Aug 2018 09:45:41 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B480130E41 for <dnsop@ietf.org>; Wed, 1 Aug 2018 09:45:41 -0700 (PDT)
Received: from [10.32.60.131] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w71GjIlC021642 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 1 Aug 2018 09:45:19 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.131]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Paul Wouters" <paul@nohats.ca>
Cc: "Petr =?utf-8?b?xaBwYcSNZWs=?=" <petr.spacek@nic.cz>, "Tony Finch" <dot@dotat.at>, dnsop@ietf.org
Date: Wed, 01 Aug 2018 09:45:34 -0700
X-Mailer: MailMate (1.11.3r5509)
Message-ID: <8E9BA572-BCDF-4C1C-9B91-9FF5D589ED61@vpnc.org>
In-Reply-To: <DF41F444-DFFC-4563-B3A2-88E45B02AFAB@nohats.ca>
References: <alpine.LRH.2.21.1807271758580.22024@bofh.nohats.ca> <alpine.DEB.2.20.1807301424400.3596@grey.csi.cam.ac.uk> <a6226b2d-957a-7953-3a17-67a7282984bb@nic.cz> <alpine.DEB.2.20.1807311549150.3596@grey.csi.cam.ac.uk> <45f16f82-4a06-b194-a6e5-da0a230527c0@nic.cz> <A693B300-38E7-40A1-9ED9-358B8DD1B9F8@vpnc.org> <DF41F444-DFFC-4563-B3A2-88E45B02AFAB@nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vefk74xh1Z-2MSwsXpL6oj_6QCs>
Subject: Re: [DNSOP] zonemd/xhash versus nothing new
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2018 16:45:43 -0000

On 1 Aug 2018, at 9:31, Paul Wouters wrote:

> I strongly prefer a regular rrtype over any kind of special processing 
> or complicating dnssec further.

Agree.

> If axfr signatures aren’t enough because people envision non-dns 
> zonefile transports, do a single ZONEMD, which signs the whole thing 
> or only all records without RRSIG.

My proposed NONAUTH-RRSIG is not exclusively for zonefile transport. It 
would be useful for normal resolver-authoritative queries as well.

--Paul Hoffman