Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

"John R Levine" <johnl@taugh.com> Thu, 08 August 2019 19:56 UTC

Date: Thu, 08 Aug 2019 15:56:40 -0400
Message-ID: <alpine.OSX.2.21.9999.1908081551300.32831@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop@ietf.org
In-Reply-To: <CAJhMdTPRAu+8ep3-fndYzh10RenKa7Kabi+snajVjdyZEoGpMw@mail.gmail.com>
References: <20190808185156.654657CF5A4@ary.qy> <CAJhMdTPRAu+8ep3-fndYzh10RenKa7Kabi+snajVjdyZEoGpMw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vjRhucbvOI6RQtoRxrdc5pw7-0o>

On Thu, 8 Aug 2019, Joe Abley wrote:
>> I don't see how that's a MUST.  What else could you do?
>
> One alternative would be for the receiver to insist that all digests
> with supported algorithms match. It seems reasonable to specify that
> verifying that one of them matches is sufficient to declare the zone
> intact.

If there are multiple digests and some validate and some don't, I can 
think of a whole lot of reasons why that might happen, e.g., bug at the 
signer, bug at the verifier, cosmic ray bit flip in one of the digests, 
MITM with a strange sense of humor.  I don't want to try to offer 
experience-free advice on how to debug that.

In realistic cases, unless there's a catastrophic break of one of the 
algorithms (so sensible verifiers will stop accepting it), if any of the 
digests verify, the chances are extremely high that the zone is good.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
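Added example (not code from the draft or from either poster) that models the two verifier policies discussed in this thread: accept when any digest with a supported algorithm matches, versus insist that all of them match. The hash-algorithm codes, the sample zone and the digest input (sorted presentation text rather than the draft's canonical wire-format serialisation) are assumptions made for illustration.

```python
import hashlib

# Assumed hash-algorithm codes for this example (not taken from the draft).
HASH_ALGS = {1: "sha384", 2: "sha512"}

# Constructed sample zone as (owner, type, rdata) tuples.
ZONE = [
    ("example.", "SOA", "ns1.example. admin.example. 2019080801 3600 900 604800 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("www.example.", "A", "192.0.2.10"),
]


def zone_digest(records, alg):
    """Digest of the zone contents, excluding any ZONEMD record.
    Simplification: sorted presentation text is hashed instead of the
    canonical wire-format serialisation the draft specifies."""
    body = "\n".join(f"{o} {t} {r}" for o, t, r in sorted(records) if t != "ZONEMD")
    return hashlib.new(HASH_ALGS[alg], body.encode()).hexdigest()


def publish_zonemd(records, algs):
    """Publisher side: one (alg, digest) pair per requested algorithm."""
    return [(alg, zone_digest(records, alg)) for alg in algs]


def verify(records, zonemds, require_all=False):
    """Verifier side. require_all=False is the 'one match suffices' policy;
    require_all=True insists every supported digest matches.
    Returns (accepted, per-algorithm outcome)."""
    outcome = {}
    for alg, digest in zonemds:
        if alg not in HASH_ALGS:
            outcome[alg] = "unsupported"   # skipped: not evidence either way
        elif zone_digest(records, alg) == digest:
            outcome[alg] = "match"
        else:
            outcome[alg] = "mismatch"
    checked = [v for v in outcome.values() if v != "unsupported"]
    if not checked:
        return False, outcome              # nothing verifiable: cannot declare intact
    decide = all if require_all else any
    return decide(v == "match" for v in checked), outcome


def corrupt_digest(digest):
    """Simulate a one-hex-digit error in a published digest (e.g. a bit flip)."""
    return ("0" if digest[0] != "0" else "1") + digest[1:]
```

With one of two digests corrupted, the any-match policy still accepts the unmodified zone while the all-match policy rejects it; a zone whose contents were changed is rejected under both policies.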