Re: [DNSOP] zonemd/xhash versus nothing new

Tony Finch <dot@dotat.at> Tue, 31 July 2018 14:59 UTC

Date: Tue, 31 Jul 2018 15:58:56 +0100
From: Tony Finch <dot@dotat.at>
To: Petr Špaček <petr.spacek@nic.cz>
cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wjEMousAPPWCq57eI3uHiigyen4>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Petr Špaček <petr.spacek@nic.cz> wrote:
> On 30.7.2018 15:32, Tony Finch wrote:
> >
> > I keep thinking it might make sense to sign non-authoritative delegation
> > records, though it's really hard to see how we could get there from here.
> > For instance, there isn't a flags field in RRSIG so you can't explicitly
> > mark an RRset as being non-authoritative.
>
> It is! RRSIG has a signer name field which points to the node with a
> particular DNSKEY. If the signer name is shorter than the zone apex name,
> the signature was created by someone up the tree.

It would be nice if that is enough :-) For NS records the RRSIG signer
will either be the same as the owner (apex RRset) or shorter (delegation
RRset). For glue it's not so clear-cut if you don't have any
apex/delegation records to hand. But maybe the other context is enough -
the section that the records appear in, the RFC 2181 priority order.

The other question I can't answer is whether existing validators will be
discombobulated by an RRSIG of unknown algorithm on a delegation NS
RRset...

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
an equitable and peaceful international order
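
The signer-name comparison discussed in this exchange, as an added example that is not part of the original message and does not describe any existing validator. The function names, the result labels and the `known_cuts` parameter are hypothetical, and names are assumed to be in presentation format without escaped dots.

```python
def labels(name):
    """Split a presentation-format name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_ancestor(ancestor, name):
    """True when `ancestor` is a proper ancestor of `name` in the DNS tree."""
    a, n = labels(ancestor), labels(name)
    return len(a) < len(n) and n[len(n) - len(a):] == a


def classify(owner, rrtype, signer, known_cuts=()):
    """Guess the role of a signed RRset from its RRSIG signer name alone.

    known_cuts holds delegation points the caller has already learned
    (hypothetical extra context, e.g. from NS RRsets seen earlier).
    """
    same = labels(signer) == labels(owner)
    above = is_ancestor(signer, owner)
    if not (same or above):
        return "invalid"            # signer is not at or above the owner
    if rrtype == "NS":
        # Signer equals owner: apex NS RRset signed by the zone itself.
        # Signer shorter than owner: delegation NS RRset signed by the parent.
        return "apex" if same else "delegation"
    if same:
        return "authoritative"      # address record at the signer's own apex
    # Address record below the signer: ordinary in-zone data and glue look
    # identical unless a zone cut is known to sit between signer and owner.
    for cut in known_cuts:
        below_cut = labels(cut) == labels(owner) or is_ancestor(cut, owner)
        if is_ancestor(signer, cut) and below_cut:
            return "glue"
    return "ambiguous"


if __name__ == "__main__":
    # Constructed sample inputs: (owner, type, signer, known cuts).
    samples = [
        ("example.com.", "NS", "example.com.", ()),
        ("example.com.", "NS", "com.", ()),
        ("ns1.example.com.", "A", "com.", ()),
        ("ns1.example.com.", "A", "com.", ("example.com.",)),
    ]
    for owner, rrtype, signer, cuts in samples:
        print(owner, rrtype, "signed by", signer, "->",
              classify(owner, rrtype, signer, cuts))
```
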