Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Mark Andrews <marka@isc.org> Thu, 21 June 2018 00:18 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E697130E3D for <dnsop@ietfa.amsl.com>; Wed, 20 Jun 2018 17:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b85y2mm_j9Gm for <dnsop@ietfa.amsl.com>; Wed, 20 Jun 2018 17:18:25 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 446BC130ECA for <dnsop@ietf.org>; Wed, 20 Jun 2018 17:18:24 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id CFD413AB03C; Thu, 21 Jun 2018 00:18:23 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 9A2FA160055; Thu, 21 Jun 2018 00:18:23 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 74DF8160068; Thu, 21 Jun 2018 00:18:23 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id iXmO2U8KUKBj; Thu, 21 Jun 2018 00:18:23 +0000 (UTC)
Received: from rock-73493.home.lan (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id A22FB160055; Thu, 21 Jun 2018 00:18:22 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <20180620163714.GA29798@jurassic>
Date: Thu, 21 Jun 2018 10:18:19 +1000
Cc: petr.spacek@nic.cz, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <15A233D6-DE03-402D-9A04-6AC40DD0D641@isc.org>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <CAHPuVdWXBDHdiQ2Z1uFx=mZFRBpjndiki+6Eno-2qFoe6hAovw@mail.gmail.com> <20180619231512.GA26273@jurassic> <D1BD6740-C3BF-4CFA-966E-6B48247A57F9@isc.org> <20180620163714.GA29798@jurassic>
To: Mukund Sivaraman <muks@mukund.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xai8na15pZsmrTJhg6yxnv_eO5w>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 00:18:29 -0000

> On 21 Jun 2018, at 2:37 am, Mukund Sivaraman <muks@mukund.org> wrote:
> 
> On Wed, Jun 20, 2018 at 09:48:40AM +1000, Mark Andrews wrote:
>> Donald Eastlake’s early DNSSEC work had a working zone signature.  It doesn’t
>> require signing each message.  It’s just relatively expensive to compute for
>> large zones as it requires hashing the entire zone.
>> 
>> RFC 2065 4.1.3 Zone Transfer (AXFR) SIG.
>> 
>> Note this is SIG(AXFR) not SIG(0).
> 
> doc/misc/dnssec in the BIND tree has this text by Andreas Gustafsson
> from 2001:
> 
>  Secure Zone Transfers
> 
>  BIND 9 does not implement the zone transfer security mechanisms of
>  RFC2535 section 5.6, and we have no plans to implement them in the
>  future as we consider them inferior to the use of TSIG or SIG(0) to
>  ensure the integrity of zone transfers.
> 
> I wonder what the reasons for "inferior" were.
> 
> 		Mukund

When you are getting data from a source that you know to be authoritative
and well behaved you only need to ensure that there is not corruption or
MITM in the transfer.  TSIG and SIG(0) work well for those scenarios.

When you have an untrusted source, SIG(AXFR) is better, as it is generated
by the ultimate source.  That does come at a cost, as does validating the
transfer, as both require processing the entire zone in a specified order.

Horses for courses.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
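The distinction Mark draws above (a hop-by-hop MAC such as TSIG proves the bytes were not altered between you and the peer you fetched from; a whole-zone signature or digest computed by the zone's origin proves the content is what the origin published, whoever served it) can be shown with a small model. This is an added illustration, not code from the thread, from BIND, or from RFC 2065: the canonical serialisation, the SHA-256 digest standing in for the origin's signature, the HMAC standing in for TSIG, and the zone contents are all simplified assumptions chosen for the demonstration, not the real wire formats.

```python
"""Toy model: transfer MAC (TSIG-like) versus whole-zone digest (SIG(AXFR)/
zone-digest-like).  Simplified illustration only; the canonical form, the
use of a plain hash instead of a zone-key signature, and the zone data are
all assumptions made for this example, not RFC 2065 or ZONEMD behaviour."""
import hashlib
import hmac

# Constructed sample zone: each RR is an (owner, type, rdata) tuple.
PRIMARY_ZONE = {
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018062100 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("www.example.", "A", "192.0.2.10"),
    ("mail.example.", "MX", "10 mx.example."),
}

# Constructed shared secret between the intermediary and its downstream peer.
INTERMEDIARY_TO_DOWNSTREAM_KEY = b"tsig-key-between-middle-and-downstream"


def canonical_zone_bytes(zone):
    """Serialise the whole zone in one fixed order.

    Any party that holds the same RRs gets the same bytes, regardless of the
    order in which the RRs arrived.  This ordering step is exactly the cost
    Mark refers to: every RR must be visited."""
    lines = sorted(f"{owner.lower()} {rtype} {rdata}" for owner, rtype, rdata in zone)
    return ("\n".join(lines) + "\n").encode()


def zone_digest(zone):
    """Origin-computed value covering the entire zone content (stand-in for
    a signature the zone owner would make with its zone key)."""
    return hashlib.sha256(canonical_zone_bytes(zone)).hexdigest()


def transfer_mac(key, zone):
    """Hop-level MAC over the transfer, keyed with the secret shared by the
    two peers of that one hop (TSIG-like)."""
    return hmac.new(key, canonical_zone_bytes(zone), "sha256").hexdigest()


def verify_transfer(key, zone, mac):
    return hmac.compare_digest(transfer_mac(key, zone), mac)


def intermediary_serves(zone_from_primary, peer_key, tamper):
    """A middle server re-serves the zone downstream.  If tamper is True it
    alters a record first (a compromised or misbehaving intermediary), then
    MACs the transfer with the key it legitimately shares with downstream."""
    served = set(zone_from_primary)
    if tamper:
        served.discard(("www.example.", "A", "192.0.2.10"))
        served.add(("www.example.", "A", "198.51.100.66"))
    return served, transfer_mac(peer_key, served)


def downstream_checks(peer_key, served, mac, origin_digest):
    """What the downstream secondary can establish from each mechanism."""
    return {
        "transfer_mac_ok": verify_transfer(peer_key, served, mac),
        "zone_digest_ok": zone_digest(served) == origin_digest,
    }


def run(tamper):
    origin_digest = zone_digest(PRIMARY_ZONE)          # published by the origin
    served, mac = intermediary_serves(PRIMARY_ZONE, INTERMEDIARY_TO_DOWNSTREAM_KEY, tamper)
    return downstream_checks(INTERMEDIARY_TO_DOWNSTREAM_KEY, served, mac, origin_digest)


if __name__ == "__main__":
    print("honest intermediary :", run(tamper=False))
    print("tampering intermediary:", run(tamper=True))
```

With an honest intermediary both checks pass. With a tampering intermediary the transfer MAC still verifies, because the intermediary holds the hop key and MACed exactly what it sent; only the origin-computed whole-zone value detects the change. That is the "untrusted source" case where the zone-level mechanism earns its cost, and the sorting in `canonical_zone_bytes` is why both producing and validating it touch every RR.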