Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

Robert Edmonds <> Mon, 19 March 2018 22:24 UTC

Date: Mon, 19 Mar 2018 18:24:18 -0400
From: Robert Edmonds <>
To: Paul Wouters <>
Cc: dnsop <>

Paul Wouters wrote:
> On Mon, 19 Mar 2018, Robert Edmonds wrote:
> > Viktor Dukhovni wrote:
> > > The idea is to log the DNSKEY RRs observed at each zone apex.
> > > Without the proposed flag, one would also have to log denial of
> > > existence which would make the logs much too large.
> > 
> > Can you expand on what you mean by "much too large"? There are already
> > existing large scale passive DNS systems that log every RRset that they
> > observe, and on relatively modest amounts of hardware. Is transparency
> > for DNSSEC really all that less tractable than the "log every RRset"
> > problem?
> Do these large scale passive DNS systems then host the data for (m)any
> clients to fully download?

If those "(m)any clients" were interested in being customers of the
operator of the large scale passive DNS system, then yeah.

> There are also privacy aspects. If you need to audit/log every query,
> you are uploading more personally identifiable information. Combined with
> TTL=0 or really short RRSIG times, these can become trackers. DNSKEY and
> DS records don't come with such short TTLs (or if they would it could
> itself be seen as a sign of malicious behavior) so there is much less
> of a one-to-one relationship between those queriers and answers.

Who is uploading what to whom in this scenario?

Suppose there were something like, but instead of being a daily
point in time snapshot of the root zone in master file format, it were a
log that captured each RRset and a publish date, going back for some
small window of time, and it were (ugh) PGP signed so that you know it's
authentic. Would that be enough for independent auditors to construct
and publish their own append-only Merkle tree logs or whatever, so that
folks who want to "trust, but verify" the DNSSEC responses from the root
could do so without having to upload their query logs to anyone? If so,
doesn't this generalize to TLDs as well?

That is, I guess I'm saying if you need cooperation from the zone
publisher anyway, why not just get them to publish what you need, out of
band? (Sure, it doesn't work for the TLDs that don't want to publish
their zones.)

Robert Edmonds
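An added illustration of the "append-only Merkle tree log" sketched above; it is not code from the thread or from the powerbind draft. It builds an RFC 6962-shaped log over constructed DNSKEY entries (placeholder key data, hypothetical dates) and shows the client-side inclusion check that needs only the published tree head, the RRset the resolver already holds, and a proof, so no query log leaves the client.

```python
import hashlib
# Constructed sample entries (publish date + DNSKEY RR); key material is placeholder text.
ENTRIES = [
    "2018-03-17 . 172800 IN DNSKEY 257 3 8 <KSK-placeholder>",
    "2018-03-17 . 172800 IN DNSKEY 256 3 8 <ZSK-A-placeholder>",
    "2018-03-19 . 172800 IN DNSKEY 256 3 8 <ZSK-B-placeholder>",
]
def leaf_hash(entry):
    # 0x00 / 0x01 prefixes keep leaf and interior hashes distinct (RFC 6962).
    return hashlib.sha256(b"\x00" + entry.encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):
    # Largest power of two strictly less than n: the RFC 6962 tree shape.
    k = 1 << (n.bit_length() - 1)
    return k >> 1 if k == n else k

def tree_head(leaves):
    # Merkle tree head over the whole log (assumes a non-empty log).
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_proof(leaves, m):
    # Audit path for leaf m: sibling hashes needed to rebuild the head.
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [tree_head(leaves[:k])]

def verify_inclusion(entry, leaf_index, tree_size, proof, head):
    # Verifier from RFC 9162 section 2.1.3.2; returns False on any mismatch.
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == head
```

Appending a new DNSKEY entry changes the head, so auditors comparing heads across time (or against the publisher's out-of-band snapshot) would notice an entry that was later dropped or altered.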