On Dec 1, 2014, at 5:29 PM, Paul Vixie <[email protected]> wrote:

> i think you meant "zone" not "root zone" here.

I meant "root zone" because I have heard nearly no one talk about verifying other zones. If what is created works for other zones, great.

>> A signed hash meets (2) regardless of how the zone was transmitted.
>
> not inevitably. the verification tool would be new logic, either built into
> the secondary name server, or as an outboard tool available to the transfer
> mechanism.

Others on this list have asked for a third use case, namely zone files sitting on disk.

> when i compare the complexity-cost of that tool to the contents of the
> <ftp://ftp.internic.net/domain> directory, i see that existing tools whose
> complexity-cost i already pay would work just fine. (those being pgp and
> md5sum). so, a detached signature can in some cases meet (2) far more easily
> than an in-band signature.

Your proposal skips over the "how do I trust this signing key" part. You might want to force everyone else to do the work you have done to get to that trust; others might want a simpler solution.

> it's also the case that rsync and similar tools (and AXFR) use TCP which most
> of us consider "reliable" even though its checksums aren't nearly as strong
> as SCTP's. therefore your problem statement "being sure they got the exact
> right zone" would have to refer to an MiTM, possibly inside the secondary
> server (if the zone receiver is a tertiary), or possibly on-path.

Yes.

> in either case, to frustrate the MiTM, the proposed in-band signature would
> have to be DNSSEC based.

No offense, but you're making no sense. Above, you give a counter-example to that assertion.

> and there is already an in-band DNSSEC-based zone identity/coherency test --
> zone walking. why would we add another way to do the same thing we could do
> with existing DNSSEC data?

Maybe I'm just being dense, but I'm not seeing how zone walking validates the contents of the glue records.

> i think walking the existing zone and verifying that there are no records
> between the nsecs and that every signature is valid and that the nsec chain
> ends at the apex, is simpler.

It is. Unless I'm missing something, it is also incomplete. (And, of course, doesn't work for zones that use NSEC3...)

--Paul Hoffman

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
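The exchange above turns on what an NSEC-chain walk of a transferred zone can and cannot attest. The following is an added example, not code from either poster or from any DNS project, that performs the two structural checks Vixie names (the chain advances in canonical order and returns to the apex; no owner name carrying data sits between NSEC owners) against a small constructed zone, and then shows Hoffman's point: an in-zone glue address below a delegation has no NSEC of its own, so a walker never sees it and cannot validate it. RRSIG validation is assumed to be handled elsewhere and is not implemented here; the zone, names and addresses are constructed sample data.

```python
"""Walk the NSEC chain of a constructed zone and report what the walk covers."""

# Constructed sample zone (not taken from the message). Records are
# (owner, type, rdata). There is one delegation, child.example., whose name
# server lives inside the delegated subtree, so its A record is glue.
SAMPLE_ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 300"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NSEC", "child.example. NS SOA RRSIG NSEC DNSKEY"),
    ("child.example.", "NS", "ns1.child.example."),
    ("child.example.", "NSEC", "ns1.example. NS RRSIG NSEC"),
    ("ns1.child.example.", "A", "192.0.2.53"),  # glue below the zone cut: no NSEC
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns1.example.", "NSEC", "example. A RRSIG NSEC"),
]


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    labels are compared right to left, case-insensitively."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def nsec_links(zone):
    """Map each NSEC owner name to the 'next owner name' in its rdata."""
    return {owner: rdata.split()[0] for owner, rtype, rdata in zone if rtype == "NSEC"}


def walk_chain(zone, apex):
    """Follow NSEC next-name pointers starting at the apex.

    Returns (visited_names, errors). The walk is clean when every hop moves
    forward in canonical order, the final hop wraps back to the apex, and
    every NSEC owner in the zone was reached from the apex."""
    links = nsec_links(zone)
    visited, errors = [], []
    name = apex
    while True:
        if name not in links:
            errors.append(f"no NSEC at {name}; chain is broken")
            return visited, errors
        visited.append(name)
        nxt = links[name]
        if nxt == apex:
            break  # chain closed at the apex
        if canonical_key(nxt) <= canonical_key(name):
            errors.append(f"NSEC at {name} points backwards to {nxt}")
            return visited, errors
        name = nxt
    unreached = sorted(set(links) - set(visited), key=canonical_key)
    if unreached:
        errors.append(f"NSEC owners never reached from the apex: {unreached}")
    return visited, errors


def names_outside_chain(zone, apex):
    """Owner names that hold data but have no NSEC of their own.

    A walk never visits these. Names below a delegation (glue) are legitimately
    absent from the chain, which is exactly why walking cannot validate glue;
    any other such name is a record sitting between NSECs, i.e. an error.
    Returns (glue_names, unexplained_names), each in canonical order."""
    links = nsec_links(zone)
    delegations = {owner for owner, rtype, _ in zone if rtype == "NS" and owner != apex}
    data_owners = {owner for owner, rtype, _ in zone if rtype != "NSEC"}
    glue, unexplained = [], []
    for name in sorted(data_owners - set(links), key=canonical_key):
        below_cut = any(name != cut and name.endswith("." + cut) for cut in delegations)
        (glue if below_cut else unexplained).append(name)
    return glue, unexplained


def report(zone, apex):
    """Summarise what the walk proves and what it leaves unverified."""
    visited, errors = walk_chain(zone, apex)
    glue, unexplained = names_outside_chain(zone, apex)
    return {
        "chain_ok": not errors and not unexplained,
        "visited": visited,
        "errors": errors + [f"data at {n} is not covered by any NSEC" for n in unexplained],
        "glue_not_validated_by_walk": glue,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ZONE, "example.").items():
        print(f"{key}: {value}")
```

Running it on the sample zone reports a clean chain of three names and lists ns1.child.example. as glue the walk never examined; appending an A record at a name with no NSEC (a record "between the nsecs") makes the same check flag it as an error, which is the distinction the message draws between a complete chain and a complete zone.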
