> On 20 Jun 2018, at 9:15 am, Mukund Sivaraman <[email protected]> wrote:
> 
> On Tue, Jun 19, 2018 at 02:11:02PM -0400, Shumon Huque wrote:
>> On Tue, Jun 19, 2018 at 10:32 AM Petr Špaček <[email protected]> wrote:
>> 
>>> 
>>> I think we need to first answer question why existing technologies do
>>> not fit the purpose.
>>> 
>> 
>> This is a reasonable question.
>> 
>> I noticed that the draft doesn't mention SIG(0) at all. One of the main
>> motivators of the draft is stated to be secure, wide scale distribution of
>> the root zone. To me, SIG(0) would have been an obvious candidate solution
>> for this problem. The zone owner can publish one public key to the world,
>> and signs zone transfers messages with the corresponding secret key. If the
>> zone owner supports IXFR, the incremental cost of these message signatures
>> is also quite small.
> 
> There also seems to be a scalability problem with SIG(0) in that
> generating the signature involves a public-key operation per DNS
> message.
> 
> For a zone transfer of the root zone from F, the AXFR contains 79
> messages in the TCP continuation:
> 
> ;; XFR size: 22554 records (messages 79, bytes 1335768)
> 
> Unfortunately, because the request message's fields are involved in
> calculating the signature for the reply message and the ID also varies,
> it doesn't appear that the signatures can be re-used.
> 
> This scalability problem is probably a reason why TSIG's HMAC has become
> the preferred method for transaction security and SIG(0) isn't used to
> authenticate zone transfers.

Donald Eastlake’s early DNSSEC work had a working zone signature.  It doesn’t
require signing each message.  It’s just relatively expensive to compute for
large zones as it requires hashing the entire zone.

RFC 2065 4.1.3 Zone Transfer (AXFR) SIG.

Note this is SIG(AXFR) not SIG(0).

Mark

>               Mukund
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

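The two cost models the thread compares, as an added example that is not part of the original e-mail exchange and is not code from Mark Andrews, ISC, or any DNS implementation: per-message SIG(0) (signed data includes the request and the message ID, so nothing can be reused across transfers), a single RFC 2065-style zone signature (hash the whole zone once, sign once, reuse for every transfer regardless of how the messages are framed), and per-message TSIG HMACs (cheap, symmetric). The zone, the record-per-message framing, and the private key are constructed; `stand_in_sign` is a deterministic placeholder for a public-key signature, used with the same key for signing and checking, because only the signed input and the operation count matter here.

```python
import hashlib
import hmac
import math
import struct

# Constructed toy zone (300 A records in canonical order); not real root-zone data.
ZONE = [f"host{i}.example. 3600 IN A 192.0.2.{i % 256}" for i in range(300)]
RECORDS_PER_MESSAGE = 4  # toy framing; a real AXFR packs far more RRs per message


def split_into_messages(records, per_message=RECORDS_PER_MESSAGE):
    """An AXFR response is a series of DNS messages, each carrying a chunk of RRs."""
    return [records[i:i + per_message] for i in range(0, len(records), per_message)]


def stand_in_sign(private_key: bytes, data: bytes) -> bytes:
    """Stand-in for a public-key signature (deterministic, key-dependent).
    Only the *input* to the signature matters for this comparison."""
    return hmac.new(private_key, data, "sha256").digest()


def sig0_signed_data(request: bytes, msg_id: int, chunk) -> bytes:
    """What a SIG(0) on a response covers (RFC 2931 section 3.1, simplified):
    the request message plus the response, including its ID, minus the SIG RR."""
    return request + struct.pack("!H", msg_id) + "\n".join(chunk).encode()


def sig0_transfer(key: bytes, request: bytes, first_id: int, zone):
    """SIG(0): one public-key signature per message, each bound to this request.
    Returns (signatures, number of signing operations)."""
    sigs = [stand_in_sign(key, sig0_signed_data(request, first_id + i, chunk))
            for i, chunk in enumerate(split_into_messages(zone))]
    return sigs, len(sigs)


def zone_hash(zone) -> bytes:
    """Hash the entire zone in canonical order: the expensive step for large zones."""
    h = hashlib.sha256()
    for rr in zone:
        h.update(rr.encode() + b"\n")
    return h.digest()


def zone_signature(key: bytes, zone) -> bytes:
    """SIG(AXFR)-style: one signature over the zone content, computed once per
    zone version and sent unchanged in every transfer."""
    return stand_in_sign(key, zone_hash(zone))


def verify_zone_signature(key: bytes, messages, sig: bytes) -> bool:
    """The receiver reassembles the RRs from however the messages were framed
    and checks the single signature; message IDs and framing are irrelevant."""
    received = [rr for chunk in messages for rr in chunk]
    return hmac.compare_digest(zone_signature(key, received), sig)


def tsig_transfer(shared_key: bytes, zone):
    """TSIG: one HMAC per message, symmetric key, no public-key operation."""
    return [hmac.new(shared_key, "\n".join(chunk).encode(), "sha256").digest()
            for chunk in split_into_messages(zone)]


def authentication_ops(zone, transfers: int):
    """Operations needed to serve `transfers` full AXFRs of the same zone version."""
    per_transfer = math.ceil(len(zone) / RECORDS_PER_MESSAGE)
    return {
        "sig0_pubkey_sigs": per_transfer * transfers,   # one per message, every time
        "tsig_hmacs": per_transfer * transfers,         # same count, but cheap HMACs
        "zone_sig_pubkey_sigs": 1,                      # once, then reused
    }


def sig0_reusable(key: bytes, zone) -> bool:
    """Could SIG(0) signatures from one transfer be reused for another client?
    Different request bytes and IDs change the signed data, so they cannot."""
    a, _ = sig0_transfer(key, b"client-A AXFR example.", 1000, zone)
    b, _ = sig0_transfer(key, b"client-B AXFR example.", 2000, zone)
    return a == b


if __name__ == "__main__":
    key = b"constructed-private-key"   # placeholder, not a real key
    print(authentication_ops(ZONE, transfers=10))
    print("SIG(0) signatures reusable:", sig0_reusable(key, ZONE))
    sig = zone_signature(key, ZONE)
    # Same zone framed with 7 RRs per message (a different transfer): still verifies.
    print("zone signature verifies:", verify_zone_signature(key, split_into_messages(ZONE, 7), sig))
```

Note that `sig0_reusable` returns False even though every transfer carries identical zone content, which is the point Mukund raises, while `verify_zone_signature` succeeds for any framing of the same records, which is what makes the RFC 2065 approach reusable at the price of hashing the whole zone once per version.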