On Tue, Jun 19, 2018 at 2:56 PM Wessels, Duane <[email protected]> wrote:
> > * If the goal is to support secure acquisition of the zone outside the
> > DNS protocol, then it can't do that. But neither is ZONEMD needed for that
> > - we can use an out-of-band signature using a variety of methods.
>
> Yes, this is the crux of it for me and the other authors as well, I
> believe. In my opinion, detached signatures/checksums are not good
> enough. Our not-yet-released -02 draft has this new text:
>
> 1.1.2. Detached Signatures
>
> Sometimes, detached checksums and signatures can be found adjacent to
> zone files. This is the case for the root and other zone files
> published on the internic.net sites [InterNIC]. For example, the
> files root.zone.md5 and root.zone.sig are in the same directory as
> the root.zone file. Unfortunately, since the checksum and signature
> are in separate files, they are only weakly associated with the zone
> file. They remain associated only if the recipient is careful to
> keep them together. Nothing in these files, other than their names
> and timestamps, ties them to a specific revision of the root.zone
> file.

Hi Duane,

If you make this comparison, I think you should also mention that there are many integrated signature/data formats too (supported in PGP, S/MIME, CMS, PKCS7, etc.) that can address your 'weakly associated' critique of detached signatures. And then argue why the zonemd scheme is superior to those. I guess one argument is that it uses keys that are already resident in the DNS and doesn't rely on external protocols?

Shumon.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
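As an added illustration of the distinction drawn in this exchange (example code written for this page, not taken from the ZONEMD draft or from either poster), the Python below contrasts a detached checksum file, which carries nothing identifying the revision it belongs to, with a self-describing container that puts the SOA serial under the same digest as the zone body, the way an integrated signed-message format binds metadata and payload. It uses SHA-256 checksums in place of the PGP/CMS signatures mentioned in the message, so it demonstrates binding only, not authenticity; the zone text, names and serials are constructed, and the container layout is an assumption made for the example.

```python
"""Detached vs. integrated integrity metadata for a zone file (toy example).

Added example for this thread; not code from the ZONEMD draft or either poster.
SHA-256 checksums stand in for signatures: this shows association, not authenticity.
"""
import hashlib
import re

# Two constructed revisions of a tiny zone (not real root zone data).
ZONE_REV1 = b"""$ORIGIN example.
example. 3600 IN SOA ns1.example. hostmaster.example. 2018061901 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
ns1.example. 3600 IN A 192.0.2.1
"""
ZONE_REV2 = (ZONE_REV1.replace(b"2018061901", b"2018061902")
             + b"www.example. 3600 IN A 192.0.2.2\n")

SOA_SERIAL_RE = re.compile(rb"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)")


def soa_serial(zone: bytes) -> int:
    """Pull the serial out of the (single-line) SOA record in a zone file."""
    m = SOA_SERIAL_RE.search(zone)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


# --- Detached scheme: the root.zone + root.zone.md5 pattern -------------------
def detached_checksum(zone: bytes) -> str:
    """Contents of a sidecar checksum file: a bare hex digest, nothing else."""
    return hashlib.sha256(zone).hexdigest()


def detached_verify(zone: bytes, sidecar: str) -> bool:
    """The sidecar says nothing about which revision it was made for, so the
    verifier can only tell 'matches' from 'does not match'."""
    return hashlib.sha256(zone).hexdigest() == sidecar


# --- Integrated scheme: metadata travels inside the protected object --------
def make_bundle(zone: bytes) -> bytes:
    """Self-describing container (layout assumed for this example): a header
    naming the revision, then the zone. The digest covers header and body, so
    'which revision' and 'which bytes' cannot drift apart by renaming or
    shuffling files."""
    header = f"serial: {soa_serial(zone)}\n".encode()
    digest = hashlib.sha256(header + zone).hexdigest()
    return header + f"sha256: {digest}\n\n".encode() + zone


def verify_bundle(bundle: bytes) -> int:
    """Return the attested serial, or raise ValueError saying what failed."""
    head, sep, body = bundle.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed bundle: no header/body separator")
    fields = dict(line.split(b": ", 1) for line in head.split(b"\n"))
    serial_line = b"serial: " + fields[b"serial"] + b"\n"
    if hashlib.sha256(serial_line + body).hexdigest() != fields[b"sha256"].decode():
        raise ValueError("digest mismatch: header does not belong to this body")
    claimed = int(fields[b"serial"])
    if claimed != soa_serial(body):
        raise ValueError("header serial does not match SOA serial in body")
    return claimed


def demo() -> dict:
    """Exercise both schemes on the constructed revisions."""
    results = {}
    # A sidecar verifies its own zone, but nothing in it names the revision.
    results["detached_rev1_ok"] = detached_verify(ZONE_REV1, detached_checksum(ZONE_REV1))
    # A sidecar that drifted away from its zone just fails, with no hint why.
    results["detached_mixed_up"] = detached_verify(ZONE_REV2, detached_checksum(ZONE_REV1))
    # The bundle tells the verifier which revision it is looking at.
    results["bundle_serial"] = verify_bundle(make_bundle(ZONE_REV2))
    # Splice rev1's header onto rev2's body: the binding failure is explicit.
    head1 = make_bundle(ZONE_REV1).split(b"\n\n", 1)[0]
    try:
        verify_bundle(head1 + b"\n\n" + ZONE_REV2)
        results["spliced_rejected"] = False
    except ValueError as exc:
        results["spliced_rejected"] = True
        results["spliced_reason"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the header-plus-body would be signed rather than hashed, which is what PGP clearsigned messages or CMS SignedData provide; the point the example isolates is that once the revision identifier sits under the same integrity check as the data, the recipient no longer has to rely on file names and timestamps to keep them matched.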
