> On 3 Aug 2018, at 10:35 am, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
> On 2 Aug 2018, at 12:14, Paul Wouters wrote:
> 
>> On Tue, 31 Jul 2018, Matt Larson wrote:
>> 
>>> For all those reasons, I think a checksum in the zone file itself that can 
>>> be verified with DNSSEC is the best option for this use case, and I like 
>>> the ZONEMD solution.
>> 
>> Note that the checksum in this case must be at least as
>> cryptographically strong as the signature algorithm used
>> in the individual RRSIGs/DNSKEYs.
> 
> Not true.
> 
> If the resolver is validating, the ZONEMD only adds assurance that the 
> non-signed records are there. Thus, the hash algorithm for the zone is 
> unrelated to the hash algorithms in the signatures.

ZONEMD also adds assurances that RRSIGs have not been removed.
ZONEMD also adds assurances that RRSIGs for unsupported algorithms have not 
been tampered with except for RRSIG(ZONEMD).

SIG(AXFR) was designed to validate the entire zone (no need to validate 
individual RRsets).
RRSIG(ZONEMD) should be able to validate the entire zone.

> If the resolver is not validating, the ZONEMD assures that all the records 
> are there. The strength of that assurance is the same as the second pre-image 
> strength of the hash. However, the resolver cannot say "oh, look, now I can 
> start resolving with what I got in the zone transfer": it still needs to 
> validate every RRSIG all the way to the root.
> 
>> This would have to be
>> enforced by software/RFC to prevent a downgrade attack.
> 
> Given the above, what downgrade attack are you thinking of?
> 
> --Paul Hoffman

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
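As an added illustration of the point above (example code written for this page, not from the thread or any ZONEMD implementation): a Python sketch of why a whole-zone digest catches a stripped RRSIG or an unsigned glue record, which per-RRset validation alone cannot notice. It models the ZONEMD exclusion rule (the apex ZONEMD and the RRSIG covering it are left out of the digest) over a constructed sample zone, hashing sorted presentation-form lines rather than the DNSSEC canonical wire encoding a real implementation would hash.

```python
import hashlib

# Constructed sample zone in simplified (owner, type, rdata) form.
# RRSIG and DNSKEY fields are placeholders, not real key or signature material.
SAMPLE_ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018080301 7200 3600 1209600 3600"),
    ("example.", "RRSIG", "SOA 13 1 3600 20180901000000 20180801000000 12345 example. sig-soa"),
    ("example.", "NS", "ns1.example."),
    ("example.", "RRSIG", "NS 13 1 3600 20180901000000 20180801000000 12345 example. sig-ns"),
    ("example.", "DNSKEY", "257 3 13 key-material"),
    ("example.", "RRSIG", "DNSKEY 13 1 3600 20180901000000 20180801000000 12345 example. sig-dnskey"),
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns1.example.", "RRSIG", "A 13 2 3600 20180901000000 20180801000000 12345 example. sig-ns1"),
    ("sub.example.", "NS", "ns.sub.example."),      # delegation: not signed by this zone
    ("ns.sub.example.", "A", "192.0.2.53"),         # glue: not signed by this zone
    ("example.", "ZONEMD", "2018080301 1 1 placeholder-digest"),
    ("example.", "RRSIG", "ZONEMD 13 1 3600 20180901000000 20180801000000 12345 example. sig-zonemd"),
]


def covered_type(rrsig_rdata):
    """Type Covered is the first field of RRSIG rdata."""
    return rrsig_rdata.split()[0]


def zone_digest(records):
    """Simplified zone digest: SHA-384 over every RR except the apex ZONEMD
    and the RRSIG(s) covering it, so the digest can be placed in the zone
    after it is computed. Records are sorted to make the result order-independent."""
    included = [
        rr for rr in records
        if not (rr[1] == "ZONEMD" or (rr[1] == "RRSIG" and covered_type(rr[2]) == "ZONEMD"))
    ]
    canonical = "\n".join("%s %s %s" % rr for rr in sorted(included))
    return hashlib.sha384(canonical.encode()).hexdigest()


def digest_changes_if_removed(records, owner, rtype, covered=None):
    """True if deleting the matching RR(s) (optionally only the RRSIG covering
    `covered`) changes the zone digest, i.e. the deletion would be detected."""
    def keep(rr):
        if rr[0] != owner or rr[1] != rtype:
            return True
        return covered is not None and covered_type(rr[2]) != covered
    return zone_digest(records) != zone_digest([rr for rr in records if keep(rr)])


if __name__ == "__main__":
    print("strip RRSIG(NS) detected: ", digest_changes_if_removed(SAMPLE_ZONE, "example.", "RRSIG", "NS"))
    print("strip glue A detected:     ", digest_changes_if_removed(SAMPLE_ZONE, "ns.sub.example.", "A"))
    print("strip RRSIG(ZONEMD) detected:", digest_changes_if_removed(SAMPLE_ZONE, "example.", "RRSIG", "ZONEMD"))
```

The last case is False by design: RRSIG(ZONEMD) is outside the digest, so its integrity rests on DNSSEC validation of that one signature, which is the exception Mark notes above.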

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop