On Mon, 13 Aug 2018, Edward Lewis wrote:

> On 8/11/18, 10:44, "DNSOP on behalf of John Levine" wrote:
>
>> The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD
>> record isn't signed.
>
> That's my read too, which is why I question the incremental benefit over relying on
> DNSSEC while doing the query/response over port 53 "thing". Question, not
> doubt, that is.

Which is why I suggested only using zonemd for glue/NS.

> What I'm struggling with is the applicability to other uses of the zone file.
> There too, the consumer, when making use of the ZONEMD, if the record isn't
> signed then it could be recomputed by the manager of the repository from which
> the zone file came.

The ZONEMD draft should state that before using the contents of ZONEMD,
it must be DNSSEC validated [up the chain, not just with the DNSKEY
obtained via this transfer].

> If the record is signed, the consumer would then need to implement DNSSEC. 'Course, one
> signature verification would be cheaper than "$lots" (hundreds, thousands,
> millions).

That is the only argument in favour of using it to sign the entire zone.
And it does have merit.

My main concern is people's creativity to jump through hoops to avoid
DNSSEC, and see people using zonemd as an "alternative". At which point
origin security is not present, and transport security is very weak
as anyone can subvert the ZONEMD record as has been pointed out.

Paul
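As an added illustration (not part of the thread) of the point made above, that an unsigned ZONEMD can simply be recomputed by whoever hands out the zone file: a toy Python model of a zone digest over a constructed sample zone, with a verifier that checks only the embedded digest and one that also compares against a digest value the consumer trusts independently of the transfer, standing in for DNSSEC validation of the ZONEMD RR. The names, addresses and digest encoding are assumptions, not the draft's wire format.

```python
import hashlib

# Constructed sample zone as (owner, type, rdata) tuples; not a real zone.
ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018081301 3600 900 604800 86400"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NS", "ns2.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("ns2.example.", "A", "192.0.2.2"),
    ("www.example.", "A", "192.0.2.10"),
]


def zone_digest(rrs):
    """Simplified zone digest: every record except the ZONEMD itself,
    canonicalised (lower-case owner, sorted) and hashed with SHA-384.
    Same idea as the draft, but a presentation-format stand-in, not wire format."""
    canon = sorted((o.lower(), t, r) for o, t, r in rrs if t != "ZONEMD")
    h = hashlib.sha384()
    for owner, rtype, rdata in canon:
        h.update(f"{owner} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def publish(rrs):
    """Zone publisher (or anyone who re-serves the file) attaches an apex ZONEMD."""
    body = [r for r in rrs if r[1] != "ZONEMD"]
    return body + [("example.", "ZONEMD", zone_digest(body))]


def verify_unsigned(rrs):
    """All a consumer without DNSSEC can do: does the embedded digest match the data?"""
    embedded = [r[2] for r in rrs if r[1] == "ZONEMD"]
    return len(embedded) == 1 and embedded[0] == zone_digest(rrs)


def verify_with_trust_anchor(rrs, trusted_digest):
    """What validating the ZONEMD RR up the DNSSEC chain adds: the digest value is
    bound to something the consumer holds independently of this transfer."""
    return verify_unsigned(rrs) and trusted_digest == zone_digest(rrs)


def republish_with_changed_glue(rrs):
    """The threat the thread describes: the repository manager alters glue and
    recomputes the (unsigned) ZONEMD, so the transferred copy still self-verifies."""
    changed = [(o, t, "198.51.100.99" if (o, t) == ("ns1.example.", "A") else r)
               for o, t, r in rrs]
    return publish(changed)
```

Run the two verifiers against `publish(ZONE)` and `republish_with_changed_glue(publish(ZONE))` to see the unsigned check accept both copies while the trust-anchored check rejects the altered one.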
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop