On Tue, Jun 19, 2018 at 10:32 AM Petr Špaček <petr.spa...@nic.cz> wrote:

>
> I think we need to first answer question why existing technologies do
> not fit the purpose.
>

This is a reasonable question.

I noticed that the draft doesn't mention SIG(0) at all. One of the main
motivators of the draft is stated to be secure, wide scale distribution of
the root zone. To me, SIG(0) would have been an obvious candidate solution
for this problem. The zone owner can publish one public key to the world,
and sign zone transfer messages with the corresponding secret key. If the
zone owner supports IXFR, the incremental cost of these message signatures
is also quite small.

Possible issues with SIG(0):

* Although it is an existing technology, it isn't widely implemented or
used. I just learned on DNS Twitter that BIND only supports SIG(0) for
UPDATE, for example, and not XFR.

* If the goal is to support secure acquisition of the zone outside the DNS
protocol, then it can't do that. But neither is ZONEMD needed for that - we
can use an out of band signature using a variety of methods.

* And there is also the question of the status of SIG(0) which isn't clear
to me: Although RFC 2931 is not obsolete, it is based on the SIG record,
which is defined in an RFC that has been obsoleted by the DNSSEC-bis
documents.

-- 
Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
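As an added illustration of the SIG(0) transfer-signing idea discussed in the message above (my own model, not code from the thread, BIND, or any DNS implementation): the zone owner signs each XFR message over the SIG(0) RDATA-minus-signature plus the message, and a receiver holding only the published public key checks the validity window and the signature. Assumptions: Ed25519 stands in for the signing algorithm, the transfer request is unsigned, and the field values and message bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Sig0Fields are the SIG(0) RDATA fields that precede the signature (RFC 2535
// SIG layout as used by RFC 2931); Type Covered, Labels and Original TTL are 0.
type Sig0Fields struct {
	Algorithm  uint8
	Expiration uint32 // seconds since epoch, as in RRSIG
	Inception  uint32
	KeyTag     uint16
	SignerName []byte // wire-format owner name of the published KEY
}

// rdataPrefix serialises the RDATA in wire order with the signature omitted.
func (f Sig0Fields) rdataPrefix() []byte {
	b := make([]byte, 18) // b[0:2] type covered, b[3] labels, b[4:8] TTL stay 0
	b[2] = f.Algorithm
	binary.BigEndian.PutUint32(b[8:], f.Expiration)
	binary.BigEndian.PutUint32(b[12:], f.Inception)
	binary.BigEndian.PutUint16(b[16:], f.KeyTag)
	return append(b, f.SignerName...)
}

// signingData follows RFC 2931 section 3.1: SIG RDATA minus the signature, then
// the DNS message as it was before the SIG(0) RR was added to the additional
// section. Assumption: the XFR request was unsigned, so nothing is prepended.
func signingData(f Sig0Fields, msg []byte) []byte {
	return append(f.rdataPrefix(), msg...)
}

// SignTransferMessage signs one message of the XFR stream with the zone owner's
// private key (Ed25519 is used here as a stand-in; RFC 2931 predates it).
func SignTransferMessage(priv ed25519.PrivateKey, f Sig0Fields, msg []byte) []byte {
	return ed25519.Sign(priv, signingData(f, msg))
}

// VerifyTransferMessage is the receiver side: only the published public key is
// needed; the window check limits replay of old transfer messages.
func VerifyTransferMessage(pub ed25519.PublicKey, f Sig0Fields, msg, sig []byte, now uint32) error {
	if now < f.Inception || now > f.Expiration {
		return errors.New("SIG(0) outside its inception/expiration window")
	}
	if !ed25519.Verify(pub, signingData(f, msg), sig) {
		return errors.New("SIG(0) signature does not verify: message altered or wrong key")
	}
	return nil
}
```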