Re: [DNSOP] SIG(0) useful (and used?)

2018-06-23 Thread Viktor Dukhovni
On Wed, Jun 20, 2018 at 07:47:16AM +1000, Mark Andrews wrote: > SIG(0) has miles of potential. Active Directory shows that hosts updating > their own addresses is useful. And not just their own addresses. On my TODO list is making DANE more manageable by (optionally) allowing the holder of a

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-22 Thread Warren Kumari
On Fri, Jun 22, 2018 at 9:48 AM Ted Lemon wrote: > It seems to me that the main benefit of SIG(0) is not securing connections > between resolvers and caches, but in securing DNS updates and other > transfers where you need authentication+authorization. In the case where > you just need

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-22 Thread Shumon Huque
On Fri, Jun 22, 2018 at 12:05 PM Tom Pusateri wrote: > What’s the point of using DNS to look up a KEY RR to verify a signature if > you can’t trust the KEY? The KEY resides in the senders zone so no > relationship with a resolver will help you here. > Yeah, this is a limitation in the SIG(0)

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-22 Thread Ted Lemon
It seems to me that the main benefit of SIG(0) is not securing connections between resolvers and caches, but in securing DNS updates and other transfers where you need authentication+authorization. In the case where you just need authentication, we already have DNSSEC. I _guess_ Warren's use

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-22 Thread Vladimír Čunát
On 06/22/2018 12:27 AM, Ted Lemon wrote: > Thanks. In the case where a zone isn’t signed but the authoritative > server supports SIG(0), the response could be verified that it > includes exactly what the server sent. But the KEY would need to be > DNSSEC validated or it probably can’t be trusted

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Tom Pusateri
> On Jun 21, 2018, at 1:40 PM, Shumon Huque wrote: > > On Thu, Jun 21, 2018 at 8:05 AM Tom Pusateri > wrote: >> On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > > wrote: >> >> On 06/20/2018 04:59 PM, Tom Pusateri wrote: >>> DNSSEC

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 8:05 AM Tom Pusateri wrote: > On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > wrote: > > On 06/20/2018 04:59 PM, Tom Pusateri wrote: > > DNSSEC will tell you the answer you get is correct but it could be a > to > a different question or be incomplete. > > Can you

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 9:55 AM Warren Kumari wrote: > > I think that 95% of the issue is on the stub side. > > Paul's https://github.com/BII-Lab/DNSoverHTTP and Stubby both come fairly > close to solving this. The more I think about it, DPRIVE and DoH are > driving towards what I want. > >

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread ietf-dnsops
> On 21 Jun 2018, at 00:13, Paul Vixie wrote: > > ... >> So, SIG(0) could be many nice things, but without more implementations >> it is hobbled... > > i'd love to see it implemented. I would also add my voice to those who would love to see this implemented. I have looked at using SIG(0)

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Warren Kumari
On Thu, Jun 21, 2018 at 4:52 AM Joe Abley wrote: > On Jun 20, 2018, at 21:05, Shumon Huque wrote: > > > On Wed, Jun 20, 2018 at 7:30 PM Joe Abley wrote: > >> On Jun 20, 2018, at 19:07, Warren Kumari wrote: >> >> ... what I'd always wanted[0] was to be able to set up my own recursive >> name

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Tom Pusateri
> On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > wrote: > > On 06/20/2018 04:59 PM, Tom Pusateri wrote: >> DNSSEC will tell you the answer you get is correct but it could be a > to a >> different question or be incomplete. > Can you elaborate on that point? I believe in signed zones you are

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Joe Abley
On Jun 20, 2018, at 21:05, Shumon Huque wrote: On Wed, Jun 20, 2018 at 7:30 PM Joe Abley wrote: > On Jun 20, 2018, at 19:07, Warren Kumari wrote: > > ... what I'd always wanted[0] was to be able to set up my own recursive > name server somewhere on the Internet, and then only allow myself

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Vladimír Čunát
On 06/20/2018 04:59 PM, Tom Pusateri wrote: > DNSSEC will tell you the answer you get is correct but it could be a > to a > different question or be incomplete. Can you elaborate on that point? I believe in signed zones you are able to verify almost everything, in particular existence of the

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Shumon Huque
On Wed, Jun 20, 2018 at 7:30 PM Joe Abley wrote: > On Jun 20, 2018, at 19:07, Warren Kumari wrote: > > ... what I'd always wanted[0] was to be able to set up my own recursive > name server somewhere on the Internet, and then only allow myself (and a > few of my closest friends) to be able to

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Joe Abley
On Jun 20, 2018, at 19:07, Warren Kumari wrote: ... what I'd always wanted[0] was to be able to set up my own recursive name server somewhere on the Internet, and then only allow myself (and a few of my closest friends) to be able to query it. For this particular use-case, why is SIG(0) better

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Paul Vixie
Warren Kumari wrote: ... what I'd always wanted[0] was to be able to set up my own recursive name server somewhere on the Internet, and then only allow myself (and a few of my closest friends) to be able to query it. 1: Obviously having it as an open-recursive is not the answer (e.g. it

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Warren Kumari
On Tue, Jun 19, 2018 at 5:04 PM Tony Finch wrote: > Ondřej Surý wrote: > > > > Do people think the SIG(0) is something that we should keep in DNS and > > it will be used in the future or it is a good candidate for throwing off > > the boat? > > SIG(0) is the only DNS feature that (could) allow

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Tom Pusateri
> On Jun 20, 2018, at 3:23 PM, Shane Kerr wrote: > > Ondřej, > > Ondřej Surý: >> as far as I could find on the Internet there are only SIG(0) implementations >> in a handful of DNS implementations - BIND, PHP Net_DNS2 PHP library, >> Net::DNS(::Sec) Perl library, trust_dns written in Rust and

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Shane Kerr
Ondřej, Ondřej Surý: > as far as I could find on the Internet there are only SIG(0) implementations > in a handful of DNS implementations - BIND, PHP Net_DNS2 PHP library, > Net::DNS(::Sec) Perl library, trust_dns written in Rust and perhaps others I > haven't found; no mentions of real deployment

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Tom Pusateri
> On Jun 19, 2018, at 4:48 PM, Ondřej Surý wrote: > > > Do people think the SIG(0) is something that we should keep in DNS and it > will be used in the future or it is a good candidate for throwing off the > boat? > > Ondrej As far as I can tell, SIG(0) is the only mechanism in DNS to

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Ted Lemon
You might get a kick out of this expired but soon-to-be-revived document in DNSSD: https://tools.ietf.org/html/draft-sctl-service-registration-00 The principle is a bit different than what you're doing because there's no DHCP (necessarily) involved, but otherwise it's the same basic idea. On

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Bjørn Mork
Well Mark did propose this many years ago: https://mailman.nanog.org/pipermail/nanog/2013-October/061619.html And based on that, I created a half-assed implementation using Net::DNS. Of course I never got around to polishing it up enough to actually put it into production. And definitely not

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Tony Finch
Wellington, Brian wrote: > SIG(0) was implemented in BIND 9 back when BIND 9 was basically the only > modern implementation, and no one used it then. I think the problem is it isn't a complete implementation: you can't use SIG(0) in all the places you can use TSIG. The TKEY support seems to be

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Tony Finch
Ondřej Surý wrote: > But is it really used like this? Or will it ever? My point was that SIG(0) has use cases that are currently impossible because of lack of implementations. So it's really hard to tell if it is worth the effort. It's like trying to judge the need for a bridge by counting the

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-20 Thread Mark Elkins
I run bind on my authoritative nameservers. I run linux on a number of laptops. When these laptops are provided a DHCP address, they use SIG(0) to authenticate a forwards zone update to update their current (DHCP provided) IPv4 address into the Zone. I've been doing this for years - ever since

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-19 Thread Mark Andrews
SIG(0) has miles of potential. Active Directory shows that hosts updating their own addresses is useful. SIG(0) provides a similar mechanism without the overhead of AD. It actually works well today if you spend the time to hook it into a system. What’s needed is for OS vendors to ship

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-19 Thread Wellington, Brian
SIG(0) was implemented in BIND 9 back when BIND 9 was basically the only modern implementation, and no one used it then. The fact that no servers have implemented it since then means that there really isn’t any demand. Brian > On Jun 19, 2018, at 2:20 PM, Mark Andrews wrote: > > SIG(0) is

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-19 Thread Ondřej Surý
But if nobody uses that and nobody else implements this, it sort of beats the usefulness of the feature. Ondrej -- Ondřej Surý — ISC > On 19 Jun 2018, at 23:20, Mark Andrews wrote: > > SIG(0) is much superior for machines updating their own data to TSIG as you > don’t need a secondary

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-19 Thread Mark Andrews
SIG(0) is much superior for machines updating their own data to TSIG as you don’t need a secondary storage for the TSIG key. You can replace a master server without having to worry about transferring TSIG secrets off a dead machine. You just copy the zone from a slave and go. There are

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-19 Thread Ondřej Surý
But is it really used like this? Or will it ever? Ondrej -- Ondřej Surý ond...@isc.org > On 19 Jun 2018, at 23:04, Tony Finch wrote: > > Ondřej Surý wrote: >> >> Do people think the SIG(0) is something that we should keep in DNS and >> it will be used in the future or it is a good candidate