[dns-operations] Assuring the contents of the root zone

Paul Hoffman paul.hoffman at vpnc.org
Tue Dec 2 03:42:36 UTC 2014

On Dec 1, 2014, at 5:29 PM, Paul Vixie <paul at redbarn.org> wrote:
> i think you meant "zone" not "root zone" here.

I meant "root zone" because I have heard nearly no one talk about verifying other zones. If what is created works for other zones, great.
>> A signed hash meets (2) regardless of how the zone was transmitted.
> not inevitably. the verification tool would be new logic, either built into the secondary name server, or as an outboard tool available to the transfer mechanism.

Others on this list have asked for a third use case, namely zone files sitting on disk.

>  when i compare the complexity-cost of that tool to the contents of the <ftp://ftp.internic.net/domain> directory, i see that existing tools whose complexity-cost i already pay would work just fine. (those being pgp and md5sum). so, a detached signature can in some cases meet (2) far more easily than an in-band signature.

Your proposal skips over the "how do I trust this signing key" part. You might want to force everyone else to do the work you have done to get to that trust; others might want a simpler solution.

> it's also the case that rsync and similar tools (and AXFR) use TCP which most of us consider "reliable" even though its checksums aren't nearly as strong as SCTP's. therefore your problem statement "being sure they got the exact right zone" would have to refer to an MiTM, possibly inside the secondary server (if the zone receiver is a tertiary), or possibly on-path.


> in either case, to frustrate the MiTM, the proposed in-band signature would have to be DNSSEC based.

No offense, but you're making no sense. Above, you give a counter-example to that assertion.

> and there is already an in-band DNSSEC-based zone identity/coherency test -- zone walking. why would we add another way to do the same thing we could do with existing DNSSEC data?

Maybe I'm just being dense, but I'm not seeing how zone walking validates the contents of the glue records.

> i think walking the existing zone and verifying that there are no records between the nsecs and that every signature is valid and that the nsec chain ends at the apex, is simpler.

It is. Unless I'm missing something, it is also incomplete.

(And, of course, doesn't work for zones that use NSEC3...)

--Paul Hoffman

More information about the dns-operations mailing list