[rssac-caucus] FOR REVIEW: RSSAC FAQ

Wessels, Duane dwessels at verisign.com
Tue Feb 27 00:12:32 UTC 2018


> On Feb 26, 2018, at 3:57 PM, Shumon Huque <shuque at gmail.com> wrote:
> 
> 
> Hi Duane and others,
> 
> I don't think this is correct. TSIG authenticates an entire DNS message using a keyed hash (specifically HMAC-MD5, HMAC-SHA256, etc) computed over the message contents and some metadata. Assuming TSIG is being used to authenticate zone transfers, then each constituent DNS message in the zone transfer will have a TSIG signature placed in the OPT TSIG record. So in fact TSIG does protect zone transfers and will be able to detect corrupted transfers or MITM'd content.

Ah, thanks for clarifying that.  I should've read the TSIG RFC more carefully.  I withdraw my objection to "protected"!

another attempt:

The transfer of the root zone file from the Root Zone Maintainer (RZM) to the individual RSOs occurs via the DNS zone transfer protocols (AXFR in RFC 5936 and IXFR in RFC 1995).  These zone transfer messages are protected by the use of TSIG resource records as described in RFC 2845. This is a reliable protocol and we are not aware of any incidents of data corruption.  Furthermore, since the root zone is signed, incorrect or falsified answers can be detected by DNSSEC validators.  RSSAC encourages all recursive name server operators to enable DNSSEC validation when possible.


> And it's also impossible. 
> 
> Paraphrasing what I said in my earlier note in this thread, which most people seemed to have ignored: DNSSEC can't validate the *full* contents of a zone if the zone has any non-authoritative data in it. This is abundantly true for the root zone (it has many child NS sets and glue address records - those don't have DNSSEC signatures so can't be validated). Nor was DNSSEC designed to fulfill that function. 

Yes, agreed.  I did gloss over that point.

DW
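To make concrete what "protected by the use of TSIG" in the draft FAQ text means, here is an added worked example (mine, not part of this thread and not code from the RZM or any RSO): it signs a DNS message with a TSIG RR per RFC 2845 using HMAC-SHA256 and then verifies it, showing that a single flipped bit in the covered message, a wrong key, or a stale timestamp causes verification to fail. The key name, shared secret, timestamp and the AXFR query for the root are constructed sample values, and the message builder is deliberately minimal (one question, no compression); both are assumptions of the demo, not anything the thread states.

```python
"""Constructed TSIG (RFC 2845) signing and verification of a DNS message with HMAC-SHA256.
Key name, secret, timestamp and the query are made-up sample values for this demo."""
import hashlib
import hmac
import struct

KEY_NAME = "rzm-rso-xfer-key."                    # assumed TSIG key name (not a real RZM/RSO key)
KEY_SECRET = b"example-shared-secret-for-demo"    # assumed shared secret
ALGORITHM = "hmac-sha256."                         # RFC 4635 algorithm name
TSIG_TYPE, CLASS_ANY, QTYPE_AXFR = 250, 255, 252
TIME_SIGNED = 1519690352                           # constructed "now": 2018-02-27 00:12:32 UTC


def encode_name(name: str) -> bytes:
    """DNS wire-format name, lowercased (the canonical form used in the TSIG digest)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at msg[off:], handling compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2                         # a pointer terminates the name
        off += 1 + msg[off]
    return off + 1


def build_query(qname: str, qtype: int, msg_id: int) -> bytes:
    """Minimal DNS query: 12-byte header plus one question, class IN."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2): name, class, TTL,
    algorithm, 48-bit time signed, fudge, error, other length and other data."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret: bytes, message: bytes, time_signed: int, fudge: int,
                error: int = 0, other: bytes = b"") -> bytes:
    """HMAC over the unsigned message followed by the TSIG variables (single-message case)."""
    data = message + tsig_variables(time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign(message: bytes, secret: bytes = KEY_SECRET, time_signed: int = TIME_SIGNED, fudge: int = 300) -> bytes:
    """Append a TSIG RR to the additional section and increment ARCOUNT."""
    mac = compute_mac(secret, message, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))   # original ID, error = 0, other len = 0
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def verify(signed: bytes, secret: bytes = KEY_SECRET, now: int = TIME_SIGNED) -> bool:
    """Check the trailing TSIG RR: key name, algorithm, timestamp window and MAC.  Any change to
    the covered bytes (header, question, every other RR) changes the MAC and fails the check."""
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):              # every RR except the last, which must be the TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start, off = off, skip_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if signed[tsig_start:off].lower() != encode_name(KEY_NAME) or (rtype, rclass) != (TSIG_TYPE, CLASS_ANY):
        return False
    off += 10
    alg_end = skip_name(signed, off)
    if signed[off:alg_end].lower() != encode_name(ALGORITHM):
        return False
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    tail = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other = signed[tail + 6:tail + 6 + other_len]
    if orig_id != msg_id or abs(now - time_signed) > fudge:
        return False
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]   # message as before signing
    return hmac.compare_digest(mac, compute_mac(secret, unsigned, time_signed, fudge, error, other))


if __name__ == "__main__":
    axfr = sign(build_query(".", QTYPE_AXFR, 0x1234))
    tampered = axfr[:14] + bytes([axfr[14] ^ 0x01]) + axfr[15:]   # flip one bit in the question's QTYPE
    print("genuine:", verify(axfr), "tampered:", verify(tampered),
          "wrong key:", verify(axfr, secret=b"other"), "stale:", verify(axfr, now=TIME_SIGNED + 3600))
```

This covers the single-message digest only; for the multi-message responses a root zone AXFR actually produces, RFC 2845 section 4.4 chains each message's MAC over the previous MAC, so a dropped or reordered message is also detected. Note what the check does and does not give: a valid MAC proves the bytes came unmodified from a holder of the shared key, but says nothing about whether the zone content the RZM sent is correct, which is where the DNSSEC point raised in the thread comes in.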



