Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 09 October 2020 09:23 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Donald Eastlake <d3e3e3@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-zone-digest@ietf.org" <draft-ietf-dnsop-dns-zone-digest@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, "<dnsop@ietf.org>" <dnsop@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, Roman Danyliw <rdd@cert.org>
Thread-Topic: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)
Date: Fri, 9 Oct 2020 09:23:07 +0000
Message-ID: <MN2PR11MB436644FCED99A35EB7A7CD64B5080@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <160215590178.19643.8185294724542473578@ietfa.amsl.com> <CAF4+nEEkt=QXZ6OErEBdvZgw4X6bhvB9yBjRjLAgY436i_o=FQ@mail.gmail.com>
In-Reply-To: <CAF4+nEEkt=QXZ6OErEBdvZgw4X6bhvB9yBjRjLAgY436i_o=FQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-iuec2FwwKtHlTEUdtc3xz5sxuc>
Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Hi Donald,

> -----Original Message-----
> From: Donald Eastlake <d3e3e3@gmail.com>
> Sent: 09 October 2020 00:47
> To: Rob Wilton (rwilton) <rwilton@cisco.com>
> Cc: The IESG <iesg@ietf.org>; draft-ietf-dnsop-dns-zone-digest@ietf.org;
> Tim Wicinski <tjw.ietf@gmail.com>; <dnsop@ietf.org> <dnsop@ietf.org>;
> dnsop-chairs@ietf.org
> Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-
> zone-digest-12: (with COMMENT)
> 
> On Thu, Oct 8, 2020 at 7:18 AM Robert Wilton via Datatracker
> <noreply@ietf.org> wrote:
> > Robert Wilton has entered the following ballot position for
> > draft-ietf-dnsop-dns-zone-digest-12: No Objection
> >
> > ...
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > ...
> >
> >     2.2.4.  The Digest Field
> >
> >        The Digest field MUST NOT be shorter than 12 octets.  Digests for the
> >        SHA384 and SHA512 hash algorithms specified herein are never
> >        truncated.  Digests for future hash algorithms MAY be truncated, but
> >        MUST NOT be truncated to a length that results in less than 96-bits
> >        (12 octets) of equivalent strength.
> >
> > When I read this, I wonder why the limit of 12 bytes was chosen.  Possibly a
> > sentence that justifies why this value was chosen might be useful, noting that
> > the two suggested algorithms have significantly longer digests.
> 
> To me, the purpose of the limit is to establish a minimum strength
> against brute force attacks. Of course, the hash algorithm also has to
> be strong but the length of the Digest field puts a sharp limit on the
> strength of a ZONEMD.
[RW] 

I absolutely agree on specifying a minimum value.  My question is how was the minimum length of "12 bytes" chosen?  Is there some analysis performed that indicates that this is the right minimal value, or is this just a "12 bytes sounds like enough"?

Regards,
Rob


> 
> Note that for the same reason there is a similar provision from 2006
> in RFC 4635, Section 3.1, point 4, which sets a minimum size of 10
> bytes for the hashes that appear in TSIG RRs.
> 
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
> 
> >     ...
> >
> > Regards,
> > Rob
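As an added example, not part of this thread or of any implementation the draft refers to, here is a small Python checker for the Digest length rules of section 2.2.4 quoted above, applied to a constructed ZONEMD RDATA. It assumes the RDATA layout Serial (4 octets), Scheme (1), Hash Algorithm (1), Digest (rest) and the registry codes 1 = SHA-384 and 2 = SHA-512; the private-use code 240 in the sample stands in for a hypothetical future hash algorithm.

```python
import hashlib

# Hash Algorithm codes assumed from the ZONEMD registry: 1 = SHA-384, 2 = SHA-512.
# For these two the draft says digests are never truncated, so the length is fixed.
FULL_DIGEST_LEN = {1: hashlib.sha384().digest_size, 2: hashlib.sha512().digest_size}
MIN_DIGEST_OCTETS = 12  # the 96-bit floor from section 2.2.4


def check_zonemd_digest(hash_alg: int, digest: bytes) -> tuple[bool, str]:
    """Apply the section 2.2.4 length rules to one Digest field value."""
    n = len(digest)
    if n < MIN_DIGEST_OCTETS:
        return False, f"{n} octets is below the {MIN_DIGEST_OCTETS}-octet minimum"
    full = FULL_DIGEST_LEN.get(hash_alg)
    if full is not None and n != full:
        # SHA-384/SHA-512 digests must be carried whole; neither truncated nor padded.
        return False, f"hash algorithm {hash_alg} requires exactly {full} octets, got {n}"
    if full is None:
        # Unknown / future algorithm: truncation is allowed down to 12 octets.
        return True, f"unknown hash algorithm {hash_alg}; {n * 8}-bit digest accepted"
    return True, "ok"


def parse_zonemd_rdata(rdata: bytes) -> tuple[int, int, int, bytes]:
    """Split wire-format ZONEMD RDATA into (serial, scheme, hash_alg, digest)."""
    if len(rdata) < 6:
        raise ValueError("ZONEMD RDATA shorter than the fixed 6-octet header")
    serial = int.from_bytes(rdata[:4], "big")
    return serial, rdata[4], rdata[5], rdata[6:]


def validate_zonemd_rdata(rdata: bytes) -> tuple[bool, str]:
    """Parse RDATA and check its Digest field against the length rules."""
    _, _, hash_alg, digest = parse_zonemd_rdata(rdata)
    return check_zonemd_digest(hash_alg, digest)


def build_rdata(serial: int, scheme: int, hash_alg: int, digest: bytes) -> bytes:
    """Assemble wire-format RDATA; used here only to construct sample records."""
    return serial.to_bytes(4, "big") + bytes([scheme, hash_alg]) + digest


if __name__ == "__main__":
    # Constructed samples: a full SHA-384 digest, a truncated one, and a 12-octet
    # digest under a hypothetical future algorithm (private-use code 240).
    sha384 = hashlib.sha384(b"constructed zone data").digest()
    for rd in (build_rdata(2020100901, 1, 1, sha384),
               build_rdata(2020100901, 1, 1, sha384[:47]),
               build_rdata(2020100901, 1, 240, sha384[:12]),
               build_rdata(2020100901, 1, 240, sha384[:11])):
        print(validate_zonemd_rdata(rd))
```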