Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification
Matthijs Mekking <matthijs@pletterpet.nl> Wed, 04 April 2018 10:31 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD21812711A for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpNqkfud4RKk for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:31:39 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9815126DEE for <dnsop@ietf.org>; Wed, 4 Apr 2018 03:31:38 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w34AOWeV035043; Wed, 4 Apr 2018 10:31:38 GMT
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2h4vtq01v5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 04 Apr 2018 10:31:37 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w34AQaEh030529 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 Apr 2018 10:26:37 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w34AQYP8032572; Wed, 4 Apr 2018 10:26:36 GMT
Received: from [172.19.129.14] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 04 Apr 2018 03:26:34 -0700
To: Frederico A C Neves <fneves@registro.br>
Cc: dnsop@ietf.org
References: <20180329184513.GF62218@registro.br> <c62db666-fc1b-8ef8-8fbb-42443e1b69a0@pletterpet.nl> <20180404013246.GE10662@registro.br>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <e8f1874c-1be5-2ca5-d3fd-e733234833d6@pletterpet.nl>
Date: Wed, 04 Apr 2018 12:26:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180404013246.GE10662@registro.br>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8852 signatures=668697
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804040107
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-xa69Bpc9EsNwTAYGbqlWVhh_m8>
Subject: Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 10:31:43 -0000
Hi Frederico, On 04-04-18 03:32, Frederico A C Neves wrote: > Hi Matthijs, > > On Tue, Apr 03, 2018 at 02:37:12PM +0200, Matthijs Mekking wrote: >> Hi Frederico, >> >> On 03/29/2018 08:45 PM, Frederico A C Neves wrote: >>> I was looking at our server to evaluate the MIXFR implementation and >>> it seams to me that the current text covering dnssec aware client >>> logic don't take in account that a posterior record at the addition >>> section, by an MIXFR DNSSEC aware server, will implicitly replace the >>> RRSIG RRset. >> >> I am unclear what case you are covering. > > Any situation that you have an updated RRset. It is implicit that > you'll have to update the signature, so I was arguing that this is > afterward covered by 3.6 Replace a RRset. My "simplified" logic take > this in account to don't impose this extra logic at the client for > updated RRsets, only for removed RRsets, explicit or when a removal of > RR causes it. I get it now, thanks for clarifying. Still, I think the savings in complexity is minimal, since the logic should exist for RR deletion, so it's a small effort to also enable it for RR addition. Looking at your examples, there is very little difference on the wire. So it would only be for client logic purposes I assume. I doubt that the logic is simplified though: If you want to prevent implicit RRSIG deletion in the "Replace RRset" case, you now have to have logic to verify there is no RR in the addition section of the MIXFR. Note that implicit RRSIG deletion is idempotent, so it does not matter if two RRs in the MIXFR trigger it. Best regards, Matthijs > So the actual difference on the wire is one server replacing the RRSIG > and the other adding it. For the client processing is RRSIG removal > logic only at RRset removal in one case and at any change for the > other. Bellow a zone at serial 1 and 2 and the two MIXFR versions. > > example. IN SOA serial=1 > example. IN RRSIG SOA > a.example. IN A 192.0.2.1 > a.example. IN RRSIG A > b.example. IN A 192.0.2.2 > b.example. IN A 192.0.2.3 > b.example. IN RRSIG A > > example. IN SOA serial=2 > example. IN RRSIG SOA > b.example. IN A 192.0.2.3 > b.example. IN A 192.0.2.4 > b.example. IN RRSIG A > c.example. IN A 192.0.2.5 > c.example. IN RRSIG A > > > # "simplified MIXFR" > example. IN SOA serial=2 > example. IN SOA serial=1 > a.example. ANY A > b.example. IN A 192.0.2.2 > example. IN SOA serial=2 > b.example. IN A 192.0.2.4 > b.example. ANY RRSIG A > c.example. IN A 192.0.2.5 > c.example. IN RRSIG A > example. IN SOA serial=2 > > # "implicit RRSIG removal at any change" > example. IN SOA serial=2 > example. IN SOA serial=1 > a.example. ANY A > b.example. IN A 192.0.2.2 > example. IN SOA serial=2 > b.example. IN A 192.0.2.4 > b.example. IN RRSIG A > c.example. IN A 192.0.2.5 > c.example. IN RRSIG A > example. IN SOA serial=2 > >> >>> Logic could be simplified only to Deletions of RRs, when they conclude >>> a removal of a RRset, or RRsets by itself. >> >> No, also if there is an RR addition, it means the RRset has changed, so >> existing RRSIG records can be implicitly removed. >> > > That is true but in this case you imply that it will be later added. I > was proposing to replace it. >>> All the other cases, addition or replacement, will be covered >>> automatically by an addition or replace of a RRSIG RRset. There is no >>> need to extra client logic to remove RRSIG, at addition of a RR, and >>> at deletion of a RR if it not remove the RRset. >> >> Note there is no such thing as an RRSIG RRset. I tried to clarify this >> in the terminology bis document: > > So how do you call, two RR for the same name, type and class in a > double signed zone? Never mind I was not aware of this, thanks! Change > "a RRSIG RRset" by "any RRSIGs" and the logic still stands. > >> >> https://www.ietf.org/mail-archive/web/dnsop/current/msg22118.html >> >> Note that adding an RRSIG is different than replacing an RRSIG. > > Ok, but we could achive the same end result with both logics and > operations. > >> >>> This is documented as issue #10 and includes proposed text. >>> >>> https://github.com/matje/mixfr/issues/10 >> >> I think it makes more sense to keep the text as is, that is when >> changing an RRset implicitly remove the corresponding RRSIG records. I >> am opposed to only removing corresponding RRSIG on a RR deletion. >> > > I think my version is easyer imposing less checks on clients but I can > live with the current text > > I just realized the draft needs a new example for 4.2. The current one > is based on "Delete All RRsets of a Type". This operations was removed > in the current version of the draft. > >> Best regards, >> Matthijs > > Fred >
- [DNSOP] mixfr - issue #10 - Client RRSIG logic si… Frederico A C Neves
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Mark Andrews
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Frederico A C Neves
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Joe Abley
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Mark Andrews
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking