Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-10.txt
Michael StJohns <msj@nthpermutation.com> Thu, 24 September 2020 01:27 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 945753A1647 for <dnsop@ietfa.amsl.com>; Wed, 23 Sep 2020 18:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UZgA2W4nEia9 for <dnsop@ietfa.amsl.com>; Wed, 23 Sep 2020 18:27:50 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D943A1646 for <dnsop@ietf.org>; Wed, 23 Sep 2020 18:27:50 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id a4so1658004qth.0 for <dnsop@ietf.org>; Wed, 23 Sep 2020 18:27:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=qqNV5HHRrRo1NEkS7q0yVqiWzM1M5Vzx+d6+OwJtLBU=; b=S8mzE9Hd6avih9uAXj1NIOTdfJzNijkXuLHFxoIN0BC33H61Sztxsxdh2O1KdW+fmh YlvICKHTnLIuEYIe1lTe7iUdaGQ4Wf1JVpSZ/7hopqzVCPacEMVAk8Btp+NAwr22wGpT TNEwCUiC33tt1OXjEi996ou1Ptxb7Qud+50HVN4Sw5peYInZAGTVZ/4L23LscBmXgj+u ODMAQ+Fsvf8WinF9IRrANNKuJiz/26NyMZRaiiwl8QcYQvWtAcbv2nci5S6wQiElnlaL k4w5P0MUhSy3EIytg67j930ud/BHsAx9Za9G5e19zezSdTgy3T7COOLUdeArVsfEr6Wz uSLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=qqNV5HHRrRo1NEkS7q0yVqiWzM1M5Vzx+d6+OwJtLBU=; b=mt/8kjj0I46yfMGfS95EdF0nZiPY6AjvJ3FZSpx3mIp3Nn6VqxsE8GuSkMqivl/oE8 mJPhnH9sCCc6roFgJblgC1i8Ampw9QECTmKIZOFssj0qwIRn+KUk9A1yjlt4lc6sZP9Q qb9t+RDKCkHlFbPObAbNDLwDEqMtVM2lLP4KiYeGTsWxF/mQ15cvarUC1P9QQihhBDBK OB3Ly8ratku/x8ddbRTID1OmTQgWh4Y2BCCac1ZzxV+WQaQ/fPktcCZueVOzvKhLpXot IY9duT0e64p3lYKrsie9vpYlOx7iIeTLAsqcnbKDLEYTSc6ZctZEGHXc2mazNXC/Dn/D LXKw==
X-Gm-Message-State: AOAM530UVCWb3O3980bf1Q8hg4JJQUrG7d2pGou0BM6Y8Da7BIBIlyp6 fxi+P53wUtDHwUgL/TD/BWEBXle6Dftko7gtuEQ=
X-Google-Smtp-Source: ABdhPJwUSKVj8f4Imtb4yDjKF9gNmgMwWt5/KDt/Ulu3zhn1pcFKlDrgrDSiq0ZUCWbMM8zPFegdOg==
X-Received: by 2002:ac8:fa4:: with SMTP id b33mr3155432qtk.13.1600910868849; Wed, 23 Sep 2020 18:27:48 -0700 (PDT)
Received: from [192.168.1.22] (pool-108-28-189-254.washdc.fios.verizon.net. [108.28.189.254]) by smtp.gmail.com with ESMTPSA id g14sm1176671qkk.38.2020.09.23.18.27.48 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 23 Sep 2020 18:27:48 -0700 (PDT)
To: dnsop@ietf.org
References: <160071009516.32585.7690187581775122560@ietfa.amsl.com> <a96ab6c1-59e8-170b-2272-ba274fbcfc45@nthpermutation.com> <CAF4+nEHG4vGjV8VeSb752KXwt-R8A965ZhLeOPDhJyp5+OqTWg@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <666c68c6-9a3d-c597-63d7-eb88cbfb37cc@nthpermutation.com>
Date: Wed, 23 Sep 2020 21:27:46 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEHG4vGjV8VeSb752KXwt-R8A965ZhLeOPDhJyp5+OqTWg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0HKf4g4oYNGdTUus5H5ASYl-aUk>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-10.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 01:27:52 -0000
On 9/23/2020 9:11 PM, Donald Eastlake wrote: > Hi, > > Replying on just one point: > > On Mon, Sep 21, 2020 at 2:27 PM Michael StJohns <msj@nthpermutation.com> wrote: >> ... >> >> 2.2.4 - SHA384 has a hash length of 48 bytes. 12 bytes seems to imply >> some sort of left or right truncation. Show stopper! Explain how this >> value was selected and how it interacts with the native length of the >> chosen hash. Note: I have no trouble with truncated hashes here, but no >> modern hash has less than 20 bytes so 12 seems to be a very strange >> number absent a discussion of truncated hashes. > Well, previously the draft said that the length of the digest field > must be larger than zero. Do you think that the previous text implied > you could truncate to 1 byte? There is nothing in the draft about > truncation. No - I assumed it was the full hash. E.g. "the field can't be empty" is somewhat equivalent to "the length of the digest field must be greater than zero". > This is intended to prohibit any future hash algorithm specification > (which could include a truncation operation) for ZOMEND that results > in less than 12 bytes. 96 bits seems to be a common minimum length for > disgests in the IETF although perhaps I have that impression due to > the common case of SHA-1 truncated to 96 bits. However, I note that > RFC 4635 on "HMAC SHA TSIG Algorithm Identifiers", issued in 2006, > prohibits hashes less than 10 bytes or 80 bits. If the draft is going > to specify a minimum length, I think it should be at least 96 bits. Begging still the question of whether or not the current ZONEMD hashes can be truncated and still be acceptable as long as they're 12 bytes or longer on production and transmission. The language is ambiguous and could cause interoperability problems. Something more like "The current hashes for the SIMPLE scheme all require production and inclusion of the entire length of the hash. Future hashes MAY be truncated, but MUST not be truncated to a length that's less than an equivalent to 96 bits of strength - e.g. 12 bytes for the SHA 2 and 3 family of hashes." Later, Mike > > Thanks, > Donald > =============================== > Donald E. Eastlake 3rd +1-508-333-2270 (cell) > 2386 Panoramic Circle, Apopka, FL 32703 USA > d3e3e3@gmail.com >
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-dig… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Michael StJohns
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Barry Leiba
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Donald Eastlake
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone… Michael StJohns