Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
"John Levine" <johnl@taugh.com> Tue, 07 January 2020 01:22 UTC
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8904F1200CE for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 17:22:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=q67UNFAG; dkim=pass (1536-bit key) header.d=taugh.com header.b=JEc6h6SY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqEFhMOFcNZD for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 17:22:46 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 830EF120041 for <dnsop@ietf.org>; Mon, 6 Jan 2020 17:22:46 -0800 (PST)
Received: (qmail 9150 invoked from network); 7 Jan 2020 01:22:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=23bc.5e13dd65.k2001; i=printer-iecc.com@submit.iecc.com; bh=ZQgwVrfuSa2zrbrN4YZXR8lVQdhR7zfrHseKLnoUnHY=; b=q67UNFAGXF6OB+a9cXPGa98Njcq5TgCyqiA4oY0rJ617wgpWWLW6uI7se09HeBkCvnyK9W36vsWJ6tO4KJf4d/ucByITPUnqd2f1jYl1upEj/VaCisYA78uLA4JD10b8V6vLcz4nR8L83cjBWjBsOWMLiAKn0zlcXwflj1hPnJkdV+AiBqAyhiMkzlfFlGeH7n562pQX3KZ8QJfYGmTSih1rYPXxFaksEZfgmNMANC7nyJYEXr95xdykr6UZTCVA
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=23bc.5e13dd65.k2001; olt=printer-iecc.com@submit.iecc.com; bh=ZQgwVrfuSa2zrbrN4YZXR8lVQdhR7zfrHseKLnoUnHY=; b=JEc6h6SYZ272PNfbgedDc1lP5wRmsuzX5haSLc4lotlF+g3n82KKMLrR0ENaZwFbg9il7CP4qj17bEoG6vpC8MN+XSPtOsAA9js0oVevxlPrPbTcYQ6V+KdZK53nrK9rgBiqTXz7wzuOmm9RCK2WPBn9BF5Ap2t2+JFn9uemTmLA4Flj9LStXQOEM3g9G4PeZmP2wnXn51CWThLNVXiFf/+I2swb3dLgQgc1wRJPJ++R7Z7INbSzvghfeFN2Q/Dx
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, printer@iecc.com) via TCP6; 07 Jan 2020 01:22:45 -0000
Received: by ary.qy (Postfix, from userid 501) id 6FBA21207DBC; Mon, 6 Jan 2020 20:22:44 -0500 (EST)
Date: Mon, 06 Jan 2020 20:22:44 -0500
Message-Id: <20200107012244.6FBA21207DBC@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: dwessels@verisign.com
In-Reply-To: <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/20OjXS4Rp51I3EQ9UhZOyWQggXE>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 01:22:47 -0000
In article <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com> you write: >I am reluctant to add this. As John said, I think it won't age well. I think there is no obvious size at which to make >a recommendation. For uses cases such as CZDS / zone file access, I see no harm at all to add ZONEMD for even very large >zones. What might be missing is a paragraph that says those that publish ZONEMD records need to be aware of the possible >consequences it would have on the consumers of their zone data. Perhaps rather than going in circles about this, you could offer some advice on how to estimate how long computing and verifying the signature is likely to take. For signing, I'd think that once you have the zone signed, it should be in the correct order and it's a linear pass over the zone to compute the signature. If your DNSSEC signing software is amenable, you might as well do them both at the same time. For verifying, it's a potential N log N sort of the zone isn't in canonical order, then a linear pass over it. Then wave your hands and say if you can't do all that fast enough, perhaps you should refrain from signing and/or verifying the zone, keeping in mind that "fast enough" is totally subjective and dependent on the situation. >The current text was agreed to during earlier working group discussion. The problem with "ignore" (as John points out) >is that it could mean the non-apex RR should be omitted from the zone. > >At one point the document said that non-apex ZONEMD was forbidden, with the implication that if found the whole zone >should be rejected. Similar to what you might do with a non-apex SOA. But that seemed pretty harsh and in the end we >settled on the current text. I'd suggest going back to MUST NOT. Yes, it's harsh, but if someone is sticking a ZONEMD in the middle of the zone, something is wrong and as I keep saying, I'd rather not try to guess how to kludge around someone else's mistake. >> 8) 3.4.1, there is no reason whatsoever to make the setting of the parameter field a SHOULD here. MUST is correct. > >As I said above I'm willing to make this a MUST, but I disagree there are no reasons whatsoever. > >I think one legitimate reason would be to avoid ossification, or what I think they call GREASE in the TLS world. Grease is fine but in that case I'd change the language to make it clear that the parameter field is an arbitrary value included in the hash. That means you can now have two different valid SHA384-SIMPLE ZONEMDs with same serial and digest type which doesn't obviously break anything but makes me nervous. R's, John
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine