Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-02.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 28 October 2019 21:32 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: dnsop WG <dnsop@ietf.org>
Date: Mon, 28 Oct 2019 21:32:46 +0000
Message-ID: <C9B7ADD2-5D9B-4A2A-BB5E-6335B36CB96F@verisign.com>
References: <157229744669.16151.1847387329475971355@ietfa.amsl.com>
In-Reply-To: <157229744669.16151.1847387329475971355@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2zCBkBXc_wEthD8RBpx4PC2iKH4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-02.txt

Dear DNSOP,

Following working group feedback on the -01 version, the draft has been updated to reflect the following changes:

1) Whereas previously the Digest Type field conveyed only the hashing algorithm to be used, now the Digest Type also conveys how the hash value is constructed from the zone data.  The one defined hash algorithm SHA384 has been renamed to SHA384-STABLE to reflect that it is designed for use on stable (or small) zones where it is not burdensome to recalculate the digest over the entire zone data each time.  A future Digest Type might also use SHA384 for hashing, but further describe the use of hash trees or similar for efficient digests of large/dynamic zones.

2) What used to be known as the Reserved field is now known as the Parameter field.

3) The meaning of the Parameter field now depends on Digest Type.  For SHA384-STABLE the Parameter field is not used and SHOULD always be zero, but for future digest types it will not necessarily be zero.

4) Fixed a leftover bug stating that multiple ZONEMD RRs were not allowed.

Feedback welcome as always.

DW


> On Oct 28, 2019, at 2:17 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>        Title           : Message Digest for DNS Zones
>        Authors         : Duane Wessels
>                          Piet Barber
>                          Matt Weinberg
>                          Warren Kumari
>                          Wes Hardaker
>        Filename        : draft-ietf-dnsop-dns-zone-digest-02.txt
>        Pages           : 29
>        Date            : 2019-10-28
> 
> Abstract:
>   This document describes an experimental protocol and new DNS Resource
>   Record that can be used to provide a message digest over DNS zone
>   data.  The ZONEMD Resource Record conveys the message digest data in
>   the zone itself.  When a zone publisher includes a ZONEMD record,
>   recipients can verify the zone contents for accuracy and
>   completeness.  This provides assurance that received zone data
>   matches published data, regardless of how the zone data has been
>   transmitted and received.
> 
>   ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC protects
>   individual RRSets (DNS data with fine granularity), ZONEMD protects
>   a zone's data as a whole, whether consumed by authoritative
>   name servers, recursive name servers, or any other applications.
> 
>   As specified at this time, ZONEMD is not designed for use in large,
>   dynamic zones due to the time and resources required for digest
>   calculation.  The ZONEMD record described in this document includes
>   fields reserved for future work to support large, dynamic zones.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-02
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-zone-digest-02
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dns-zone-digest-02
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
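The following is an added illustration of the record layout and verification flow that the -02 changes describe (Serial, Digest Type, Parameter, Digest; SHA384-STABLE recomputing over the whole zone; Parameter expected to be zero for SHA384-STABLE; more than one ZONEMD RR permitted). It is example code written for this page, not the draft's own algorithm or any implementation's code. Assumptions: the Digest Type registry number `1` for SHA384-STABLE, a text-based canonical ordering in place of the draft's wire-format canonicalization, exclusion of ZONEMD RRs from the hashed input, and a verifier policy that accepts the zone when any supported ZONEMD RR matches. The zone contents are constructed sample data.

```python
"""Simplified ZONEMD-style zone digest: build and verify (added example)."""
import hashlib
import hmac
from typing import List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata) in presentation form

# Registry value assumed for this example; the announcement names the
# algorithm SHA384-STABLE but this number is a placeholder.
DIGEST_TYPE_SHA384_STABLE = 1


def canonical_order(zone: List[RR]) -> List[RR]:
    """Deterministic ordering before hashing. The draft orders RRs in
    canonical wire form (RFC 4034 section 6); sorting presentation-form
    fields is a simplification made for this example."""
    return sorted(zone, key=lambda rr: (rr[0].lower(), rr[2], rr[3]))


def sha384_stable_digest(zone: List[RR]) -> bytes:
    """SHA384-STABLE as the announcement describes it: hash the entire zone
    again on every change. ZONEMD RRs are left out of the input so the
    digest does not depend on itself (assumption for this example)."""
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in canonical_order(zone):
        if rtype == "ZONEMD":
            continue
        h.update(f"{owner.lower()} {ttl} {rtype} {rdata}\n".encode())
    return h.digest()


def soa_serial(zone: List[RR]) -> int:
    """Serial is the third SOA RDATA field: MNAME RNAME SERIAL ..."""
    for _owner, _ttl, rtype, rdata in zone:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA")


def make_zonemd(zone: List[RR], apex: str, ttl: int = 3600) -> RR:
    """Publisher side: Serial, Digest Type, Parameter (zero for
    SHA384-STABLE), Digest as hex."""
    digest = sha384_stable_digest(zone).hex()
    rdata = f"{soa_serial(zone)} {DIGEST_TYPE_SHA384_STABLE} 0 {digest}"
    return (apex, ttl, "ZONEMD", rdata)


def verify_zone(zone: List[RR]) -> Tuple[bool, List[str]]:
    """Recipient side: accept if at least one ZONEMD RR with a supported
    Digest Type matches a freshly computed digest. Several ZONEMD RRs may
    be present; unsupported types are skipped, not treated as failures."""
    notes: List[str] = []
    serial = soa_serial(zone)
    expected = None
    ok = False
    for owner, _ttl, rtype, rdata in zone:
        if rtype != "ZONEMD":
            continue
        fields = rdata.split()
        rr_serial, dtype, param = int(fields[0]), int(fields[1]), int(fields[2])
        if rr_serial != serial:
            notes.append(f"ZONEMD serial {rr_serial} != SOA serial {serial}")
            continue
        if dtype != DIGEST_TYPE_SHA384_STABLE:
            notes.append(f"Digest Type {dtype} not supported here; skipped")
            continue
        if param != 0:
            notes.append(f"Parameter {param} is not zero for SHA384-STABLE")
        if expected is None:
            expected = sha384_stable_digest(zone)  # computed once per zone
        # Constant-time comparison of the published and recomputed digests.
        if hmac.compare_digest(expected, bytes.fromhex(fields[3])):
            ok = True
        else:
            notes.append(f"digest mismatch at {owner}")
    if not any(rr[2] == "ZONEMD" for rr in zone):
        notes.append("no ZONEMD RR present")
    return ok, notes


def sample_zone() -> List[RR]:
    """Constructed sample zone (not real data)."""
    return [
        ("example.", 3600, "SOA", "ns1.example. admin.example. 2019102801 7200 3600 1209600 3600"),
        ("example.", 3600, "NS", "ns1.example."),
        ("ns1.example.", 3600, "A", "192.0.2.1"),
        ("www.example.", 300, "A", "192.0.2.10"),
    ]


def tamper(zone: List[RR]) -> List[RR]:
    """Alter one A record, as an in-transit modification would."""
    return [(o, t, ty, "192.0.2.99" if (o, ty) == ("www.example.", "A") else rd)
            for o, t, ty, rd in zone]


if __name__ == "__main__":
    z = sample_zone()
    published = z + [make_zonemd(z, "example.")]
    print(verify_zone(published))          # (True, [])
    print(verify_zone(tamper(published)))  # (False, ['digest mismatch at example.'])
```

The verifier recomputes the digest once and reuses it for every ZONEMD RR in the zone, which matters for SHA384-STABLE because each computation covers the whole zone; a future Digest Type using hash trees would change `sha384_stable_digest`, not the surrounding record handling.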