Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

"Wessels, Duane" <dwessels@verisign.com> Tue, 07 January 2020 22:34 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Michael StJohns <msj@nthpermutation.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Tue, 07 Jan 2020 22:33:52 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3eyS3xqBwJBS42jO4uvUXqCF8t4>


> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> 
> As I suggested in one of my messages, giving an idea of how long it takes to digest various sizes of zones given commodity hardware would be a good start.   Going on and talking about the ratio of that time to the typical update frequency of the zone  (e.g. zone digest 5 minutes, transfer time of 10 minutes, zone update 24 hours  - ratios of 1:288 and 1:144 are probably acceptable;   zone digest of 30 minutes, transfer time of 2 hours and an update of every 4 hours - ratios of 1:8 and 1:2  are probably stretching it)

Would text like this address your concern?

7.  Performance Considerations

   This section is provided to make zone publishers aware of the
   performance requirements and implications of including ZONEMD RRs in
   a zone.

7.1.  SHA384-SIMPLE

   As mentioned previously, SHA384-SIMPLE may not be appropriate for use
   in zones that are either large or highly dynamic.  Zone publishers
   should carefully consider the use of ZONEMD in such zones, since it
   might cause consumers of zone data (e.g., secondary name servers) to
   expend resources on digest calculation.  Furthermore, for such use
   cases, it is recommended that ZONEMD only be used when digest
   calculation time is significantly less than propagation times and
   update intervals.

   The authors' implementation (Section 10.1) includes an option to
   record and report CPU usage of its operation.  The software was used
   to generate digests for more than 800 TLD zones available from [CZDS].
   The table below summarizes the results for SHA384-SIMPLE, grouped
   by zone size.  The Rate column is the mean amount of time per RR to
   calculate the digest, running on commodity hardware at the time of
   this writing.

                 +---------------------+----------------+
                 |     Zone Size (RRs) | Rate (msec/RR) |
                 +---------------------+----------------+
                 |             10 - 99 |        0.00683 |
                 |           100 - 999 |        0.00551 |
                 |         1000 - 9999 |        0.00505 |
                 |       10000 - 99999 |        0.00602 |
                 |     100000 - 999999 |        0.00845 |
                 |   1000000 - 9999999 |         0.0108 |
                 | 10000000 - 99999999 |         0.0148 |
                 +---------------------+----------------+

   For example, based on the above table, it takes approximately 0.13
   seconds to calculate a SHA384-SIMPLE digest for a zone with 22,000
   RRs, and about 2.5 seconds for a zone with 300,000 RRs.
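
An added example, not part of the original message and not the authors' implementation: it measures a msec/RR rate on local hardware for a constructed zone and expresses the result as the 1:N ratios used in the quoted message. Assumptions: the zone holds only synthetic A records under a made-up origin, byte-wise sorting stands in for DNSSEC canonical ordering, and the function names are hypothetical; it approximates the hashing cost and is not a conforming ZONEMD calculation.

```python
import hashlib
import struct
import time


def wire_name(name):
    """Lowercased, uncompressed wire-format owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def wire_a_rr(owner, ttl, addr):
    """owner | TYPE=A | CLASS=IN | TTL | RDLENGTH | RDATA"""
    rdata = bytes(int(octet) for octet in addr.split("."))
    return wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def synthetic_zone(n, origin="example."):
    """Constructed test data: n A records under a made-up origin."""
    return [wire_a_rr(f"host{i}.{origin}", 3600, f"192.0.2.{i % 256}")
            for i in range(n)]


def digest_zone(rrs):
    """Sort, then SHA-384 over all RRs. Returns (digest, msec per RR).
    Byte-wise sorting stands in for DNSSEC canonical ordering (assumption)."""
    start = time.perf_counter()
    h = hashlib.sha384()
    for rr in sorted(rrs):
        h.update(rr)
    digest = h.digest()
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return digest, elapsed_ms / max(len(rrs), 1)


def update_ratios(digest_s, transfer_s, update_s):
    """The N in the 1:N ratios from the quoted message:
    (update interval / digest time, update interval / transfer time)."""
    return update_s / digest_s, update_s / transfer_s


if __name__ == "__main__":
    _, rate = digest_zone(synthetic_zone(20000))
    projected_s = rate * 300000 / 1000.0  # project to a 300,000-RR zone
    print(f"measured {rate:.5f} msec/RR, 300k RRs ~ {projected_s:.2f} s")
    # Hypothetical zone: 10-minute transfer, updated every 4 hours.
    print("1:%.0f digest, 1:%.0f transfer" %
          update_ratios(projected_s, 600, 4 * 3600))
```

The measured rate depends on the machine and on RR sizes, so compare it with the table above only as an order of magnitude.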