Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
Shane Kerr <shane@time-travellers.org> Mon, 09 September 2019 08:03 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5081201CE for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 01:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v4zu7YFTjkVr for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 01:03:57 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44588120128 for <dnsop@ietf.org>; Mon, 9 Sep 2019 01:03:56 -0700 (PDT)
Received: from earth.zonnestelsel.tk ([2001:470:78c8:2::9]) by time-travellers.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <shane@time-travellers.org>) id 1i7EeQ-0002Db-JN for dnsop@ietf.org; Mon, 09 Sep 2019 08:03:54 +0000
To: dnsop@ietf.org
References: <156772626756.24320.17129416326124710273@ietfa.amsl.com> <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <40f9c8ae-d7bf-225f-665d-878733b482b4@time-travellers.org>
Date: Mon, 09 Sep 2019 10:03:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5AzUjV6lQ4K0YHnkJOYLl0v_HVs>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 08:04:04 -0000
Duane,
On 2019-09-06 02:01, Wessels, Duane wrote:
>
> With this version the authors feel that it is ready for working group last call.
Sorry for a late comment, but I decided to give this one thorough last
read-through.
I'm a little concerned that the way the Reserved field is described may
make adoption of later versions of ZONEMD difficult. The relevant text:
2.1.3. The Reserved Field
The Reserved field is an 8-bit unsigned integer, which is always set
to zero. This field is reserved for future work to support efficient
incremental updates.
.
.
.
4. Verifying Zone Message Digest
.
.
.
7. The Reserved field MUST be checked. If the Reserved field value
is not zero, verification MUST NOT be considered successful.
The question is, what can a zone producer do to support both this
version of ZONEMD as well as a new version? Adding a non-zero Reserved
ZONEMD value will break any implementation using this specification.
I think what would be ideal is for non-zero Reserved values to be ignored.
If we treat non-zero Reserved the same as unknown algorithms (that is,
using placeholders) will that be okay? It may complicate generating
compatible ZONEMD in future ZONEMD implementations. With the envisioned
incremental version I think it will be fine; if you want both a
full-zone and incremental ZONEMD then it will indeed be complicated, but
I think probably few zones will need that. I have no idea whether using
the placeholder technique will work for more weird and wonderful later
versions.
I suppose it is okay to reject the use case and not worry about
compatibility, since we expect the incremental version to be used mostly
for large zones where the current ZONEMD simply won't work... š¤
Cheers,
--
Shane
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digā¦ internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ Shane Kerr
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ George Michaelson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ Richard Gibson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zoneā¦ Wessels, Duane