Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt

Shane Kerr <shane@time-travellers.org> Mon, 09 September 2019 08:03 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5081201CE for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 01:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v4zu7YFTjkVr for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 01:03:57 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44588120128 for <dnsop@ietf.org>; Mon, 9 Sep 2019 01:03:56 -0700 (PDT)
Received: from earth.zonnestelsel.tk ([2001:470:78c8:2::9]) by time-travellers.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <shane@time-travellers.org>) id 1i7EeQ-0002Db-JN for dnsop@ietf.org; Mon, 09 Sep 2019 08:03:54 +0000
To: dnsop@ietf.org
References: <156772626756.24320.17129416326124710273@ietfa.amsl.com> <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <40f9c8ae-d7bf-225f-665d-878733b482b4@time-travellers.org>
Date: Mon, 9 Sep 2019 10:03:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5AzUjV6lQ4K0YHnkJOYLl0v_HVs>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 08:04:04 -0000

Duane,

On 2019-09-06 02:01, Wessels, Duane wrote:
> 
> With this version the authors feel that it is ready for working group last call.

Sorry for a late comment, but I decided to give this one thorough last 
read-through.

I'm a little concerned that the way the Reserved field is described may 
make adoption of later versions of ZONEMD difficult. The relevant text:

2.1.3.  The Reserved Field

    The Reserved field is an 8-bit unsigned integer, which is always set
    to zero.  This field is reserved for future work to support efficient
    incremental updates.
     .
     .
     .
4.  Verifying Zone Message Digest
     .
     .
     .
    7.   The Reserved field MUST be checked.  If the Reserved field value
         is not zero, verification MUST NOT be considered successful.


The question is, what can a zone producer do to support both this 
version of ZONEMD as well as a new version? Adding a non-zero Reserved 
ZONEMD value will break any implementation using this specification.

I think what would be ideal is for non-zero Reserved values to be ignored.

If we treat non-zero Reserved the same as unknown algorithms (that is, 
using placeholders) will that be okay? It may complicate generating 
compatible ZONEMD in future ZONEMD implementations. With the envisioned 
incremental version I think it will be fine; if you want both a 
full-zone and incremental ZONEMD then it will indeed be complicated, but 
I think probably few zones will need that. I have no idea whether using 
the placeholder technique will work for more weird and wonderful later 
versions.

I suppose it is okay to reject the use case and not worry about 
compatibility, since we expect the incremental version to be used mostly 
for large zones where the current ZONEMD simply won't work... 🤔

Cheers,

--
Shane