IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 23 July 2018 20:40 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB009130E25 for <dnsop@ietfa.amsl.com>; Mon, 23 Jul 2018 13:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BbtU7Hn0CdYs for <dnsop@ietfa.amsl.com>; Mon, 23 Jul 2018 13:40:03 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF07A130DF0 for <dnsop@ietf.org>; Mon, 23 Jul 2018 13:40:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8002; q=dns/txt; s=VRSN; t=1532378402; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=UypdtzIottMODlNQ9tzh7WcAOY0j9QNz9iqObRpwVS8=; b=WA7gf9FPz6CC+RuM6Dz89QK1FmfGjjXtKBdKfNvGMEhidj9LU4gk4ESx BEojrbnHohQ+K0YjILco60Jk6QE7x6UD27NBborFwPhfONfa3bhoZHkfW QLNhlz55NLPhxwkcRi0CssdPEkxfoHWk6PW4ZfBlW1Xp5nBah8r0YXl3L vCvVU28Y+UgmMAW+1A3yt0gOM816+WpV2qMxT8yIfYPBqskznMdkbXL/d W2uGNZO1h6ExWjQ+aIbVl69tjwyckPgUNgzjFdQxIuGJk529rQKrAu1e8 vYSuEsSjenbpeldlwTWTeL+JiSQhBYji9PQtX9bwbik4DrquYDF3HUM6H w==;
X-IronPort-AV: E=Sophos; i="5.51,394,1526356800"; d="p7s'?scan'208"; a="5285199"
IronPort-PHdr: 9a23:5qrzYRZExBJzhFLqRXso/73/LSx+4OfEezUN459isYplN5qZrsm7bnLW6fgltlLVR4KTs6sC17KI9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCa8bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjm58axlVAHnhzsGNz4h8WHYlMpwjL5AoBm8oxBz2pPYbJ2JOPZ7eK7WYNEUSndbXstJVyJPHJ6yb5cBAeQCM+ZXrYj9qEcBohalCgmgGObvxyVUinPqw6E31fkqHwHc3AwnGtIDqHrYo9XrO6cJSuC60q3IzS7bY/hL1zn99ZLHchY/rv2CQLl9dtfeyEcxGAPelVWft4jlPyiO2+QTrWeb9etgVfmui24orQF9uCSgxsApioTQgI8e117K9SJ8wIkvJN24TlZ2Yd+6H5tMuSGWLYx2QtktQ2xupS00yaUGtIamcCQW0pgr2hzSZvKdf4SV4h/uWvydLDh7iX59Zb6zmwy+/VWix+HgTMW4zVlHoylfntXRtX0BzxLT5daER/dh+0qs3CyA2gPX5+5fJE05m7TXJIMgz7M1jZUetUXOEy3zlUj4gqKbdFgr9+614Or9eLrmvIWTN4pshwH7NaQhh9KwDPwjMggLQ2ib4eO81KD//UHhQLVFkPk2kq7BvZ3HOcoVvrO1DA9N3Igs6hmzEyqq3M4GnXYbK1JFYgqHg5LzNF7TOvz4E+2/g0+qkDtx2//GObjhDo3MLnjFjrjhYa5w51NAxAYp0NxS5ZxZBqscLP/zVEL9rtPVAxwhPwyx2ennCdF91o0EWWKIB6+UKL7dsFGW6eI0OOmDeosVuC3mJvg7+fHul345mUQcfamm25sbcmy3HvNjI0mBe3rjns8BEXsWvgo5VOHqhlODXCVOaHmsWaIz+Co0BJi4AofFRoGth6aN0zqlEZdOfGBJFkiMEWv0d4WDQ/oDdSSSItRmkjwcTrWhSpEu1Q2gtAPgzLpnNOXUqWUkssfN0N9v5uTV3S4/9Dl5FYzJ3X6lQ2xyk2lOSjkn2+ZzrBou5E2E1P0yvPFDDtFX/LcBfhozM5OWh7h2FN3pQQ/FZf+XRUynWdSpB3c6SddnkIxGWFp0B9j31kOL5CGtGbJA0uXTXJE=
X-IPAS-Result: A2GCAQDDO1Zb/zCZrQpcGgEBAQEBAgEBAQEIAQEBAYQwgScKmjmVPYF6CAMYCwuEPgKDPzUXAQIBAQEBAQECAQECgQUMgjUkAQ4vHD0BAQEBAQFQAkQsAQEBAQIBAQFsCQIFCwIBCA4KLgIlCyUCBA4FDoMSAYF3F60lEYJPhF2FZQoFilo+gREngmqDGwEBhRKCJAKZbAMGAoNhgVmXZpF6AgQCBAUCFIFDAYIIcBU7KgGCPoIkGBGISIU+b4t8K4EBgRsBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 23 Jul 2018 16:40:01 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 23 Jul 2018 16:40:01 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Florian Weimer <fw@deneb.enyo.de>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUIsVTbj3wO2UQsEec4YxM0ySR4A==
Date: Mon, 23 Jul 2018 20:40:00 +0000
Message-ID: <445C5C76-06B3-4F0B-BB7E-FD0254E26019@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <87h8kp7sqf.fsf@mid.deneb.enyo.de>
In-Reply-To: <87h8kp7sqf.fsf@mid.deneb.enyo.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_C7B8C4BA-F7DD-452C-A09C-7CCC024D1761"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5pAb15BlBFpfN20x_sqKikefdRk>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 20:40:05 -0000

I wouldn't be opposed to this in principle -- say an RR count field.  

For this to be useful in an unsigned zone then all you need is for the ZONEMD (with RR count field) to be received early in the AXFR.  If it is at the end then this field doesn't help.

For a signed zone, we'd have to think about whether the ZONEMD record should be DNSSEC validated before trusting the RR count field.  If yes then you need the signatures and NSEC* records too, so it becomes sort of complex when you'd be able to trust and check the RR count.

But it seems to me like this is better suited to be a feature of AXFR in general, rather than ZONEMD.

DW


> On Jul 23, 2018, at 10:43 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> 
> The ZONEMD record should contain a size indicator for the zone,
> something that allows a receiver to stop downloading if it is clear
> that the served zone is too large.  Otherwise, the receiver has to
> download the entire zone before it can determine that the hash does
> not match.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email