IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

神明達哉 <jinmei@wide.ad.jp> Fri, 25 May 2018 18:33 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FBA812DFE0 for <dnsop@ietfa.amsl.com>; Fri, 25 May 2018 11:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.445
X-Spam-Level:
X-Spam-Status: No, score=-0.445 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.248, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aJina6xwrSl for <dnsop@ietfa.amsl.com>; Fri, 25 May 2018 11:33:40 -0700 (PDT)
Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61C97127286 for <dnsop@ietf.org>; Fri, 25 May 2018 11:33:40 -0700 (PDT)
Received: by mail-wm0-f41.google.com with SMTP id l1-v6so16966323wmb.2 for <dnsop@ietf.org>; Fri, 25 May 2018 11:33:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=TyYXGDEQZB8sqwlNwQpu8b9bXAnDNVBSqaepv/EzBWw=; b=OjbxBUCo6/ioYaxy5u8cqN5pXXhjOX+C2e3RtktC0x7o3h1kZKc4f8lxv3GP1Bg1M6 7/XDRzPM6nfeYRsv3YQfTwG+8JK/okbnI/kB/APTbZHQ08HmCi9n2ja3NWyIzg9ghiEK Cduz9e0235Navwumc08245vODCBztPrxAQ6hP5J/LyMzxKLVbR29Jo2FQ9BLA6iuJyWH eKmPfJ8dZZENYKa2jegfUUobksSqeNSlodQtiZJm5Tr6dpS0VcN5mMa503MPtFiCsRfd bhVCRQelUTn0m7yvnQmSCuGbpTRC1Yh4O1i6Aalh1KfPt65VNroDwFLIoLfLulJOPxjE Purw==
X-Gm-Message-State: ALKqPweXj7PXDzOKDCsHznuUzEOHjK3mr516uCc0oEwYO9MAv3DC+Xbb Y2vy/8zj9KRzrfXpkGDPlQuYxawZiW7r5YiQ2r7RGGm6
X-Google-Smtp-Source: ADUXVKLCinJaq/lNVlc44eidef3t/4frr7tnZ7R8L8kxdmd7ncvpuk7MmznwdmC4oKfYIbDT0gePQMuU8/daKNnGZog=
X-Received: by 2002:a2e:934f:: with SMTP id m15-v6mr2405258ljh.39.1527273218693; Fri, 25 May 2018 11:33:38 -0700 (PDT)
MIME-Version: 1.0
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com>
In-Reply-To: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 25 May 2018 11:33:27 -0700
Message-ID: <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com>
To: mweinberg=40verisign.com@dmarc.ietf.org
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6BQELYXiE36UEASk0ueBKx-1czI>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2018 18:33:43 -0000

At Wed, 23 May 2018 15:32:11 +0000,
"Weinberg, Matt" <mweinberg=40verisign.com@dmarc.ietf.org> wrote:

> We’ve posted a new version of draft-wessels-dns-zone-digest.  Of note,
this -01 version includes the following changes:
[...]
> We plan to ask for time on the dnsop agenda in Montreal.  Your feedback
is welcome and appreciated.

I've read the draft.  I have a few high level comments and specific
feedback on the draft content:

- It was not really clear exactly what kind of problem this digest
   tries to solve, especially given that the primarily intended usage
   is for the root zone, which is DNSSEC-signed with NSEC.  In that
   primary case we should be able to check the integrity of the
   entire zone with DNSSEC (including a complete list of authoritative
   names and RR types for each name), right?  One thing I can think of
   is integrity including glue records, but it's not clear from the
   draft whether the digest includes these records (see also below),
   and even if so, it seems to be a relatively minor addition.  So I'm
   wondering I'm missing something very trivial.  Even so, it would be
   nice to clarify the intended advantage(s) over DNSSEC-based
   integrity check for the root zone case.

- This digest can't be incrementally updated, that is, you'll need to
   calculate the digest over the entire zone even if just a single
   record is modified (am I correct?).  That's probably an inevitable
   cost for the motivation of providing cryptographically strong
   integrity check, but that's a pity for me.  One case I know of where
   things like "zone digest" is wanted is to ensure consistency for a
   very large zone between primary and secondary servers that are
   synchronized using IXFR.  In principle they must be consistent, but
   operators may want to have a lightweight (albeit not
   cryptographically strong) way to confirm no unexpected events (such
   as an implementation bug) quietly broke the consistency.  Perhaps
   such usage is just outside the scope of this proposal, but I first
   expected I could use it for this kind of purpose it was a bit
   disappointing and I wanted to mention it.

Specific comments:

- Section 4.1

    This specification adopts DNSSEC's canonical ordering for names
    (Section 6.1 of [RFC4034]), and canonical ordering for RRs within an

   This means upper case letters in owner names are converted to lower
   case ones.  It could be considered a feature, but I guess some
   operators might want to check integrity including letter case of
   names.  For example, recent versions of ISC BIND 9 tries quite hard
   to preserve the letter case of owner names per RRset basis, which I
   think suggests operator needs for preserving the case as much as
   possible.

- Section 4.1.2

    [...]  However, according to the
    requirement to sort RRsets with the same owner name by type, the SOA
    RR (type value 2) might not be first in the digest calculation.  If
    the zone has an A RR (type value 1) at the apex, it MUST be processed
    before the SOA RR.

   SOA's type value is 6, not 2.  This also means you might rather want
   to use NS (type value 2) instead of A, since you don't need to add
   'if', as long as the zone is reasonably valid to have both SOA and
   NS.

- Section 4.4

    The zone digest is calculated by concatenating the canonical on-the-
    wire form of RRs in the zone, in the order described above, subject
    to the inclusion/exclusion rules described below, and then applying
    the digest algorithm:

   I wonder whether glue records are included in these RRs.  Either
   way, it would be better to clarify the point.

- Section 4.5

    If the zone is signed with DNSSEC, the appropriate RRSIG records
    covering the ZONEMD record MUST then be added.  Because the ZONEMD
    placeholder was added prior to signing, the zone will already have
    the appropriate denial-of-existence (NSEC, NSEC3) records.

   I would suggest clarifying that this 'resigning' MUST NOT change the
   SOA serial (it MUST NOT, right?).  It may depend on specific
   implementation or operational practices, but I know of
   implementations that increase the serial for every such incremental
   resigning.  So it would be prudent to explicitly note that this case
   is an exception for such practices.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email