Re: [DNSOP] IETF 102 Hackathon: prototype implementation of draft-wessels-dns-zone-digest-02

Shane Kerr <> Thu, 19 July 2018 14:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BF4371310F0 for <>; Thu, 19 Jul 2018 07:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zJ2ZMCG8XNMm for <>; Thu, 19 Jul 2018 07:26:21 -0700 (PDT)
Received: from ( [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 67775130F13 for <>; Thu, 19 Jul 2018 07:26:18 -0700 (PDT)
Received: from [2001:67c:370:128:72e7:8f03:3ad9:63f1] by with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1fg9up-0007ML-EM for; Thu, 19 Jul 2018 14:28:23 +0000
References: <> <>
From: Shane Kerr <>
Message-ID: <>
Date: Thu, 19 Jul 2018 10:26:13 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] IETF 102 Hackathon: prototype implementation of draft-wessels-dns-zone-digest-02
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jul 2018 14:26:34 -0000


On 2018-07-18 14:36, Wessels, Duane wrote:
>> It seems to work, although since I have no other implementation to compare against I can't be sure that the digest values are in any way correct.
> My own implementation, alluded to in the draft, is here:
> I have a few test cases in the Tests directory.

Duane sent me a mail off-list and after minor tweaks on both sides it 
seems like the two implementations now interoperate.

>> * It might be worth mentioning that names are expected to be
>>   uncompressed. It's kind of obvious, but it might trick up some
>>   implementations.
> The draft says "It also adopts DNSSEC's canonical RR form (Section 6.2 of [RFC4034])" in one place and "calculated by concatenating the canonical on-the-wire form of all RRs" later.  I wouldn't object to being more explicit.  Do you want to propose some text or shall I take a stab?

I think just adding like this is enough:

"calculated by concatenating the canonical on-the-wire form, without 
name compression, of all RRs"

>> * The TTL of the ZONEMD record has to come from somewhere. It can either
>>   come from configuration or pulled from somewhere else (I used the TTL
>>   of the SOA record). This should be documented.
> I also used the SOA TTL in my implementation.  I can make that a recommendation in the draft.

Someone pointed out to me that since ZONEMD is meta-data we don't really 
expect it to be queried normally, and a TTL of 0 is a reasonable default.

My own feeling is that I would like ZONEMD to be a "normal" record 
outside of zone generation, so assume that it can and will be queried 
just like any other record. (This is also an open question in the 
current draft, IIRC.)

In the current draft we already have to look at the SOA to get the 
serial, so using the TTL is straightforward. If we remove serial from 
the ZONEMD then TTL from the SOA might be less obvious, but I think it 
will still be the best default.