Re: [DNSOP] Second Working Group Last Call for: Message Digest for DNS Zones
Dick Franks <rwfranks@gmail.com> Mon, 09 March 2020 06:11 UTC
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 537BF3A125D for <dnsop@ietfa.amsl.com>; Sun, 8 Mar 2020 23:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWFjWUCkzYR5 for <dnsop@ietfa.amsl.com>; Sun, 8 Mar 2020 23:11:34 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 239313A1253 for <dnsop@ietf.org>; Sun, 8 Mar 2020 23:11:34 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id h131so7288313iof.1 for <dnsop@ietf.org>; Sun, 08 Mar 2020 23:11:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=19N1jXpnI9fIY6UKsD5Gxslk14calGUFH5FhlzKuGzU=; b=P8/nrkYby3gggBbU2vBIrnPbwiqbRatxWbImdzbXH3vElPrc9ea02CjLWRbxgSTKUG IZEG3fksI+1xd2PwzusuLOWGaLP//lNGOZG9sIhR4hXgwY3BjHSykm4Pd8KR25O+2bA6 Qp/kibmuTQABvP+K6ZaboJUaJ7np4ArxcdbeM/qst8enm1J3QW/ojj6/OR2mH0JYQXGu bfk7N4Z4fSXuSGYkr9iLDAktFPogzWW8R7QtBC9yfgX288f2qB6sD0CJT6jxjEgFogOt Mk94+OGrlzuZ8wv66wWAPXiPb5a0Auw3PYoPBS4mfu8wxuGEtbNiqB8VoZVCNCdt9ygg glSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=19N1jXpnI9fIY6UKsD5Gxslk14calGUFH5FhlzKuGzU=; b=PklS6Xclpr2SkhktkSgwr0ME4SjgSC/rJmCDrobDD0zV0dk6InH9KRziqOHgyeEvke XQ7lOTfvcjtkZFg4JGI86xW24NsflavvvK8AkpZrZxL6qz5tXg+nAKi1c8bvo7xGJCf3 2QRWnXd2NHbdNVWGv3hXEf4haa4Nr/DhRdWDD52BtV0+EzSj34vO2SSea7F73Hupehr8 wbeinchuoJSjNhYfnv1jb4G09Lt8r20G6kh3lMqAQdV38B8OalQGLmz74VkX0JMiC8d2 7QR/YLOZnoClbCiHYu/Qsk9sJLbn6jGLcYA3kQCnsHOUOlRMoNrkmCINxQpytNKK7dGk oMng==
X-Gm-Message-State: ANhLgQ3eGzZnfmAg9CdmF0Zox/0Gmw8FDkEvOaLAipY0pwH+2WHwT3UY nmF665UEmlywZ8uIflbYe/8Yp0Iix6BVoUwhhWs=
X-Google-Smtp-Source: ADFU+vtLypfd2qyYyrJ3iqNnhcviFvtiWlfXlnpYIYWZuGiD69RAvKEd8cysqyXILhT5N+vxe0B2s9N3faVOibhBGb4=
X-Received: by 2002:a6b:f718:: with SMTP id k24mr12178391iog.186.1583734293237; Sun, 08 Mar 2020 23:11:33 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+GDfbaAKz9iAWVH=TP=2A3hr9iGhTarayAEjgF5TrnvXQ@mail.gmail.com>
In-Reply-To: <CADyWQ+GDfbaAKz9iAWVH=TP=2A3hr9iGhTarayAEjgF5TrnvXQ@mail.gmail.com>
From: Dick Franks <rwfranks@gmail.com>
Date: Mon, 09 Mar 2020 06:10:57 +0000
Message-ID: <CAKW6Ri6YbMKquv7sMqK5D4OH7Z=h-zuvmUXqfUG2NpJdu91ooA@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>, "Wessels, Duane" <dwessels@verisign.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9plPm0THJbz7VPoov5JRDiSch7A>
Subject: Re: [DNSOP] Second Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 06:11:50 -0000
draft-ietf-dnsop-dns-zone-digest-04 is still a work in progress, with a
number of internal contradictions to be resolved.
[1.2 para 1]
... The procedures for digest calculation and DNSSEC
signing are similar (i.e., both require the same ordering of RRs) and
can be done in parallel.
There is no requirement for the RR collating sequence be the same as
DNSSEC, otherwise it would be impossible for there to be more than one
scheme.
[3.1 para 1]
In preparation for calculating the zone digest, any existing ZONEMD
+ and covering RRSIG
records at the zone apex are first deleted.
[3.1 para 1]
Prior to calculation of the digest, and prior to signing with DNSSEC,
a placeholder ZONEMD record is added to the zone apex.
reword as follows:
Prior to calculation of the digest, and prior to signing with DNSSEC,
exactly one placeholder ZONEMD record is added to the zone apex.
[3.1 para 5]
reword as follows:
If multiple digests are to be published in the zone, e.g., during an
algorithm rollover, each digest calculation is performed independently
using the placeholder for the corresponding Scheme and Hash Algorithm.
[3.2]
s/signature(s)/signature/
There can never be more than one.
[3.3] and [3.3.1]
This specification adopts DNSSEC's canonical on-the-wire RR format
(without name compression) as specified in [RFC4034].
RR(i) = owner | type | class | TTL | RDATA length | RDATA
where "|" denotes concatenation.
The record collating sequence is scheme specific.
[3.4 bullet 3]
o Only one instance of duplicate RRs with equal owner, class, type
and RDATA SHALL be included ([RFC4034] Section 6.3).
This seems to detract from the idea of a general purpose comparison
advertised in 1.3.5. If unexpected duplicate RRs were to be present in
the original zone, the downstream copy should be expected to match,
warts and all.
[3.5.1 para 5]
Needs to be incorporated into 3.3.
[3.6]
reword:
Once a zone digest has been calculated, the published ZONEMD record
is finalised by inserting the digest into the placeholder ZONEMD.
Repeat for each digest if multiple digests are to be published.
If the zone is signed with DNSSEC, the RRSIG record covering
the ZONEMD RRSet MUST then be added or updated.
Dick Franks
________________________
- [DNSOP] Second Working Group Last Call for: Messa… Tim Wicinski
- Re: [DNSOP] Second Working Group Last Call for: M… Tim Wicinski
- Re: [DNSOP] Second Working Group Last Call for: M… Dick Franks
- Re: [DNSOP] Second Working Group Last Call for: M… Mark Andrews
- Re: [DNSOP] Second Working Group Last Call for: M… Dick Franks
- Re: [DNSOP] Second Working Group Last Call for: M… Wessels, Duane
- Re: [DNSOP] Second Working Group Last Call for: M… Wessels, Duane
- Re: [DNSOP] Second Working Group Last Call for: M… Michael StJohns
- Re: [DNSOP] Second Working Group Last Call for: M… Michael StJohns
- Re: [DNSOP] Second Working Group Last Call for: M… Tim Wicinski