Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt

Richard Gibson <richard.j.gibson@oracle.com> Wed, 11 September 2019 05:11 UTC

Return-Path: <richard.j.gibson@oracle.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B62E712026E for <dnsop@ietfa.amsl.com>; Tue, 10 Sep 2019 22:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVBWRSXT5N5e for <dnsop@ietfa.amsl.com>; Tue, 10 Sep 2019 22:11:04 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9022F120020 for <dnsop@ietf.org>; Tue, 10 Sep 2019 22:11:04 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x8B53r2N046201; Wed, 11 Sep 2019 05:10:58 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2019-08-05; bh=FaCP3WNHNUEnrL/yYWS4cPPf+yd7sHKn5dCl2IanzXg=; b=ojMhaJLzfnC4MaLnat94+o2cor0XBiKxfQ8BlIMXOHmck8Zz5MFkHVeTdLez+NNlqJRg 7F/6zvrkhSPQXUkcetJgq2VJ2OQ3XzhbyRQeMxwBe456JTNK8roknZwZDdDy+9Fa02YT j8L0w6HKxumcvtzmuGo9KoWD20PGRJN8MMGnU2m16VHQj7+joTPeYllH3GYJVkQRDz3s zcaoz6y5LQwOu1uc3CqjPJR17ANa7RtPg64oS+K7iPItbnsUB3xB8K1QMGJBlrgMfPet Uq9uWvqtkeQfoN8OK9W3T3pTGFqYA9m9ZGGhUEhw/f84eZbs5qbmakbcUa84H/KoomI+ +Q==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by aserp2120.oracle.com with ESMTP id 2uw1jy7c7v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Sep 2019 05:10:58 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x8B546LK063496; Wed, 11 Sep 2019 05:10:57 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserp3020.oracle.com with ESMTP id 2uxk0st1mj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Sep 2019 05:10:57 +0000
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x8B5AmmO008624; Wed, 11 Sep 2019 05:10:48 GMT
Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 10 Sep 2019 22:10:48 -0700
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>, George Michaelson <ggm@algebras.org>, Shane Kerr <shane@time-travellers.org>
Cc: dnsop WG <dnsop@ietf.org>
References: <156772626756.24320.17129416326124710273@ietfa.amsl.com> <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com> <40f9c8ae-d7bf-225f-665d-878733b482b4@time-travellers.org> <CAKr6gn2ym7JauyJBaxjKACJPQ64+5gK5yzMgY7qZggqjsJdbgg@mail.gmail.com> <915D04B3-7C54-4DA7-B6E2-A21B27B20B51@verisign.com>
From: Richard Gibson <richard.j.gibson@oracle.com>
Message-ID: <17437930-c9c7-83a5-1ed1-baa9adf36fc7@oracle.com>
Date: Wed, 11 Sep 2019 01:10:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <915D04B3-7C54-4DA7-B6E2-A21B27B20B51@verisign.com>
Content-Type: multipart/alternative; boundary="------------57CC0F31874A811FB16F975E"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9376 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1909110048
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9376 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1909110048
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CK1PE3NBMU8AoY84ZlXB202w4po>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2019 05:11:07 -0000

The following excerpts allow for and even encourage software written 
against this document in its present form to behave in ways that will 
hinder adoption of future changes, and should probably be altered in 
order to foster the desired compatibility.

Section 2 requires "Each ZONEMD RR MUST specify a unique Digest Type", 
which means that a name server written against this document would be 
justified in rejecting a zone containing both a SHA384 ZONEMD RR with 
Reserved=0 and a SHA384 ZONEMD RR with Reserved!=0.

Section 2.2 declares that "The [presentation format] Reserved field MUST 
be represented as an unsigned decimal integer set to zero", which means 
that software written against this document would be justified in 
rejecting a master file containing a ZONEMD RR with nonzero Reserved.

In Section 3.2 ZONEMD placeholder records, "The Digest field MUST be set 
to all zeroes and of length appropriate for the chosen digest 
algorithm", which may poorly accommodate variable-length digests and 
result in interoperability issues.

Section 1 anticipates "a name server can verify the zone data it was 
given and refuse to serve a zone which fails verification" but Section 4 
declares that digest verification MUST NOT be considered successful if 
"If the zone contains more than one apex ZONEMD RR" or "If the Reserved 
field value is not zero", which means that software written against this 
document would be justified in rejecting a zone containing a ZONEMD 
described by either of those conditions. This is the crux of the 
compatibility concerns, and I think it would be best corrected by 
restricting step 4 failures to zones containing "more than one apex 
ZONEMD RR /with Reserved field equal to zero and the same Digest Type/" 
and updating later steps such that they apply for each ZONEMD RR and 
failures mean "digest verification MUST NOT be considered successful 
/for that RR/".


On 9/10/19 19:18, Wessels, Duane wrote:
> Thanks Shane & George, I agree this needs some clarification.
>
> Something thats probably missing from the document is that in any future revision of ZONEMD we expect backwards compatibility.  For this version, it is expected that Reserved is set to zero.  In a future version, if the formerly reserved field can have non-zero values, then a value of zero there should produce the exact same hashes as it does in this version.
>
> I gave a presentation at DNS-OARC last year with some experiments in making large dynamic zones more efficient.  There I used the reserved field to encode the depth of a Merkle tree.  A depth of zero corresponds to effectively no tree which is the same as described in the current version.
>
> Recently Mukund posted here a proposal of his for how to store zone data in memory in a ZONEMD-compatible way.  While slightly different than my idea, I believe his also could be implemented in a way such that the reserved field encodes what the consumer needs to know about how the data should be stored and the hash computed for interoperation.
>
> If we agree that a value of zero in this field produces the same hash value in this version and future versions of ZONEMD, then shouldn't we say that it is an error to have non-zero values at this time?  If we say it is acceptable to ignore non-zero values at this time, then it would lead to incompatible hash values in the future version.
>
> DW
>
>> On Sep 9, 2019, at 2:13 AM, George Michaelson <ggm@algebras.org>; wrote:
>>
>> This is a not uncommon problem in 'make this protocol work in future' spec. It could say "for version ZERO of this protocol" and then say "future versions of this protocol should stipulate what other values mean, and how this affects handling of all-zeros state, and other states"
>>
>> Saying "must not validate" baldly basically says "will always be zero" to me -Which I think is what you're saying!
>>
>> _G
>>
>> On Mon, Sep 9, 2019 at 3:04 PM Shane Kerr <shane@time-travellers.org>; wrote:
>> Duane,
>>
>> On 2019-09-06 02:01, Wessels, Duane wrote:
>>> With this version the authors feel that it is ready for working group last call.
>> Sorry for a late comment, but I decided to give this one thorough last
>> read-through.
>>
>> I'm a little concerned that the way the Reserved field is described may
>> make adoption of later versions of ZONEMD difficult. The relevant text:
>>
>> 2.1.3.  The Reserved Field
>>
>>      The Reserved field is an 8-bit unsigned integer, which is always set
>>      to zero.  This field is reserved for future work to support efficient
>>      incremental updates.
>>       .
>>       .
>>       .
>> 4.  Verifying Zone Message Digest
>>       .
>>       .
>>       .
>>      7.   The Reserved field MUST be checked.  If the Reserved field value
>>           is not zero, verification MUST NOT be considered successful.
>>
>>
>> The question is, what can a zone producer do to support both this
>> version of ZONEMD as well as a new version? Adding a non-zero Reserved
>> ZONEMD value will break any implementation using this specification.
>>
>> I think what would be ideal is for non-zero Reserved values to be ignored.
>>
>> If we treat non-zero Reserved the same as unknown algorithms (that is,
>> using placeholders) will that be okay? It may complicate generating
>> compatible ZONEMD in future ZONEMD implementations. With the envisioned
>> incremental version I think it will be fine; if you want both a
>> full-zone and incremental ZONEMD then it will indeed be complicated, but
>> I think probably few zones will need that. I have no idea whether using
>> the placeholder technique will work for more weird and wonderful later
>> versions.
>>
>> I suppose it is okay to reject the use case and not worry about
>> compatibility, since we expect the incremental version to be used mostly
>> for large zones where the current ZONEMD simply won't work... 🤔
>>
>> Cheers,
>>
>> --
>> Shane
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop