IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Thu, 12 September 2019 18:06 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860F3120164 for <dnsop@ietfa.amsl.com>; Thu, 12 Sep 2019 11:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOUak6PJkm24 for <dnsop@ietfa.amsl.com>; Thu, 12 Sep 2019 11:06:47 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B351120152 for <dnsop@ietf.org>; Thu, 12 Sep 2019 11:06:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=14430; q=dns/txt; s=VRSN; t=1568311607; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=ev8xLsye2B0P9KbQDOAmN5xBJTqoDwAFQ0b1tOmRvp4=; b=Kn51akOLvY0p7Gth4E8ddaWgxO8kbIpkCZy6NFZ+OgecEo0ECTqXVIXg PZnJ8l92yP8HnEcUWeYHV0rbIvoz3RMVKFjR2+9plKTGno7xg3kW7cyB8 VLZlNwYfh5fAldtdMZa1cTJSul1ddOS90Ouu4IzYqx5/WoGRKVAhCY31E fWD5u4KgvNvCRgSCpP65SpVanNND/9q292HRvuxoZyjU/ndtZWmziePFE n4iPdLBRWUurCkfMQ3MSzQiPhA9JnfyN/PZmLd+K2zGGAFkereNt6nVlQ BIsLagTXIVIXU6F4q8Da88TtAc33TPuWS98rz//jEYwKYZXfND7GD2Zp6 A==;
X-IronPort-AV: E=Sophos; i="5.64,498,1559534400"; d="p7s'?scan'208"; a="8361341"
IronPort-PHdr: 9a23:5dunKBeigESGtwGWYFADIzyhlGMj4u6mDksu8pMizoh2WeGdxc27YByN2/xhgRfzUJnB7Loc0qyK6vumATFLuM/Q+DBaKdoQDkVD0Z1X1yUbQ+e9QXXhK/DrayFoVO9jb3RCu0+BDE5OBczlbEfTqHDhpRQbGxH4KBYnbr+tQt2agMu4zf299IPOaAtUmjW9falyLBKrpgnNq8Uam4RvJrs/xxfTvndFe+tayX51KV+Xgh3w4tu88IN5/ylfpv4t6dRMXbnmc6g9ULdVECkoP2cp6cPxqBLNVxGP5nwSUmUXlhpHHQ3I5wzkU5nyryX3qPNz1DGVMsPqQ780Xy+i77pwRx/zlCgHLT85/3rJhcF2kalWvQiupx17w47TfYGVKP9zdb7TcN8GWWZMWNtaWjdfCY2gcYQAE+sBPf5Zr4bjoVsOsQC+DhSoCO/21zNEmmP60ag83u88Ew/JwRYgEsoOvnrKsdv1KKkcX+O7zKbKyjvDbu9Z1jjm5YjHbhwhpOuBXbJsfcfTz0QkCgPLjk+XqYzgJz6Z2OQCvHaA7+p7S+2vj3UnpxlsqTah28cjkI/JiZwbxlvZ8ih23Yg0KsOjSE5gf9GkFIBQujqEN4RoWMMiQnpouCc1yr0Ao5K0YC8KyJE+yhPZdveJfY+I4hf5W+aQJzd1nHNld6yjhxa860Sgzff8Vsay3V1XrSRFisHBum0R2xDJ98SKSPVw8l281TuP2Q3f8O5JLEMsmabGN5It2KM8m5gPvUjZAyP7l0b7gLWLekgn4uSo5frob7b6qpKZMoJ7kALzP6A1lcG6D+k0LBUBUmme9Oun0LDu/E/0TbBEg/A4kKTWrZbXLtkBqKGjGQ9ayIMj5g66DzehzdsXg2EKLElAeBKbl4jpPEzOIOzgAfe/nVuslDBryujbM7P9GpvBM3jMnq/uc7l890JQ1RA/zc5D6JJTELEBOOj/VVXsu9DCEB85KRe0w+D9BNph0YMeXHqDAq6fMKzMrV+F/v8jL/WWaIMIujvwJeIp6+PugHI3g1MQcqqk0YMSaH+iH/RmJ0uZYWDrgtcECWoFowQ/Q/LxiF2ZTzFTY22yUrki5j4lEoKmDJzDRoGigLyHxiu0AppWZmVeBlCWDXjob5mEW+sLaC+KOM9hkyALVbi7RI87yB6irg36x6BoLurV4SIYrpXj1N5u6u3UjxE97yB7D8CD3G2XU250mWYITScs3K9juUx91kuD0a9gjvxXGtxT4uhEXR0+NZ7T0eN1EMryVRjaftuTT1amWNqmCykrTt0t298Of1p9G9K6gxDY3yqlGbkVmKKQCZwo86Lc2mb+K99hy3bczqYhkUcpQs9LNWK4nK5/7BLfB4nTk0WWj6yqb7gT3DbR9GefymqDpFxXUAhrUaXCRXASfUrWosrl5kPMVbOuDq4nMgQSgfKFf5FLYd3gl1kOa/bpI9PYKzarmmywDAyEgLHKY4vgYGIb9CLHAUMAnkYY+nPQZiYkASL06V3TFydjEUmrK2/x+O9z4jvvQlA51BqHa1ZJybev+wUUivraQPQWiOFX8Bw9oil5SQ7ul+ndDMCN8k84JP1R
X-IPAS-Result: A2FGAABniHpd/zCZrQpmGgEBAQEBAgEBAQEHAgEBAQGBZ4FpgRyBLwqEF5BqJYNslyUICQEBAQEBAQEBAQMEARgLDAEBAoFJgnQCgwE4EwIMAQEBBAEBAQEBBgMBAQEChhcMgjopAWFrAQEBAQEBAQEBAQEBAQEBAQEBARYCRBIBARgBAQEBAgEBASFLCwULAgEGAhgqAgICJQslAgQOBQ6DFAGBex6PPptvgTKKNwoGgTSBUYo/gUE+gREnDBOBTn4+gmEBAYFLFRiCdDKCJgSVAZdGAweCIYM+gi2GI4kEgjSLYYp1o1yDEQIEAgQFAhWBaYF6cBU7KgGCQT6CDxiIY4U/cwGNVSuBBIEjAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 12 Sep 2019 14:06:44 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Thu, 12 Sep 2019 14:06:44 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Richard Gibson <richard.j.gibson@oracle.com>
CC: George Michaelson <ggm@algebras.org>, Shane Kerr <shane@time-travellers.org>, dnsop WG <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
Thread-Index: AQHVaZTWPt7nXMvMykWTEhA2PDl1RA==
Date: Thu, 12 Sep 2019 18:06:44 +0000
Message-ID: <243414A0-1701-41F1-9F3F-4C13F1F943E6@verisign.com>
References: <156772626756.24320.17129416326124710273@ietfa.amsl.com> <F32CBA84-2D35-4AA6-AB37-BA24D6F023E2@verisign.com> <40f9c8ae-d7bf-225f-665d-878733b482b4@time-travellers.org> <CAKr6gn2ym7JauyJBaxjKACJPQ64+5gK5yzMgY7qZggqjsJdbgg@mail.gmail.com> <915D04B3-7C54-4DA7-B6E2-A21B27B20B51@verisign.com> <17437930-c9c7-83a5-1ed1-baa9adf36fc7@oracle.com>
In-Reply-To: <17437930-c9c7-83a5-1ed1-baa9adf36fc7@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.9.1)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_1349E35F-49C0-47C1-BFB5-A23CEE0A15A5"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FUQWLId-Uc5O6Q4hcTMKWm0tGH4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2019 18:06:51 -0000

Hi Richard, thanks for the review.

This and the earlier messages makes me think that perhaps it would be better to bump the digest type (while possibly using the same hash algorithm) in a future revision, when the reserved field takes on meaning.



> On Sep 10, 2019, at 10:10 PM, Richard Gibson <richard.j.gibson@oracle.com> wrote:
> 
> The following excerpts allow for and even encourage software written against this document in its present form to behave in ways that will hinder adoption of future changes, and should probably be altered in order to foster the desired compatibility.
> 
> Section 2 requires "Each ZONEMD RR MUST specify a unique Digest Type", which means that a name server written against this document would be justified in rejecting a zone containing both a SHA384 ZONEMD RR with Reserved=0 and a SHA384 ZONEMD RR with Reserved!=0.
> 
> Section 2.2 declares that "The [presentation format] Reserved field MUST be represented as an unsigned decimal integer set to zero", which means that software written against this document would be justified in rejecting a master file containing a ZONEMD RR with nonzero Reserved.
> 
> In Section 3.2 ZONEMD placeholder records, "The Digest field MUST be set to all zeroes and of length appropriate for the chosen digest algorithm", which may poorly accommodate variable-length digests and result in interoperability issues.

Are there really variable length digests whose length would not be known at the time of placeholder creation?  If so then it would be better to just omit the digest field from the digest calculation.


> 
> Section 1 anticipates "a name server can verify the zone data it was given and refuse to serve a zone which fails verification" but Section 4 declares that digest verification MUST NOT be considered successful if "If the zone contains more than one apex ZONEMD RR" or "If the Reserved field value is not zero", which means that software written against this document would be justified in rejecting a zone containing a ZONEMD described by either of those conditions. This is the crux of the compatibility concerns, and I think it would be best corrected by restricting step 4 failures to zones containing "more than one apex ZONEMD RR with Reserved field equal to zero and the same Digest Type" and updating later steps such that they apply for each ZONEMD RR and failures mean "digest verification MUST NOT be considered successful for that RR".

Yes, this is a good catch.  That was sort of leftover from when there was only going to be one ZONEMD.  It needs to be updated for multiple digests.

DW


> 
> On 9/10/19 19:18, Wessels, Duane wrote:
>> Thanks Shane & George, I agree this needs some clarification.
>> 
>> Something thats probably missing from the document is that in any future revision of ZONEMD we expect backwards compatibility.  For this version, it is expected that Reserved is set to zero.  In a future version, if the formerly reserved field can have non-zero values, then a value of zero there should produce the exact same hashes as it does in this version.
>> 
>> I gave a presentation at DNS-OARC last year with some experiments in making large dynamic zones more efficient.  There I used the reserved field to encode the depth of a Merkle tree.  A depth of zero corresponds to effectively no tree which is the same as described in the current version.
>> 
>> Recently Mukund posted here a proposal of his for how to store zone data in memory in a ZONEMD-compatible way.  While slightly different than my idea, I believe his also could be implemented in a way such that the reserved field encodes what the consumer needs to know about how the data should be stored and the hash computed for interoperation.
>> 
>> If we agree that a value of zero in this field produces the same hash value in this version and future versions of ZONEMD, then shouldn't we say that it is an error to have non-zero values at this time?  If we say it is acceptable to ignore non-zero values at this time, then it would lead to incompatible hash values in the future version.
>> 
>> DW
>> 
>> 
>>> On Sep 9, 2019, at 2:13 AM, George Michaelson <ggm@algebras.org>
>>>  wrote:
>>> 
>>> This is a not uncommon problem in 'make this protocol work in future' spec. It could say "for version ZERO of this protocol" and then say "future versions of this protocol should stipulate what other values mean, and how this affects handling of all-zeros state, and other states"
>>> 
>>> Saying "must not validate" baldly basically says "will always be zero" to me -Which I think is what you're saying!
>>> 
>>> _G
>>> 
>>> On Mon, Sep 9, 2019 at 3:04 PM Shane Kerr 
>>> <shane@time-travellers.org>
>>>  wrote:
>>> Duane,
>>> 
>>> On 2019-09-06 02:01, Wessels, Duane wrote:
>>> 
>>>> With this version the authors feel that it is ready for working group last call.
>>>> 
>>> Sorry for a late comment, but I decided to give this one thorough last 
>>> read-through.
>>> 
>>> I'm a little concerned that the way the Reserved field is described may 
>>> make adoption of later versions of ZONEMD difficult. The relevant text:
>>> 
>>> 2.1.3.  The Reserved Field
>>> 
>>>     The Reserved field is an 8-bit unsigned integer, which is always set
>>>     to zero.  This field is reserved for future work to support efficient
>>>     incremental updates.
>>>      .
>>>      .
>>>      .
>>> 4.  Verifying Zone Message Digest
>>>      .
>>>      .
>>>      .
>>>     7.   The Reserved field MUST be checked.  If the Reserved field value
>>>          is not zero, verification MUST NOT be considered successful.
>>> 
>>> 
>>> The question is, what can a zone producer do to support both this 
>>> version of ZONEMD as well as a new version? Adding a non-zero Reserved 
>>> ZONEMD value will break any implementation using this specification.
>>> 
>>> I think what would be ideal is for non-zero Reserved values to be ignored.
>>> 
>>> If we treat non-zero Reserved the same as unknown algorithms (that is, 
>>> using placeholders) will that be okay? It may complicate generating 
>>> compatible ZONEMD in future ZONEMD implementations. With the envisioned 
>>> incremental version I think it will be fine; if you want both a 
>>> full-zone and incremental ZONEMD then it will indeed be complicated, but 
>>> I think probably few zones will need that. I have no idea whether using 
>>> the placeholder technique will work for more weird and wonderful later 
>>> versions.
>>> 
>>> I suppose it is okay to reject the use case and not worry about 
>>> compatibility, since we expect the incremental version to be used mostly 
>>> for large zones where the current ZONEMD simply won't work... šŸ¤”
>>> 
>>> Cheers,
>>> 
>>> --
>>> Shane
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> 
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> 
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> 
>> _______________________________________________
>> DNSOP mailing list
>> 
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email