Re: [DNSOP] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)

"Wessels, Duane" <dwessels@verisign.com> Wed, 08 January 2020 21:22 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Vixie Paul <paul@redbarn.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Wed, 08 Jan 2020 21:22:43 +0000
Message-ID: <57C19AE6-CE64-42F4-BFF1-7FD5C442CD4A@verisign.com>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com> <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com> <28189634.PH2fhW1m7e@linux-9daj>
In-Reply-To: <28189634.PH2fhW1m7e@linux-9daj>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FtATqjMkTjnBnEzdUW3inoCuC0I>
Subject: Re: [DNSOP] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)


> On Jan 8, 2020, at 12:20 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> can we please not put the ZONEMD RR at the apex, or else, can we please add an 
> ALG-ID to its rdata. because some day we're going to ship different kinds of 
> MD's, one of which is today's full-zone traversal-required version that 
> optimizes for AXFR, and another will be tomorrow's block hash that optimizes 
> for IXFR.

Paul,

The current draft already does this future proofing, although earlier revisions did not. So maybe you missed the change and maybe we haven't done a good job of making this clear.

The ZONEMD Digest Type field encodes both the hash algorithm (SHA384) and the traversal algorithm (SIMPLE).  

A future update can define a new Digest Type such as SHA384-MUMBLE in which the zone is traversed differently but the end result is still a SHA384 hash value.

The Parameter field lets you encode some Digest Type specific parameter information.  Perhaps something like Merkle tree depth, or whatever would be needed for some other traversal algorithm.

DW
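As an added example (not code from the draft or from anyone in this thread), a small Python encoder/decoder for ZONEMD RDATA that shows why bundling the hash and the traversal scheme in the Digest Type lets a verifier stay future-proof. It assumes the draft-era wire layout Serial | Digest Type | Parameter | Digest with Digest Type 1 = SHA384-SIMPLE, and uses a hypothetical value 2 for the SHA384-MUMBLE case mentioned above.

```python
"""ZONEMD RDATA encode/decode for the draft layout discussed in this thread.

Assumed layout (not stated on the page): Serial (4 bytes, big-endian) |
Digest Type (1 byte) | Parameter (1 byte) | Digest (variable length).
Digest Type 1 = SHA384-SIMPLE is assumed; value 2 is a hypothetical
placeholder for a future "SHA384-MUMBLE" traversal.
"""
import hashlib
import struct
from dataclasses import dataclass

# Registry keyed by Digest Type; each entry bundles the hash function and the
# traversal scheme, so a new traversal needs only a new registry row.
DIGEST_TYPES = {
    1: ("sha384", "SIMPLE"),   # assumed draft value
    2: ("sha384", "MUMBLE"),   # hypothetical future type, constructed here
}


@dataclass
class ZoneMD:
    serial: int
    digest_type: int
    parameter: int   # Digest-Type-specific (e.g. a tree depth for some scheme)
    digest: bytes


def encode_zonemd(z: ZoneMD) -> bytes:
    """Serialise to the assumed wire layout."""
    if not (0 <= z.serial < 2**32 and 0 <= z.digest_type < 256
            and 0 <= z.parameter < 256):
        raise ValueError("ZONEMD field out of range")
    return struct.pack("!IBB", z.serial, z.digest_type, z.parameter) + z.digest


def decode_zonemd(rdata: bytes) -> ZoneMD:
    """Parse the wire form; the digest is whatever follows the fixed header."""
    if len(rdata) < 6:
        raise ValueError("ZONEMD RDATA too short")
    serial, dtype, param = struct.unpack("!IBB", rdata[:6])
    return ZoneMD(serial, dtype, param, rdata[6:])


def classify(z: ZoneMD) -> str:
    """How a verifier should treat the record: "verify" for a known Digest Type
    whose digest length matches its hash, "unsupported" for an unknown type
    (skip, not fail, so future types do not break old verifiers), and
    "malformed" when the digest length contradicts the declared hash."""
    entry = DIGEST_TYPES.get(z.digest_type)
    if entry is None:
        return "unsupported"
    hash_name, _scheme = entry
    if len(z.digest) != hashlib.new(hash_name).digest_size:
        return "malformed"
    return "verify"
```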