Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

Joe Abley <jabley@hopcount.ca> Thu, 08 August 2019 19:36 UTC

From: Joe Abley <jabley@hopcount.ca>
References: <20190808185156.654657CF5A4@ary.qy>
In-Reply-To: <20190808185156.654657CF5A4@ary.qy>
Date: Thu, 08 Aug 2019 12:36:00 -0700
Message-ID: <CAJhMdTPRAu+8ep3-fndYzh10RenKa7Kabi+snajVjdyZEoGpMw@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GzFUof4WxC7O42BkBYbnushUDj4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

On Aug 8, 2019, at 14:51, John Levine <johnl@taugh.com> wrote:

> I agree with Joe's advice to limit the spec to what you need to
> interoperate.  It's a good idea to allow algorithm rollover, but I
> don't think it's useful to try and guess how people might implement
> it, or to try to invent a way to send back failure reports.
>
>
>> NEW:
>>
>> 4.1.  Verifying Multiple Digests
>>
>> If multiple digests are present in the zone, e.g., during an
>> algorithm rollover, at least one of the recipient's supported Digest
>> Type algorithms MUST verify the zone.
>
> I don't see how that's a MUST.  What else could you do?

One alternative would be for the receiver to insist that all digests
with supported algorithms match. It seems reasonable to specify that
verifying that one of them matches is sufficient to declare the zone
intact.

I realise now that you mention it that that's not exactly what the
text says, but that's how I interpreted it earlier.


Joe
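The two verification policies discussed above (the draft's "at least one supported digest verifies" versus the stricter "every supported digest must verify"), as an added example that is not part of this thread or of the draft. It assumes the hash algorithm codes later assigned in RFC 8976 (1 = SHA-384, 2 = SHA-512), a made-up code 200 for an algorithm the verifier does not implement, and a constructed byte string standing in for the canonicalised zone; the digest records are built inline so the block runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hash algorithm codes as assigned in RFC 8976 (the published form of this
# draft): 1 = SHA-384, 2 = SHA-512. Code 200 is a made-up value standing in
# for an algorithm this verifier does not implement.
HASHERS = {1: hashlib.sha384, 2: hashlib.sha512}

@dataclass(frozen=True)
class ZoneMD:
    digest_type: int
    digest: bytes

def compute_digest(canonical_zone: bytes, digest_type: int):
    """Digest of the already-canonicalised zone, or None if the type is unsupported."""
    hasher = HASHERS.get(digest_type)
    return hasher(canonical_zone).digest() if hasher else None

def verify_any(canonical_zone: bytes, records) -> bool:
    """Policy in the draft text: the zone is intact if at least one digest of a
    supported type matches. Unsupported types are skipped, so a zone carrying
    only unsupported types cannot be verified and is reported as failing."""
    for r in records:
        expected = compute_digest(canonical_zone, r.digest_type)
        if expected is not None and hmac.compare_digest(expected, r.digest):
            return True
    return False

def verify_all(canonical_zone: bytes, records) -> bool:
    """Stricter alternative raised in the thread: every digest of a supported
    type must match, so a stale digest left behind by a rollover fails the zone."""
    supported = [r for r in records if r.digest_type in HASHERS]
    if not supported:
        return False
    return all(hmac.compare_digest(compute_digest(canonical_zone, r.digest_type), r.digest)
               for r in supported)

# Constructed stand-in for the canonical zone bytes; the real ordering and
# serialisation rules of the digest scheme are out of scope here.
ZONE = b"example. 3600 IN SOA ns1.example. admin.example. 2019080801 7200 3600 1209600 3600\n"
OLD_ZONE = b"example. 3600 IN SOA ns1.example. admin.example. 2019080800 7200 3600 1209600 3600\n"

GOOD = [ZoneMD(1, compute_digest(ZONE, 1)), ZoneMD(2, compute_digest(ZONE, 2)), ZoneMD(200, b"\x00" * 48)]
# Mid-rollover mistake: the SHA-512 digest was not regenerated after the zone changed.
STALE = [ZoneMD(1, compute_digest(ZONE, 1)), ZoneMD(2, compute_digest(OLD_ZONE, 2))]
UNSUPPORTED_ONLY = [ZoneMD(200, b"\x00" * 48)]
```

The STALE set is where the two policies diverge: the draft's wording accepts the zone on the strength of the SHA-384 match, while the all-must-match reading rejects it.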