Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Florian Weimer <> Tue, 24 July 2018 07:10 UTC

From: Florian Weimer <>
To: "Wessels\, Duane" <>
Cc: dnsop <>
Date: Tue, 24 Jul 2018 09:06:22 +0200
In-Reply-To: <> (Duane Wessels's message of "Mon, 23 Jul 2018 20:40:00 +0000")

* Duane Wessels:

> I wouldn't be opposed to this in principle -- say an RR count field.  

That doesn't really bound the amount of transferred data, I think,
because RR size can still vary widely.  I believe something that
counts the hashed bytes would be more helpful and about as easy to

> For this to be useful in an unsigned zone then all you need is for the
> ZONEMD (with RR count field) to be received early in the AXFR.  If it
> is at the end then this field doesn't help.
> For a signed zone, we'd have to think about whether the ZONEMD record
> should be DNSSEC validated before trusting the RR count field.  If yes
> then you need the signatures and NSEC* records too, so it becomes sort
> of complex when you'd be able to trust and check the RR count.

Could you query it before the transfer?

> But it seems to me like this is better suited to be a feature of AXFR
> in general, rather than ZONEMD.

It depends on what you want to achieve with ZONEMD.  If you want to
prevent trivial, but potentially persistent DoS attacks with custom
root servers, you need it in ZONEMD.
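An added illustration of the point raised above, that an RR count does not bound transferred data while a count of hashed bytes does (example code written for this page, not from the draft or either poster; the bound field names, the canonical RR form and SHA-384 are assumptions):

```python
import hashlib

# Constructed model of an AXFR stream whose first record carries transfer
# bounds. Field names, the canonical RR form and SHA-384 are assumptions
# for illustration, not the draft's wire format.

def canonical_rr(name, rtype, rdata):
    """One RR in an assumed canonical text form used as hash input."""
    return f"{name.lower()} {rtype} {rdata}\n".encode()

def receive_axfr(records, max_rr=None, max_hashed_bytes=None):
    """Hash records as they arrive; abort as soon as a declared bound is exceeded.

    Returns (digest_hex, rr_count, hashed_bytes) on success and raises
    ValueError naming the violated bound otherwise, so a bogus transfer is
    stopped before it can consume unbounded memory or bandwidth.
    """
    h = hashlib.sha384()
    rr_count = hashed_bytes = 0
    for name, rtype, rdata in records:
        wire = canonical_rr(name, rtype, rdata)
        rr_count += 1
        hashed_bytes += len(wire)
        if max_rr is not None and rr_count > max_rr:
            raise ValueError(f"RR count bound {max_rr} exceeded")
        if max_hashed_bytes is not None and hashed_bytes > max_hashed_bytes:
            raise ValueError(f"hashed-bytes bound {max_hashed_bytes} exceeded")
        h.update(wire)
    return h.hexdigest(), rr_count, hashed_bytes

# Constructed zones with identical RR counts; the second hides one huge TXT.
SMALL = [("example.", "SOA", "ns1.example. hostmaster.example. 1 2 3 4 5"),
         ("example.", "NS", "ns1.example."),
         ("www.example.", "A", "192.0.2.1")]
BLOATED = SMALL[:2] + [("www.example.", "TXT", "x" * 1_000_000)]

def bound_accepts(records, **bounds):
    """True if the transfer completes under the given bounds, else False."""
    try:
        receive_axfr(records, **bounds)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # An RR-count bound taken from the small zone still admits the bloated one;
    # a hashed-bytes bound taken the same way rejects it.
    _, n, size = receive_axfr(SMALL)
    print("rr-count bound admits bloated zone:", bound_accepts(BLOATED, max_rr=n))
    print("byte bound admits bloated zone:", bound_accepts(BLOATED, max_hashed_bytes=size))
```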