Re: [DNSOP] [Ext] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)

Paul Hoffman <paul.hoffman@icann.org> Thu, 16 January 2020 01:39 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Michael StJohns <msj@nthpermutation.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 16 Jan 2020 01:39:46 +0000
Message-ID: <1F8E8497-DBB5-49FC-A3DA-FFF4D9B95F3A@icann.org>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com> <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com> <28189634.PH2fhW1m7e@linux-9daj> <57C19AE6-CE64-42F4-BFF1-7FD5C442CD4A@verisign.com> <4c9cee8f-c05f-1cb4-6a2d-4e61371bf045@nthpermutation.com> <C34B2364-13D8-461A-B15C-090C1C2F6200@verisign.com> <94fc8dac-0735-67af-f413-004e6f84c349@time-travellers.org> <956DFE58-587E-47FA-8D60-C279351697ED@icann.org> <CAH1iCirrLDfrVxUNx4eYdpv5Gfw2X=k_byOprDN9CZDkyLDoiQ@mail.gmail.com> <5f68ad09-f607-a502-18ee-56d658de93ce@nthpermutation.com>
In-Reply-To: <5f68ad09-f607-a502-18ee-56d658de93ce@nthpermutation.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JWb_hzlyWIKVP6x8GSAUp9BeZTA>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Jan 15, 2020, at 5:28 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> I think it's a co-existence issue here.  I don't think you should have two different (calculation-wise) ZONEMD-like RRSets in the same zone for the reasons you've mentioned.  

That makes good sense. When someone defines an incremental zone hash RRtype, that protocol spec should likely either prohibit ZONEMD RRsets, or state that their interpretation is suppressed. The WG can cross that bridge when we see a reasonably filled-out proposal for INCZONEMD.

> I don't think that reserving RR types is the right way of doing things and I'm not sure how you'd write the IANA guidance to cover the later assignment of those type numbers.

Fully agree.

>  It's possible that we can tweak this a bit and get around the problem.
> 
> So maybe:
> 
> 1 byte - Scheme - 1 == SIMPLE
> 
> Which has a body of
> 
> 1 byte - digest - 1 == SHA384, a
> 
> followed by N bytes of the appropriate digest length.

Using a different RRtype would be significantly easier and safer due to applications having clearly separate code paths.

--Paul Hoffman
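The quoted proposal (a one-byte Scheme, with SIMPLE == 1 carrying a one-byte digest type and then the raw digest) can be made concrete with a small encoder/parser. The following is an added illustration written for this page; it is not code from the ZONEMD draft, from either participant, or from any DNS implementation. The constant names, the function names, and the rule that an unknown Scheme or digest type is carried as opaque bytes rather than rejected are assumptions of this example; what exactly gets hashed to produce the digest is outside the quoted message, so the example simply takes a caller-supplied byte string (constructed inline) as the hashed input.

```python
import hashlib
import hmac
import struct

# Values taken from the quoted proposal: Scheme 1 == SIMPLE, and inside the
# SIMPLE body, digest type 1 == SHA-384. The names are this example's own.
SCHEME_SIMPLE = 1
DIGEST_SHA384 = 1

# Expected digest length per digest type; SHA-384 produces 48 bytes.
DIGEST_LENGTHS = {DIGEST_SHA384: hashlib.sha384().digest_size}


def encode_simple(digest_type: int, digest: bytes) -> bytes:
    """Build RDATA for Scheme SIMPLE: scheme byte, digest-type byte, digest bytes."""
    expected = DIGEST_LENGTHS.get(digest_type)
    if expected is None:
        raise ValueError(f"unknown digest type {digest_type}")
    if len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} needs {expected} bytes, got {len(digest)}"
        )
    return struct.pack("!BB", SCHEME_SIMPLE, digest_type) + digest


def parse(rdata: bytes) -> dict:
    """Parse the proposed RDATA layout.

    An unknown Scheme or digest type is returned with its body left opaque and
    'verifiable' set to False, so a record defined later still round-trips
    through software that predates it (assumption of this example, not a
    requirement stated in the thread).
    """
    if len(rdata) < 1:
        raise ValueError("empty RDATA")
    scheme = rdata[0]
    body = rdata[1:]
    if scheme != SCHEME_SIMPLE:
        return {"scheme": scheme, "verifiable": False, "body": body}
    if len(body) < 1:
        raise ValueError("SIMPLE body is missing the digest type byte")
    digest_type = body[0]
    digest = body[1:]
    expected = DIGEST_LENGTHS.get(digest_type)
    if expected is None:
        return {
            "scheme": scheme,
            "digest_type": digest_type,
            "verifiable": False,
            "digest": digest,
        }
    if len(digest) != expected:
        # A truncated or padded digest is a malformed record, not an unknown one.
        raise ValueError(
            f"digest type {digest_type} needs {expected} bytes, got {len(digest)}"
        )
    return {
        "scheme": scheme,
        "digest_type": digest_type,
        "verifiable": True,
        "digest": digest,
    }


def verify_simple(rdata: bytes, hashed_input: bytes) -> bool:
    """Return True only if rdata is a verifiable SIMPLE/SHA-384 record matching hashed_input.

    hashed_input stands in for whatever canonical zone serialization the
    protocol would define; that definition is not part of the quoted message.
    """
    parsed = parse(rdata)
    if not parsed["verifiable"] or parsed["digest_type"] != DIGEST_SHA384:
        return False
    computed = hashlib.sha384(hashed_input).digest()
    # Constant-time comparison to avoid leaking how many leading bytes matched.
    return hmac.compare_digest(computed, parsed["digest"])


if __name__ == "__main__":
    # Constructed sample input; a real deployment would hash the zone contents.
    sample = b"example. 3600 IN SOA ns1.example. hostmaster.example. 2020011601 ...\n"
    rdata = encode_simple(DIGEST_SHA384, hashlib.sha384(sample).digest())
    print("RDATA length:", len(rdata))
    print("verifies:", verify_simple(rdata, sample))
    print("unknown scheme parsed as:", parse(bytes([2]) + rdata[1:]))
```

The two "unknown" branches in parse are where the co-existence question from the thread shows up in code: a verifier that sees a Scheme value it does not implement has to decide between ignoring the record and treating the zone as unverifiable, and a separate RRtype makes that decision fall out of ordinary unknown-type handling instead of a branch inside the ZONEMD parser.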