Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-04.txt

"Wessels, Duane" <dwessels@verisign.com> Mon, 24 February 2020 23:06 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: dnsop WG <dnsop@ietf.org>
Date: Mon, 24 Feb 2020 23:06:03 +0000
Message-ID: <25353EC1-D84B-4507-80F9-9059174B8D0C@verisign.com>
References: <158258479417.24286.15972230615732983631@ietfa.amsl.com>
In-Reply-To: <158258479417.24286.15972230615732983631@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KsIkHkfVUAFm8zkuTpmI_XbY3CE>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-04.txt

All,

This version of the ZONEMD draft incorporates and addresses the feedback we received from the working group last call.  The list of changes is below.

Note there is one important change to the RDATA fields that we believe addresses concerns about future proofing.

Previously there was a field named Digest Type, whose meaning incorporated both the hash algorithm (e.g. SHA384) and a scheme for organizing the zone data as input to the hash function (e.g. "simple").  These have been split into separate fields now (Hash Algorithm and Scheme).  The Parameter field has been dropped, but we feel its intended use can still be accomplished with the Scheme field.

We hope this version addresses all the comments received.  If there are any omissions, they were not intentional.

DW



   From -03 to -04:

   o  Addressing WGLC feedback.

   o  Changed from "Digest Type + Parameter" to "Scheme + Hash
      Algorithm".  This should make it more obvious how ZONEMD can be
      expanded in the future with new schemes and hash algorithms, while
      sacrificing some of the flexibility that the Parameter was
      intended to provide.

   o  Note: old RDATA fields: Serial, Digest Type, Parameter, Digest.

   o  Note: new RDATA fields: Serial, Scheme, Hash Algorithm, Digest.

   o  Add new IANA requirement for a Scheme registry.

   o  Rearranged some sections and separated scheme-specific aspects
      from general aspects of digest calculation.

   o  When discussing multiple ZONEMD RRs, allow for Scheme, as well as
      Hash Algorithm, transition.

   o  Added Performance Considerations section with some benchmarks.

   o  Further clarifications about non-apex ZONEMD RRs.

   o  Clarified inclusion rule for duplicate RRs.

   o  Removed or lowercased some inappropriately used RFC 2119 key
      words.

   o  Clarified that all ZONEMD RRs, even for unsupported hash
      algorithms, must be zeroized during digest calculation.

   o  Added Resilience and Fragility to security considerations.

   o  Updated examples since changes in this version result in different
      hash values.



> On Feb 24, 2020, at 2:53 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>        Title           : Message Digest for DNS Zones
>        Authors         : Duane Wessels
>                          Piet Barber
>                          Matt Weinberg
>                          Warren Kumari
>                          Wes Hardaker
>        Filename        : draft-ietf-dnsop-dns-zone-digest-04.txt
>        Pages           : 32
>        Date            : 2020-02-24
> 
> Abstract:
>   This document describes a protocol and new DNS Resource Record that
>   can be used to provide a cryptographic message digest over DNS zone
>   data.  The ZONEMD Resource Record conveys the digest data in the zone
>   itself.  When a zone publisher includes a ZONEMD record, recipients
>   can verify the zone contents for accuracy and completeness.  This
>   provides assurance that received zone data matches published data,
>   regardless of how the zone data has been transmitted and received.
> 
>   ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC protects
>   individual RRSets (DNS data with fine granularity), ZONEMD protects a
>   zone's data as a whole, whether consumed by authoritative name
>   servers, recursive name servers, or any other applications.
> 
>   As specified at this time, ZONEMD is not designed for use in large,
>   dynamic zones due to the time and resources required for digest
>   calculation.  The ZONEMD record described in this document is
>   designed so that new digest schemes may be developed in the future to
>   support large, dynamic zones.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-04
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-zone-digest-04
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dns-zone-digest-04
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
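Added example (not part of Duane's message or the draft text): a small parser for the -04 RDATA layout (Serial, Scheme, Hash Algorithm, Digest), the "zeroized" form a verifier feeds into the zone digest, and a constant-time comparison of the published digest against a recomputed one. Field widths (32-bit Serial, 8-bit Scheme, 8-bit Hash Algorithm) and the codepoints SCHEME_SIMPLE = 1 / HASH_SHA384 = 1 are taken from the draft as I recall it, not from this mail; the sample records are constructed.

```python
import hmac
import struct
from dataclasses import dataclass

# Codepoints and widths assumed from draft -04 (not quoted in this mail).
SCHEME_SIMPLE = 1
HASH_SHA384 = 1
DIGEST_LENGTHS = {HASH_SHA384: 48}          # octets produced by each known hash algorithm
HEADER = struct.Struct("!IBB")               # Serial (32-bit), Scheme (8-bit), Hash Algorithm (8-bit)


@dataclass(frozen=True)
class ZoneMD:
    serial: int
    scheme: int
    hash_algorithm: int
    digest: bytes


def parse_zonemd(rdata: bytes) -> ZoneMD:
    """Split ZONEMD RDATA into the four -04 fields; the Digest is everything after the header."""
    if len(rdata) < HEADER.size:
        raise ValueError("ZONEMD RDATA shorter than its fixed 6-octet header")
    serial, scheme, alg = HEADER.unpack_from(rdata)
    return ZoneMD(serial, scheme, alg, rdata[HEADER.size:])


def build_zonemd(rr: ZoneMD) -> bytes:
    return HEADER.pack(rr.serial, rr.scheme, rr.hash_algorithm) + rr.digest


def is_supported(rr: ZoneMD) -> bool:
    """A verifier can only check records whose Scheme and Hash Algorithm it implements."""
    return rr.scheme == SCHEME_SIMPLE and rr.hash_algorithm in DIGEST_LENGTHS


def is_well_formed(rr: ZoneMD) -> bool:
    """For a known hash algorithm the Digest must be exactly the length that algorithm produces."""
    expected = DIGEST_LENGTHS.get(rr.hash_algorithm)
    return expected is None or len(rr.digest) == expected


def zeroize_for_digest(rdata: bytes) -> bytes:
    """Placeholder form hashed in place of every ZONEMD RR, supported or not:
    Serial/Scheme/Hash Algorithm stay, the Digest octets become zeros of the same length."""
    rr = parse_zonemd(rdata)
    return build_zonemd(ZoneMD(rr.serial, rr.scheme, rr.hash_algorithm, bytes(len(rr.digest))))


def verify(rr: ZoneMD, recomputed: bytes) -> bool:
    """Compare the published Digest with a freshly computed zone digest in constant time."""
    return is_supported(rr) and is_well_formed(rr) and hmac.compare_digest(rr.digest, recomputed)


# Constructed samples: one SIMPLE/SHA384 record and one with an unassigned hash algorithm.
SAMPLE_SUPPORTED = build_zonemd(ZoneMD(2020022401, SCHEME_SIMPLE, HASH_SHA384, bytes.fromhex("ab" * 48)))
SAMPLE_UNKNOWN_ALG = build_zonemd(ZoneMD(2020022401, SCHEME_SIMPLE, 200, bytes.fromhex("cd" * 20)))
```

An unsupported record is left alone by the verifier but is still zeroized when the digest input is built, which is the -04 rule that makes algorithm and scheme transitions possible.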