Re: [DNSOP] [Ext] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)

Paul Hoffman <paul.hoffman@icann.org> Wed, 15 January 2020 15:05 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Shane Kerr <shane@time-travellers.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)
Thread-Index: AQHVy7U6oQwtP9OesUawb1gnNIparQ==
Date: Wed, 15 Jan 2020 15:05:30 +0000
Message-ID: <956DFE58-587E-47FA-8D60-C279351697ED@icann.org>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com> <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com> <28189634.PH2fhW1m7e@linux-9daj> <57C19AE6-CE64-42F4-BFF1-7FD5C442CD4A@verisign.com> <4c9cee8f-c05f-1cb4-6a2d-4e61371bf045@nthpermutation.com> <C34B2364-13D8-461A-B15C-090C1C2F6200@verisign.com> <94fc8dac-0735-67af-f413-004e6f84c349@time-travellers.org>
In-Reply-To: <94fc8dac-0735-67af-f413-004e6f84c349@time-travellers.org>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_A8F3CC3F-EDBB-4B37-8984-F803EDE62C28"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NO3SIVHxl9MBuIlTBXQ2ZmZVdfA>
Subject: Re: [DNSOP] [Ext] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Jan 15, 2020, at 12:14 AM, Shane Kerr <shane@time-travellers.org> wrote:
> 
> Duane,
> 
> On 13/01/2020 19.26, Wessels, Duane wrote:
>>> On Jan 8, 2020, at 3:55 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>>> There's also the case that future ZONEMD schemes may need a different format for the digest field.   E.g. one approach to dealing with incremental changes is to have a NSEC like ZONEMD record which covers hashes only across a range of names.
>> We think that the currently documented RR format will solve most use cases - since the digest field is variable length, it already provides a lot of flexibility for future uses, by defining additional Digest Types.  Anything which cannot be solved with this format seems like it would be a sufficiently different protocol that it would deserve a new RRtype and document.
> 
> Honestly thinking about it more, I'm not even sure we should consider supporting an incremental version of zone digests in ZONEMD at all. There's no harm in introducing a new type with its own syntax and semantics if we tackle that problem in the future.
> 
> Some agility is needed to add new hashing algorithms, but beyond that I think maybe we should consider ZONEMD perfect in every way and not ever needing to be revised. 😉

Thank you for voicing this, Shane. Given that any incremental digest mechanism will have at least a few significantly different processing rules, I strongly suspect that it would be easier for implementors if there were two different RRtypes. The requests to have both sets of processing rules under one RRtype seem actively dangerous from a security perspective.

--Paul Hoffman
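The thread above turns on two points: the digest field plus a type/algorithm code gives ZONEMD hash-algorithm agility without changing the RR format, and a verifier must handle values it does not understand without being tricked into a false "verified". The block below is an added illustration, not code from the thread or from the ZONEMD authors. It uses the RDATA layout of RFC 8976 (Serial, Scheme, Hash Algorithm, Digest), the RFC this draft became, with Scheme 1 (SIMPLE) and Hash Algorithms 1 (SHA-384) and 2 (SHA-512). The zone contents, owner names, serial and IP addresses are constructed; DNSSEC records are omitted, so the RRSIG-over-ZONEMD exclusion rule is only noted in a comment.

```python
import hashlib
import hmac
import struct

# Registry values from RFC 8976. The Hash Algorithm octet is the agility knob
# discussed in the thread: a new hash is a new code point, not a new RR format.
SCHEME_SIMPLE = 1
HASH_ALGS = {1: hashlib.sha384, 2: hashlib.sha512}

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ZONEMD = 1, 2, 6, 63
CLASS_IN = 1

APEX = "example."  # constructed zone name for this example


def labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]


def wire_name(name):
    """Uncompressed, lowercased name (RFC 4034 s6.2 canonical form)."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical name order: labels compared right to left."""
    return tuple(reversed(labels(name)))


def is_apex(owner):
    return canonical_key(owner) == canonical_key(APEX)


def rr_wire(owner, rtype, ttl, rdata):
    """RR in wire format; TTL taken as it appears in the (unsigned) zone."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def zonemd_rdata(serial, scheme, hashalg, digest):
    return struct.pack("!IBB", serial, scheme, hashalg) + digest


def parse_zonemd(rdata):
    if len(rdata) < 6 + 12:  # RFC 8976 s2.2.4: digest field is at least 12 octets
        raise ValueError("ZONEMD RDATA too short")
    serial, scheme, hashalg = struct.unpack("!IBB", rdata[:6])
    return serial, scheme, hashalg, rdata[6:]


def soa_serial(rrs):
    soa = next(r for r in rrs if r[1] == TYPE_SOA and is_apex(r[0]))
    return struct.unpack("!I", soa[3][-20:-16])[0]


def simple_digest(rrs, hashalg):
    """SIMPLE scheme (RFC 8976 s3.3.1): hash every RR in canonical order, skipping
    apex ZONEMD RRs. RRSIGs covering ZONEMD would be skipped too; this zone is unsigned."""
    h = HASH_ALGS[hashalg]()
    for owner, rtype, ttl, rdata in sorted(rrs, key=lambda r: (canonical_key(r[0]), r[1], r[3])):
        if rtype == TYPE_ZONEMD and is_apex(owner):
            continue
        h.update(rr_wire(owner, rtype, ttl, rdata))
    return h.digest()


def publish(rrs, hashalg):
    """Return a copy of the zone with an apex ZONEMD RR for the given hash algorithm."""
    digest = simple_digest(rrs, hashalg)
    return rrs + [(APEX, TYPE_ZONEMD, 3600, zonemd_rdata(soa_serial(rrs), SCHEME_SIMPLE, hashalg, digest))]


def verify_zone(rrs):
    """Outcome modelled on RFC 8976 s4. ZONEMD RRs with a stale serial or an unknown
    scheme/hash are ignored, never trusted, so a zone carrying only those is 'unsupported'."""
    zonemds = [r for r in rrs if r[1] == TYPE_ZONEMD and is_apex(r[0])]
    if not zonemds:
        return "no-zonemd"
    usable = False
    for _, _, _, rdata in zonemds:
        serial, scheme, hashalg, digest = parse_zonemd(rdata)
        if serial != soa_serial(rrs) or scheme != SCHEME_SIMPLE or hashalg not in HASH_ALGS:
            continue
        usable = True
        if hmac.compare_digest(simple_digest(rrs, hashalg), digest):
            return "verified"
    return "mismatch" if usable else "unsupported"


def example_zone():
    """Constructed unsigned zone: (owner, type, ttl, rdata). Mixed case is deliberate."""
    return [
        (APEX, TYPE_SOA, 3600, soa_rdata("ns1.example.", "hostmaster.example.", 2020011501, 7200, 900, 1209600, 300)),
        (APEX, TYPE_NS, 3600, wire_name("ns1.example.")),
        ("ns1.example.", TYPE_A, 3600, a_rdata("192.0.2.1")),
        ("www.EXAMPLE.", TYPE_A, 300, a_rdata("192.0.2.2")),
    ]


if __name__ == "__main__":
    zone = publish(example_zone(), 1)
    print(verify_zone(zone))                                  # SHA-384 digest matches
    print(verify_zone(publish(zone, 2)))                      # SHA-384 and SHA-512 coexist at the apex
    tampered = [(o, t, ttl, a_rdata("198.51.100.9") if o.lower() == "www.example." else rd) for o, t, ttl, rd in zone]
    print(verify_zone(tampered))                              # one changed A record breaks the digest
    future = example_zone() + [(APEX, TYPE_ZONEMD, 3600, zonemd_rdata(2020011501, 2, 1, b"\x00" * 48))]
    print(verify_zone(future))                                # unknown scheme is skipped, not trusted
```

Two ZONEMD RRs with different hash algorithms can sit in the same apex RRset and the verifier accepts the zone as soon as one it understands matches; a ZONEMD with a scheme it does not know is skipped, which is what makes adding an incrementally computed scheme under the same RRtype delicate: every verifier has to agree on exactly which records that new scheme covers, or a digest computed under one rule set will be compared against data assembled under another.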