IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Shane Kerr <shane@time-travellers.org> Fri, 01 June 2018 10:51 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AD9F1289B0 for <dnsop@ietfa.amsl.com>; Fri, 1 Jun 2018 03:51:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.554
X-Spam-Level:
X-Spam-Status: No, score=-0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_BL_SPAMCOP_NET=1.347, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkQYF03ApVJW for <dnsop@ietfa.amsl.com>; Fri, 1 Jun 2018 03:51:04 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08BA91276AF for <dnsop@ietf.org>; Fri, 1 Jun 2018 03:51:03 -0700 (PDT)
Received: from chomsky.torservers.net ([77.247.181.162] helo=[127.0.0.1]) by time-travellers.org with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1fOhff-0007c7-Sw for dnsop@ietf.org; Fri, 01 Jun 2018 10:52:35 +0000
To: dnsop@ietf.org
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org>
Date: Fri, 01 Jun 2018 10:51:00 +0000
MIME-Version: 1.0
In-Reply-To: <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OBFLBX-EaB_Sj6o57tD30CclD6Q>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 10:51:06 -0000

Wessels, Duane:
> 
>> On May 25, 2018, at 11:33 AM, 神明達哉 <jinmei@wide.ad.jp> wrote:
>>
>> At Wed, 23 May 2018 15:32:11 +0000,
>> "Weinberg, Matt" <mweinberg=40verisign.com@dmarc.ietf.org> wrote:
>>
>>> We’ve posted a new version of draft-wessels-dns-zone-digest.  Of note,
>> this -01 version includes the following changes:
>> [...]
>>> We plan to ask for time on the dnsop agenda in Montreal.  Your feedback
>> is welcome and appreciated.
>>
>> I've read the draft.  I have a few high level comments and specific
>> feedback on the draft content:
>>
>> - It was not really clear exactly what kind of problem this digest
>>   tries to solve, especially given that the primarily intended usage
>>   is for the root zone, which is DNSSEC-signed with NSEC.
> 
> Thanks you for the feedback.  We will write a clearer problem statement
> in the introduction for the next version.

As I mentioned, I have seen zones broken during transfer in production,
and having a standard way to check for this seems reasonable.

>> - This digest can't be incrementally updated, that is, you'll need to
>>   calculate the digest over the entire zone even if just a single
>>   record is modified (am I correct?).  That's probably an inevitable
>>   cost for the motivation of providing cryptographically strong
>>   integrity check, but that's a pity for me.  One case I know of where
>>   things like "zone digest" is wanted is to ensure consistency for a
>>   very large zone between primary and secondary servers that are
>>   synchronized using IXFR.  In principle they must be consistent, but
>>   operators may want to have a lightweight (albeit not
>>   cryptographically strong) way to confirm no unexpected events (such
>>   as an implementation bug) quietly broke the consistency.  Perhaps
>>   such usage is just outside the scope of this proposal, but I first
>>   expected I could use it for this kind of purpose it was a bit
>>   disappointing and I wanted to mention it.
> 
> Incremental updates could be supported if the working group feels it is
> important.  We have a working proof-of-concept implementation of this that
> hashes individual RRsets and then XORs them into a final message digest
> (thanks to Roy Arends for the suggestion).
> 
> However, this complicates the implementation.  It almost certainly requires
> more CPU processing but probably not to an extent that matters significantly.
> We could do some simple benchmarks.
> 
> If there is desire to follow this path, then we should discuss whether or
> not to keep having the zone digest algorithms exactly match the DS digest
> algorithms.  For example, digest alg 2 could mean "SHA256 over the zone
> as a whole" while digest alg 3 could mean "SHA-256 digest and XOR individual
> RRsets" to support incremental updates.

As I mentioned in my review of the first version of this document, I
think that inserting digest records periodically throughout the zone
could serve to allow incremental updates (as the recipient can cache
unchanged values) and also allow a degree of parallelism.

I certainly won't push for it. My main concern is that for large-ish
zones with frequent updates digest is basically useless without such a
mechanism.

Cheers,

--
Shane

v2.23.0 | Report a Bug | By Email