Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

"Wessels, Duane" <dwessels@verisign.com> Wed, 07 August 2019 23:29 UTC


Greetings DNSOP,

AFAICT there was no feedback received after this most recent version of the ZONEMD draft was posted.  As I mentioned before, there was one pretty significant change in that version:

> The most significant change is that multiple ZONEMD records are allowed.  The document recommends that multiple digests be present only when transitioning to a new digest type algorithm and has this to say about verification given multiple digests:
> 
> 4.1.  Verifying Multiple Digests
> 
>   If multiple digests are present in the zone, e.g., during an
>   algorithm rollover, at least one of the recipient's supported Digest
>   Type algorithms MUST verify the zone.
> 
>   It is RECOMMENDED that implementations maintain a (possibly
>   configurable) list of supported Digest Type algorithms ranked from
>   most to least preferred.  It is further RECOMMENDED that recipients
>   use only their most preferred algorithm that is present in the zone
>   for digest verification.
> 
>   As a matter of local policy, the recipient MAY require that all
>   supported and present Digest Type algorithms verify the zone.
We would like to have feedback on this change before progressing to working group last call.

DW
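The multi-digest verification policy quoted from section 4.1 above, as an added Python example that is not part of the draft or of this message. The ZONEMD field layout (serial, digest type, digest), the digest-type-to-hash mapping, and the sample zone and records are assumed or constructed here, and the zone bytes merely stand in for the canonical serialization the draft defines.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Digest Type code -> hash function. Assumed mapping for this example;
# the draft's registry of Digest Type values is authoritative.
DIGEST_TYPES = {1: hashlib.sha384, 2: hashlib.sha512}


@dataclass(frozen=True)
class ZoneMD:
    serial: int       # must match the SOA serial of the zone being checked
    digest_type: int  # Digest Type code
    digest: bytes     # digest value carried in the RR


def compute_digest(digest_type, zone_data):
    # zone_data stands in for the canonical zone serialization the draft defines
    return DIGEST_TYPES[digest_type](zone_data).digest()


def verify_zone(zone_data, soa_serial, zonemds, preferred, require_all=False):
    """Section 4.1 policy. preferred = supported Digest Types, best first.
    Returns (verified, list of Digest Types actually checked)."""
    present = {}
    for rr in zonemds:  # ignore records for another serial or unknown types
        if rr.serial == soa_serial and rr.digest_type in DIGEST_TYPES:
            present.setdefault(rr.digest_type, []).append(rr)
    candidates = [t for t in preferred if t in present]
    if not candidates:
        return False, []  # no supported digest present: cannot verify
    if not require_all:
        candidates = candidates[:1]  # RECOMMENDED: most preferred present only
    checked = []
    for t in candidates:
        actual = compute_digest(t, zone_data)
        if not any(hmac.compare_digest(actual, rr.digest) for rr in present[t]):
            return False, checked + [t]  # no fallback to a less preferred type
        checked.append(t)
    return True, checked


# Constructed sample zone and ZONEMD records (not real data).
SERIAL = 2019080701
ZONE = (b"example. 86400 IN SOA ns1.example. admin.example. 2019080701 7200 3600 1209600 3600\n"
        b"example. 86400 IN NS ns1.example.\n"
        b"ns1.example. 3600 IN A 192.0.2.1\n")
GOOD_1 = ZoneMD(SERIAL, 1, compute_digest(1, ZONE))
GOOD_2 = ZoneMD(SERIAL, 2, compute_digest(2, ZONE))
BAD_2 = ZoneMD(SERIAL, 2, bytes(64))            # corrupted type-2 digest
STALE_1 = ZoneMD(SERIAL - 1, 1, GOOD_1.digest)  # ZONEMD for the previous serial
```

With `require_all=False` a failing most-preferred digest is a verification failure even if a less preferred one would have matched, which is the behaviour the RECOMMENDED text implies; `require_all=True` is the stricter local policy the MAY clause allows.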