Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
Michael StJohns <msj@nthpermutation.com> Mon, 06 January 2020 17:59 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25BFB1200EB for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 09:59:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDxERslZ5Bvi for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 09:59:53 -0800 (PST)
Received: from mail-qv1-xf43.google.com (mail-qv1-xf43.google.com [IPv6:2607:f8b0:4864:20::f43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECB4E1200FB for <dnsop@ietf.org>; Mon, 6 Jan 2020 09:59:52 -0800 (PST)
Received: by mail-qv1-xf43.google.com with SMTP id dc14so19379395qvb.9 for <dnsop@ietf.org>; Mon, 06 Jan 2020 09:59:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=TQ+I1FFxd7v3kCv4VPWxpsxtropH+284/CqZwpnfSew=; b=IcZNbeKe/AJlJeyXR2LgDJ87LNCLQwzuvEY16nVassfYk36fsPwkH0ehLUewINmCfF tjDs5T2xeZYrXoC+YkudPRS52nuPt3UW5KJXA/Dpb4xic435pXsQ5qkecHOMzKu1LK7y Dpkv7DH7wp1B1u1xcf3kZnw97MUx3thDksTDKNongpC1u0gKJdokKBM/eb6d11gPe0xJ xqs+KuuhQplX/vOUOZffEiyMPiI9tYvCMlNY5F8hLSO8nhm//QIbSQyuK/gXNoq1fXGv +RFRKzSR/FL0l3l6SuJMWUvTN8jU1iYEU30uFZ7zY1NjPJnly8B+qEN0fHFL2dQLuV+b 47Bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=TQ+I1FFxd7v3kCv4VPWxpsxtropH+284/CqZwpnfSew=; b=XnQuTR/5PYH7PwTFVxM9RMl+Rgxng9zbfvr2R9lTQH5PSQ4PDg5yBOhHSbyYWV3kN9 mRJXCho0hNKp+o2+ioQCwxUPo6h6zRlSsvHIqgyST4jcPSAiEl//R5ktIBk0VCMg9ybs m3hFqpkxGbWOsA+JHywfxXX5xjqLUMwAzrkjkdZK8GOS8cjaJoG2bkIqPtztNi8f72E8 Jb0Q1ato/GPrCscV+Dbx6r1XhMGdqf5GLdWCVSeisppvR8A5sEggdscB9zu7oH3kPYJM pBgQAme4zb/kqBd36WezeB9USjuiu4HErhAyWMFi30RoYKgiP0TJQHYcRkpE8FAZ/zdL 897g==
X-Gm-Message-State: APjAAAUOL1rCWAqcIB+xUboiLq/ZXrDG3P39w6PcHoqpZSpzo9izSy9U tJTzK1kXU/OOWPJ2bDdWPtdKBFjo4lc=
X-Google-Smtp-Source: APXvYqxOa0Ks2t1NCZzkLHUsTBYfyBQVbmmXwrpL2VMBBJnQ2WCLQ/Azt2hty0lbGj1pUssAqTRfrA==
X-Received: by 2002:a0c:9023:: with SMTP id o32mr65011192qvo.110.1578333591616; Mon, 06 Jan 2020 09:59:51 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:60c9:c159:93da:c173? ([2601:152:4400:437c:60c9:c159:93da:c173]) by smtp.gmail.com with ESMTPSA id t23sm23596619qto.88.2020.01.06.09.59.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Jan 2020 09:59:51 -0800 (PST)
To: John Levine <johnl@taugh.com>, dnsop@ietf.org
References: <20200106171326.E0E1E120301E@ary.qy>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <54ddbdea-50c5-42eb-aa0c-bff4bb2d3bcc@nthpermutation.com>
Date: Mon, 06 Jan 2020 12:59:49 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <20200106171326.E0E1E120301E@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VJxLYZaZp8HoRMqY38K2ypOOJZE>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 17:59:55 -0000
On 1/6/2020 12:13 PM, John Levine wrote: > In article <9952199f-9ea5-2d51-a5d2-6aaf805774a5@nthpermutation.com> you write: >> If a computer can't figure out what to do with a failed validation >> absent human interaction then you might as well say: >> >> "ZONEMD RRs may be safely ignored by all but the geekiest of DNS human >> operators as there is no guidance on what to do if you see a zone that >> appears to be incomplete due to ZONEMD RR validation as it might not >> actually be incomplete" > Well, OK, here's a concrete example. I download the COM zone every > day from Verisign, and also a separate file with an MD5 hash of the > main file. Using RFC 2119 language, what do I do if the hash I get > doesn't match their hash? > > For background, there are about 1600 people with passwords to download > the .com file, with a few dozen new passwords issued each month. I > can tell you what I do with the zone file, but I have no idea what the > other 1599 do. The downloads are by plain old FTP, since this was set > up a long time ago. Ok - you've described half of this - the download and the validation. Let's move on to the use. E.g. you now have a zone with a good ZONEMD - you throw it into what application? Or you now have a zone with a bad (unable to validate) ZONEMD, do you still throw it into the application. Does the application check the ZONEMD or did you do that manually? If you throw the zone into the application without validation then what? Do you retry to download it? How often and how long between tries? If I'm downloading this and all I'm going to do with it is browse the text - who cares? If I'm downloading this and the data is going to end up serving infrastructure of some sort then what should I do before I come to depend on the data? Please provide a general rule for automated handling of failed validations. That's all I'm asking. Of course humans will violate that rule - not the point. Later, Mike > R's, > John
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine