Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
"Wessels, Duane" <dwessels@verisign.com> Tue, 07 January 2020 23:01 UTC
From: "Wessels, Duane" <dwessels@verisign.com>
To: Michael StJohns <msj@nthpermutation.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VML-jFCJ6EZlnn5Et7ng_qp8Xug>
> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>
>>
>>
>>> 5) 3.1.2 - This is I believe different than how DNSSEC does it? If it's the same, then this is fine, otherwise this protocol should be calculating the RRSet wire representation the same as DNSSEC does it.
>> In my experience, duplicates are suppressed either when a zone is loaded or when it is signed. ZONEMD matches DNSSEC.
>>
>>
>> Here's how named-checkzone behaves:
>>
>> $ named-checkzone -i none -o /dev/fd/1 example.com /dev/fd/0
>> $ORIGIN example.com.
>> @ 60 SOA a b 1 2 3 4 5
>> @ 60 NS ns
>> NS 60 A 192.168.1.1
>> @ 60 A 127.0.0.1
>> @ 60 A 127.0.0.1
>> zone example.com/IN: loaded serial 1
>> example.com. 60 IN SOA a.example.com. b.example.com. 1 2 3 4 5
>> example.com. 60 IN NS ns.example.com.
>> example.com. 60 IN A 127.0.0.1
>> NS.example.com. 60 IN A 192.168.1.1
>> OK
>>
>>
>> And in ldns_dnssec_rrs_add_rr() at https://github.com/NLnetLabs/ldns/blob/develop/dnssec_zone.c#L46 you can see at the end that equal RRs are silently ignored.
>>
> Can you provide a cite? Not disagreeing - just curious if it's been written down in an RFC somewhere.
>

RFC2181 (cited in ZONEMD) says:

   Each DNS Resource Record (RR) has a label, class, type, and data. It
   is meaningless for two records to ever have label, class, type and
   data all equal - servers should suppress such duplicates if
   encountered.

DW
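
The duplicate suppression discussed in this message, as an added example that is not code from the thread participants, the ZONEMD draft, BIND or ldns: it shows why equal RRs have to be collapsed before a zone digest is computed, using the zone from the named-checkzone session. It assumes class IN and only A, NS and SOA records, computes a simplified SHA-384 over the ordered RRs rather than the full ZONEMD procedure, and all function names are illustrative.

```python
import hashlib
import socket
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6}  # only the types in the sample zone

# Constructed input: the zone typed into named-checkzone in the message,
# written with absolute names; the last A record is the duplicate.
ZONE = [
    ("example.com.", 60, "SOA", "a.example.com. b.example.com. 1 2 3 4 5"),
    ("example.com.", 60, "NS", "ns.example.com."),
    ("NS.example.com.", 60, "A", "192.168.1.1"),
    ("example.com.", 60, "A", "127.0.0.1"),
    ("example.com.", 60, "A", "127.0.0.1"),
]

def labels_of(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def name_wire(name):
    """Uncompressed, lowercased wire form of an absolute domain name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels_of(name)) + b"\x00"

def rdata_wire(rtype, rdata):
    if rtype == "A":
        return socket.inet_aton(rdata)
    if rtype == "NS":
        return name_wire(rdata)
    mname, rname, *nums = rdata.split()  # SOA: two names, five 32-bit integers
    return name_wire(mname) + name_wire(rname) + struct.pack("!5I", *map(int, nums))

def canonical_rrs(records, suppress_duplicates=True):
    """RR wire forms in canonical order; class is fixed to IN (1)."""
    keyed = []
    for owner, ttl, rtype, rdata in records:
        rd = rdata_wire(rtype, rdata)
        fixed = struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd))
        # Sort key: labels right to left (RFC 4034 section 6.1), type, RDATA.
        key = (tuple(reversed(labels_of(owner))), TYPES[rtype], rd)
        keyed.append((key, name_wire(owner) + fixed + rd))
    if suppress_duplicates:
        keyed = list(dict(keyed).items())  # same owner, class, type, data: keep one
    return [wire for _, wire in sorted(keyed)]

def digest(records, suppress_duplicates=True):
    """SHA-384 over the ordered RRs (simplified, not the full ZONEMD procedure)."""
    h = hashlib.sha384()
    for wire in canonical_rrs(records, suppress_duplicates):
        h.update(wire)
    return h.hexdigest()
```

With suppression on, `digest(ZONE)` equals the digest of the zone with the duplicate line deleted; with it off, a verifier that loaded the zone through a deduplicating parser would compute a different value from the publisher.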