Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

"Wessels, Duane" <dwessels@verisign.com> Tue, 07 January 2020 23:01 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA622120131 for <dnsop@ietfa.amsl.com>; Tue, 7 Jan 2020 15:01:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YD0UlQ_gB3nQ for <dnsop@ietfa.amsl.com>; Tue, 7 Jan 2020 15:01:22 -0800 (PST)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1A78120025 for <dnsop@ietf.org>; Tue, 7 Jan 2020 15:01:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8534; q=dns/txt; s=VRSN; t=1578438082; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=XWLBrQ5kSyfdqxiResNBCL4tT8xU5cgNAGqmD5JOUGw=; b=R2qHafcVL39NBufAVXA8g07PxcOKsDfLcZjDACeMkTvG33vEY4NGgy36 owjT/+RC8rvlkwRGxP2iSzmCzPGflsAeU5Xik7m857ljLhbgOjLVRT2wZ FbofbDxP7LxuwsLHiEz3skTscGS9zoH/bGq3vdH92p3gohBc476hV8k7a +3jdOp+Ej+CmOc1muDEymNXBb2zf/OP6f44GAz81DgigXBHYyN+EWZKdr xYMw7dYeW9XF4d/fZWvDqrpca685N6/gklh+IpuoN6Xy1sminrSvebD/k 7VD/0MtXeAyrRLo6okBSBqkYjbXGvN0a4PbmCkILv/08CZTcXoyYOmA/l g==;
IronPort-SDR: L3lSwuC7Y5Y/cTcQHe2ikHHg74ri8ZblzVwVsvmKthHASAAafGoLhU/JgX8SHyOgaD244635uh 6Swc/nQH9vscdh/hFqAIIUkCrDYqEioVVT/gtT08M76VM5dtP67Sbz5CENACcW0cdX60q90ZCN r1OwUBisrMly9XvTS8AM6LboUA9qBqvWWmJWsj3bHMQ0HUmso9ZhMl5LKAO1yMTf3w7+5qg/wH OonAVT9Qt8g2L3MEMWxLKbasVaYU3uBBfSO3N/liIQFCwRt+NSWXMRuWKPwqxo6AFkwKs57Q6Q WDE=
X-IronPort-AV: E=Sophos;i="5.69,407,1571716800"; d="p7s'?scan'208";a="391864"
IronPort-PHdr: =?us-ascii?q?9a23=3A7uZDThSU0u6FuYpwRgfH0QbdK9psv+yvbD5Q0Y?= =?us-ascii?q?Iujvd0So/mwa6zYxWN2/xhgRfzUJnB7Loc0qyK6vumAzFfqs7b+Fk5M7V0Hy?= =?us-ascii?q?cfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFR?= =?us-ascii?q?rwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAi4oAnLqMUbgYlvJqktxh?= =?us-ascii?q?fXv3BFZ/lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3?= =?us-ascii?q?g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RT?= =?us-ascii?q?Gv5LplRRP0lCsKMSMy/WfKgcJyka1bugqsqRxhzYDJfIGbOvlwfq3fct0dRG?= =?us-ascii?q?pOQsleWjdOAo+gaosCFeoBMfpGo4T7ulAArQG+BQ6pBO73xDNHhmH53bYh0+?= =?us-ascii?q?s/FQHGxxQsFM8AvnTJttr1MrkdXe6ox6TP0DrCYe1Z2Szm6IfWdhAhuuqBXa?= =?us-ascii?q?xufsrLyEkvDALFjlqWqYD/IzyV0eENvnGd4uF9W+yvjGsnpBtwojip3soshY?= =?us-ascii?q?jJhp4VylDZ7ip12po6Jdq9SEJjf9GlH4FftySCN4tyXMwuWX1nuCE/yrAApJ?= =?us-ascii?q?W1fzAKxYw6yxLDcfCLboqF7xz5WOqMITp1imhpdb27ihqq7ESs1vfwWtS23V?= =?us-ascii?q?pWtCZJj9bBu3MX2xDO6cWLUvV98Vmi1DqT0g3e7/tLLEMwmKXALpMszKA8mY?= =?us-ascii?q?cSvEnGBSD7nET7ga2Te0gq9OWl6fnob7P7rZGGLYB0kBvxMqE2l8y6BuQ3Lx?= =?us-ascii?q?YBUnCA+eS5yL3j5Ur5QKhWjvEukqnWrpTaJcMDq6OkHwFbypsv5BanATmp0d?= =?us-ascii?q?sUgWcLIEhbeB2biIjpIUnOLOriAviimVisji1rx+vAPrH7HprNKX3DnK/gfb?= =?us-ascii?q?Z79UFc1BI+wc1D655OF70MIvz+VlXsuNHYABI1KQO5zuL/BNV4zIweWGaPAq?= =?us-ascii?q?GDMKPVtF+F/v8gIueSa48OozbyNfwl5+X1gH8nh1AdZ6ip3YAWaHC3GPRqOV?= =?us-ascii?q?mWYX3pgtsZC2cFohI+TPD2iF2FSTNTYm2yX6An6zE9FIKmDZ/DSZ63gLyEwS?= =?us-ascii?q?e7AodZZnxHClCLF3fkbZmLW/AJaCiKOM9ujiQEVaS9S48mzRyhqQn6y6FgLu?= =?us-ascii?q?rM4SAYtIzs1MR75+HJkhEy7zN0XIyh1DSoTmp0l24MDwQq/qd/p1c1nlKY04?= =?us-ascii?q?B+n/xAGMZW+u9ATgY9M9jXyOksWP7oXQeUNOiEU02rRs7iSR0sR9Q8iZdab1?= =?us-ascii?q?lwAM6vigvrwSewAqQUmLrND5sxpPGPl0PtLtpwni6VnJIqiEMrF5NC?=
X-IPAS-Result: =?us-ascii?q?A2HQAADXDBVe/zGZrQpmHAMCBxQEBIFtBA0BgxQrgQYKl?= =?us-ascii?q?SyDbpcMPAkBAQEBAQEBAQEDBAEjDAEBAoQ+AoIONwYOAgMBAQsBAQEEAQEBA?= =?us-ascii?q?QEFAwEBAQKGIAyCOyIZWD8yAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQESAg1UM?= =?us-ascii?q?zUBAQEBAgEdXAULAgEIGC4CMCUCBA4FDoMUAYJXER6rfoInhDoBgRSEYRCBN?= =?us-ascii?q?gGBUopggUI+gTgggkw+gksZAgKBYD+DBIIsBI1ToUwDB4I2g2GCOIEcjwKDP?= =?us-ascii?q?ZcilyeGDIhXgyoCBAIEBQIVgWiBfHAVZQGCQQk1EhgNjUqDO4pTdI9sgRABA?= =?us-ascii?q?Q?=
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 7 Jan 2020 18:01:12 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Tue, 7 Jan 2020 18:01:12 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Michael StJohns <msj@nthpermutation.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
Thread-Index: AQHVxa5bq+pBqTe5HE61KzX6gQRz6A==
Date: Tue, 7 Jan 2020 23:01:12 +0000
Message-ID: <A61A5E45-F694-4FAC-BF22-1C0AAB510FD1@verisign.com>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <84650844-1d13-9377-c913-23dcbc76dc37@nthpermutation.com> <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com> <7f298591-09b5-dd7c-0dab-afc60def874b@nthpermutation.com>
In-Reply-To: <7f298591-09b5-dd7c-0dab-afc60def874b@nthpermutation.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.11)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_D5EE926E-6AEC-46D5-9DA8-31AA9A38D388"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VML-jFCJ6EZlnn5Et7ng_qp8Xug>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 23:01:24 -0000


> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> 
>> 
>> 
>>> 5) 3.1.2 - This is I believe different than how DNSSEC does it?  If it's the same, then this is fine, otherwise this protocol should be calculating the RRSet wire representation the same as DNSSEC does it.
>> In my experience, duplicates are suppressed either when a zone is loaded or when it is signed.  ZONEMD matches DNSSEC.
>> 
>> 
>> Here's how named-checkzone behaves:
>> 
>> $ named-checkzone -i none -o /dev/fd/1 example.com /dev/fd/0
>> $ORIGIN example.com.
>> @ 60 SOA a b 1 2 3 4 5
>> @ 60 NS ns
>> NS 60 A 192.168.1.1
>> @ 60 A 127.0.0.1
>> @ 60 A 127.0.0.1
>> zone example.com/IN: loaded serial 1
>> example.com.                                  60 IN SOA         a.example.com. b.example.com. 1 2 3 4 5
>> example.com.                                  60 IN NS          ns.example.com.
>> example.com.                                  60 IN A           127.0.0.1
>> NS.example.com.                               60 IN A           192.168.1.1
>> OK
>> 
>> 
>> And in ldns_dnssec_rrs_add_rr() at https://github.com/NLnetLabs/ldns/blob/develop/dnssec_zone.c#L46 you can see at the end that equal RRs are silently ignored.
>> 
> Can you provide a cite?  Not disagreeing - just curious if its been written down in an RFC somewhere.
> 


RFC2181 (cited in ZONEMD) says:

   Each DNS Resource Record (RR) has a label, class, type, and data.  It
   is meaningless for two records to ever have label, class, type and
   data all equal - servers should suppress such duplicates if
   encountered.

DW