IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

Bob Harold <rharolde@umich.edu> Thu, 08 August 2019 15:56 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ADF21201B7 for <dnsop@ietfa.amsl.com>; Thu, 8 Aug 2019 08:56:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMzBsPzkXGfQ for <dnsop@ietfa.amsl.com>; Thu, 8 Aug 2019 08:56:35 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C897B1201CD for <dnsop@ietf.org>; Thu, 8 Aug 2019 08:56:34 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id x3so67343203lfc.0 for <dnsop@ietf.org>; Thu, 08 Aug 2019 08:56:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6zxWO3VFw6Q+7i+Wka9unpv3JdPaNFjFoBMsvV4Q4Qg=; b=cOxAyFg7ubHKTsKc6JbRY2xyZtDR0XcxmyPR4E/ePigNk3QkzzAGzVfkRBRMRGmW5B 8WBaGyVTS67bZVAPpFxEGjJHT2ZKTN5XYoLqJ5+2QBmrqqo26dRnfnCI2KrpGbVl+AHO YEYHW0SORMDGvnolfrAjdUxWJPd8U8nyjsPIkdLSt6PISDaTpn9hpXv0tcTjLTZ9Vcjh bULy/gGGVpRpDH4AHNFd+z0QKt1mvDME93JE3jFd0z2RhOCCJUAKwoAqI2tGjb/LzVo2 ixjDevT4lEiOPnBU17z+zOb4Xxk2+x1wq2xN2MHRukEEyUC88CErZMFWc5rJeScNGSwB N76w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6zxWO3VFw6Q+7i+Wka9unpv3JdPaNFjFoBMsvV4Q4Qg=; b=Maf80wyYgwQtq5uph0enXpG2vb+ajsiDpXl0qhUNn/HQmSRYEGkX4Rinkf0NaZ+c5i mYdu7k36NtP6KW2oyR7QyQL4Ow9RPMY6UFGfEM+xkxX+mauJfFmTDhLCh1NuPFruiiad kVomOyuNLPauQyzYQGKDU7xINaQjc56JFlHBhseXNgvcg6e7VPdClAYv7F/jdwYJdaa0 PM5wQLErBhz9YScpOJ4WH8DQGdWiY0lJrwiJYmxENrc0Jd9wlj17Z9u3tV8oqu/oN2cd YnQw7LeKwzJTrF4n9yw3/lTpW3aKcrJptYuMkkrB1zZjBVYSk1waK5EMAy4yu2fUDlxF CqmA==
X-Gm-Message-State: APjAAAWi1Rwipo179qWqHWonGJDHg5xUgpnz+CekEMe45JniLcoQTRsi OHxFuIKerIbaxJmUaQ9Ei8dwMbVXG83jD24AI0Hb/w==
X-Google-Smtp-Source: APXvYqy9SrTqvc4XfDYkwap1P3Shh99zjYQ9M68Vtlf8z4KCyy+1vsTDxJWqMd/ZVLnNcqxeZx30546ox3FJnuRXlxc=
X-Received: by 2002:ac2:4309:: with SMTP id l9mr9722891lfh.65.1565279792846; Thu, 08 Aug 2019 08:56:32 -0700 (PDT)
MIME-Version: 1.0
References: <156135988131.17726.12457283360064863692@ietfa.amsl.com> <8EF45B1E-1F80-49CA-97E8-0E7DE497A313@verisign.com> <BD673DE3-C27D-4BD7-8A52-2146F6D65FD7@verisign.com>
In-Reply-To: <BD673DE3-C27D-4BD7-8A52-2146F6D65FD7@verisign.com>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 08 Aug 2019 11:56:21 -0400
Message-ID: <CA+nkc8Ac0_++KRstiNVrCuuRUKqWDnSA8+hrwODN5NMwNRO7BQ@mail.gmail.com>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006e70a058f9d1a47"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W5B340i0zsdTZHUklu3Xw8-N5iY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2019 15:56:50 -0000

On Wed, Aug 7, 2019 at 7:29 PM Wessels, Duane <dwessels=
40verisign.com@dmarc.ietf.org> wrote:

> Greetings DNSOP,
>
> AFAICT there was no feedback received after this most recent version of
> the ZONEMD draft was posted.  As I mentioned before, there was one pretty
> significant change in that version:
>
> > The most significant change is that multiple ZONEMD records are
> allowed.  The document recommends that multiple digests be present only
> when transitioning to a new digest type algorithm and has this to say about
> verification given multiple digests:
> >
> > 4.1.  Verifying Multiple Digests
> >
> >   If multiple digests are present in the zone, e.g., during an
> >   algorithm rollover, at least one of the recipient's supported Digest
> >   Type algorithms MUST verify the zone.
> >
> >   It is RECOMMENDED that implementations maintain a (possibly
> >   configurable) list of supported Digest Type algorithms ranked from
> >   most to least preferred.  It is further RECOMMENDED that recipients
> >   use only their most preferred algorithm that is present in the zone
> >   for digest verification.
> >
> >   As a matter of local policy, the recipient MAY require that all
> >   supported and present Digest Type algorithms verify the zone.
>
>
> We would like to have feedback on this change before progressing to
> working group last call.
>
> DW
>

Allowing multiple digests is good for algorithm rollovers.

It would be nice if the receiving end could warn (without failing) if it
did not recognize the new algorithm.
If the new algorithm was known but did not verify, I don't know whether to
pass or fail, but at least warn.
I don't see a good way to specify that, so it may be out of scope for the
draft.

Seems fine to me as written.

-- 
Bob Harold

v2.23.0 | Report a Bug | By Email