IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt

"Wessels, Duane" <dwessels@verisign.com> Wed, 04 April 2018 16:27 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2844127869 for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 09:27:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLT-HkzygQHf for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 09:27:03 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF08D120724 for <dnsop@ietf.org>; Wed, 4 Apr 2018 09:27:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=2404; q=dns/txt; s=VRSN; t=1522859222; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=y6l/UEV8M/nc/NSC+L8VzCXDvI/WLSnwZljj6AeGNS0=; b=iEwvWppm+9zo11iZepr0UgREluyQ4y3wVvswj2r+sUDvyIxk/uE23yYm sBe3NyyJfUycMCxHtue1abaP1K2qoWzNRfq2U9yvb3i89NKGEbyyb10q5 LdkrA19XsMW10RfhgTYWpWOU43OAOELpeYLXj8IRAU7mhOaRNzFVrGRU6 uU9zgWJhdMlzKIRqzRycNjdO6Ph14VQwY9s/vNFjF+trPqjG+XXb5N5pB wnsx63bFx+Fl5g7WuvnOWcGoZpI4hyj+rC8YLBK/q/8f+EFzaMAm5Omiv uS9HMHrtD3dQcuVn89z4EnuSwQnQF6jtfkEq+mNZeuXEiyKbIgFq1GKZe A==;
X-IronPort-AV: E=Sophos;i="5.48,407,1517875200"; d="scan'208";a="4059465"
IronPort-PHdr: 9a23:NyuCdxbtUVO7IwruMBclFYX/LSx+4OfEezUN459isYplN5qZr8W+bnLW6fgltlLVR4KTs6sC17KN9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCazbL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjm58axlVAHnhzsGNz4h8WHYlMpwjL5AoBm8oxBz2pPYbJ2JOPZ7eK7WYNEUSndbXstJVyJPHJ6yb5cBAeQCM+ZXrYj9qEcBoxSxHgSsGPrvyjpUinPqwaE2zeIsGhzG0gw6GNIOtWzZoNv1O6gMSuC117fHzTHYb/9OxDzz5pXIfQonof6SU757bM3cxlQhFgzblVWQspLqPzeO1ukWrWiU8fBgVeO0i24mpAFxpCKjydsrionMn48YzE3P+yZhwIstONG0VFR3bcOmHZZerS2WKot7T804T212tys3yqUKtYOncCQQ1ZgqxRDSZ+aaf4WI7B/vTumcLDR+iXl4YrywnQyy/lKlyuDkU8m010tFoTRdn9nXs3ANywTT6s+aSvth5kuh2SiA1wTU6uxcOk80j6zbJ4Mlwr8/k5ocq0XDHivxmEXrkK+aalso9vK26+v5eLXmp4ScN457igH4KKghhsu/AeEgPggPWWiU5/i82aX+8UHlWrlGk/87n6fDvJzHJckWqLS1DxFa34sj8xq/Ci2p0NUcnXkJNlJFfxeHgpD0NFDAPv/4Fuy/jEqokDdw3P3GIKPuAo/MLnjYkbfhcrB951RAxwo0yNBT/4hUBa0ZIPLvRk/xs8TVAQI/MwyvxObnEM5w1oIAVmKTDK+VKqTSsUWH5ug3OemDeJcVuCrhK/gi//Puln85lkUbfaa3xpYXdHG4HvF4LEmAfXrsmM0OEXkUsQo6SOzllkeCUSVJa3a1RaI86WJzNIXzNofKQI3lo7Gbxm/vBZ1fYG1uFlGJHDL0bYyaVvMIZTiJZMh7nWpXe6KmTtpr6hy1rwL+0P4vAvfd/CBS/cbvy9Vu/ODXjjks+CZ1FMWS1SeGSGQizTBAfCM/wK0q+R818VyEy6UtxqUATdE=
X-IPAS-Result: A2EgAQBP+8Ra//WZrQpcGQEBAQEBAQEBAQEBAQcBAQEBAYU6CppREX6UTwuBeoMJAoRiNxUBAgEBAQEBAQIBAQKBEII1JAGCSQEBAQECAQ4sKxICBQsCAQgNCx4QMiUCBAoEBYUFriKIQYIlhUSDcz6BDCKCYoRZFoMwgiQCi3OLSwMFAogekk2PVgIECwITAYElMoF1cBVkAYIYgkiOBm+MWoEXAQE
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id w34GR0RR003858 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 4 Apr 2018 12:27:00 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Wed, 4 Apr 2018 12:27:00 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shane Kerr <shane@time-travellers.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt
Thread-Index: AQHTzDHBHRIp5RQb1UeLN1MJ20ZpGw==
Date: Wed, 04 Apr 2018 16:27:00 +0000
Message-ID: <C0B6E005-143D-44F5-AF7E-21FEFD376265@verisign.com>
References: <152277670738.22791.3511791082557717517.idtracker@ietfa.amsl.com> <88E182D8-64C4-4FFE-961C-AA3571F8A86B@verisign.com> <4cd3191a-e53c-87ad-1a6d-cbeee414b62f@time-travellers.org>
In-Reply-To: <4cd3191a-e53c-87ad-1a6d-cbeee414b62f@time-travellers.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.153.48]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <68743056EA23A9498E6BE296440F6000@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_5q2jgMEvawjDv_Y_qH7Yf0Kdgg>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 16:27:05 -0000

> On Apr 4, 2018, at 4:01 AM, Shane Kerr <shane@time-travellers.org> wrote:
> 
> One issue is that the algorithm proposed requires that the recipient who
> is generating a digest has to store basically the entire zone before
> beginning the digest calculation, since it has no way to know if the
> zone will be delivered in any kind of canonical order.

Yes.  Certainly for large zones this could be an issue.  We will have to
find the right balance between complexity and efficiency here.

I think it makes the most sense to perform a verification when the zone is
loaded or received by a name server, but it could also be done in an external
process, such as named-checkzone or ldns-verify-zone.


> 
> As for specific questions in the draft:
> 
> * I think that it should be allowed for unsigned zones. If nothing else,
>  it provides the equivalent of checksum to help prevent truncations or
>  not properly updated records (missing deletions or additions).
> 
> * I don't see much benefit in multiple ZONEMD. We generally expect
>  masters & slaves to co-operate, so they should be able to find
>  software that has an algorithm that both sides support.

Yes, but master/slave transfers can already be protected with TSIG.  Perhaps
the more interesting use case is out-of-band zone distribution.

> 
> * I think the serial in ZONEMD is helpful. Doesn't it also help prevent
>  replay attacks?

You might have to convince me that it does...

> 
> * I would rather not special-case ZONEMD regarding responding. Even
>  though it is bigger than most RDATA, large responses seem like a
>  general problem. OTOH, I won't object too loudly if someone feels very
>  strongly that this should be an option.
> 
> A final possible concern is that generating a digest on a large zone
> might be computationally quite expensive. Indeed it could be used as an
> attack vector on a hosting provider by using small IXFR to cause large
> zone digests to be repeatedly calculated. Is it worth exploring the
> possibility of including multiple ZONEMD in a zone at different names,
> which digest the part of the zone up to that point? So something like:


Yes, as currently specified it probably only works well with relatively static zones.
Again, we'll have to decide where we want to be in the complexity vs efficiency tradeoff.

DW

v2.23.0 | Report a Bug | By Email