Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

Shane Kerr <shane@time-travellers.org> Sun, 01 September 2019 08:43 UTC

To: dnsop@ietf.org
References: <156135988131.17726.12457283360064863692@ietfa.amsl.com> <8EF45B1E-1F80-49CA-97E8-0E7DE497A313@verisign.com> <BD673DE3-C27D-4BD7-8A52-2146F6D65FD7@verisign.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <8e644f83-395e-4668-0d36-b7d62b2d3bbb@time-travellers.org>
Date: Sun, 01 Sep 2019 10:42:56 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dDd06ev44hbQecQq7uHtN4e4RoI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-00.txt

Duane and all,

On 08/08/2019 01.29, Wessels, Duane wrote:
> 
> AFAICT there was no feedback received after this most recent version of the ZONEMD draft was posted.  As I mentioned before, there was one pretty significant change in that version:
> 
>> The most significant change is that multiple ZONEMD records are allowed.  The document recommends that multiple digests be present only when transitioning to a new digest type algorithm and has this to say about verification given multiple digests:
>>
>> 4.1.  Verifying Multiple Digests
>>
>>    If multiple digests are present in the zone, e.g., during an
>>    algorithm rollover, at least one of the recipient's supported Digest
>>    Type algorithms MUST verify the zone.
>>
>>    It is RECOMMENDED that implementations maintain a (possibly
>>    configurable) list of supported Digest Type algorithms ranked from
>>    most to least preferred.  It is further RECOMMENDED that recipients
>>    use only their most preferred algorithm that is present in the zone
>>    for digest verification.
>>
>>    As a matter of local policy, the recipient MAY require that all
>>    supported and present Digest Type algorithms verify the zone.
> 
> 
> We would like to have feedback on this change before progressing to working group last call.

It makes sense to me.

I updated my proof-of-concept Python code to match this draft, and was able to verify the examples in it.

I think the draft is clear and complete enough for last call.

Cheers,

--
Shane
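The verification rule from section 4.1 quoted above (use only the most preferred supported Digest Type present, or, as local policy, require every supported one present to verify), as an added Python example; it is not Shane's proof-of-concept code nor anything from the draft. It assumes Digest Type 1 = SHA-384 as in the draft, invents type 2 = SHA-512 to model a rollover, and replaces the real canonical wire-format zone serialization with a plain byte string.

```python
import hashlib
import hmac

# Digest Type code -> hash constructor. Type 1 = SHA-384 follows the draft;
# type 2 = SHA-512 is an assumed second algorithm used to model a rollover.
DIGEST_TYPES = {1: hashlib.sha384, 2: hashlib.sha512}


def zone_digest(zone_data: bytes, digest_type: int) -> bytes:
    # Simplification: the real ZONEMD input is the canonically ordered
    # wire-format RRs of the zone with the ZONEMD Digest field zeroed;
    # zone_data stands in for that serialized byte stream here.
    return DIGEST_TYPES[digest_type](zone_data).digest()


def verify_zonemd(zone_data, zonemd_records, preference, require_all=False):
    """Section 4.1 policy. zonemd_records: (digest_type, digest) tuples found
    in the zone (at most one per type assumed). preference: supported Digest
    Types ranked most to least preferred. Returns (ok, types_checked)."""
    present = dict(zonemd_records)
    candidates = [t for t in preference if t in present]
    if not candidates:
        return False, []  # nothing we support is present: cannot verify
    # Default: only the most preferred supported algorithm present is used.
    # Local policy (require_all): every supported algorithm present must verify.
    checked = candidates if require_all else candidates[:1]
    for t in checked:
        if not hmac.compare_digest(zone_digest(zone_data, t), present[t]):
            return False, checked
    return True, checked


# Constructed sample: a zone mid-rollover publishes digests of both types.
SAMPLE_ZONE = b"example. 86400 IN SOA ns1.example. admin.example. 2019090101 ..."
OLD_ZONE = b"example. 86400 IN SOA ns1.example. admin.example. 2019083101 ..."
SAMPLE_RECORDS = [(1, zone_digest(SAMPLE_ZONE, 1)), (2, zone_digest(SAMPLE_ZONE, 2))]
# Same zone, but the type-1 digest was not regenerated after the last edit.
STALE_RECORDS = [(1, zone_digest(OLD_ZONE, 1)), (2, zone_digest(SAMPLE_ZONE, 2))]

if __name__ == "__main__":
    print(verify_zonemd(SAMPLE_ZONE, SAMPLE_RECORDS, [2, 1]))       # (True, [2])
    print(verify_zonemd(SAMPLE_ZONE, STALE_RECORDS, [2, 1]))        # (True, [2])
    print(verify_zonemd(SAMPLE_ZONE, STALE_RECORDS, [2, 1], True))  # (False, [2, 1])
```

The stale-digest case shows why the "require all" local policy exists: the default rule happily accepts the zone on the preferred type 2 digest alone, while the stricter policy surfaces the type 1 digest that no longer matches.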