Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

Donald Eastlake <d3e3e3@gmail.com> Thu, 08 October 2020 23:47 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 8 Oct 2020 19:47:29 -0400
Message-ID: <CAF4+nEEkt=QXZ6OErEBdvZgw4X6bhvB9yBjRjLAgY436i_o=FQ@mail.gmail.com>
To: Robert Wilton <rwilton@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dnsop-dns-zone-digest@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, "<dnsop@ietf.org>" <dnsop@ietf.org>, dnsop-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d_xUQIyy3AvV-h_BMG50JnKREpI>
Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

On Thu, Oct 8, 2020 at 7:18 AM Robert Wilton via Datatracker
<noreply@ietf.org> wrote:
> Robert Wilton has entered the following ballot position for
> draft-ietf-dnsop-dns-zone-digest-12: No Objection
>
> ...
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> ...
>
>     2.2.4.  The Digest Field
>
>        The Digest field MUST NOT be shorter than 12 octets.  Digests for the
>        SHA384 and SHA512 hash algorithms specified herein are never
>        truncated.  Digests for future hash algorithms MAY be truncated, but
>        MUST NOT be truncated to a length that results in less than 96-bits
>        (12 octets) of equivalent strength.
>
> When I read this, I wonder why the limit of 12 bytes was chosen.  Possibly a
> sentence that justifies why this value was chosen might be useful, noting that
> the two suggested algorithms have significantly longer digests.

To me, the purpose of the limit is to establish a minimum strength
against brute force attacks. Of course, the hash algorithm also has to
be strong but the length of the Digest field puts a sharp limit on the
strength of a ZONEMD.

Note that for the same reason there is a similar provision from 2006
in RFC 4635, Section 3.1, point 4, which sets a minimum size of 10
bytes for the hashes that appear in TSIG RRs.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com

>     ...
>
> Regards,
> Rob
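As an added illustration of the Digest length rule discussed in this exchange (example code, not from the draft or from either correspondent): a small Python validator for the ZONEMD RDATA Digest field. It assumes the draft's wire layout (Serial, Scheme, Hash Algorithm, Digest) and its algorithm codes (1 = SHA384 with 48-octet digests, 2 = SHA512 with 64-octet digests); the sample RDATA is constructed.

```python
import struct

# ZONEMD RDATA wire layout (assumed from the draft): Serial (4 octets) | Scheme (1) | Hash Algorithm (1) | Digest.
ZONEMD_HEADER = struct.Struct("!IBB")

MIN_DIGEST_OCTETS = 12  # Section 2.2.4: the Digest field MUST NOT be shorter than 12 octets (96 bits)

# Hash Algorithm codes from the draft and the untruncated digest size each one produces.
FULL_DIGEST_OCTETS = {
    1: 48,  # SHA384
    2: 64,  # SHA512
}


def parse_zonemd(rdata: bytes):
    """Split ZONEMD RDATA into (serial, scheme, hash_alg, digest)."""
    if len(rdata) < ZONEMD_HEADER.size:
        raise ValueError("ZONEMD RDATA shorter than its fixed 6-octet header")
    serial, scheme, hash_alg = ZONEMD_HEADER.unpack_from(rdata)
    return serial, scheme, hash_alg, rdata[ZONEMD_HEADER.size:]


def check_digest_length(hash_alg: int, digest: bytes) -> str:
    """Return 'ok' or the reason the Digest field violates the length rules."""
    if len(digest) < MIN_DIGEST_OCTETS:
        return f"digest is {len(digest)} octets, below the 12-octet minimum"
    full = FULL_DIGEST_OCTETS.get(hash_alg)
    if full is None:
        # Unknown/future algorithm: truncation is allowed, only the 12-octet floor applies.
        return "ok"
    if len(digest) != full:
        return f"hash algorithm {hash_alg} digests are never truncated; expected {full} octets, got {len(digest)}"
    return "ok"


def brute_force_bound_bits(digest: bytes) -> int:
    """Strength ceiling set by the field alone: guessing a digest value costs at most about 2**(8*len) tries."""
    return 8 * len(digest)


def validate_zonemd(rdata: bytes) -> str:
    """Parse and check one ZONEMD RDATA; returns 'ok' or the first problem found."""
    _serial, _scheme, hash_alg, digest = parse_zonemd(rdata)
    return check_digest_length(hash_alg, digest)


# Constructed sample: serial 2020100801, scheme 1 (SIMPLE), hash algorithm 1 (SHA384), full 48-octet digest.
SAMPLE_RDATA = ZONEMD_HEADER.pack(2020100801, 1, 1) + bytes([0xAB]) * 48
# Same record with the digest cut to 20 octets: above the floor, but SHA384 digests are never truncated.
TRUNCATED_RDATA = ZONEMD_HEADER.pack(2020100801, 1, 1) + bytes([0xAB]) * 20

if __name__ == "__main__":
    for name, rdata in (("full", SAMPLE_RDATA), ("truncated", TRUNCATED_RDATA)):
        print(name, validate_zonemd(rdata), brute_force_bound_bits(parse_zonemd(rdata)[3]), "bits")
```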