[DNSOP] TIMEOUT resource record RDATA format revisited
Tom Pusateri <pusateri@bangj.com> Tue, 23 July 2019 21:31 UTC
Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E083C120352 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 14:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bangj.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-uQdYc6F-Je for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 14:31:54 -0700 (PDT)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CE5A1202C3 for <dnsop@ietf.org>; Tue, 23 Jul 2019 14:31:54 -0700 (PDT)
Received: from dhcp-9bd5.meeting.ietf.org (dhcp-9bd5.meeting.ietf.org [31.133.155.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 07F373061E for <dnsop@ietf.org>; Tue, 23 Jul 2019 17:31:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bangj.com; s=201907; t=1563917513; bh=rKVlgDUchLiBK7g5FAV7KK+ry9FMEfZcp1R4kWbYffE=; h=From:Subject:Date:To:From; b=NFnZeLsrK4IeERTyZvg23wcMfFLVWvt28rIAknZnzklxjcyKuN91WsZYG7hoxjQlQ W+ZzS1louG8YbNyKT+w4A0Fox2lyjPr4LqhGAXX9s1Wqg92Crr73EhH0TA9kMgNOPG bNn7K9lJjKmj/FZn5VU9lroj3Bm9/suaMVSFL3KIiFF8hhmpOec/hE1s1vDMifkdrq QhE0ZsNkw3CGvG5CdXiWoJj7M0G7/mwFH0ocCDjC3ZvwkRXEsKCChATZlBRJ1ro1B0 XiwqOX08Ex7dicYniqblXWiiHrDSz0N4sCk4LGGGZq3WhQQljc0/LtiYGY4QZuak3H blyxrm5rVyHRQ==
From: Tom Pusateri <pusateri@bangj.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3566.0.1\))
Message-Id: <B5A0DA8F-3099-4CB7-B97A-5ECFBDCE00FB@bangj.com>
Date: Tue, 23 Jul 2019 17:31:52 -0400
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3566.0.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/djTpk_uGp347MipQKYhh2tSg934>
Subject: [DNSOP] TIMEOUT resource record RDATA format revisited
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 21:31:56 -0000
DNSOP, It’s exciting to see some implementation experience in bind 9 by Mark Andrews for TIMEOUT records and during this process several issues have come up with the current use of RDATA as the method to match represented records. Thanks Mark for all the work and feedback so far! 1. Representing multiple records RDATA within another records RDATA is difficult in the presentation format. This happens when written to a zone file and read back in. Multiple TXT records RDATA following each other has been tricky. 2. This is compounded by lengthy and complicated security records for uses like ACME and domain keys which are both time limited and potential uses of TIMEOUT records. 3. Creating TIMEOUT records and sending them with the nsupdate utility is also challenging with the RDATA method. 4. There is the (theoretical) possibility that a record already has max length. In this case it couldn’t be represented in a TIMEOUT record. In the initial version, we used a HASH in the TIMEOUT RDATA to represent the records and it was suggested to fallback to the RDATA because the HASH was a “premature optimization”. This was good advice and we followed it. But now with the experience we feel the HASH optimization is no longer premature but appropriate and would like to change the TIMEOUT RDATA format back to a HASH. The HASH also has the advantage of being a fixed length per record which is nicer for parsing and presenting in zone files. This time we are suggesting using the first 128 bits of SHA256 (instead of SHAKE128) due to the overwhelming request for this change earlier. Having talked to some security experts, we now feel comfortable with using only a portion of the calculated HASH without fear of collisions. This makes it the same length as an IPv6 address RDATA. It was suggested that we include both methods (RDATA and HASH) but we would prefer to only have a single method in order that we don’t run into problems with capability differences between primary and secondary servers. So hopefully everyone will approve of this change. If you have feedback one way or the other, we’d love to hear it. Thanks, Tom & Tim
- [DNSOP] TIMEOUT resource record RDATA format revi… Tom Pusateri