Re: [DNSOP] Review of draft-wessels-dns-zone-digest-04.txt
"Wessels, Duane" <dwessels@verisign.com> Mon, 29 October 2018 22:26 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D1D413107A for <dnsop@ietfa.amsl.com>; Mon, 29 Oct 2018 15:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WkDkBsYzULax for <dnsop@ietfa.amsl.com>; Mon, 29 Oct 2018 15:26:44 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A1691310E4 for <dnsop@ietf.org>; Mon, 29 Oct 2018 15:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=11149; q=dns/txt; s=VRSN; t=1540852004; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=uiOvHj7fUxwdawHZKznLm6dhXHcHjeuwxK1W5oKhvHs=; b=iGph+nsALrYzRPjiGnEaXho+5K9rN3yLrqQ3J/2RJI9MqCaNJ41NA9bt MRKVVa39rE/Qceb/0khQzAUaU68baxUMuRt6QNuA/N2ntLv2mqrpGJ6ye dVV6SyziuadetDXloQbMV8QuHq7YYhmwiq24Zqg3xxDQs123/KndY0nOa lM5j6wjHNztWePhr6WKI5ErmH26BCQ4PdbjtVcPc8UNgT3D8f5LjnptlA ZH3E2JsAV+bdjNRL0MATV24haygAPf/G9IiRZtiP8jIhZxMe/rQdCFx9Q 4mjlU1Mw+qjw+nT8XqOySah8LdqR8E4/tO4hPEyonL72fHl9+BfuJ9Y3f A==;
X-IronPort-AV: E=Sophos; i="5.54,441,1534824000"; d="p7s'?scan'208"; a="6069492"
IronPort-PHdr: 9a23:L4DO5BK7MmrFmctAP9mcpTZWNBhigK39O0sv0rFitYgfK/rxwZ3uMQTl6Ol3ixeRBMOHs60C07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9JDffwdFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUjq+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfFjfK3SYMkaSHJBUMhPSiJBHo2yYYgBD+UDPOZXs4byqkABrReiAAmhHv/jxiNWinLwwKY00/4hEQbD3AE4Ed4BsGrbrM7uNKgMVeC117HExijNYfNLwzj97pbHfh48qvyLQL1xf9TeyVI0FwzbilWQspfoPy2L2eQXsmib9OtgVe2pi2I9tw5xpT2vy94qh4LUhYwV0kjJ+ThlzIovONG1SkB2bcS5HJZQuSyWLYR7T8A6T211pCo20KAKtJyncCQQ1ZgqyB3SZ+aaf4WL+h7jWvieLDRkiH9gfb+wnRW//Ey7xeD5WMS4zktFoytAn9bXsn0A1h7e582JR/Zz/EquxDCC3B3J5O5eO0A7j6/bJoYkwr43i5Ucr1zOHjTzmEXqlK+WcVgk+vSw5+TnfLrmopicOpdphw/iKqoih8ywD/w3PAcPQ2SX5P6w1KP/8k3+WrVKluc6nbPEv5zAO8QbvLW5AwlP3ok/7Ba/Ci+q0NUenXYZMFJIYA+Lg5TzN13TIv31A+2zj0msnTpl3fzLMb7sDo3ILnfZkbfhebh961RbyAo21d1Q+pxVBa8aIPLoREDxsMfYAwQnMwOq2ebnCc591oIRWWKJGKOWLKTSsVqQ6uI1P+aMfJMVuCr6K/U94v7ukHw5mUQGcKmswJsXa224HvJ7LEmDZnrsmNgBG38QvgUiVOzqlEGCUTlLanmvWaI8/TY7CJq9AIfCWI+tnLKB0D28Hp1MaWAVQmyLRFL1dJiCV783aTybOMZkmzpMAb28SJQJ0AytqQn2jb19IbyH1DcfsMep69Vu/ODXjlV62SF9CcnXmzWBUGxvhW4MXBco0bp+uk1yzBGI1q0u0K8QLsBa+/4cClRyDpXb1eEvTomqAg8=
X-IPAS-Result: A2EJAAAdiNdb/zCZrQpkGwEBAQEDAQEBBwMBAQGBUQYBAQELAYQRCowDjgElepYmFIFmCAQBhGwCg080DQ0BAwEBAQEBAQIBAQKBEYI2JAGCYAEBAQECAXkFCwIBCA4KLgIwJQIECgQFDoMTAYF5q2CFO4RTD4JtiRGBQj6BEScME4FOSTWEZoNNgiYCiFcShXeQKQMGAoQUgW+EBocRkEeIN44+AgQCBAUCFIFDgg5wFWUBgkGCJQEXjhpvjAaBHwEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Mon, 29 Oct 2018 18:26:42 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1531.003; Mon, 29 Oct 2018 18:26:42 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Mukund Sivaraman <muks@mukund.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Review of draft-wessels-dns-zone-digest-04.txt
Thread-Index: AQHUb5/nUk4VIqDrAE2pW7oQRq67BaU3ELyA
Date: Mon, 29 Oct 2018 22:26:42 +0000
Message-ID: <B0240FFE-D4C7-49DF-8321-A3DF8F0BC794@verisign.com>
References: <20181029155524.GA13798@jurassic>
In-Reply-To: <20181029155524.GA13798@jurassic>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_5A390FE6-966B-4EA1-A2C9-6BEE34CA7E40"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hWmgcwBlwnLbdBcUnnM7ZH_KZiU>
Subject: Re: [DNSOP] Review of draft-wessels-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2018 22:26:54 -0000
Mukund, Thanks for the comments. I have incorporated most of them. I will follow up below on items I did not incorporate. > On Oct 29, 2018, at 8:55 AM, Mukund Sivaraman <muks@mukund.org> wrote: > > After a reading, despite what is said in Section 5, I'd like to see such > a scheme to be generally useful for larger zones and zones with high > rates of updates. There are some kinds of zones in common use which can > benefit from better performance. So I recommend working on an > incremental scheme now than having multiple types of schemes later. The feedback I have received regarding this point has been mixed. I have some folks saying "make it work with stable zones now, figure out dynamic zones later" and others saying "have to support incremental updates now." The proposal to have a reserved-for-future use field is an attempt to find compromise. I personally think incremental updates can be efficiently supported with a variable-depth Merkle tree. But I have concerns about the complexity / benefit tradeoff. I presented on this at the last DNS-OARC meeting (not sure if you had a chance to see it). This is why the authors propose proceeding with the Reserved field at this time. If it later turns out we can agree on a way to support incremental updates by using this 8-bit field, then that would be great. If not, we can, as you say, consume another RR type and the wasted 8-bits stays Reserved indefinitely. > > Again, it appears use of zone *file* is incorrect. It seems to appear > several times in this memo, and I'll not repeat this observation. My apologies. I've fixed it for the next revision. > >> The root zone [InterNIC] is perhaps the most widely distributed DNS >> zone on the Internet, served by 930 separate instances [RootServers] >> at the time of this writing. > > It can be argued, but I think popular RPZ zones have a lot more > distribution. More below. [citation needed]? > > RPZ seems like a good candidate for end-to-end authentication of data > without having to trust the peer a resolver got the data from, esp. for > open(unrestricted) policy zones. Some popular RPZ zones are very large, > and change very frequently (sooner than a minute). The current memo's > performance is inadequate to be used with such zones. Out of curiosity, are these large RPZ zones signed? I ask because some people say ZONEMD is worthless without DNSSEC and, as far as I know, policy zones don't necessarily need to align with the name space. > >> 2.1.1. The Serial Field > >> The Serial field is a 32-bit unsigned integer in network order. It >> is equal to the serial number from the zone's SOA record ([RFC1035] >> section 3.3.13) for which the message digest was generated. > > Why is this field necessary? Can't the serial number be determined from > the SOA's field? This was a point of discussion in earlier revisions: FOR DISCUSSION: the serial number is included in order to make DNS response messages of type ZONEMD meaningful. Without the serial number, a stand-alone ZONEMD digest has no association to any particular zone file. If there is agreement that ZONEMD responses are not useful, this field could be removed. See also the end of Security Considerations. Based on feedback from that revision, seems like there was consensus to keep the Serial field and allow ZONEMD queries/responses. > > I had mentioned this in my first reply to an early version of this draft. > > May I implore that that you avoid other hash types and make SHA-384 as > mandatory? So many types are not needed. SHA-512(/384) is a faster hash > to calculate on many 64-bit platforms (what will be typically used by > this draft's target market) than SHA-256, and its hash construction and > size (compared to the rest of the zone) are not very different from > SHA-256 to require SHA-256 as well. Speed is good, especially in this > simplistic version of this scheme. If you want to include more hash > algorithms, pick a different hash construction such as SHA-3. I was thinking it would be useful to have ZONEMD digest types track DS digest types, so that it wouldn't require a new RFC to define a new ZONEMD digest type. But I'm not sensing much support for this approach. As an implementor, you would be okay with, say SHA384 having value 4 when used in as a DS digest type, but value 1 when used as a ZONEMD digest type? > >> For the purposes of calculating the zone digest, RRsets having the >> same owner name MUST be numerically ordered by their numeric RR TYPE. > > in ascending or descending order? (I don't blame you.. RFC 4034 also > makes no mention of that except "sorting the names"). Does "... RRsets having the same owner name MUST be processed in numerically ascending order by their numeric RR TYPE" work for you? > >> 3.1.2. Special Considerations for SOA RRs > >> When AXFR is used to transfer zone data, the first and last records >> are always the SOA RR ([RFC5936] Section 2.2). Because of this, zone >> files on disk often contain two SOA RRs. > > Is this fair to say.. the "often" part? How about "sometimes" instead of often? > >> 3. For zones that are provably signed, the SOA RR and ZONEMD RR(set) > > Isn't >1 RR for ZONEMD prohibited by this draft? The distinction > "RR(set)" isn't clear vs. "SOA RR". Yes. There was a time when the draft was less clear about single/multiple ZONEMD records and I missed this one when cleaning it up. > >> Additionally, the ZONEMD record defined in this document includes a >> Reserved field. The authors have a particular future use in mind for >> this field, namely to support efficient digests in large, dynamic >> zones. We intend to conduct future experiments using Merkle trees of >> varying depth. The choice of tree depth can be encoded in this >> reserved field. > > Sorry I'm seeing this after writing some comments earlier. This > experimental Merkle tree scheme needs to be described more thoroughly to > make sense of "depth" to be encoded in the reserved field. Assuming the document were to move forward with this reserved-for-future-use field, I'm not sure what would be the appropriate level of detail to put here. I'd rather not get too caught up in those details yet. DW
- [DNSOP] Review of draft-wessels-dns-zone-digest-0… Mukund Sivaraman
- Re: [DNSOP] Review of draft-wessels-dns-zone-dige… Wessels, Duane
- Re: [DNSOP] Review of draft-wessels-dns-zone-dige… Paul Wouters
- Re: [DNSOP] Review of draft-wessels-dns-zone-dige… Mukund Sivaraman