Re: [DNSOP] review: draft-wessels-dns-zone-digest-04.txt

Joe Abley <jabley@hopcount.ca> Wed, 31 October 2018 23:50 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB527128D09 for <dnsop@ietfa.amsl.com>; Wed, 31 Oct 2018 16:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVXUdqpRztiG for <dnsop@ietfa.amsl.com>; Wed, 31 Oct 2018 16:50:27 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13E44124BE5 for <dnsop@ietf.org>; Wed, 31 Oct 2018 16:50:27 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id q18-v6so11031864iod.5 for <dnsop@ietf.org>; Wed, 31 Oct 2018 16:50:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ZZn1DqTY/zDBZCYIy9r0hBFkV8zrJc90d5fnujSe6iQ=; b=UBOS2+glYCGTq+LyNXON6xk4C2HE7PuLOq+63MJ+ipfqZlHlKLO7iPEaYfxmTjpMUC k2C3VvTu2ECy221z3gR4F2FVvOYzlaP9Awi3+zZa4m035WOVED9hbLtlEkq18rysVJEL h/JRNi79FuQNEtTAiJ7VqigTQTPwc9DoLOIR4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ZZn1DqTY/zDBZCYIy9r0hBFkV8zrJc90d5fnujSe6iQ=; b=D2WqRZ7L4iPag9XOQpakJIt3hX31pIs0EDJi6C4E4z/y7xMdXCMk2KdWyedjHVDaRW HwyJAYnod5D9/TrEcJlmqdR039oKi/Dku7sW76+qS6zW0F5XOsX4flAIX+c1RQhXCc9U e8zQ6JE9Ii6rsqtehvvNf3syrBVd2YBp/8ejnU5X9lQiaSB+a88GUQwFrOOzMXLuK/ao 0K7jogL5Ekkh1NvTdqaLO2c2WCQLRdoXkiN+t8QQP7HrFRN7gJf5CkqFau/9Zz8OFSto EVnfqXGub9QHRQ0CIolnsbBWMYPpLIlXiSWGT4g9STvWcKp7zgfDGZYIzxAXkAZOuoAX 9L2g==
X-Gm-Message-State: AGRZ1gJQQVv54BoIp/viZQqozvCmNuClSdjXuOxSVCSih2WNjntKHP5E u5Dwl74Dy/ni0g0KUYHiW6j0k0yDIsc=
X-Google-Smtp-Source: AJdET5cLGYP/Aj8vbDc3WOU9Aco5KPVfntU01dh+b0K1mHY2/uVqjXXXdsLsrp8Sy0e/5j63gmlmhg==
X-Received: by 2002:a6b:918b:: with SMTP id t133-v6mr3727781iod.267.1541029826101; Wed, 31 Oct 2018 16:50:26 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:9d59:e8e9:c9ae:e2eb? ([2607:f2c0:101:3:9d59:e8e9:c9ae:e2eb]) by smtp.gmail.com with ESMTPSA id z136-v6sm11485542iof.23.2018.10.31.16.50.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Oct 2018 16:50:25 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <509F5E08-5EDF-4A54-BB34-A76BA390F01D@verisign.com>
Date: Wed, 31 Oct 2018 19:50:23 -0400
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <46FB2005-A7EF-42AD-9D78-5D121D26CB45@hopcount.ca>
References: <154020795105.15126.7681204022160033203@ietfa.amsl.com> <DD4AADA8-A23A-4C2C-9F0D-401CA5A51745@hopcount.ca> <509F5E08-5EDF-4A54-BB34-A76BA390F01D@verisign.com>
To: Wessels Duane <dwessels@verisign.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hYm_EmDO63gTtHE3TjiCwTLQtk4>
Subject: Re: [DNSOP] review: draft-wessels-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 23:50:29 -0000

Hi Duane,

On 31 Oct 2018, at 19:03, Wessels, Duane <dwessels@verisign.com>; wrote:

>> Section 1.2
>> 
>> I don't understand the benefits of suggesting that verification of a zone digest "would be implemented in name server software". The inference is that software that normally concerns itself with responding to queries should be extended to check zone digests, which seems unnecessary and contentious; in general it's not the libraries or executables in which the software live that is important but rather that there be a trusted relationship between the verification process and the software that consumes the validated zone data. I think the final paragraph could just be removed.
> 
> The thinking here is that its best to have the verification part as close to the serving part as possible.  If there is agreement that this text is an unnecessary distraction, then it would be okay to remove it. It doesn't affect the protocol itself. 

There is understandable sensitivity to the idea that new protocol development work makes diversity of implementation of nameserver software more expensive, since the list of specifications to support gets ever longer. I think there's value in emphasising that this protocol is optional by avoiding any inference that modifications to nameservers are required to use it. While that's certainly an option, it's an implementation decision, not a requirement.

>> I think supporting multiple ZONEMD records per zone using different digest types might be useful if it was specified in such a way that it ensured that consumers of the ZONEMD RRSet should not fall back to other digest types if their preferred type did not work. I understand the concern about downgrade attacks in general, but in this case if the ZONEMD RRSet is signed, a downgrade attack would require the ability to replace the covering RRSIG, and if you can do that you don't need to force a downgrade, you can just replace the ZONEMD RRs' RDATA with your own and re-sign illicitly.
> 
> I think you might be the first person to argue for supporting multiple ZONEMD algorithms per zone. I actually expected more.
> 
> What you're saying is that a recipient would have a list of supported algorithms, ordered by its own preference.  It finds the most-preferred ZONEMD RR, and uses only that one for verification, ignoring all others.  Correct?

That seems reasonable, although I'm not convinced I fully understand the restriction on checking only one. Seems to me that could also be left to local policy, along with the interpretation of the case where some subset of ZONEMD RRs in a set fail verification.

>> Section 2.2
>> 
>> You don't specify the representation of unsigned decimal integers clearly enough for me to know whether leading zeros are tolerated or preferred.
> 
> I emulated RFC 4034 here.  I guess I'm not aware of any decimal presentation fields that prefer leading zeroes.  How would you like to see it specified?

If it's good enough for 4034 then I guess it's good enough for this draft. I just always find it imprecise to specify that a value should be presented (or provided) as a decimal integer without confirming whether 123 0123 000123 and 1.23E2 are equivalently acceptable.

>> Section 3.1.2
>> 
>> I think that in the specific case mentioned the two SOA RRs are expected to be identical. I wonder whether it's worth generalising the advice to confirm that where there are multiple identical instances of RRs within a single RRSet (same owner name, RRType, RDATA, class, TTL) only one is included in the calculation of the zone digest?
> 
> It sounds wrong to me to say that identical instances of RRs would not be allowed in a zone.

It's true though, right? It's not meaningful to include more than one resource record with the same (owner,type, class, TTL, RDATA) in the same RRSet, and hence also not meaningful to include such duplicates in a single zone (which is a particular set of RRSets). I don't think RFC 1034 is explicit about this, but it's surely implied. I don't know of any nameserver software that would allow duplicates like that, though, with the possible exception of the SOA. Quite possibly I have just typed more nonsense about this than the world ever needed to see.

>> Perhaps SOA is the only example of this. For the precise reasons given, calling SOA out as a well-known example would make sense even if the specification was generalised as suggested above.
> 
> Mukund informed me that repeated SOAs are likely less common than I believed, and probably due to
> thinking in terms of "zone files" rather than zones.  Perhaps the bullet about multiple SOAs should
> just be removed.

Repeated SOAs are specified in RFC 5936 section 2.2; even if a retrieved zone never touches a disk the AXFR response is still bracketed by identical SOA RRs. I think it's reasonable to consider that framing though and not the presence of a duplicate RR in a zone structure.

>> Section 3.3
>> 
>> I don't see the point of ZONEMD in the absence of DNSSEC. This section to me suggests that there might be a point to it. I don't know what that might be.
> 
> The only point would be so that you could discover accidental zone corruption, rather than intentional fiddling.

Oh, true. That might be worth spelling out.


Joe