Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Tony Finch <dot@dotat.at> Mon, 30 July 2018 13:17 UTC

Date: Mon, 30 Jul 2018 14:17:31 +0100
From: Tony Finch <dot@dotat.at>
To: John R Levine <johnl@taugh.com>
cc: Ondřej Surý <ondrej@isc.org>, dnsop@ietf.org
In-Reply-To: <alpine.OSX.2.21.1807290047300.46393@ary.qy>
Message-ID: <alpine.DEB.2.20.1807301416020.3596@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mHYSbMcaGpQe7aWhniUikdPPVpw>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

John R Levine <johnl@taugh.com> wrote:
>
> I'm also thinking the hash wouldn't need to include the RRSIG records, since
> those are mechanically derived from the underlying records and the ZSK.

If you omit the RRSIGs from the hash, you'll have to verify all the RRSIGs
to ensure you aren't serving a bogus zone, and this is more expensive than
including the RRSIGs in the hash.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Tyne, Dogger: South or southeast veering southwest 4 or 5, occasionally 6 in
Dogger. Slight or moderate. Showers. Good.
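The cost and coverage argument in the reply above, as an added illustration that is not part of the thread and is not the digest algorithm of draft-wessels-dns-zone-digest. It assumes a simplified serialisation (tab-separated text records sorted and hashed with SHA-384, not the draft's canonical wire format), a constructed sample zone, and placeholder RRSIG rdata that are not real signatures. The point it demonstrates: a digest that omits RRSIG records still matches after one of those signatures has been altered, so a consumer relying on such a digest must validate every RRSIG to be sure the zone is not bogus, whereas a digest that covers the RRSIGs detects the change with one hash comparison.

```python
"""Added example (not from the thread or the draft): digest coverage with and
without RRSIG records.

Assumptions, all constructed for this example:
  * a record is an (owner, ttl, rtype, rdata) tuple of text, not the
    draft's canonical wire format;
  * the digest is SHA-384 over the sorted, newline-joined records it covers;
  * RRSIG rdata below are placeholders, not cryptographically valid signatures.
"""
import hashlib

# Constructed sample zone: plain records plus the RRSIGs that would sign them.
ZONE = [
    ("example.", 3600, "SOA",
     "ns1.example. hostmaster.example. 2018073001 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "RRSIG",
     "SOA 8 1 3600 20180830000000 20180730000000 12345 example. PLACEHOLDER-SIG-SOA"),
    ("example.", 3600, "RRSIG",
     "NS 8 1 3600 20180830000000 20180730000000 12345 example. PLACEHOLDER-SIG-NS"),
    ("www.example.", 300, "A", "192.0.2.1"),
    ("www.example.", 300, "RRSIG",
     "A 8 2 300 20180830000000 20180730000000 12345 example. PLACEHOLDER-SIG-A"),
]


def canonical(record):
    """Simplified canonical text form: lower-cased owner, tab-separated fields."""
    owner, ttl, rtype, rdata = record
    return f"{owner.lower()}\t{ttl}\t{rtype}\t{rdata}"


def zone_digest(records, include_rrsig):
    """SHA-384 over the covered records; RRSIGs are covered only if requested."""
    covered = [r for r in records if include_rrsig or r[2] != "RRSIG"]
    lines = sorted(canonical(r) for r in covered)
    return hashlib.sha384("\n".join(lines).encode("ascii")).hexdigest()


def tamper_rrsig(records):
    """Copy of the zone with the signature bytes of the first RRSIG altered."""
    out, swapped = [], False
    for owner, ttl, rtype, rdata in records:
        if rtype == "RRSIG" and not swapped:
            rdata = rdata.replace("PLACEHOLDER-SIG", "TAMPERED-SIG", 1)
            swapped = True
        out.append((owner, ttl, rtype, rdata))
    return out


def digest_detects_tampering(include_rrsig):
    """True if altering an RRSIG changes the digest under the chosen coverage."""
    return zone_digest(ZONE, include_rrsig) != zone_digest(tamper_rrsig(ZONE), include_rrsig)


def signature_checks_needed(include_rrsig):
    """Number of RRSIG validations a consumer must still perform to trust the
    signatures: none beyond the digest if RRSIGs are covered, otherwise one per RRSIG."""
    if include_rrsig:
        return 0
    return sum(1 for r in ZONE if r[2] == "RRSIG")


if __name__ == "__main__":
    for include in (True, False):
        print(f"RRSIGs covered={include}: tampering detected by digest="
              f"{digest_detects_tampering(include)}, "
              f"extra signature checks={signature_checks_needed(include)}")
```

Run stand-alone it prints one line per coverage mode; with RRSIGs covered the altered signature changes the digest, without them the digest is unchanged and the consumer is left with one signature validation per RRSIG in the zone.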