Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt

Bob Harold <rharolde@umich.edu> Mon, 22 October 2018 16:53 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 012EF130E61 for <dnsop@ietfa.amsl.com>; Mon, 22 Oct 2018 09:53:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUr_X0RrOmh1 for <dnsop@ietfa.amsl.com>; Mon, 22 Oct 2018 09:53:43 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5C59130E18 for <dnsop@ietf.org>; Mon, 22 Oct 2018 09:53:42 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id z21-v6so37671641ljz.0 for <dnsop@ietf.org>; Mon, 22 Oct 2018 09:53:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1WLDWK+VsCsfKANzricjwFENUjWQuS+Z5eIRwSv0gew=; b=eNS5nYW2OZ8meUwst/cFxstJ1/HqBxBrar8leaXJnnI3v4L/m1DrdRBTW5ltI50G5U +84Dpz9YcctYChjPbu/U8vq3nvACwJ8eHFGe2mqBVOtBs3K9/PvFakRPa8T3hSABsxlN B4RahN3VRIU6wMNUMO5LMvuHFDsRN2fKJ98WCTILrYqmZwMdm66l5DgPm32YS5gJmljr eehBCQOen2rjSLTtl4uAG8Z5AqjOwtwd+uQNWkSuQtPIpRk5iKbnore8l9JLUau2T9OK 7ue1mrZiWOL2JOra7jdr6hYc1FWAn7X8Sp+9aVmtkny43j24uuM/b45g+gIStK61WKUe 53Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1WLDWK+VsCsfKANzricjwFENUjWQuS+Z5eIRwSv0gew=; b=aQdurZZ66Wfw4gZcV5aKpp7c8/VYKrRvc4WkoZ2ksiK5rDG/gQZ4lD7cyNRc7vngIX OxB3NqawUrMMEFcDZYPdAHQmcnHL4HUqvY9uqClnIxK/3pSWoLR+f+ZznzGm6TauIVWk wINBTT5OxNNavjFQR+0Z/8NENPLLP/SZQVupMAIjMLzHb2u3Dv3N+1CTNy1OQnizdQrf sxxYjt+4cJCwpPse4iJ6l2PDUf/rD/dudXr/GrRNSQX2jmilHKNxP69Uxlj5uu3F/F+p r052wTLVxndxSLFdhf5zYfaZNb00BuNEVQ2oad+0tU7MK7HsQKo3AvFi8b2xWNV6bO/Q JWTQ==
X-Gm-Message-State: ABuFfogyP1KvS4GMAbwOhX+eGOI0NJxSF1zuWAP0gvJdvpDXIzBMAReD wgWOAjd2hF0etT7Nakz/jT4WcGUgmeGX+a9yOGH9QXsV
X-Google-Smtp-Source: ACcGV63hE7kQoX+6xQySRArq5URwHF8qJTHlayk9sq2NPIa0ch7nNBECRGRbUQZHWUIJNHKtiKOeH1jTz3RY1nH5jyw=
X-Received: by 2002:a2e:4255:: with SMTP id p82-v6mr29721569lja.58.1540227220472; Mon, 22 Oct 2018 09:53:40 -0700 (PDT)
MIME-Version: 1.0
References: <154020795105.15126.7681204022160033203@ietfa.amsl.com>
In-Reply-To: <154020795105.15126.7681204022160033203@ietfa.amsl.com>
From: Bob Harold <rharolde@umich.edu>
Date: Mon, 22 Oct 2018 12:53:28 -0400
Message-ID: <CA+nkc8CR3KL0EVfkWF2U1coRh+chhNxjGWNevOG++BAt0YDwXw@mail.gmail.com>
To: IETF DNSOP WG <dnsop@ietf.org>
Cc: i-d-announce@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005999a60578d41844"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oVgkW4ZCChtJxaC5m54QYBepaKA>
Subject: Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 16:53:49 -0000

On Mon, Oct 22, 2018 at 7:32 AM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : Message Digest for DNS Zones
>         Authors         : Duane Wessels
>                           Piet Barber
>                           Matt Weinberg
>                           Warren Kumari
>                           Wes Hardaker
>         Filename        : draft-wessels-dns-zone-digest-04.txt
>         Pages           : 26
>         Date            : 2018-10-22
>
> Abstract:
>    This document describes an experimental protocol and new DNS Resource
>    Record that can be used to provide an message digest over DNS zone
>    data.  The ZONEMD Resource Record conveys the message digest data in
>    the zone itself.  When a zone publisher includes an ZONEMD record,
>    recipients can verify the zone contents for accuracy and
>    completeness.  This provides assurance that received zone data
>    matches published data, regardless of how the zone data has been
>    transmitted and received.
>
>    ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC is designed
>    to protect recursive name servers and their caches, ZONEMD protects
>    applications that consume zone files, whether they be authoritative
>    name servers, recursive name servers, or uses of zone file data.
>
>    As specified at this time, ZONEMD is not designed for use in large,
>    dynamic zones due to the time and resources required for digest
>    calculation.  The ZONEMD record described in this document includes
>    fields reserved for future work to support large, dynamic zones.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-wessels-dns-zone-digest/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-wessels-dns-zone-digest-04
> https://datatracker.ietf.org/doc/html/draft-wessels-dns-zone-digest-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-wessels-dns-zone-digest-04


Just my opinions:

Keep the Reserved field

Include occluded data - it is part of the zone, even if never served.
(Similar to glue data when a server has both a parent and child zone.)

If you might have multiple zonemd records not at the apex later, why not
allow them now?  Otherwise, your choice whether to restrict them.  (Someone
will find a use for them, like verifying glue records.  Everyone else can
ignore them.)

-- 
Bob Harold