IETF Logo Mail Archive

Re: [DNSOP] Second Working Group Last Call for: Message Digest for DNS Zones

"Wessels, Duane" <dwessels@verisign.com> Mon, 09 March 2020 20:25 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 513153A16FF for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 13:25:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yky4PlbBAyye for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 13:25:05 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCFA3A09C3 for <dnsop@ietf.org>; Mon, 9 Mar 2020 13:25:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10756; q=dns/txt; s=VRSN; t=1583785506; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=LXvLinptdMj24TP36eh7PTl9h7xFmg5uL59s+KNPEeE=; b=fTdIAQzjBLx0EmuNtPTCAaQtLud0vXC1mQD82yP3rEYgdOvrRsaMlO+5 0+DipJAJOwVbkQk30WQa4h5PTjARs7Uvxehv0WoBuipv3pfYxsXtSJGTH 0Usjpb4pDBzv77y59CFP3ICI9sHqT3qlBVTwyvfi/yugRu0p6BMq8Nxvz +dxgKQftZ1SP8rFCIDLqpecNlsxDXNdAIaFzgu5CpGggELl/b+KvCSi6h tSUfggzWGal1l7JDifYVxGnBNmUSfjdzwZ2NArCPGTGsf1xERD8iZyyZM FqXrZEV9FLj1WWRp//jzlyy64vlKNJ/an8fgsL+yYIL5B3qAvB+eFpCX2 g==;
IronPort-SDR: i4t7W3Rrqv5ugGxh7r8JyVHty9ZkLoNiYMmQl2pkBawPGtP+aCc1at8iX95zqtrl1GlvtOW6gG 3tKnzjOqHrm5hdQiSOqwNn1qd4TE4guKsZ9JCHSN4R6Y7LTNoC1x2SvNAoPAePBqYCTxticyOX vsq+x/DEgC0zMAuQAy3C3ft9BjwQoadzzjEdbvTVMAzEsrytHd5+79y4DvduT4LPgYwdg9BssB r+vf1kkVcPhtmyv2XkMk8hDvkE9/z6FdmCVPh0V3HpiInzaA9Exb9/Vn4YoQWzde1e6op94e1J dUg=
X-IronPort-AV: E=Sophos;i="5.70,534,1574139600"; d="p7s'?scan'208";a="848910"
IronPort-PHdr: 9a23:WkUCOxDrOljH9EHJoyTgUyQJP3N1i/DPJgcQr6AfoPdwSPXyr8bcNUDSrc9gkEXOFd2Cra4d16yP6vCrADdbqb+681k8M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAi5oAnLq8UanIhvJqksxhbHrHZDZvhby35vKV+PkBnw4du98oR++CpKofIh8MBAUaT+f6smSLFTESorPWMo6sD1rBfPVQSA6GcSXWUQiRpIHhPK7ArmUZfrsyv1rfRy1S+HNsDrV780WDCi76B2SB/0jSoMKjA0/H3LhsF2kalWuwyqqQBhzIHIYYGVLPt+cb3bfdMGXmpKQ8JdWzVcDo+gc4cDCuwMNvtaoYbgvVsDtRuwCxexCuPzxDFGhXH20q893eQgDQ7J0xctH90SvHTRttj1NLseXf6zwaLVzTvDdfRW2TLl5YTGch8uv+qMXalufsrV0kkjDx7OgFuNqYP/OTOayOoBuHWc4uV9W+OglXUnqxpvrTir3cchkZfJiZwPylDF7iV5wYk1JduiREFnZt6kFYJduieHPIV1WsMvW3xktDogxrEbu5O2cjIGxIknyhPRcfCKfIyF7gr+WOqNOzt0mXBodK6lixqv/kWtyffwWtS33VpSoCpKjNrBumwI2hHW8MeKSf9w8Vyk1DuByQzc9+BJLEUvmqffKpMswLs9m5QdvEnBAyD7nlj9grWMeUU+4Oeo7vzqYrDhppCBKYB5khr+MqEymsynBuQ4LxQOU3Cb+eui0L3j+lX0TahWgPMuj6XWsIjUK8saqaKlHQNZyJgj5Aq4Dze8yNQUh2MII09fdBKZlYjpIFfOLOrkAve4hlSgiDZrx/bYMb39GpjBM2TPnK38cbt/5UNQ0hc/wNBR6p5OBbwMJOr/Wkrru9zZCh85PRa0w+HiCNhly4wfV3yAArSCMKzMtV+I/fkiI/eSa48PuTb9MPkl5/HojXMjhVAdeqyp0YMNaH+kBvRmP1mZYX30j9cbH2YKsBA+Q/bsiF2BSj5efHmyX6cm6TE6DIKqF5vMRoeogLaZxie0AoVWZnxaClCLCXroa4eEWvkWZCKTPMBhjjIEWKOuS48kzx6utQv6x6B7IerT/y0SrYjj28Rt5+3PiREy8iR5ANmb02GWSGF0hngFRz4o06Bjr0xx0FCD0bJ3g68QKdsGy/JCUU8UL5fazPcyX8rtVBjIeNSSYFmjS9SiRzo2S4Ri7cUJZhM3JNi5lR3HxG7iL6IckbHBTMg47a/HxHX1PO5jxmzHz6guiR8tRc4ZZj7uvbJ26wWGX92BqE6ejav/MP1EhCM=
X-IPAS-Result: A2G6AAAqpWZe/zGZrQpmGwEBAQEBAQEFAQEBEQEBAwMBAQGBe4NAgQYKlSGDboV1kVsCBwEBAQEBAQEBAQMEAS8EAQGEQwKCMzgTAgMBAQsBAQEFAQEBAQEFAwEBAQKGS4I7KQGDUwEBAQECAR1cBQsCAQgOCi4CHxElAgQOBQ6DGAGCSgMOEahsgieFSoJEDYIQEIE4gVOKc4FCPoERJyCCTT6CG4Ivg0SCLASNdokEZokFjntEAweCPINxgjuMBIRSmzWaI4xygzICBAIEBQIVgWmBe3AVZQGCQT4SGA2OKAEXFY4QdI1+MV8BAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Mon, 9 Mar 2020 16:23:55 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Mon, 9 Mar 2020 16:23:55 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Dick Franks <rwfranks@gmail.com>
CC: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Second Working Group Last Call for: Message Digest for DNS Zones
Thread-Index: AQHV9lCoCuXqFURvQU+6qJmf3Q2s6Q==
Date: Mon, 09 Mar 2020 20:23:55 +0000
Message-ID: <73CDE5C0-FEA3-48D1-B3F2-21A42E0E1185@verisign.com>
References: <CADyWQ+GDfbaAKz9iAWVH=TP=2A3hr9iGhTarayAEjgF5TrnvXQ@mail.gmail.com> <CAKW6Ri6YbMKquv7sMqK5D4OH7Z=h-zuvmUXqfUG2NpJdu91ooA@mail.gmail.com>
In-Reply-To: <CAKW6Ri6YbMKquv7sMqK5D4OH7Z=h-zuvmUXqfUG2NpJdu91ooA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.11)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_B1E7E5D6-1C85-4FDA-9F2F-2B8DA1656187"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oWKyvTvAeacvE2joTZbwHhJDgI0>
Subject: Re: [DNSOP] Second Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 20:25:15 -0000


> On Mar 8, 2020, at 11:10 PM, Dick Franks <rwfranks@gmail.com> wrote:
> 
> draft-ietf-dnsop-dns-zone-digest-04 is still a work in progress, with a
> number of internal contradictions to be resolved.
> 
> 
> [1.2 para 1]
> 
>   ...  The procedures for digest calculation and DNSSEC
>   signing are similar (i.e., both require the same ordering of RRs) and
>   can be done in parallel.
> 
> There is no requirement for the RR collating sequence be the same as
> DNSSEC, otherwise it would be impossible for there to be more than one
> scheme.


Collation/scheme means more than just sorting.  It can also refer to how
the data is grouped or partitioned before digesting.  In the simple scheme
proposed here, all the zone data is sorted in a single partition.  A future
scheme could define a more sophisticated data structure that partitions
zone data by name, etc.  But the data within each partition would be sorted.

So you can have more than one scheme and still use DNSSEC sorting.  In my
opinion, DNSSEC sorting is sufficient, no matter the collating scheme.
The way to make ZONEMD perform well with incremental updates in a future
scheme is to define an efficient in-memory data structure and something
like a merkle tree.  The leafs of the merkle tree can still use DNSSEC
sorting, rather than needing to define some new sorting.

Having said that, I'm no opposed to change the text in 1.2.



> 
> [3.1 para 1]
> 
>   In preparation for calculating the zone digest, any existing ZONEMD
> +  and covering RRSIG
>   records at the zone apex are first deleted.

Happy to add this, although maybe unnecessary IMO because any time you delete
an RRset from a zone I'd expect the RRSIGs to also get deleted.


> 
> [3.1 para 1]
> 
>   Prior to calculation of the digest, and prior to signing with DNSSEC,
>   a placeholder ZONEMD record is added to the zone apex.
> 
> reword as follows:
> 
>   Prior to calculation of the digest, and prior to signing with DNSSEC,
>   exactly one placeholder ZONEMD record is added to the zone apex.
> 
> [3.1 para 5]
> 
> reword as follows:
> 
>   If multiple digests are to be published in the zone, e.g., during an
>   algorithm rollover, each digest calculation is performed independently
>   using the placeholder for the corresponding Scheme and Hash Algorithm.
> 
> [3.2]

I'll respond to this in your later followup message.


> 
> s/signature(s)/signature/
> 
> There can never be more than one.


Although perhaps not recommended or common, a zone can be signed with
multiple keys (ZSKs) so I'm not sure what you mean here?



> 
> [3.3] and [3.3.1]
> 
>    This specification adopts DNSSEC's canonical on-the-wire RR format
>    (without name compression) as specified in [RFC4034].
> 
>       RR(i) = owner | type | class | TTL | RDATA length | RDATA
> 
>       where "|" denotes concatenation.
> 
> The record collating sequence is scheme specific.

Yeah, good call.  I can move it to 3.3.


> 
> [3.4 bullet 3]
> 
>   o  Only one instance of duplicate RRs with equal owner, class, type
>      and RDATA SHALL be included ([RFC4034] Section 6.3).
> 
> This seems to detract from the idea of a general purpose comparison
> advertised in 1.3.5. If unexpected duplicate RRs were to be present in
> the original zone, the downstream copy should be expected to match,
> warts and all.
> 
> [3.5.1 para 5]
> 
> Needs to be incorporated into 3.3.

Not sure what you mean by that.


> 
> [3.6]
> 
> reword:
> 
>   Once a zone digest has been calculated, the published ZONEMD record
>   is finalised by inserting the digest into the placeholder ZONEMD.
>   Repeat for each digest if multiple digests are to be published.
> 
>   If the zone is signed with DNSSEC, the RRSIG record covering
>   the ZONEMD RRSet MUST then be added or updated.

Okay, thanks.


DW

v2.23.0 | Report a Bug | By Email