IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-04.txt

"Wessels, Duane" <dwessels@verisign.com> Thu, 27 February 2020 17:47 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D2223A0E07 for <dnsop@ietfa.amsl.com>; Thu, 27 Feb 2020 09:47:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id quXq7QCN3X3I for <dnsop@ietfa.amsl.com>; Thu, 27 Feb 2020 09:47:03 -0800 (PST)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32A5D3A0E2C for <dnsop@ietf.org>; Thu, 27 Feb 2020 09:47:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=14448; q=dns/txt; s=VRSN; t=1582825623; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=CYnu+zDJBldiR8YLJZteVY081Azph81+SZtFoh7uFjw=; b=Mzk7kjZ2i2y0TLv2p71uk0/NrxwfJYMJJXBMI13mLVz0aZgmyfnCZwkF PzlBIqZfvv8GzBgWMFbMXqnNJVMPxoJYcIySnUZC1Cm+tVEfeG1scaybF G454xYQrts8BfwRyDmamrwBixlDSCR9ysbyamxHUgiCiv+rPalD5lcWmX ba1asMx+frSReYlNfA9PjkFzlouZQrrnrJhVrcBWaoJ/uW73EkAxZMOCI xDHJ1gHu9NmQkXVvoDPMSuAY3PZWauCKSZW/VvpPreS3fRV8g3LhgM9xE L1ih94ljhZcFk3/diZS80btnSJCZIX2tfV4BLQE2v10WJXGqmJreSO5At g==;
IronPort-SDR: s9IpaJ8xYybbCmlrOngqOTxQRDlJbrMYc05JwYeDOpeBCc2lWVAO5LiTJonhUTw/yoERA7JCnr oNmhvzk7NG3tdNJg/OU/9+ekous294kzMUTA0TinWY5nMS3N+SD6utt/mR5MFULjv0sudWVcuT wAdkg8DpjMtTnphRG+0ojwCqgmJRkbXvIk4zvfwmPgiwWv15bn2Rew2Nq542Zr/rj+M0sqbwDG xcVNAil2L9yMqbdJAetUVlDdahp5TySDzcsQAjgsm6Ef98X2W4ljvLYtFyDRWqftQNQLFy07oH yC8=
X-IronPort-AV: E=Sophos;i="5.70,492,1574139600"; d="p7s'?scan'208";a="767757"
IronPort-PHdr: 9a23:sJdqxRSwX43HHO1nxcjPpw3as9psv+yvbD5Q0YIujvd0So/mwa6zYR2N2/xhgRfzUJnB7Loc0qyK6vymCDJLuM7Z+Fk5M7VyFDY9wf0MmAIhBMPXQWbaF9XNKxIAIcJZSVV+9Gu6O0UGUOz3ZlnVv2HgpWVKQka3OgV6PPn6FZDPhMqrye+y54fTYwJVjzahfL9+Nhq7oRjeu8UMhYZvK6k9xgbVrndUZu9b2X5mKVWPkhnz4cu94IRt+DlKtfI78M5AX6T6f6AmQrFdET8rLWM76tD1uBfaVQeA6WcSXWsQkhpTHgjK9wr6UYvrsiv7reVyxi+XNtDrQL8uWDSi66BrSAL0iCoCKjU0/n3bhtB2galGux+quQBxzJDIb4GULPp+f73SfdUGRWpaQ81dUzVNDp6gY4cTCuYMO/tToYvgqFsUtRawBReiCv7zyjFGhXH206813eMgEQ7a0wMtBN0OvGjRrNjvNKceTf65wa/VxjvDdfNW3jL95ZDGfh8hv/6MRqlwftTVyUk0Dw/Ok1ueqZH/MDOTyOsBvXWQ4u19WuOhlWEnsBpxrSarxsc3kYTJmJwaykrF9SViwYY1Ktu4RFRnbt6jFZtdrieXPJZ1TMM6W2xkpTo2xqcbtZO5ciUG0okryh7RZvCdfIWF4QrvWPuNLTtimX5oeq6ziwyv/UWvyeDwTNS43VVSoipLjNbBtWwB2hnW58edSfZw+lyu1DOB2gzN9+5JIEU5mrHfJpMgwLM9k5QevErBEyDrnkj9kbWYeV8++uey7uTqerDmppiBOIBqkgz+KaEumtCnAeQ/LwgOQ3CX+eSi273n+k30WKhHgOEunKXEsJ/UPcsVqa+lDwNIyIoj9QqwDzC80NQAh3UINk9KdAiZj4jzIFHOJur0Auu4g1SpiDtrxvbGMaP9ApjVM3TPjK3tcat/5kNS0gY/0NBS6pxOBrwOI///Qkrxu8bZDh89PQy02eHnCNBl24wDV2OAHLSZMLjMvl+M/eIiOPeMa5EPuDb8MPgl5vHujXkjlVABeqmp2IMbaGqkEfR+P0WZfX3sj88EEWcRvAozV+rqiEGCUT5LeXmyRac85iwnCI28EYfDR4etgLqb0CinGZ1WY3hMCkqQHnfwa4WER/AMZTqPLc9niTwEUqChRpQg1R6wqA/6xaBrLu3O+i0X5trf041Q5ubTnBw2vQdoLcOd1XrFG2RvnEsOWz8u0bp6vFB01laE1+5zhPkORvJJ4PYcGDg3LoXRy/c+Q/zvUwTMNJ/dREmrWc6rBSoZUN8rwsQPbEA7ENKn2EOQlxG2CqMYwuTYTKc/9bjRij2of55w
X-IPAS-Result: A2E6AgAKAFhe/zCZrQpmHAEBAQEBBwEBEQEEBAEBgXuBeIFIgQYKlRiDbpVogWcCBwEBAQEBAQEBAQMEAS8EAQGBTIJ0AoItOBMCAwEBCwEBAQUBAQEBAQUDAQEBAoYsgjspAYNTAQEBAQIBDlcGDgULAgEIGBUEAhMCMCUCBAoEBQ6DGAGCWxGvPYInhUqEZRCBOIFTiAmCY4FCPoERJyCCTD6EBEZAHwKCY4IsBI1IiS2JZI5HdgMHgjyDcII7kFabLo4UmHGDMgIEAgQFAhWBaYF7cBU7KgGCQT4SGA2OJgIBF44ldIFoiwqBMYEQAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 27 Feb 2020 12:46:14 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Thu, 27 Feb 2020 12:46:14 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Michael StJohns <msj@nthpermutation.com>
CC: dnsop WG <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-04.txt
Thread-Index: AQHV7ZXO5adOBwYw1kaGI9Grxs3KNA==
Date: Thu, 27 Feb 2020 17:46:14 +0000
Message-ID: <ACF3155B-3D04-42D3-AF79-E06FDABBE30F@verisign.com>
References: <158258479417.24286.15972230615732983631@ietfa.amsl.com> <25353EC1-D84B-4507-80F9-9059174B8D0C@verisign.com> <6ef6e6f9-5ba9-b298-d500-5fb0eaed7462@nthpermutation.com>
In-Reply-To: <6ef6e6f9-5ba9-b298-d500-5fb0eaed7462@nthpermutation.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.11)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_D861641E-E1B7-4FB2-8E4B-ED3EBD3F9DFF"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oYu0fXdt2tdlHG-bnq9qqHcvpAo>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2020 17:47:13 -0000


> On Feb 24, 2020, at 7:32 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> An improvement, but still:

Thanks Mike.

> 
> 1.3 - general  - add something like "Specifically, ZONEMD covers the integrity of <your text here> records that are not otherwise covered by DNSSEC".

Sorry, I don't quite follow this.  There is currently no text between 1.3 and 1.3.1.  Are you saying that the text suggested above should go there?  Or did you mean 1.3.5?  Feels like "Specifically, ..." should follow some thing so I'm not sure.

> 
> 1.3.5 - "zone digest calculation" not simply "zone digest" - this doesn't require a ZONEMD record.

Ok, changed.

> 
> 1.3.2, 1.3.3 and 1.3.4 are mostly "off-line" (not DNS in-band) services.  It's still unclear to me the value of a ZONEMD record vs something like a hash (signed or unsigned) separately published (ala root key down loads, or various software with published hashes)  1.3.1 may have some benefit... but still may be just another off-line service.

To me the value is quite clear.  The digest can be signed by the publisher, whose keys are already known and easily found.  By being part of the zone the digest is automatically propagated no matter how the data is transferred.


> 
> I think you still missed the point on Scheme/Digest mechanism.   For Scheme 1 - SIMPLE - the ancillary data is 1 byte of digest algorithm indicator and N bytes of the actual digest per the digest, and the digest is calculated per section 3.  For scheme 2 -N  - the ancillary data is not specified, and the RR may not have a digest indicator, or may have several indicators or fields.   Describing the RRSet as Scheme plus data, and then describing the format of the SIMPLE scheme's  data field is clearer for the extension model.      That also implies that any RRSet with a unknown scheme has to be digested as if the entire data field (e.g. including the digest field for SIMPLE) is zeros*****.
> 

I disagree.  The scheme + algorithm + digest is, IMO, the better approach.  The presentation format is better and more understandable.  I believe there is significant value in having the RDATA fully parsable by libraries and such.  It strikes the right balance between extensibility and simplicity.

The Scheme space is large enough to a wide variety, and even encode some "indicators" in the scheme value.  For example, if you wanted to have a Merkle-tree based zone digest one of the indicators might be how to partition the name space and another might be the tree depth.  The scheme could be MERKLE-DEPTH4-SHA2.  

If the RDATA were scheme + ancillary then we would have to change all the rules about multiple ZONEMD RRs to support algorithm rollovers.  As currently written, multiple RRs must have unique scheme + algorithm tuples.  If that were
to be come just unique scheme, then you couldn't have an algorithm rollover since its opaque. 

Sure you can dream up some digest approaches that won't fit in the proposed ZONEMD RDATA but I think there are a number of workable approaches that will fit and will support large, dynamic zones.  IMO if there is some future approach that doesn't fit, then a new RRtype could be defined for it.


> 
> 2.1 - "Included" is confusing here.  Instead "the digest is calculated over the data as-is and the RR is not replaced by a placeholder RR.

Ok, new proposed text:

  During digest calculation, non-apex ZONEMD RRs are treated like any
  other RRs.  They are digested as-is and the RR is not replaced by a
  placeholder RR.



> 3.1 - Could be misunderstood as written. In the second para "one or more placeholder ZONEMD RR(s) are added (one for each digest in the SIMPLE scheme and as many as are required to cover new schemes)".  Last paragraph becomes redundant (and it's actually multiple ZONEMD RRs not digests).

New proposed text:

  Prior to calculation of the digest, and prior to signing with DNSSEC,
  one or more placeholder ZONEMD records are added to the zone apex.
  This serves two purposes: (1) it allows the digest to cover the
  Serial, Scheme, and Hash Algorithm fields, and (2) ensures that
  appropriate denial-of-existence (NSEC, NSEC3) records are created if
  the zone is signed with DNSSEC.  When multiple ZONEMD RRs are
  published in the zone, e.g., during an algorithm rollover, each must
  specify a unique Scheme and Hash Algorithm tuple.



> *****(and as I think about it - what would be the harm in not including ZONEMD placeholder records in the ZONEMD digest -e.g. just skip them?)

For signed zones DNSSEC is sufficient to detect tampering of ZONEMD RRs.

For unsigned zones, including the placeholder protects against unintentional or accidental modification of the non-digest parts of the RR.

> 
> 4.1 - move the text up before the text for 4. and delete the subsection.  Style wise, RFCs try and avoid single subsections under a section.

New proposed format:

4.  Verifying Zone Digest

  The recipient of a zone that has a ZONEMD RR can verify the zone by
  calculating the digest as follows.  If multiple ZONEMD RRs are
  present in the zone, e.g., during an algorithm rollover, a match
  using any one of the recipient's supported Schemes and Hash
  Algorithms is sufficient to verify the zone.

  [enumerated list...]

  Note that when multiple ZONEMD RRs are present in the zone, the
  Digest field of each MUST be zeroed in step 8 above, even for
  unsupported Scheme and Hash Algorithm values.



> Section 5 - what's the requirement to add new entries to the registries being defined?   Expert Review, RFC? 

Added:

   The IANA policy for assigning new values to the ZONEMD Scheme
   registry shall be Specification Required, as described in [RFC8126].

and

   The IANA policy for assigning new values to the ZONEMD Hash Algorithm
   registry shall be Specification Required, as described in [RFC8126].


> 
> 6.2 assumes the zonemd record is NOT calculated on the fly or dynamically upon request. 

Proposed text:

6.2.  Attacks Utilizing ZONEMD Queries

  Nothing in this specification prevents clients from making, and
  servers from responding to, ZONEMD queries.  Servers SHOULD NOT
  calculate zone digests dynamically (for each query) as this can be
  used as a CPU resource exhaustion attack.


> 
> 
> 6.3 last paragraph conflicts with 4.1 - e.g. if all you have is a private hash, then you can't verify ZONEMD and .... well you get the point.   Basically, you have no signalling mechanism for when you might be dependent on this record past NSEC/NSEC3.   I don't know how to resolve these two.

Sorry, I don't understand the concern here.  Yes, if a recipient is given only a private algorithm ZONEMD then it won't be able to verify it (unless its in on the private arrangement).  This is similar to unsupported DNSSEC algorithms. 


> 
> 7.1 - add "This calculation does not take into the account any time required to canonicalize a zone for processing".

The benchmarks do in fact take that into account.  New text:

  These benchmarks attempt to emulate a worst-case scenario and take
  into account the time required to canonicalize the zone for
  processing.  Each of the 800+ zones were measured three times, and
  then averaged, with a different random sorting of the input data
  prior to each measurement.


DW

v2.23.0 | Report a Bug | By Email