Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Mark Andrews <marka@isc.org> Mon, 09 July 2018 01:57 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAJhMdTNYEKcxdgqtRs-g1wE-RXbnKSpNxcBQHqn4UmbHEjGOAQ@mail.gmail.com>
Date: Mon, 09 Jul 2018 11:57:39 +1000
Cc: George Michaelson <ggm@algebras.org>, dnsop WG <dnsop@ietf.org>
Message-Id: <667B81C8-EB73-4EC1-9FF4-64852E185783@isc.org>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <3ba53c28-8895-b0ec-badc-7ce31a8df8fc@nic.cz> <C027F687-BE37-42D4-959B-269BA2F49837@ogud.com> <CAKr6gn0BZgKGExweF2Hawh_shZSD+WxJ460YO-mbRQjg09uo_A@mail.gmail.com> <CAJhMdTNYEKcxdgqtRs-g1wE-RXbnKSpNxcBQHqn4UmbHEjGOAQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qr8ON5AwITzZsiPos_RDGUZkrs8>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt


> On 9 Jul 2018, at 11:27 am, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On Jul 9, 2018, at 02:02, George Michaelson <ggm@algebras.org> wrote:
> 
>> wow. Firstly, I thought canonicalization was a given: we have
>> definitions of canonical zone order for other reasons (NSEC*) don't
>> we?
> 
> NSEC is concerned with the ordering of owner names.
> 
> RRSIG is concerned with the ordering of individual RRs in an RRSet.
> 
> Unsigned RRSets (e.g. glue, NS RRSets above a zone cut) are unordered.
> You could apply the same rules (RFC4034 section 6.3) to sort them into
> canonical order, but I think you could also not do that and still have
> a compliant implementation of DNSSEC.

You need to sort them or you need to provide a mechanism that preserves the existing order.

I actually think we could design a system that works for in-band and dynamic update.  Add an XSIG record, where the XSIG is RRSIG(hash(NS and other records in the zone up to the next secure delegation in DNSSEC)).  For NSEC this becomes the NS records and glue below the NS.  This is incrementally generatable.

Mark

> Joe
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
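The ordering question raised above (unsigned NS RRsets and glue have no order that DNSSEC forces on them, so a digest either sorts them or must carry the original order) can be shown concretely. The following is an added example, not code from the draft or from ISC: it applies the RFC 4034 section 6.1 canonical name order and the section 6.3 canonical RR order within an RRset to a constructed delegation-plus-glue fragment, and compares a digest over the canonical wire form with a digest over the zone text as listed. The zone records, the SHA-384 choice, and the rule used to order whole RRsets relative to each other (owner name, then type code) are this example's own assumptions; the draft defines its own ordering and hash parameters.

```python
"""Canonical ordering (RFC 4034 section 6) applied to an unsigned delegation so
that a zone digest does not depend on the order RRs appear in a zone file.
Added example; the zone fragment below is constructed, not taken from the draft."""
import hashlib
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata in presentation form)

TYPE_CODES = {"A": 1, "NS": 2, "AAAA": 28}
CLASS_IN = 1

# Constructed input: the same NS RRset plus glue, once as a zone file might list
# it and once shuffled with different name casing. Same zone, different text.
ZONE_TEXT_A: List[RR] = [
    ("Example.", 3600, "NS", "ns2.example."),
    ("example.", 3600, "NS", "NS1.Example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("ns1.example.", 3600, "AAAA", "2001:db8::1"),
    ("ns2.example.", 3600, "A", "192.0.2.2"),
]
ZONE_TEXT_B: List[RR] = [
    ("NS2.example.", 3600, "A", "192.0.2.2"),
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "AAAA", "2001:DB8::1"),
    ("EXAMPLE.", 3600, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
]


def labels(name: str) -> List[bytes]:
    """Split a fully qualified name into labels, lowercased (RFC 4034 6.2)."""
    name = name.rstrip(".")
    return [l.encode("ascii").lower() for l in name.split(".")] if name else []


def name_wire(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"


def name_sort_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 6.1 canonical name order: compare the rightmost label first; a
    name sorts before every name it is a prefix of (parent before children)."""
    return tuple(reversed(labels(name)))


def rdata_wire(rtype: str, rdata: str) -> bytes:
    """Wire form of the RDATA. NS targets are lowercased because RFC 4034 6.2
    lists NS among the types whose embedded names are canonicalised."""
    if rtype == "NS":
        return name_wire(rdata)
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    raise ValueError(f"unsupported type {rtype}")


def rr_wire(rr: RR) -> bytes:
    """Canonical RR form (RFC 4034 6.2): owner, type, class, TTL, RDLENGTH, RDATA."""
    owner, ttl, rtype, rdata = rr
    rd = rdata_wire(rtype, rdata)
    header = struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rd))
    return name_wire(owner) + header + rd


def canonical_order(records: List[RR]) -> List[RR]:
    """Group RRs into RRsets, order RRsets by owner (6.1) then type code (this
    example's choice, not the draft's), and order the RRs inside each RRset by
    RDATA as left-justified octet strings (6.3)."""
    rrsets: Dict[Tuple[str, str], List[RR]] = defaultdict(list)
    for rr in records:
        owner_key = ".".join(l.decode() for l in labels(rr[0]))
        rrsets[(owner_key, rr[2])].append(rr)
    ordered: List[RR] = []
    for key in sorted(rrsets, key=lambda k: (name_sort_key(k[0]), TYPE_CODES[k[1]])):
        ordered.extend(sorted(rrsets[key], key=lambda rr: rdata_wire(rr[2], rr[3])))
    return ordered


def canonical_digest(records: List[RR]) -> str:
    """SHA-384 over the canonical wire form of every RR, in canonical order."""
    h = hashlib.sha384()
    for rr in canonical_order(records):
        h.update(rr_wire(rr))
    return h.hexdigest()


def file_order_digest(records: List[RR]) -> str:
    """Digest over the presentation text as listed: the naive approach, which
    changes whenever an otherwise identical zone is reordered or re-cased."""
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in records:
        h.update(f"{owner} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()


if __name__ == "__main__":
    print("canonical  A == B:", canonical_digest(ZONE_TEXT_A) == canonical_digest(ZONE_TEXT_B))
    print("file order A == B:", file_order_digest(ZONE_TEXT_A) == file_order_digest(ZONE_TEXT_B))
    for rr in canonical_order(ZONE_TEXT_A):
        print(rr)
```

The two inputs are the same zone as far as DNS is concerned, and the canonical digest agrees on that; the file-order digest does not, which is why a digest scheme has to pin down an ordering (or, as the reply above suggests, sign something that preserves the order it was given) before two verifiers can be expected to compute the same value.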