[DNSOP] Incremental zone hash - XHASH
Mark Andrews <marka@isc.org> Fri, 20 July 2018 10:31 UTC
From: Mark Andrews <marka@isc.org>
Message-Id: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org>
Date: Fri, 20 Jul 2018 20:31:07 +1000
To: dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rCVu_rMfN3EPXWmUMUjxSs_yVz4>
Rather than having a full zone hash this can be done as a chain of hashes (XHASH). The XHASH would include all records at a signed name (where a signed name is NOT an NSEC3 name) up until the next signed name (where a signed name is NOT an NSEC3 name) in DNSSEC order, similar to ZONEMD. If there is an NSEC3 record and its RRSIGs in this range it is included in the hash computation. Where an NSEC3 record matches the name of a record that exists in the zone it is hashed with that name.

The record type appears at both top and bottom of zone, similar to NS. The chain is only deemed to be complete if there is a hash record at the zone apex. This allows for incremental construction and destruction of the XHASH chain, similar to the way the presence of NSEC at the zone apex indicates that chain is complete.

If there are records that are not at or under the zone apex they are included in the final XHASH of the zone, sorting from the zone apex to the end of the namespace then from the start of the namespace to the zone apex. Such records are not normally visible to queries other than AXFR/IXFR. AXFR/IXFR permit such records.

XHASH would allow for UPDATE to incrementally adjust the chain without having to hash the entire zone at once. XHASH would allow for a slave server to verify a zone is still complete after an IXFR by just checking the areas of the zone impacted by the IXFR. e.g.

    example.com SOA
    example.com NS ns.example.com
    example.com DNSKEY …
    example.com NSEC a.example.com NS SOA RRSIG NSEC DNSKEY XHASH
    example.com XHASH …

    a.example.com NS ns.a.example.com
    a.example.com NSEC b.example.com NS RRSIG NSEC XHASH
    a.example.com XHASH …
    ns.a.example.com A …

    b.example.com NS ns.b.example.com
    b.example.com NSEC ns.example.com NS RRSIG NSEC XHASH
    b.example.com XHASH …
    ns.b.example.com A …

    ns.example.com A …
    ns.example.com AAAA …
    ns.example.com NSEC example.com A AAAA RRSIG NSEC XHASH
    ns.example.com XHASH …

Each of the groupings shows which records plus RRSIGs are included in the XHASH calculation.

To prevent removal/introduction of RRSIGs of XHASH records a DNSKEY flag bit is needed to indicate which RRSIG(XHASH) should/should not be present once the chain is complete. The same applies to RRSIG(ZONEMD).

Verification of an AXFR would be slightly slower than with ZONEMD as there are more RRSIG records to be processed.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
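The grouping and incremental re-check described in the message above, as an added Python model that is not part of Mark Andrews' post or any ISC code: records are grouped under the signed name that precedes them in DNSSEC canonical order, one hash is kept per group, the chain counts as complete only when the apex has a hash, and after an IXFR only the groups touched by the changed owners are recomputed. The zone contents, the SHA-256 choice and the text encoding fed to the hash are constructed assumptions for illustration, not the proposal's wire format.

```python
import hashlib

# Constructed toy zone: owner -> list of (type, rdata). RRSIGs are omitted for
# brevity; in a real zone they are simply more records in their owner's group.
ZONE = {
    "example.com":      [("SOA", "ns.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
                         ("NS", "ns.example.com."),
                         ("NSEC", "a.example.com NS SOA RRSIG NSEC DNSKEY XHASH")],
    "a.example.com":    [("NS", "ns.a.example.com."), ("NSEC", "b.example.com NS RRSIG NSEC XHASH")],
    "ns.a.example.com": [("A", "192.0.2.1")],                     # glue: no NSEC, so no XHASH
    "b.example.com":    [("NS", "ns.b.example.com."), ("NSEC", "ns.example.com NS RRSIG NSEC XHASH")],
    "ns.b.example.com": [("A", "192.0.2.2")],
    "ns.example.com":   [("A", "192.0.2.53"), ("AAAA", "2001:db8::53"),
                         ("NSEC", "example.com A AAAA RRSIG NSEC XHASH")],
}
# Signed names are the owners that carry an NSEC; each of them gets an XHASH.
SIGNED = {owner for owner, rrs in ZONE.items() if any(t == "NSEC" for t, _ in rrs)}

def canonical_key(name):
    """DNSSEC canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def covering_name(signed, owner):
    """Signed name whose XHASH group contains `owner`: the greatest signed name <= owner."""
    below = [s for s in signed if canonical_key(s) <= canonical_key(owner)]
    return max(below, key=canonical_key) if below else None

def group_hash(zone, signed, name):
    """Hash every record from `name` up to (not including) the next signed name."""
    h = hashlib.sha256()
    for owner in sorted(zone, key=canonical_key):
        if covering_name(signed, owner) == name:
            for rtype, rdata in sorted(zone[owner]):
                h.update(f"{owner} {rtype} {rdata}\n".encode())  # assumed hash input encoding
    return h.hexdigest()

def build_chain(zone, signed):
    """Full build: one XHASH value per signed name; the chain is complete once the apex has one."""
    return {name: group_hash(zone, signed, name) for name in signed}

def verify_after_ixfr(zone, signed, chain, apex, changed_owners):
    """Recheck only the groups an IXFR touched; return the signed names whose XHASH no longer matches."""
    if apex not in chain:
        raise ValueError("XHASH chain incomplete: no XHASH at the zone apex")
    affected = {covering_name(signed, o) for o in changed_owners}
    return sorted(n for n in affected if chain.get(n) != group_hash(zone, signed, n))
```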