Re: [DNSOP] Incremental zone hash - XHASH
Paul Vixie <paul@redbarn.org> Fri, 20 July 2018 18:01 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF406131218 for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 11:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g1yAq7zBrd0O for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 11:01:09 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCD14131183 for <dnsop@ietf.org>; Fri, 20 Jul 2018 11:01:08 -0700 (PDT)
Received: from [10.4.109.204] (unknown [12.31.71.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 22408892B9; Fri, 20 Jul 2018 18:01:08 +0000 (UTC)
Message-ID: <5B522365.1090101@redbarn.org>
Date: Fri, 20 Jul 2018 20:01:09 +0200
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
CC: dnsop WG <dnsop@ietf.org>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org>
In-Reply-To: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rpO87xsrOWJT-PD9pP1-GywNkis>
Subject: Re: [DNSOP] Incremental zone hash - XHASH
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 18:01:17 -0000
perfect! Mark Andrews wrote: > Rather than having a full zone hash this can be done as a chain > of hashes (XHASH). > > The XHASH would include all records at a signed name (where a signed > name is NOT an NSEC3 name) up until the next signed name (where a > signed name is NOT a NSEC3 name) in DNSSEC order similar to ZONEMD. > If there is a NSEC3 record and its RRSIGs in this range it is included > in the hash computation. Where a NSEC3 record matches the name of a > record that exists in the zone it is hashed with that name. The record > type appears at both top and bottom of zone similar to NS. > > The chain is only deemed to be complete if there is a hash record at > the zone apex. This allows for incremental construction and destruction > of the XHASH chain similar to the way the presence of NSEC at the zone > apex indicates that chain is complete. > > If there are records that are not at or under the zone apex they are included > in the final XHASH of the zone sorting from the zone apex to the end of the > namespace then from the start of the namespace to the zone apex. Such records > at not normally visible to queries other than AXFR/IXFR. AXFR/IXFR permit such > records. > > XHASH would allow for UPDATE to incrementally adjust the chain without > having to hash the entire zone at once. > > XHASH would allow for a slave server to verify a zone is still complete > after a IXFR by just checking the areas of the zone impacted by the IXFR. > > e.g. > > example.com SOA > example.com NS ns.example.com > example.com DNSKEY … > example.com NSEC a.example.com NS SOA RRSIG NSEC DNSKEY XHASH > example.com XHASH … > > a.example.com NS ns.a.example.com > a.example.com NSEC b.example.com NS RRSIG NSEC XHASH > a.example.com XHASH … > ns.a.example.com A … > > b.example.com NS ns.b.example.com > b.example.com NSEC ns.example.com NS RRSIG NSEC XHASH > b.example.com XHASH … > ns.b.example.com A … > > ns.example.com A … > ns.example.com AAAA … > ns.example.com NSEC example.com A AAAA RRSIG NSEC XHASH > ns.example.com XHASH … > > Each of the groupings shows which records plus RRSIGs that are > included in the XHASH calculation. > > To prevent removal/introduction of RRSIGs of XHASH records a DNSKEY > flag bit is be needed to indicate which RRSIG(XHASH) should/should not > be present once the chain is complete. The same applies to RRSIG(ZONEMD). > > Verification of a AXFR would be slightly slower than with ZONEMD as there > are more RRSIG records to be processed, > > -- P Vixie
- Re: [DNSOP] Incremental zone hash - XHASH Mark Andrews
- [DNSOP] Incremental zone hash - XHASH Mark Andrews
- Re: [DNSOP] Incremental zone hash - XHASH George Michaelson
- Re: [DNSOP] Incremental zone hash - XHASH Mark Andrews
- Re: [DNSOP] Incremental zone hash - XHASH Paul Vixie
- Re: [DNSOP] Incremental zone hash - XHASH Wessels, Duane
- Re: [DNSOP] Incremental zone hash - XHASH Paul Wouters
- Re: [DNSOP] Incremental zone hash - XHASH Warren Kumari
- Re: [DNSOP] Incremental zone hash - XHASH Joe Abley
- Re: [DNSOP] Incremental zone hash - XHASH Paul Wouters
- Re: [DNSOP] Incremental zone hash - XHASH Wessels, Duane
- Re: [DNSOP] Incremental zone hash - XHASH Ondřej Surý
- Re: [DNSOP] Incremental zone hash - XHASH Wes Hardaker