Re: [DNSOP] Incremental zone hash - XHASH

Paul Vixie <paul@redbarn.org> Fri, 20 July 2018 18:01 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF406131218 for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 11:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g1yAq7zBrd0O for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 11:01:09 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCD14131183 for <dnsop@ietf.org>; Fri, 20 Jul 2018 11:01:08 -0700 (PDT)
Received: from [10.4.109.204] (unknown [12.31.71.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 22408892B9; Fri, 20 Jul 2018 18:01:08 +0000 (UTC)
Message-ID: <5B522365.1090101@redbarn.org>
Date: Fri, 20 Jul 2018 20:01:09 +0200
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
CC: dnsop WG <dnsop@ietf.org>
References: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org>
In-Reply-To: <FA63BBB1-5AB1-4494-85A9-B43CB2A04F89@isc.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rpO87xsrOWJT-PD9pP1-GywNkis>
Subject: Re: [DNSOP] Incremental zone hash - XHASH
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 18:01:17 -0000

perfect!

Mark Andrews wrote:
> Rather than having a full zone hash this can be done as a chain
> of hashes (XHASH).
>
> The XHASH would include all records at a signed name (where a signed
> name is NOT an NSEC3 name) up until the next signed name (where a
> signed name is NOT a NSEC3 name) in DNSSEC order similar to ZONEMD.
> If there is a NSEC3 record and its RRSIGs in this range it is included
> in the hash computation.  Where a NSEC3 record matches the name of a
> record that exists in the zone it is hashed with that name. The record
> type appears at both top and bottom of zone similar to NS.
>
> The chain is only deemed to be complete if there is a hash record at
> the zone apex. This allows for incremental construction and destruction
> of the XHASH chain similar to the way the presence of NSEC at the zone
> apex indicates that chain is complete.
>
> If there are records that are not at or under the zone apex they are included
> in the final XHASH of the zone sorting from the zone apex to the end of the
> namespace then from the start of the namespace to the zone apex. Such records
> at not normally visible to queries other than AXFR/IXFR.  AXFR/IXFR permit such
> records.
>
> XHASH would allow for UPDATE to incrementally adjust the chain without
> having to hash the entire zone at once.
>
> XHASH would allow for a slave server to verify a zone is still complete
> after a IXFR by just checking the areas of the zone impacted by the IXFR.
>
> e.g.
>
> 	example.com SOA
> 	example.com NS ns.example.com
> 	example.com DNSKEY …
> 	example.com NSEC a.example.com NS SOA RRSIG NSEC DNSKEY XHASH
> 	example.com XHASH …
>
> 	a.example.com NS ns.a.example.com
> 	a.example.com NSEC b.example.com NS RRSIG NSEC XHASH
> 	a.example.com XHASH …
> 	ns.a.example.com A …
>
> 	b.example.com NS ns.b.example.com
> 	b.example.com NSEC ns.example.com NS RRSIG NSEC XHASH
> 	b.example.com XHASH …
> 	ns.b.example.com A …
>
> 	ns.example.com A …
> 	ns.example.com AAAA …
> 	ns.example.com NSEC example.com A AAAA RRSIG NSEC XHASH
> 	ns.example.com XHASH …
>
> Each of the groupings shows which records plus RRSIGs that are
> included in the XHASH calculation.
>
> To prevent removal/introduction of RRSIGs of XHASH records a DNSKEY
> flag bit is be needed to indicate which RRSIG(XHASH) should/should not
> be present once the chain is complete.  The same applies to RRSIG(ZONEMD).
>
> Verification of a AXFR would be slightly slower than with ZONEMD as there
> are more RRSIG records to be processed,
> 	
>

-- 
P Vixie