Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
"Wessels, Duane" <dwessels@verisign.com> Thu, 31 May 2018 18:18 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7381205F0 for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 11:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REwMbXlZK-4y for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 11:18:19 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A10F812DA0C for <dnsop@ietf.org>; Thu, 31 May 2018 11:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=13302; q=dns/txt; s=VRSN; t=1527790698; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=njk+d21AFKORmF3KseYTonon6UcId3WlKVE0GpHIhDk=; b=QwLdTtcHQbKN/BpMX+YfuPv8jp9gs3+eX4tKLaJxXE1pTRirbEHPy9ld DbDXTwqloEOIsF+aXICYdlr310HtNkvXcm8LDHhtabdqZiyOwVw5IsAaY Lmkeo8DX04Qm03ri44tNYF0IFdsKqT2q40x0w/e0Qb+ZgRSwmky09kPtC 2mu3mkn5S0TIcQS7PyVf3X45vUy8JPHI8v5V9c7yj78wzt4Au0NP972gQ +AqAATUZJIBlsfv11XOvLa3O4+LeG6m51taqkaFmY9Yt78ez/IGTopWkI VHYKrt9NcMqEVxhmGzRRSHV8UNWLE2NvYa3EJK4XgmUjPKwoaQH2VzKdp w==;
X-IronPort-AV: E=Sophos; i="5.49,463,1520899200"; d="p7s'?scan'208"; a="4554125"
IronPort-PHdr: 9a23:3pTbgxfCacdcL0QFTlrsDLN0lGMj4u6mDksu8pMizoh2WeGdxcS7Yx7h7PlgxGXEQZ/co6odzbaO7ua4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahYb5+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v6bpgRh31hycdLzM38H/ZhNFsjKxVoxyhqR5ww4/Ib46aL/d+cb/RfdYASGZdQspcVSpMCZ68YYsVCOoBOP5Vo4f9qFQQthu+HhejBOf0yjNQm3T407A63P4nEQ7Y0gArAtUDv2nardrrL6cSSv66zK3TzTjYcfNZxy396InTchAgrvGMW6h8ftbWyUkqDg7IiEibp4/9Pz6Ny+gBr3KX4/diWO+hkWIrtgF8rza1ysojjoTFnp8Zxkze+Slkwos4K8e0RFN7bNOqCpdduCKXOo1rSc04WW5oojw1yrgetJ6+eygF1YooygbEa/yCb4iI+hXjVPuNITtghHJqZra/hxGq/EW91uPyTtS431ZSoCRKk9bAqm4B2wbN6sebTft95F+h1SyV2A/O8O1EP1o0lbHdK5I73rEwkZ8TvVzCHi/whkr2kLebelg49uSy9ujqYLvrqoWBO4J0hAzyKKsjl8inDeQ9KAcOXmyb+eqm1L3k+E30WKhFj/MonanCq5DVO8AbprWiDg9LzIkj8Re/Dyyn0NQXm3kLNk5KeBWCj4TxIVHBPOj4Deujg1SriDprxfHGPrvkAprTL3jOi7ngfbdg5EFC0gY8181Q64hWCrEZOPjzQFP+tMTEDh8lNAy52/voCNNm1oMZQWKCGa6ZP73OsV+G/O4vJPOMZIBG8Ar6fgDdHwam2X04n1oQfIG23JcaLnm0WPZ+dRa3e33p150+HHwRsw4lCKTGlVSEXHQbM3qtUrkn6zUgIJyrF4bYR4+rxreG2XHoTdVtemlaBwXUQj/TfIKeVqJUZQ==
X-IPAS-Result: A2GNAAA5OxBb/zGZrQpcGQEBAQEBAQEBAQEBAQcBAQEBAYVNCoNtiASOOyGBD4IWkSaBeAgDhGwCgiY0GAECAQEBAQEBAgEBAoEQgjUiglMBAQEBAgEjVAIFCwIBBgIYKgICAjAlAgQOBQ6DFAKBd4wmm0eCHIRYg2eBWQ8JAYoMPoEPJAyCXYMRBIF1gmkwgiQCh0mEY4R4h0UDBgKDRYFVgnI2h1mGWIR/kG4CAgICBAUCFIFBggtwFTsqAYIYgkiOBm8BjRsrgQGBGQEB
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Thu, 31 May 2018 14:18:17 -0400
Received: from BRN1WNEXCAS01.vcorp.ad.vrsn.com (10.173.152.205) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1466.3 via Frontend Transport; Thu, 31 May 2018 14:18:17 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Thu, 31 May 2018 14:18:16 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: 神明達哉 <jinmei@wide.ad.jp>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHT+Qu+0W7gfz9h9UmJwGmgyyIefQ==
Date: Thu, 31 May 2018 18:18:16 +0000
Message-ID: <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com>
In-Reply-To: <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.153.48]
Content-Type: multipart/signed; boundary="Apple-Mail=_CFBA8C2F-82BE-4DE0-ADDA-91EB9D2CE183"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sUYRiT19C3YKP4hroGFHxzu6EkM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 18:18:22 -0000
> On May 25, 2018, at 11:33 AM, 神明達哉 <jinmei@wide.ad.jp> wrote: > > At Wed, 23 May 2018 15:32:11 +0000, > "Weinberg, Matt" <mweinberg=40verisign.com@dmarc.ietf.org> wrote: > >> We’ve posted a new version of draft-wessels-dns-zone-digest. Of note, > this -01 version includes the following changes: > [...] >> We plan to ask for time on the dnsop agenda in Montreal. Your feedback > is welcome and appreciated. > > I've read the draft. I have a few high level comments and specific > feedback on the draft content: > > - It was not really clear exactly what kind of problem this digest > tries to solve, especially given that the primarily intended usage > is for the root zone, which is DNSSEC-signed with NSEC. Thanks you for the feedback. We will write a clearer problem statement in the introduction for the next version. > In that > primary case we should be able to check the integrity of the > entire zone with DNSSEC (including a complete list of authoritative > names and RR types for each name), right? One thing I can think of > is integrity including glue records, but it's not clear from the > draft whether the digest includes these records (see also below), > and even if so, it seems to be a relatively minor addition. Yes, we intend to include glue records in the digest. The proposal is to have a digest over the zone as a whole. So that is ALL records in the zone. > So I'm > wondering I'm missing something very trivial. Even so, it would be > nice to clarify the intended advantage(s) over DNSSEC-based > integrity check for the root zone case. We can clarify that in the next version. Essentially we feel the digest technique provides two advantages over a straight DNSSEC-based integrity check: (1) it covers unsigned data (glue, delegations, NSEC3 opt-out spans), and (2) just one signature to validate. > > - This digest can't be incrementally updated, that is, you'll need to > calculate the digest over the entire zone even if just a single > record is modified (am I correct?). That's probably an inevitable > cost for the motivation of providing cryptographically strong > integrity check, but that's a pity for me. One case I know of where > things like "zone digest" is wanted is to ensure consistency for a > very large zone between primary and secondary servers that are > synchronized using IXFR. In principle they must be consistent, but > operators may want to have a lightweight (albeit not > cryptographically strong) way to confirm no unexpected events (such > as an implementation bug) quietly broke the consistency. Perhaps > such usage is just outside the scope of this proposal, but I first > expected I could use it for this kind of purpose it was a bit > disappointing and I wanted to mention it. Incremental updates could be supported if the working group feels it is important. We have a working proof-of-concept implementation of this that hashes individual RRsets and then XORs them into a final message digest (thanks to Roy Arends for the suggestion). However, this complicates the implementation. It almost certainly requires more CPU processing but probably not to an extent that matters significantly. We could do some simple benchmarks. If there is desire to follow this path, then we should discuss whether or not to keep having the zone digest algorithms exactly match the DS digest algorithms. For example, digest alg 2 could mean "SHA256 over the zone as a whole" while digest alg 3 could mean "SHA-256 digest and XOR individual RRsets" to support incremental updates. > > Specific comments: > > - Section 4.1 > > This specification adopts DNSSEC's canonical ordering for names > (Section 6.1 of [RFC4034]), and canonical ordering for RRs within an > > This means upper case letters in owner names are converted to lower > case ones. It could be considered a feature, but I guess some > operators might want to check integrity including letter case of > names. For example, recent versions of ISC BIND 9 tries quite hard > to preserve the letter case of owner names per RRset basis, which I > think suggests operator needs for preserving the case as much as > possible. We do not propose that owner names be permanently converted. DNSSEC has this same characteristic, does it not? The validator canonicalizes the owner names upon validation, but does not cache them canonicalized. > > - Section 4.1.2 > > [...] However, according to the > requirement to sort RRsets with the same owner name by type, the SOA > RR (type value 2) might not be first in the digest calculation. If > the zone has an A RR (type value 1) at the apex, it MUST be processed > before the SOA RR. > > SOA's type value is 6, not 2. This also means you might rather want > to use NS (type value 2) instead of A, since you don't need to add > 'if', as long as the zone is reasonably valid to have both SOA and > NS. Yes, thank you for pointing that out! > > - Section 4.4 > > The zone digest is calculated by concatenating the canonical on-the- > wire form of RRs in the zone, in the order described above, subject > to the inclusion/exclusion rules described below, and then applying > the digest algorithm: > > I wonder whether glue records are included in these RRs. Either > way, it would be better to clarify the point. If we say "calculated by concatenating ... all RRs in the zone" is that sufficient? > > - Section 4.5 > > If the zone is signed with DNSSEC, the appropriate RRSIG records > covering the ZONEMD record MUST then be added. Because the ZONEMD > placeholder was added prior to signing, the zone will already have > the appropriate denial-of-existence (NSEC, NSEC3) records. > > I would suggest clarifying that this 'resigning' MUST NOT change the > SOA serial (it MUST NOT, right?). It may depend on specific > implementation or operational practices, but I know of > implementations that increase the serial for every such incremental > resigning. So it would be prudent to explicitly note that this case > is an exception for such practices. This will be added. DW
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý