IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Thu, 31 May 2018 18:18 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7381205F0 for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 11:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REwMbXlZK-4y for <dnsop@ietfa.amsl.com>; Thu, 31 May 2018 11:18:19 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A10F812DA0C for <dnsop@ietf.org>; Thu, 31 May 2018 11:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=13302; q=dns/txt; s=VRSN; t=1527790698; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=njk+d21AFKORmF3KseYTonon6UcId3WlKVE0GpHIhDk=; b=QwLdTtcHQbKN/BpMX+YfuPv8jp9gs3+eX4tKLaJxXE1pTRirbEHPy9ld DbDXTwqloEOIsF+aXICYdlr310HtNkvXcm8LDHhtabdqZiyOwVw5IsAaY Lmkeo8DX04Qm03ri44tNYF0IFdsKqT2q40x0w/e0Qb+ZgRSwmky09kPtC 2mu3mkn5S0TIcQS7PyVf3X45vUy8JPHI8v5V9c7yj78wzt4Au0NP972gQ +AqAATUZJIBlsfv11XOvLa3O4+LeG6m51taqkaFmY9Yt78ez/IGTopWkI VHYKrt9NcMqEVxhmGzRRSHV8UNWLE2NvYa3EJK4XgmUjPKwoaQH2VzKdp w==;
X-IronPort-AV: E=Sophos; i="5.49,463,1520899200"; d="p7s'?scan'208"; a="4554125"
IronPort-PHdr: 9a23:3pTbgxfCacdcL0QFTlrsDLN0lGMj4u6mDksu8pMizoh2WeGdxcS7Yx7h7PlgxGXEQZ/co6odzbaO7ua4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahYb5+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v6bpgRh31hycdLzM38H/ZhNFsjKxVoxyhqR5ww4/Ib46aL/d+cb/RfdYASGZdQspcVSpMCZ68YYsVCOoBOP5Vo4f9qFQQthu+HhejBOf0yjNQm3T407A63P4nEQ7Y0gArAtUDv2nardrrL6cSSv66zK3TzTjYcfNZxy396InTchAgrvGMW6h8ftbWyUkqDg7IiEibp4/9Pz6Ny+gBr3KX4/diWO+hkWIrtgF8rza1ysojjoTFnp8Zxkze+Slkwos4K8e0RFN7bNOqCpdduCKXOo1rSc04WW5oojw1yrgetJ6+eygF1YooygbEa/yCb4iI+hXjVPuNITtghHJqZra/hxGq/EW91uPyTtS431ZSoCRKk9bAqm4B2wbN6sebTft95F+h1SyV2A/O8O1EP1o0lbHdK5I73rEwkZ8TvVzCHi/whkr2kLebelg49uSy9ujqYLvrqoWBO4J0hAzyKKsjl8inDeQ9KAcOXmyb+eqm1L3k+E30WKhFj/MonanCq5DVO8AbprWiDg9LzIkj8Re/Dyyn0NQXm3kLNk5KeBWCj4TxIVHBPOj4Deujg1SriDprxfHGPrvkAprTL3jOi7ngfbdg5EFC0gY8181Q64hWCrEZOPjzQFP+tMTEDh8lNAy52/voCNNm1oMZQWKCGa6ZP73OsV+G/O4vJPOMZIBG8Ar6fgDdHwam2X04n1oQfIG23JcaLnm0WPZ+dRa3e33p150+HHwRsw4lCKTGlVSEXHQbM3qtUrkn6zUgIJyrF4bYR4+rxreG2XHoTdVtemlaBwXUQj/TfIKeVqJUZQ==
X-IPAS-Result: A2GNAAA5OxBb/zGZrQpcGQEBAQEBAQEBAQEBAQcBAQEBAYVNCoNtiASOOyGBD4IWkSaBeAgDhGwCgiY0GAECAQEBAQEBAgEBAoEQgjUiglMBAQEBAgEjVAIFCwIBBgIYKgICAjAlAgQOBQ6DFAKBd4wmm0eCHIRYg2eBWQ8JAYoMPoEPJAyCXYMRBIF1gmkwgiQCh0mEY4R4h0UDBgKDRYFVgnI2h1mGWIR/kG4CAgICBAUCFIFBggtwFTsqAYIYgkiOBm8BjRsrgQGBGQEB
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Thu, 31 May 2018 14:18:17 -0400
Received: from BRN1WNEXCAS01.vcorp.ad.vrsn.com (10.173.152.205) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1466.3 via Frontend Transport; Thu, 31 May 2018 14:18:17 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Thu, 31 May 2018 14:18:16 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: 神明達哉 <jinmei@wide.ad.jp>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHT+Qu+0W7gfz9h9UmJwGmgyyIefQ==
Date: Thu, 31 May 2018 18:18:16 +0000
Message-ID: <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com>
In-Reply-To: <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.153.48]
Content-Type: multipart/signed; boundary="Apple-Mail=_CFBA8C2F-82BE-4DE0-ADDA-91EB9D2CE183"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sUYRiT19C3YKP4hroGFHxzu6EkM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 18:18:22 -0000

> On May 25, 2018, at 11:33 AM, 神明達哉 <jinmei@wide.ad.jp> wrote:
> 
> At Wed, 23 May 2018 15:32:11 +0000,
> "Weinberg, Matt" <mweinberg=40verisign.com@dmarc.ietf.org> wrote:
> 
>> We’ve posted a new version of draft-wessels-dns-zone-digest.  Of note,
> this -01 version includes the following changes:
> [...]
>> We plan to ask for time on the dnsop agenda in Montreal.  Your feedback
> is welcome and appreciated.
> 
> I've read the draft.  I have a few high level comments and specific
> feedback on the draft content:
> 
> - It was not really clear exactly what kind of problem this digest
>   tries to solve, especially given that the primarily intended usage
>   is for the root zone, which is DNSSEC-signed with NSEC.

Thanks you for the feedback.  We will write a clearer problem statement
in the introduction for the next version.

> In that
>   primary case we should be able to check the integrity of the
>   entire zone with DNSSEC (including a complete list of authoritative
>   names and RR types for each name), right?  One thing I can think of
>   is integrity including glue records, but it's not clear from the
>   draft whether the digest includes these records (see also below),
>   and even if so, it seems to be a relatively minor addition.

Yes, we intend to include glue records in the digest.  The proposal is to
have a digest over the zone as a whole.  So that is ALL records in the
zone.

>  So I'm
>   wondering I'm missing something very trivial.  Even so, it would be
>   nice to clarify the intended advantage(s) over DNSSEC-based
>   integrity check for the root zone case.

We can clarify that in the next version.  Essentially we feel the digest
technique provides two advantages over a straight DNSSEC-based integrity
check: (1) it covers unsigned data (glue, delegations, NSEC3 opt-out spans),
and (2) just one signature to validate.


> 
> - This digest can't be incrementally updated, that is, you'll need to
>   calculate the digest over the entire zone even if just a single
>   record is modified (am I correct?).  That's probably an inevitable
>   cost for the motivation of providing cryptographically strong
>   integrity check, but that's a pity for me.  One case I know of where
>   things like "zone digest" is wanted is to ensure consistency for a
>   very large zone between primary and secondary servers that are
>   synchronized using IXFR.  In principle they must be consistent, but
>   operators may want to have a lightweight (albeit not
>   cryptographically strong) way to confirm no unexpected events (such
>   as an implementation bug) quietly broke the consistency.  Perhaps
>   such usage is just outside the scope of this proposal, but I first
>   expected I could use it for this kind of purpose it was a bit
>   disappointing and I wanted to mention it.

Incremental updates could be supported if the working group feels it is
important.  We have a working proof-of-concept implementation of this that
hashes individual RRsets and then XORs them into a final message digest
(thanks to Roy Arends for the suggestion).

However, this complicates the implementation.  It almost certainly requires
more CPU processing but probably not to an extent that matters significantly.
We could do some simple benchmarks.

If there is desire to follow this path, then we should discuss whether or
not to keep having the zone digest algorithms exactly match the DS digest
algorithms.  For example, digest alg 2 could mean "SHA256 over the zone
as a whole" while digest alg 3 could mean "SHA-256 digest and XOR individual
RRsets" to support incremental updates.


> 
> Specific comments:
> 
> - Section 4.1
> 
>    This specification adopts DNSSEC's canonical ordering for names
>    (Section 6.1 of [RFC4034]), and canonical ordering for RRs within an
> 
>   This means upper case letters in owner names are converted to lower
>   case ones.  It could be considered a feature, but I guess some
>   operators might want to check integrity including letter case of
>   names.  For example, recent versions of ISC BIND 9 tries quite hard
>   to preserve the letter case of owner names per RRset basis, which I
>   think suggests operator needs for preserving the case as much as
>   possible.

We do not propose that owner names be permanently converted.  DNSSEC has this
same characteristic, does it not?  The validator canonicalizes the owner names
upon validation, but does not cache them canonicalized.

> 
> - Section 4.1.2
> 
>    [...]  However, according to the
>    requirement to sort RRsets with the same owner name by type, the SOA
>    RR (type value 2) might not be first in the digest calculation.  If
>    the zone has an A RR (type value 1) at the apex, it MUST be processed
>    before the SOA RR.
> 
>   SOA's type value is 6, not 2.  This also means you might rather want
>   to use NS (type value 2) instead of A, since you don't need to add
>   'if', as long as the zone is reasonably valid to have both SOA and
>   NS.

Yes, thank you for pointing that out!


> 
> - Section 4.4
> 
>    The zone digest is calculated by concatenating the canonical on-the-
>    wire form of RRs in the zone, in the order described above, subject
>    to the inclusion/exclusion rules described below, and then applying
>    the digest algorithm:
> 
>   I wonder whether glue records are included in these RRs.  Either
>   way, it would be better to clarify the point.

If we say "calculated by concatenating ... all RRs in the zone" is that sufficient?


> 
> - Section 4.5
> 
>    If the zone is signed with DNSSEC, the appropriate RRSIG records
>    covering the ZONEMD record MUST then be added.  Because the ZONEMD
>    placeholder was added prior to signing, the zone will already have
>    the appropriate denial-of-existence (NSEC, NSEC3) records.
> 
>   I would suggest clarifying that this 'resigning' MUST NOT change the
>   SOA serial (it MUST NOT, right?).  It may depend on specific
>   implementation or operational practices, but I know of
>   implementations that increase the serial for every such incremental
>   resigning.  So it would be prudent to explicitly note that this case
>   is an exception for such practices.

This will be added.

DW

v2.23.0 | Report a Bug | By Email