Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
Michael StJohns <msj@nthpermutation.com> Wed, 08 January 2020 19:18 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAB8012012A for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:18:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j91APkEsI8jk for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:18:48 -0800 (PST)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472961200E9 for <dnsop@ietf.org>; Wed, 8 Jan 2020 11:18:48 -0800 (PST)
Received: by mail-qv1-xf36.google.com with SMTP id n8so1889504qvg.11 for <dnsop@ietf.org>; Wed, 08 Jan 2020 11:18:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=DNeW4ZpB6eopeeFPi/fT7QMgm6qCUqu6Tlhf2ZxYRLw=; b=uXuOfLg6Ht5r9TZiMGEnhrnnLbVCkTPn0GrYl1DCkpnsafbmgdL8VbQ5I2RVPjZZ3Q 7raPxsS2o0MRQd5rSjjUQbd2fjIrP9aveqjp4rOpFf5AKSbNedUCdNim8KSyZuRWMMaV ioEFHMvJHV1mmcQIskW/m3k7F4XwPg6vz032OyUSSdNe5QRtdrcg9oEK+3l+sxMhUYzf gEqicQScijrOLmGTlmTNUimM0TmDBhmLVLr1F3Joi3JiiePWx9figFZ/0QBftdCg8wDE dHecrba91yGXjKiH0ywj/mL02pb+MUEWNLKRJWMN8bToZtE6l7UyXmWVxbkcVeTwqoVc CMjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=DNeW4ZpB6eopeeFPi/fT7QMgm6qCUqu6Tlhf2ZxYRLw=; b=Ro63UQ21e50jLpZGJS9g88Ks6EXL6r7k2wLn2lxf6TKSraV2t5KwCrP7VASp85oJ2y AD+SfKGnhIqJv9cgsWJ3M/gfa25MAT6jpQ5dgXTlql+XMf+InELVYnrryVRs1ELrQ9av NnAPGgnlMiOdm6UYU6UOf1tHnMnMfvjuQKD73JZQewIkLK8JUQNbe7xCk6NAL118/VGs ApekpbtnxeLjsQczitt9bTgxkfvhoNzn1v2SOJQCLB0/E4wESVSE/dzAeVzB6rY3Vecj m+ay96Clcg9L916hOrZCIHJ23Ol6tW9B/l/I2TfakJ/MdMUJUhUC+rqfcGqC+p0DyL0m mGwA==
X-Gm-Message-State: APjAAAUD2UYj56+Wbv3t1XdeWfDufKvWIyM3zNYrUY5sOqE5Kd40KZsx f/svi9MGVycaEK2q9OC9/5QxenHOrlM=
X-Google-Smtp-Source: APXvYqxeSoikTvx2N+JKM4VkhKYfA9zjilsiyWBd24r7p/A1rjOzjiT1Kg5kINEuA1N3dckapcQsBQ==
X-Received: by 2002:a05:6214:8c3:: with SMTP id da3mr5329943qvb.249.1578511126910; Wed, 08 Jan 2020 11:18:46 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:dd4:4ade:7d8:f573? ([2601:152:4400:437c:dd4:4ade:7d8:f573]) by smtp.gmail.com with ESMTPSA id t15sm1802361qkg.49.2020.01.08.11.18.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 11:18:46 -0800 (PST)
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <84650844-1d13-9377-c913-23dcbc76dc37@nthpermutation.com> <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com> <7f298591-09b5-dd7c-0dab-afc60def874b@nthpermutation.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com>
Date: Wed, 08 Jan 2020 14:18:45 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tpt9ruUIws9k_FA586Sez6CRjW0>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:18:50 -0000
On 1/7/2020 5:33 PM, Wessels, Duane wrote: > >> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote: >> >> As I suggested in one of my messages, giving an idea of how long it takes to digest various sizes of zones given commodity hardware would be a good start. Going on and talking about the ratio of that time to the typical update frequency of the zone (e.g. zone digest 5 minutes, transfer time of 10 minutes, zone update 24 hours - ratios of 1:288 and 1:144 are probably acceptable; zone digest of 30 minutes, transfer time of 2 hours and an update of every 4 hours - ratios of 1:8 and 1:2 are probably stretching it) > Would text like this address your concern? > > 7. Performance Considerations > > This section is provided to make zone publishers aware of the > performance requirements and implications of including ZONEMD RRs in > a zone. > > 7.1. SHA384-SIMPLE > > As mentioned previously, SHA384-SIMPLE may not be appropriate for use > in zones that are either large or highly dynamic. Zone publishers > should carefully consider the use of ZONEMD in such zones, since it > might cause consumers of zone data (e.g., secondary name servers) to > expend resources on digest calculation. Furthermore, for such use > cases, it is recommended that ZONEMD only be used when digest > calculation time is significnatly less than propagation times and > update intervals. > > The authors' implementation (Section 10.1) includes an option to > record and report CPU usage of its operation. The software was used > to generate digets for more than 800 TLD zones available from [CZDS]. > The table below summarizes the the results for SHA384-SIMPLE, grouped > by zone size. The Rate column is the mean amount of time per RR to > calculate the digest, running on commidity hardware at the time of > this writing. > > +---------------------+----------------+ > | Zone Size (RRs) | Rate (msec/RR) | > +---------------------+----------------+ > | 10 - 99 | 0.00683 | > | 100 - 999 | 0.00551 | > | 1000 - 9999 | 0.00505 | > | 10000 - 99999 | 0.00602 | > | 100000 - 999999 | 0.00845 | > | 1000000 - 9999999 | 0.0108 | > | 10000000 - 99999999 | 0.0148 | > +---------------------+----------------+ > > For example, based on the above table, it takes approximately 0.13 > seconds to calculate a SHA384-SIMPLE digest for a zone with 22,000 > RRs, and about 2.5 seconds for a zone with 300,000 RRs. > Hi Duane - This is sort of what I meant. Still trying to get the authors to home in a definition for small/static and large/dynamic. Reading the above table, and assuming validation takes a similar time, I'd suggest that 1M records @ ~2.3-3 hours is greater than large for your purposes. Maybe 10Min for 100K records is "large"? Assuming that churn is >> 10 minutes. I'd add "Note that processing power tends to increase over time - Moore's law suggest that time to process these data sets will decrease by half every 2 years, faster if specialized hardware is used. Implementers, publishers and consumers may extrapolate current processing times by simple math." - to deal with the "these numbers are stale when published so why publish them" comment . And - maybe given publishing time - as of December 2019 instead of "at the time of writing". Two things - Does the above include the time it takes to sort or otherwise order the zone in canonical order or are you assuming that the database is maintained in a sorted manner? And what is the average RR size? Thanks for the text. Mike ps - what I think a number of other commenters are missing is that this is guidance for implementers, zone publishers and zone consumers - not just for dns geeks. For a zone publisher to use it it has to a) be cost effective to produce, b) have some value for the zone consumer other than "just more data", and c) has to not interfere with their current business model. I actually thought about asking how much energy/electricity it would take to produce or verify the ZONEMD RR - but decided that would just be cruel. TANSTAAFL
- Re: [DNSOP] Working Group Last Call for: Message … Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for: Message … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] Working Group Last Call for: Message Dige… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Paul Vixie
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … John Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Joe Abley
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Brian Dickson
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Bob Harold
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for: Me… Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- [DNSOP] future-proofing (Re: Working Group Last C… Paul Vixie
- Re: [DNSOP] future-proofing (Re: Working Group La… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] future-proofing (Re: Working Group La… Michael StJohns
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] Working Group Last Call for: Message … Michael StJohns
- Re: [DNSOP] Working Group Last Call for: Message … John R Levine
- Re: [DNSOP] Working Group Last Call for: Message … Miek Gieben
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] Working Group Last Call for: Message … Wes Hardaker
- Re: [DNSOP] future-proofing (Re: Working Group La… Shane Kerr
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Brian Dickson
- Re: [DNSOP] future-proofing (Re: Working Group La… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Wessels, Duane
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Hoffman
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Paul Vixie
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… Michael StJohns
- Re: [DNSOP] [Ext] future-proofing (Re: Working Gr… John Levine