IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

Michael StJohns <msj@nthpermutation.com> Wed, 08 January 2020 19:18 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAB8012012A for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:18:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j91APkEsI8jk for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:18:48 -0800 (PST)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472961200E9 for <dnsop@ietf.org>; Wed, 8 Jan 2020 11:18:48 -0800 (PST)
Received: by mail-qv1-xf36.google.com with SMTP id n8so1889504qvg.11 for <dnsop@ietf.org>; Wed, 08 Jan 2020 11:18:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=DNeW4ZpB6eopeeFPi/fT7QMgm6qCUqu6Tlhf2ZxYRLw=; b=uXuOfLg6Ht5r9TZiMGEnhrnnLbVCkTPn0GrYl1DCkpnsafbmgdL8VbQ5I2RVPjZZ3Q 7raPxsS2o0MRQd5rSjjUQbd2fjIrP9aveqjp4rOpFf5AKSbNedUCdNim8KSyZuRWMMaV ioEFHMvJHV1mmcQIskW/m3k7F4XwPg6vz032OyUSSdNe5QRtdrcg9oEK+3l+sxMhUYzf gEqicQScijrOLmGTlmTNUimM0TmDBhmLVLr1F3Joi3JiiePWx9figFZ/0QBftdCg8wDE dHecrba91yGXjKiH0ywj/mL02pb+MUEWNLKRJWMN8bToZtE6l7UyXmWVxbkcVeTwqoVc CMjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=DNeW4ZpB6eopeeFPi/fT7QMgm6qCUqu6Tlhf2ZxYRLw=; b=Ro63UQ21e50jLpZGJS9g88Ks6EXL6r7k2wLn2lxf6TKSraV2t5KwCrP7VASp85oJ2y AD+SfKGnhIqJv9cgsWJ3M/gfa25MAT6jpQ5dgXTlql+XMf+InELVYnrryVRs1ELrQ9av NnAPGgnlMiOdm6UYU6UOf1tHnMnMfvjuQKD73JZQewIkLK8JUQNbe7xCk6NAL118/VGs ApekpbtnxeLjsQczitt9bTgxkfvhoNzn1v2SOJQCLB0/E4wESVSE/dzAeVzB6rY3Vecj m+ay96Clcg9L916hOrZCIHJ23Ol6tW9B/l/I2TfakJ/MdMUJUhUC+rqfcGqC+p0DyL0m mGwA==
X-Gm-Message-State: APjAAAUD2UYj56+Wbv3t1XdeWfDufKvWIyM3zNYrUY5sOqE5Kd40KZsx f/svi9MGVycaEK2q9OC9/5QxenHOrlM=
X-Google-Smtp-Source: APXvYqxeSoikTvx2N+JKM4VkhKYfA9zjilsiyWBd24r7p/A1rjOzjiT1Kg5kINEuA1N3dckapcQsBQ==
X-Received: by 2002:a05:6214:8c3:: with SMTP id da3mr5329943qvb.249.1578511126910; Wed, 08 Jan 2020 11:18:46 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:dd4:4ade:7d8:f573? ([2601:152:4400:437c:dd4:4ade:7d8:f573]) by smtp.gmail.com with ESMTPSA id t15sm1802361qkg.49.2020.01.08.11.18.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 11:18:46 -0800 (PST)
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <84650844-1d13-9377-c913-23dcbc76dc37@nthpermutation.com> <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com> <7f298591-09b5-dd7c-0dab-afc60def874b@nthpermutation.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com>
Date: Wed, 08 Jan 2020 14:18:45 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tpt9ruUIws9k_FA586Sez6CRjW0>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:18:50 -0000

On 1/7/2020 5:33 PM, Wessels, Duane wrote:
>
>> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>>
>> As I suggested in one of my messages, giving an idea of how long it takes to digest various sizes of zones given commodity hardware would be a good start.   Going on and talking about the ratio of that time to the typical update frequency of the zone  (e.g. zone digest 5 minutes, transfer time of 10 minutes, zone update 24 hours  - ratios of 1:288 and 1:144 are probably acceptable;   zone digest of 30 minutes, transfer time of 2 hours and an update of every 4 hours - ratios of 1:8 and 1:2  are probably stretching it)
> Would text like this address your concern?
>
> 7.  Performance Considerations
>
>     This section is provided to make zone publishers aware of the
>     performance requirements and implications of including ZONEMD RRs in
>     a zone.
>
> 7.1.  SHA384-SIMPLE
>
>     As mentioned previously, SHA384-SIMPLE may not be appropriate for use
>     in zones that are either large or highly dynamic.  Zone publishers
>     should carefully consider the use of ZONEMD in such zones, since it
>     might cause consumers of zone data (e.g., secondary name servers) to
>     expend resources on digest calculation.  Furthermore, for such use
>     cases, it is recommended that ZONEMD only be used when digest
>     calculation time is significnatly less than propagation times and
>     update intervals.
>
>     The authors' implementation (Section 10.1) includes an option to
>     record and report CPU usage of its operation.  The software was used
>     to generate digets for more than 800 TLD zones available from [CZDS].
>     The table below summarizes the the results for SHA384-SIMPLE, grouped
>     by zone size.  The Rate column is the mean amount of time per RR to
>     calculate the digest, running on commidity hardware at the time of
>     this writing.
>
>                   +---------------------+----------------+
>                   |     Zone Size (RRs) | Rate (msec/RR) |
>                   +---------------------+----------------+
>                   |             10 - 99 |        0.00683 |
>                   |           100 - 999 |        0.00551 |
>                   |         1000 - 9999 |        0.00505 |
>                   |       10000 - 99999 |        0.00602 |
>                   |     100000 - 999999 |        0.00845 |
>                   |   1000000 - 9999999 |         0.0108 |
>                   | 10000000 - 99999999 |         0.0148 |
>                   +---------------------+----------------+
>
>     For example, based on the above table, it takes approximately 0.13
>     seconds to calculate a SHA384-SIMPLE digest for a zone with 22,000
>     RRs, and about 2.5 seconds for a zone with 300,000 RRs.
>
Hi Duane -

This is sort of what I meant.  Still trying to get the authors to home 
in a definition for small/static and large/dynamic.   Reading the above 
table, and assuming validation takes a similar time, I'd suggest that 1M 
records @ ~2.3-3 hours is greater than large for your purposes.   Maybe  
10Min  for 100K records is "large"? Assuming that churn is >> 10 minutes.

I'd add "Note that processing power tends to increase over time - 
Moore's law suggest that time to process these data sets will decrease 
by half every 2 years, faster if specialized hardware is used.  
Implementers, publishers and consumers may extrapolate current 
processing times by simple math."  - to deal with the "these numbers are 
stale when published so why publish them" comment .  And - maybe given 
publishing time - as of December 2019 instead of "at the time of writing".

Two things -  Does the above include the time it takes to sort or 
otherwise order the zone in canonical order or are you assuming that the 
database is maintained in a sorted manner?    And what is the average RR 
size?

Thanks for the text.  Mike

ps - what I think a number of other commenters are missing is that this 
is guidance for implementers, zone publishers and zone consumers - not 
just for dns geeks.  For a zone publisher to use it it has to a) be cost 
effective to produce, b) have some value for the zone consumer other 
than "just more data", and c) has to not interfere with their current 
business model.    I actually thought about asking how much 
energy/electricity it would take to produce or verify the ZONEMD RR - 
but decided that would just be cruel.  TANSTAAFL

v2.23.0 | Report a Bug | By Email