Re: [DNSOP] [Ext] review: draft-wessels-dns-zone-digest-04.txt

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 01 November 2018 19:07 UTC


On Thu, Nov 1, 2018 at 11:52 AM Joe Abley <jabley@hopcount.ca> wrote:

> On 1 Nov 2018, at 14:49, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
> > So, giving this some tiny bit of thought:
> > When is zonemd added to a response, is that when doing an AXFR?
>
> Construction of ZONEMD RRs and responding to AXFR are orthogonal.
>
>
Right, I just realized that... I was thinking of generation of all ZONEMD
RRs, but only returning a subset.
However, since ZONEMD RRs are DNSSEC-signed, the signature process requires
all the RRs to be included in the signature for the signature to validate.

Which means you always have to provide all of the ZONEMD records, if the
ZONEMD records are signed with the current DNSSEC method.


> > Maybe signaling the algorithm(s) for which signature(s) are
> desired/understood would do the trick?
> > I.e. in an EDNS option?
>
> I don't think so. EDNS options relate to servers exchanging DNS messages.
> ZONEMD relates to zones.
>

Hmmm... so at best it would be a one-way signal from the client to the
server, about what they support (and optionally prefer).
The server has to send all the ZONEMD records regardless.

Brian
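The point made above, that a DNSSEC signature covers the whole ZONEMD RRset so a server cannot return a subset and still validate, shown as an added example (not code from the thread or from the draft). It builds the RFC 4034 canonical RR form and signed-data layout; the ZONEMD RDATA layout (serial, digest type, reserved byte, digest), the type code, the digest-type numbers and the HMAC standing in for the DNSSEC signature algorithm are assumptions for illustration only.

```python
import hashlib
import hmac
import struct

# Placeholder constants for this example, not taken from the draft.
RRTYPE_ZONEMD = 63
CLASS_IN = 1
TTL = 3600


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-cased) wire form, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def zonemd_rdata(serial: int, digest_type: int, digest: bytes) -> bytes:
    """Serial | Digest Type | Reserved | Digest (layout assumed for the example)."""
    return struct.pack("!IBB", serial, digest_type, 0) + digest


def canonical_rr(owner: str, rdata: bytes) -> bytes:
    """Canonical RR: owner, type, class, original TTL, RDLENGTH, RDATA."""
    header = struct.pack("!HHIH", RRTYPE_ZONEMD, CLASS_IN, TTL, len(rdata))
    return wire_name(owner) + header + rdata


def signed_data(owner: str, rdatas, rrsig_prefix: bytes) -> bytes:
    """What an RRSIG covers (RFC 4034 section 3.1.8.1): the RRSIG RDATA without
    the signature field, then every RR of the RRset sorted by RDATA."""
    return rrsig_prefix + b"".join(canonical_rr(owner, rd) for rd in sorted(rdatas))


def sign(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the zone's DNSSEC signature so this runs offline."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def demo():
    """Returns (validates with the full RRset, validates with only one ZONEMD RR)."""
    owner, key = "example.", b"constructed-demo-key"
    prefix = b"constructed RRSIG fields"  # type covered, alg, labels, TTL, times, signer
    full = [zonemd_rdata(2018110101, 1, hashlib.sha384(b"zone-v1").digest()),
            zonemd_rdata(2018110101, 2, hashlib.sha512(b"zone-v1").digest())]
    sig = sign(key, signed_data(owner, full, prefix))   # signer covers all ZONEMD RRs
    return (verify(key, signed_data(owner, full, prefix), sig),
            verify(key, signed_data(owner, full[:1], prefix), sig))
```

Because the canonical form sorts the RRset and folds the owner name to lower case, the signer and the validator agree on the same bytes only when the validator sees every ZONEMD RR the signer saw.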