Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

"Wessels, Duane" <dwessels@verisign.com> Sun, 04 November 2018 04:05 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1903512777C for <dnsop@ietfa.amsl.com>; Sat, 3 Nov 2018 21:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAU4YwPqxDX0 for <dnsop@ietfa.amsl.com>; Sat, 3 Nov 2018 21:05:49 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 831D0130DCB for <dnsop@ietf.org>; Sat, 3 Nov 2018 21:05:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7691; q=dns/txt; s=VRSN; t=1541304350; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=K1Al2HJl0X/B4fObQPxGbuY1A/v6CECxzNAUhXPzbNE=; b=kvfUbzDMDU0BqufOPFfmOp1wPw4aoV+Wk0/MyjXZ8cHziYpFn9QKUTIG qhgxgsvioaG+10pSoJc76UXIin2ACelqbqkhvbDJaovbShg+haQCIKzO8 LbYDwHyUkSIsSBYRgTm7G4BxsHHguV39IaFSOz+bbiFwGtw3ORQWBt9VL xG0pJn7iBvJtTBa3XCzOFMhG01lzyZLdnCuFlUvlXjIiagz5KXUFwguTr YpHXuIWjpAlpvc+2WJvp34BIlTGnb5q+7x20NAYDqKuHctpKDQlEiHCl/ du5H5aDK+E0tGhr+mAzRKY6U7vOmJoakyrtcQPd9AcBu3kvaND5MWRqhP Q==;
X-IronPort-AV: E=Sophos; i="5.54,462,1534809600"; d="p7s'?scan'208"; a="6781030"
IronPort-PHdr: 9a23:fuy5BBR7nEHaE5rtMz8xqX634Npsv+yvbD5Q0YIujvd0So/mwa67ZBaCt8tkgFKBZ4jH8fUM07OQ7/i/HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9wIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAo2ycZYBD/YPM+hboYnypVoOogexCgS3C+Pj1jpIi2Xq0aEmzegsFxzN0gw6H9IJtXTZtNv5O6cMXuCu16nH0zHDb+hO1Tzg5obIbwouofeSUr5+bMHczlQgFg3bgVWLsozqITeV1v8WvmiF8eVgT+Ovi3UmqwF+pDij3Nsjio7Mho8MzF3P6Ct3wIEwJdKiSU57Z8apEJRRtyGGN4t2X9gtT3t0tyY9z70Lv4OwcisSyJk/2hLTd+aLf5WK7x/tTuqdPDd1iXx/dL+whBu+6VWsxvHmWsWp0ltGsjBJnsTDu30OzRDf98uKRuNz/ki/2juDywXe5+ReLk03kafUMJssz7AumpUOsEnOGzT5lUH3gaKUc0gp9Oal5ub6bbjgu5SSLZV7ihvkPaQrgsG/BOM4PRUQUGWD4uS80aHj/VX+QLVXkv06iqnZv47eJcQcvqO0HhNb3J4+5xm/Fzmo39UXkWUaIF5fZhKIk4/pO0vWIPziF/iwnk6gkClxx/DdOL3tGInCLn/GkLv5fLZ97VBTyBYrwNxC+55YEKwNLfD9V0PrqdDVDhE0Pxa7zuvkENl905kRWWOLAq+XKqPStlqI6/oyLOiCeoAVoy39JOYh5/71lnI5h0ESfbOo3ZsMaXC4EfJmL1+Fbnrrh9cNCX0KsRYmTOz2lF2CViZeZniwX6I84DE7E5+qAJzDRo+3mryOwT20Hp5IaWBcEVCAC3HoeJuYW/0UciKdPtdhkiAYVbimU4IhzQuhtBL+y7Z9LurU/SMYtZzm1Ndv4e3ejhAy+iBuAMSb1WGBVWZ0nnkHRzUuxqBwvVR9ykuf0ah/m/FXCNpT5+hOUgciLpPczvJ1C8z8Wg7bedeJUlmmEZ2aBmQOQ8l549YUb09+Fs/q2g/B3yyxWpcVnqaHDZ856Lma2XXtcZVT0XHDgeMegkI9T89UcSWKm6d5+kKbU4LWnl6CmqKxXboRxi/W9WiFi2GJuRcLA0ZLTazZUCVHNQPtptPj6xaHFuf2BA==
X-IPAS-Result: A2EcAADsbt5b/zCZrQpjHAEBAQQBAQcEAQGBUQcBAQsBgmqBJwqMBI4jly2BPzsIBAEjC4Q+AoNhNA0NAQMBAQEBAQECAQECgQUMgjYkAQsESzswAQEBAQEBAQEBAQEBAQEBGgINYwEBAQECAWwNBQsCAQgOCi4CMCUCBA4FDoMTAYF5F6d4hTyETAoFgm2JIIFCPoERJx+CTIMbAoUWgiYCiQ6VUFQDBgKEF4FwZYo7kGCNCIoXAgQCBAUCFIFDgg5wFTsqAYJBgiYYEoM3ilJvjGqBHwEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Sun, 4 Nov 2018 00:05:44 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1531.003; Sun, 4 Nov 2018 00:05:44 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Wes Hardaker <wjhns1@hardakers.net>
CC: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt
Thread-Index: AQHUcz8yx3DM3gbwSkixkqsHED6UGqU/VKKA
Date: Sun, 04 Nov 2018 04:05:44 +0000
Message-ID: <4A093ABC-3AE4-4E70-B24C-E27447D66DDE@verisign.com>
References: <154020795105.15126.7681204022160033203@ietfa.amsl.com> <3AED6137-0957-4EEE-B317-7178B00AB7CF@icann.org> <528A0D4B-B06F-42A6-B133-39E96FD5C902@verisign.com> <C3B46772-A0C9-4DB6-B403-E6F7ED8D4EF9@icann.org> <yblpnvmvfep.fsf@wu.hardakers.net>
In-Reply-To: <yblpnvmvfep.fsf@wu.hardakers.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_62C78FCA-D4DB-4A9E-9A38-923A8F02212E"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wik_9IR_lzEfZwN63r89OKI1k-0>
Subject: Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 04:05:52 -0000


> On Nov 3, 2018, at 1:33 PM, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> Paul Hoffman <paul.hoffman@icann.org> writes:
> 
>> From the earlier list discussion and your presentation at DNS-OARC,
>> processing dynamic zones is hard, and you might make different choices
>> based on different amounts of dynamicness (dynamicity?). This should
>> cause developers concern about implementing ZONEMD now because there
>> will be an expectation that they will have to implement the changes in
>> the future.
> 
> I also look at it in terms of implementation complexity and where in the
> code base decisions are made.  EG, if you have different RRTYPEs for
> signaling things, then the logic is straight forward:
> 
>    if (rrtype == ZONEMD) {
>       do_ZONEMD_stuff();
>    } else if (rrtype == ZONEMDMERKLE) {
>       do_fancy_new_hashtree_stuff();
>    } ...
> 
> On the other hand, with a reserved field we end up here:
> 
>    if (rrtype == ZONEMD) {
>       do_ZONEMD_stuff();
>    } ...
> 
> 
>    do_ZONEMD_stuff() {
>        if (reserved_field != 0) {
>            do_fancy_new_hashtree_stuff();
>        } else {
>            do_ZONEMD_stuff();
>        }
>    }
> 
> Now, if do_ZONEMD_stuff() and do_fancy_new_hashtree_stuff() are likely
> to be sufficiently different in implementation (and I suspect they will
> be), then the first code above with two RRTYPEs is likely to be
> cleaner.  The only advantage gained in the second type is if you can put
> the brunt of the code for both do_fancy_new_hashtree_stuff() and
> do_ZONEMD_stuff() pretty much inline because there is sufficient
> overlap.
> 
> It's hard to predict what the best route is advance without knowing now
> how much the resulting double implementation will overlap.

So there is an implementation of ZONEMD, and even an implementation of "fancy hashtree stuff".  You can find it at https://github.com/verisign/ldns-zone-digest

One of the reasons I think the variable-depth hash tree is attractive is because when depth = 0 then it simplifies exactly to the case as though there is no fancy hashtree.  

In my proof-of-concept implementation, most of the added complexity from fancy hashtree stuff comes in the form of how the zone data is stored.  For example:

    #if !ZONEMD_INCREMENTAL
    ldns_rr_list *the_rrlist = 0;
    #endif

    #if ZONEMD_INCREMENTAL
    typedef struct _zonemd_tree {
        unsigned int depth;
        unsigned int branch;    // only for debugging?
        ldns_rr_list *rrlist;
        struct _zonemd_tree *parent;
        struct _zonemd_tree **kids;
        unsigned char digest[EVP_MAX_MD_SIZE];
        bool dirty;
    } zonemd_tree;
    #endif

But the actual digest calculation is not that much more complex for fancy hashtree sutff, IMO.  The only difference is what you feed as input to the hash function.  At the non-leaf nodes the input is hash values of the child nodes.  At the leaf nodes the input is the RRs wire format data.

DW