Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

Michael StJohns <msj@nthpermutation.com> Wed, 08 January 2020 19:29 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9871812012A for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aSpFlunS0y_r for <dnsop@ietfa.amsl.com>; Wed, 8 Jan 2020 11:29:28 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A5D31200CC for <dnsop@ietf.org>; Wed, 8 Jan 2020 11:29:28 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id x1so3684009qkl.12 for <dnsop@ietf.org>; Wed, 08 Jan 2020 11:29:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=uPmiATSCSi4BlT3cAG0Dt9lS19XL6RpLMf4ri+RDaFo=; b=i9zL8urE13LWI44P3QHsuV3bYXKe1OSdBLZe/pYmOjkoiX8LPzUuuMpbBx/S8oQKXk 0U4yx4/O5u3KyLZcuCxu2ByW6P1un7Rv7tfCWimPAz46o9y/96StKg6hGsoc16LT03Dd 8mAEhnj47ZRQCc/cxX1ro62n+d5/APLuINV74HPKi9+B+RZdT1K0cyXZueIjb5Dy/zK4 AFz2bntI7kZmReTq6O+uEswnjLgBIshjvMd+mfcf/rFE52QWZQ118OAebfYLP1S38zKk L8YYgguDJpQwF5UkIBB00bpi32ePPKrl/WR/ijGeo1t/LNAq2A8P8UlIGCdbBgV/AwTv /wRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=uPmiATSCSi4BlT3cAG0Dt9lS19XL6RpLMf4ri+RDaFo=; b=DyPbRWBMaUsoY+luUCJzWYETh5aUqSPETmvWS80x94BnV7sGe9YnZ0hlSRGcYooLgp ux15+rsP+5K8Se+jHgjuAIvF5C76CJc0mPpYfi/IPR0FjVYyrvaESTq5wMf3ZorzgFDz JtnoDi7wi9civ3fTaCIwXGjP7hC6uOU98ZRwpLLrc7TGBGX1a8et2g0rU9lsXlrlDLw9 k3idF5zp7fJlvrQ0QlZM+ZlJvYQrZ9kr+b63tL2obBXOYCyTKgxlNixmlMpkkRiHMYSX o/4RppKmrzqC0gkwOkk4kAHxM+ZZHS4uH4Sfn+HHlTzjW29ysDqXhuFAZ8iIFiGf1AHZ ZXLQ==
X-Gm-Message-State: APjAAAUgr+gfXnn080SnqTnaxHOqG4Q3vYr0yFXDjqQF8Dc33Q1hU3Cp N/oltyA3YHf4je1WCEjmE/4GcH3zTIA=
X-Google-Smtp-Source: APXvYqxCFzeZyDOp+xP8YIgFAG2X/jLwOTp5JMvREQ6x0YuPVc08nFgfpORtcaoqUVK4Zkjl++H6cQ==
X-Received: by 2002:ae9:e519:: with SMTP id w25mr5854136qkf.260.1578511767340; Wed, 08 Jan 2020 11:29:27 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:dd4:4ade:7d8:f573? ([2601:152:4400:437c:dd4:4ade:7d8:f573]) by smtp.gmail.com with ESMTPSA id 4sm1834689qkv.44.2020.01.08.11.29.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 11:29:26 -0800 (PST)
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <84650844-1d13-9377-c913-23dcbc76dc37@nthpermutation.com> <C4EB59C4-EA83-4DBE-84D0-D8D43735B63D@verisign.com> <7f298591-09b5-dd7c-0dab-afc60def874b@nthpermutation.com> <A61A5E45-F694-4FAC-BF22-1C0AAB510FD1@verisign.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <9facad07-6671-b4d4-caff-73104a80398a@nthpermutation.com>
Date: Wed, 8 Jan 2020 14:29:25 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <A61A5E45-F694-4FAC-BF22-1C0AAB510FD1@verisign.com>
Content-Type: multipart/alternative; boundary="------------127062FCC9257F43F92BD2C2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wsBJrG491qJ7vb9LuwkSu4VXjgs>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:29:31 -0000

On 1/7/2020 6:01 PM, Wessels, Duane wrote:
>
>> On Jan 6, 2020, at 6:15 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>>
>>>
>>>> 5) 3.1.2 - This is I believe different than how DNSSEC does it?  If it's the same, then this is fine, otherwise this protocol should be calculating the RRSet wire representation the same as DNSSEC does it.
>>> In my experience, duplicates are suppressed either when a zone is loaded or when it is signed.  ZONEMD matches DNSSEC.
>>>
>>>
>>> Here's how named-checkzone behaves:
>>>
>>> $ named-checkzone -i none -o /dev/fd/1 example.com /dev/fd/0
>>> $ORIGIN example.com.
>>> @ 60 SOA a b 1 2 3 4 5
>>> @ 60 NS ns
>>> NS 60 A 192.168.1.1
>>> @ 60 A 127.0.0.1
>>> @ 60 A 127.0.0.1
>>> zone example.com/IN: loaded serial 1
>>> example.com.                                  60 IN SOA         a.example.com. b.example.com. 1 2 3 4 5
>>> example.com.                                  60 IN NS          ns.example.com.
>>> example.com.                                  60 IN A           127.0.0.1
>>> NS.example.com.                               60 IN A           192.168.1.1
>>> OK
>>>
>>>
>>> And in ldns_dnssec_rrs_add_rr() at https://github.com/NLnetLabs/ldns/blob/develop/dnssec_zone.c#L46 you can see at the end that equal RRs are silently ignored.
>>>
>> Can you provide a cite?  Not disagreeing - just curious if its been written down in an RFC somewhere.
>>
>
> RFC2181 (cited in ZONEMD) says:
>
>     Each DNS Resource Record (RR) has a label, class, type, and data.  It
>     is meaningless for two records to ever have label, class, type and
>     data all equal - servers should suppress such duplicates if
>     encountered.
>
> DW
>
>
And then you have RFC4034 which has

> [RFC2181] specifies that an RRset is not allowed to contain duplicate
>     records (multiple RRs with the same owner name, class, type, and
>     RDATA).  Therefore, if an implementation detects duplicate RRs when
>     putting the RRset in canonical form, it MUST treat this as a protocol
>     error.  If the implementation chooses to handle this protocol error
>     in the spirit of the robustness principle (being liberal in what it
>     accepts), it MUST remove all but one of the duplicate RR(s) for the
>     purposes of calculating the canonical form of the RRset.

Which I think is the better cite.  So basically, the RRSet encoding for 
ZONEMD is the same RRSet encoding for DNSSEC.  Which answers my question.

Thanks - Mike