Re: [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt
"Wessels, Duane" <dwessels@verisign.com> Wed, 04 April 2018 16:32 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B4D4127869 for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 09:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsW_56GxVVuk for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 09:32:36 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCBF112DA4B for <dnsop@ietf.org>; Wed, 4 Apr 2018 09:32:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=1810; q=dns/txt; s=VRSN; t=1522859553; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=SSROGvVmN20Qv3GU9AOIXFL7MXBGXtxi8JU5I0LtU70=; b=chbm5zS5TOCGAqsAjsYFTKkNXFT9gS2lEsE/b58Rjkag7VInPcfPf0dO ciRPWut1nT38mabn1KZU1/dM2dmGo1HVqRZeOTfy0EWOkqWtCatafJVgT ABy/VNX3ylOWnFZ7bY0jvxuGRq5yXMXXzphRX8ROvjjtqLZPMRoRXsOpq bZiX3M9Wj7ejDfYKvA3WpEi44xk36WPb23nG5/gwlqsPovFSrp3qYjtA6 +qc1xjXST3FDwy0tj96BrUDxYh6MSx9uobvccISFnOKWWuy0hcu+V/nMm SH4t9epzmtZMbgEgljfVUteUXaaZMFH9en2Z/UswEX+eFjFD/GePPnu/R Q==;
X-IronPort-AV: E=Sophos;i="5.48,407,1517875200"; d="scan'208";a="4289376"
IronPort-PHdr: 9a23:AWG0GxUygPsBITEnhAIN7gjmesbV8LGtZVwlr6E/grcLSJyIuqrYbRaGt8tkgFKBZ4jH8fUM07OQ7/i7HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba98IRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAo2ycZYBD/YPM+hboYnypVoOogexCwajH+7v1iZIhnrq0aEmz+gtDwfL1xEgEdIUt3TUqc34OKkSXu+r16nI1ivMb/dN2Tvl9YPGfA0hruuKXb1uf8ba1E4iGB7Lj1qOsozlJC2a1uAWs2WA8epvS/ivi288qwFwrTivwN0ghZXOhoIQ013J8zhyzoUtJdCgVUJ3fcSoHIZSuiyULYd6X8MvTm9ytCokxbALuYa3cDUWxJg92hLSafKKf5KV7h/jWuudOzh1iXFjdbminRi961Kgxff5VsSs1VZKqTdKncfUu3AW0hzT9tCHSvxg/ke9wTqP1x7c6uVDIU0sjqXbMZghzqM0lpsctETMBC72mEHxjK+LakUo5vak5/75Yrr4vJ+cNpR0igDxMqQogMCwHeM4Mg0WU2ia/+SzyqHj8FXkTLlWlPE6j6vUvZ7AKcgGpqO0DRVZ3pgs5hu/Fzum1c4XnXgDLFJLYhKHiI3pNknTL/H2E/i/mE+snylvx/DdJbDhHIvCLmLCkLf6fLZ95EhcxBAvwtBY4pJYEqsBL+7rWk/tqNzYCQc0PBGyw+b8D9V9zpgTWWORDa+FPqPeq1iI5vggI+OUfo8apC79K+Q55/7plXI5gl8dcrOv3ZQJc324AvVmI0CHbnb1ntcBC30FvhQgQ+zujF2NTyRTZ22oU6I7/DE7B5qsDZ3fSYC1nLyBwCC7E4VLaWBBFlCBCmrnd4KYW/gWdCKeONVukiBXHYSmHrMm0wDmmg78wLoveubT5gUUso7qyJ58+7uAuws18Gk+MMmGyGyJVCU8sn4BQTJ8lPRzvkFm0VqHyoBmjuZZDt1c4bVCVQJsZs2U9PBzF92nAlGJRdyOUlvzB4z+WTw=
X-IPAS-Result: A2FuAAA6/cRa//WZrQpcGQEBAQEBAQEBAQEBAQcBAQEBAYU6CotVjlshEX6SVYF6C4UDAoRiNBgBAgEBAQEBAQIBAQKBEII1JAGCSQEBAQECATo9AgULAgEIDQEKHhAyJQIEDgUehGeuGohCgiWJNz6BDCIMglaEb4MwgiQClz4DBQKaa49WAgQLAhMBgSUcggtwFWQBghiCSI4Gb4xagRcBAQ
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id w34GWVPJ004446 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 4 Apr 2018 12:32:31 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Wed, 4 Apr 2018 12:32:30 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Tony Finch <dot@dotat.at>
CC: Shane Kerr <shane@time-travellers.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt
Thread-Index: AQHTzDKGKPw82+2X40GOFn3iTT/wqg==
Date: Wed, 04 Apr 2018 16:32:29 +0000
Message-ID: <B6F7E35D-FFCF-4F67-8115-906E52D17A74@verisign.com>
References: <152277670738.22791.3511791082557717517.idtracker@ietfa.amsl.com> <88E182D8-64C4-4FFE-961C-AA3571F8A86B@verisign.com> <4cd3191a-e53c-87ad-1a6d-cbeee414b62f@time-travellers.org> <alpine.DEB.2.11.1804041354230.20829@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.11.1804041354230.20829@grey.csi.cam.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.153.48]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C6F9B7386504E14094A01786667449EE@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xb-juchWYSy0nJT_5oePtNgEWDo>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-wessels-dns-zone-digest-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 16:32:38 -0000
> On Apr 4, 2018, at 6:15 AM, Tony Finch <dot@dotat.at> wrote: > > A couple of thoughts/questions: > > The sorting algorithm specifies CLASS as part of the sort key. This is > fine, but slightly redundant since all records in a zone have the same > class :-) Okay. I managed to convince myself that zone files could contain multiple classes, but looking now I see in 1035 it says "All RRs in the file should have the same class." > > Regarding efficiency, I wonder if there would be much win from giving it a > bit more of a tree structure, e.g. > > ; similar ordering to RRSIG calculation > digest_RRset(n,r) = digest_algorithm( RRsig(i,1) | ... | RRsig(i,si) | > RR(i,1) | ... | RR(i,ri) ) > > digest_owner(n) = digest_algorithm( digest_RRset(n,1) | ... ) > > digest = digest_algorithm( digest_owner(1) | ... ) > > So when updating a zone, you can just recalculate the digests for the > affected owner names, then re-digest the string of digests. This should be > faster for signed zones, but it might not be a win for unsigned zones (a > SHA256 is about the same size as an A record). > > (Following the hierarcial structure of owner names is probably not worth > it given the flatness of most zones.) > >> Is it worth exploring the possibility of including multiple ZONEMD in a >> zone at different names, which digest the part of the zone up to that >> point? > > Also a good idea :-) It probably needs to look a bit more like NSEC to > make it explicit which owners are covered. My initial reaction is that I'm not fond of the complexity, but would like to hear if people think zone digest is useful for the types of zones where recalculation is a significant concern. DW
- [DNSOP] Fwd: New Version Notification for draft-w… Wessels, Duane
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Wessels, Duane
- Re: [DNSOP] Fwd: New Version Notification for dra… Wessels, Duane
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] Fwd: New Version Notification for dra… 神明達哉