Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"John R Levine" <johnl@taugh.com> Sun, 29 July 2018 04:50 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E1A130E08 for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 21:50:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=NcymXi9u; dkim=pass (1536-bit key) header.d=taugh.com header.b=DqZ+4WDn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ktDD_vUyPX7u for <dnsop@ietfa.amsl.com>; Sat, 28 Jul 2018 21:50:21 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 786CA130E04 for <dnsop@ietf.org>; Sat, 28 Jul 2018 21:50:21 -0700 (PDT)
Received: (qmail 15996 invoked from network); 29 Jul 2018 04:50:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=3e7a.5b5d478b.k1807; bh=osnxW29k0WjiK8wn9mlxNSp65Z1m9U565scz72n0nDc=; b=NcymXi9uKBMpDxgutquDWTzm6mWBAcCHCgnxtYsSWU27YvAM+fXubxUIal1H32y0XIfnQV0FZhHPnpw4x+xda69o+JA6DKk/drM4FnsagQGz+Q65O0WI8d6PwdYLFy1lLVGbSFZqohNq01pf0N83pP84hD/xi/6d0KdazbLNjW5VHKz88IW08sJs3HGYItdUx2CL7ef9sqijHUttswp38TK07asxH7X3wNunzdzXoeUheLQedQER2rsEauXisHyv
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=3e7a.5b5d478b.k1807; bh=osnxW29k0WjiK8wn9mlxNSp65Z1m9U565scz72n0nDc=; b=DqZ+4WDnlxJbsgh9wbUlsPME0cX4TugoGPyszEcoYPmQB3h0begW7YHBtcN9mGYJRod7jg298IZC8cz0h9RjIllQrgrhypUqFAZAqLzimD1yN4z1V1S9ZSbKPHwszdheG8O07cbaqrZDEszzoommrLTAsK+pz/KUO/igbFg25by2OSTGKrIlK34kLoFjP1y5/T3z3fdz49l4ZPKGdzFg47DQWrN/WQxwUADC5yrXzapB1KJlfXDSLfv/6eTYH6VT
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 29 Jul 2018 04:50:19 -0000
Date: Sun, 29 Jul 2018 00:50:18 -0400
Message-ID: <alpine.OSX.2.21.1807290047300.46393@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Ondřej Surý <ondrej@isc.org>
Cc: dnsop@ietf.org
In-Reply-To: <FC43CF7A-9653-4EF3-BFF5-79600DC940AD@isc.org>
References: <20180728215805.E60F020030A8E0@ary.qy> <FC43CF7A-9653-4EF3-BFF5-79600DC940AD@isc.org>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y2X3YP8_YPHot2_OUQCw-NZDADU>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2018 04:50:25 -0000

> Therefore either you need to exclude the data that changes (hash and its RRSIG) when computing the hash for the BitTorrent and the receiving side would have to reassemble this. Or you would need OOB mechanism to distribute the hash (different part of the tree, CDN, ...).

Of course you exclude the hash record from the hash.  Look at the way we 
do DKIM signatures -- the header hash includes all the headers including 
the signature header, but it pretends there's no hash field in it.

I'm also thinking the hash wouldn't need to include the RRSIG records, 
since those are mechanically derived from the underlying records and the 
ZSK.


Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly