Re: [DNSOP] Rough notes for an incremental zone digest
"Wessels, Duane" <dwessels@verisign.com> Thu, 29 August 2019 19:56 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CBD2120B48 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 12:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uaGtRD9FdAK9 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 12:56:11 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 565D4120B46 for <dnsop@ietf.org>; Thu, 29 Aug 2019 12:56:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10703; q=dns/txt; s=VRSN; t=1567108571; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=20Y5535HanfEfZZaVgChN9qDYdE386Am+ZwKLR/TH1I=; b=qCCD4NIOR4CTZjUDV/G2+aLGo/ZUmpooZg1DEaYLDV4L4CCrbt/IfOoU fpoTw7Oe7vzOGMxNlYq6GGuOIkyubowyIA32NxFRAwBHctyzONr0Yh1pj DLXcj7RYPZOIctsrC6/jKCyLJM2cls1HCPfkYFO6Xfj/FoSfyQwk8m/qF P6l9j7g3UZmHpnHf8F2PEWQowqmf3dnERZX0xy/tiUFBTBtOpAD7rzrIq vEWuhIKSrY2tHcDOhyyPzxv/sS6S627CUd5ZlhiAGX9gal1so4GAISRvF wlw2gnV3z1FXVito5Ysm5DWPGEuWJS69Ztu/pJajbDhtwHgyhbNNwrRab Q==;
X-IronPort-AV: E=Sophos; i="5.64,444,1559534400"; d="p7s'?scan'208"; a="8312747"
IronPort-PHdr: 9a23:YaWvLB0bUlY+Rlb7smDT+DRfVm0co7zxezQtwd8ZseMQLfad9pjvdHbS+e9qxAeQG9mCsbQd1bCd6vuwEUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCejbb9oMRm7rBvdusYLjYZsKas61wfErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgzocOjUn7G/YlNB/jKNDoBKguRN/xZLUYJqIP/Z6Z6/RYM8WSXZEUstXSidPAJ6zb5EXAuQBI+hWspX9qVUNoxuwBwaiA+LvxSNHiXLt0q02z+EhHBvG3AA8Ad4DtmnfotXvNKcVVOC41KfEwjXdYPNNwjfy9ozIcgs5rfqRU7xwbNDeyU8xGA/Lk16drpHqPj2L2eQWqGiU8e5gVfm0hm45tQ5xuDmvxtwtionGgIIZ0EzL9SJ8wIssI9CzVUB1YdmhEJRKtiGaMZN7QsI8TGF0tiY20LoGuYS0fCUM1Z8pxAbfZuSaf4SU+B7vSeScLDliiH54eL+yiQy+/Eekx+HkS8W4zExGojdHn9XQrHwByhPe58udRvdg/UqtwTiP2B7Q5+1YJE05kLDUJp0lz7Erk5cev1rPETL3lUjzl6CbckQp9+qt5unpbLjrpIKTOolpgQ/kKKsugNawAeEgPwgLWGiU5Pqz2aX4/U38XLVKlvo2krTFsJzCJcQUuKq5AwhN34s+9xixFyqq39QAk3cILV1JZAyLg5L3O17SJ/D4F++/j062nzh23fzGIKfhAo7LLnTZjLjherN951ZdyAo1099f+4pZBqwdLP7pR0P8ttLVAgUkPwG0zevrEtpw24cGVWKKGKCZMafSsVGS5uIoJumBfJIauTjjJPg+/P7hk3s5mUQGcKm3w5QXcnG4Hu9nI0WWZ3rgmMsOEWAPvgYmVuzllEWCUSJPZ3a1R6884yw7CIG9DYrYQ4Ctnb+B3Dq9HpJLfGxGDUqMEXjwfYWeR/gMcD6SItNmkjEcSLehTZQh1Ra2tALhyrpoMPbU+iMCuZLkzth16L6bqRZn0CF3EsKRm1qMUWhul2YBQXdi2b18umR411Se16Q+hOZXQ499/fRMB00FOIXHwuhhT5jeRwvHc53BHFq5T869DDUqZsw82d4VYkl7Xd6li0aQjGKRH7YJmunTV9QP+aXG0i20fp4lxg==
X-IPAS-Result: A2G7AACQLWhd/zGZrQpmGwEBAQEDAQEBBwMBAQGBZ4FugReBLwqVL4NqlyEICQEBAQEBAQEBAQMEARgLDAEBAoQ9AoJ9OBMCCwEBAQQBAQEBAQYDAQEBAoYXDII6KQEUTWsBAQEBAQEjAkQsAQEBAQIBAQFsCwULAgEIDgouAiULJQIEDgUOgklLAYF7Hq1chUqEawoGgTSBUYhjgVuBQT6BEAEnH4IeLj6CYQEBgSobCBM7gwOCJgSUYF6WSgMGAoIegzeCJ4YXiHmCMpFqhEGPJZNygw8CBAIEBQIVgWeBenAVOyoBgkE+gg8YiGOFP3KNOgGBMIEjAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 29 Aug 2019 15:55:58 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Thu, 29 Aug 2019 15:55:58 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Mukund Sivaraman <muks@mukund.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Rough notes for an incremental zone digest
Thread-Index: AQHVXmzyB4uFI4sC3UKP6Rr0AKc8B6cSzcoA
Date: Thu, 29 Aug 2019 19:55:58 +0000
Message-ID: <361D1032-C437-4E54-A639-B9774164AE3B@verisign.com>
References: <20190829132126.GA2835@jurassic.lan.banu.com>
In-Reply-To: <20190829132126.GA2835@jurassic.lan.banu.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.9.1)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_1FFD9AA8-7B73-4B7E-BA9D-410B3633C37D"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yyjVP7QUe9pr8QBEEjLD_gCTQmE>
Subject: Re: [DNSOP] Rough notes for an incremental zone digest
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 19:56:14 -0000
Thanks Mukund. For everyone else's benefit, what Mukund and I were discussing is ways to make the ZONEMD algorithm more efficient for large dynamic zones. The authors are intending for that to be future work, and not a part of the current proposal, which has this to say about such zones: As specified at this time, ZONEMD is not designed for use in large, dynamic zones due to the time and resources required for digest calculation. The ZONEMD record described in this document includes fields reserved for future work to support large, dynamic zones. DW > On Aug 29, 2019, at 6:21 AM, Mukund Sivaraman <muks@mukund.org> wrote: > > See the attached figure. These are rough notes of a proposal. I sent > this to Duane Wessels a few days ago, but this is probably something for > dnsop@ readers to see too as there has been discussion about an > incremental design for zone digest before. Performing a hash tree using > an existing name tree like BIND's RBT does not appear to be simple. If > such a structure is specified as the canonical structure, it also won't > be appealing across implementations. > > --- > > All the names in the zone are hashed using a suitable hash function > (need not be a crypto hash) into N hashtable buckets where N = 1<<M. > > M is variable dependent on the number of names in the zone. M is > ceil(log2(number of names in the zone / LOAD_FACTOR)) where an example > value for LOAD_FACTOR is 8. Then, an average of 8 names can exist in any > hash bucket. > > Each item in the hash table bucket is a SHA-384 hash value and a pointer > to an ordered collection of names. This example uses RBTs for the > collections for fast insertion/deletion, but even a sorted linked list > should be ok, as the average number of names in a bucket is LOAD_FACTOR, > so insertion and lookup are O(1). The choice of collection data > structure does not matter as long as they are scanned in defined order. > > The SHA-384 hash value stored in a bucket is the SHA-384 hash performed > in order over all the names and RDATA of the DNS nodes in that bucket > (by scanning the RBT or ordered linked list). This operation is O(1). > > So there are N SHA-384 hash values where N is a power of 2. Using a > Merkle tree over it, you get the overall ZONEMD. > > --- > > When inserting, hash the name into the appropriate bucket, recompute the > SHA-384 value for that hash bucket (by scanning the RBT or ordered > linked list) which is an O(1) operation. Then update the hashtree > upwards to get the ZONEMD as a O(log N) operation. > > The hashtree is shown as a binary tree. Instead of 2 degrees, the parent > hashes can be computed for 4, 8, 16, 32, or 64 child hashes at a time to > reduce storage of intermediate SHA-384 hash values in the hashtree. It > would be faster too. > > --- > > When inserting, if the total number of names in the zone is greater than > N * load_factor, then N is doubled and all the names in the zone are > rehashed. This is an O(total_number_of_names) event and occurs very > rarely in the lifetime of existing(loaded) zones. > > --- > > In existing implementation data structures, one would have to add two > pointers and a color to every DNS node structure if using the RBT > structure hanging off the hash bucket, or 1 pointer if using ordered > singly linked list. Such a linked list can be insertion sorted, and the > bucket array + list would be simple to implement. > > The main tree structure would have pointers to the hash bucket array and > the merkle tree. > > LOAD_FACTOR can be tuned suitably to adjust memory utilization of the > bucket array vs. rate of update. > > Mukund > <zonemd.jpg>_______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Rough notes for an incremental zone digest Mukund Sivaraman
- Re: [DNSOP] Rough notes for an incremental zone d… Wessels, Duane