Re: [DNSOP] future-proofing (Re: Working Group Last Call for: Message Digest for DNS Zones)

"Wessels, Duane" <dwessels@verisign.com> Mon, 13 January 2020 18:26 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Michael StJohns <msj@nthpermutation.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Mon, 13 Jan 2020 18:26:12 +0000
Message-ID: <C34B2364-13D8-461A-B15C-090C1C2F6200@verisign.com>
References: <CADyWQ+G1w9_vcU3oO9MsKcP4hTLPXKFb+xY7LJGExbAfjzsDMw@mail.gmail.com> <D9E20677-B76F-4028-A283-6FA5DEEC22AE@verisign.com> <b3132d4a-8b91-27ff-83af-0204a47ec2c3@nthpermutation.com> <28189634.PH2fhW1m7e@linux-9daj> <57C19AE6-CE64-42F4-BFF1-7FD5C442CD4A@verisign.com> <4c9cee8f-c05f-1cb4-6a2d-4e61371bf045@nthpermutation.com>
In-Reply-To: <4c9cee8f-c05f-1cb4-6a2d-4e61371bf045@nthpermutation.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/znbaF6CI7ndvQxUBzDgKJbU6WrA>


> On Jan 8, 2020, at 3:55 PM, Michael StJohns <msj@nthpermutation.com> wrote:


Mike,


Thank you for these suggestions. The authors have discussed them.

> If the above is what you intended, then sections 3 and 4 should be labeled "Calculating/Verifying the DIGEST for the SIMPLE scheme", and there should be some description elsewhere indicating that later schemes will provide replacements for section 3 and 4 at a minimum.

This requires fairly large structural changes to the document. It isn't just relabeling the sections because some portions (duplicate RRs, RR ordering) are global, and some are scheme specific -- as it is a Working Group document, we'd like to see support from the WG to make them.

WG, please let us know by the end of the week if you would like us to make these changes.


> There's also the case that future ZONEMD schemes may need a different format for the digest field.   E.g. one approach to dealing with incremental changes is to have a NSEC like ZONEMD record which covers hashes only across a range of names.
> 


We think that the currently documented RR format will solve most use cases - since the digest field is variable length, it already provides a lot of flexibility for future uses, by defining additional Digest Types. Anything which cannot be solved with this format seems like it would be a sufficiently different protocol that it would deserve a new RRtype and document.

> So instead maybe change Digest Type -> Scheme type and   Parameter & Digest -> Scheme data (which is for this scheme just the digest data).
> 


Thank you, these are great suggestions, and we think they make the document more readable / understandable.

DW
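The point Duane makes about the variable-length digest field, shown as an added example that is not code from the thread or the draft: an encoder/decoder for an assumed draft-era RDATA layout (Serial, Digest Type, Parameter, Digest) in which a verifier distinguishes an unknown future Digest Type from a malformed digest. The digest-type code points for SHA-384 and SHA-512 are taken from the published registry; the zone bytes are constructed.

```python
import struct
import hashlib

# Layout assumed for this example, using the draft-era field names from the thread:
#   Serial (4 bytes, uint32) | Digest Type (1) | Parameter (1) | Digest (variable)
HEADER = struct.Struct("!IBB")

# Known digest types and their fixed digest lengths. Code points 1 (SHA-384) and
# 2 (SHA-512) follow the published registry; any other value is treated as an
# unknown future type rather than as an error, which is what keeps the format open.
DIGEST_INFO = {1: ("sha384", 48), 2: ("sha512", 64)}


def encode_zonemd(serial, digest_type, parameter, digest):
    """Serialize one ZONEMD RDATA. The digest may be any length, so new Digest
    Types with different output sizes need no change to the RR format."""
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("serial must fit in 32 bits")
    return HEADER.pack(serial, digest_type, parameter) + bytes(digest)


def decode_zonemd(rdata):
    """Parse RDATA into (serial, digest_type, parameter, digest, status).
    status is 'ok', 'unknown-type' (well-formed, cannot verify) or 'bad-length'."""
    if len(rdata) < HEADER.size:
        raise ValueError("RDATA shorter than fixed header")
    serial, dtype, param = HEADER.unpack_from(rdata)
    digest = rdata[HEADER.size:]
    if dtype not in DIGEST_INFO:
        status = "unknown-type"   # a verifier should report unsupported, not corrupt
    elif len(digest) != DIGEST_INFO[dtype][1]:
        status = "bad-length"     # truncated or padded digest: verification fails
    else:
        status = "ok"
    return serial, dtype, param, digest, status


def digest_zone(zone_wire, digest_type):
    """Digest over already-canonicalised zone bytes (canonical RR ordering and
    duplicate-RR removal are the scheme-independent steps the mail refers to)."""
    name, _ = DIGEST_INFO[digest_type]
    return hashlib.new(name, zone_wire).digest()


# Constructed stand-in for the canonical wire-format zone data.
SAMPLE_ZONE = b"example. 86400 IN SOA ns1.example. admin.example. 2020011301 7200 3600 1209600 3600"


def roundtrip(serial=2020011301, digest_type=1, parameter=0):
    rdata = encode_zonemd(serial, digest_type, parameter, digest_zone(SAMPLE_ZONE, digest_type))
    return decode_zonemd(rdata)
```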