Bonjour,

I decided to implement draft-wessels-dns-zone-digest-02 at the IETF 102 Hackathon. As expected, it is fairly straightforward. You can see the code on GitHub:

https://github.com/shane-kerr/ZoneDigestHackathon

It seems to work, although since I have no other implementation to compare against I can't be sure that the digest values are in any way correct.

In proper hackathon style there are no tests. Bugs surely abound. If you use it in production please keep a fire extinguisher handy.

I found the draft to be clear and fairly complete, although I have a few suggestions:

* It might be worth mentioning that names are expected to be
  uncompressed. It's kind of obvious, but it might trick up some
  implementations.

* The TTL of the ZONEMD record has to come from somewhere. It can either
  come from configuration or be pulled from somewhere else (I used the TTL
  of the SOA record). This should be documented.

* It might be worthwhile giving some recommendations or even
  requirements about what to do with failures. For example, something
  like "secondary servers who receive a zone that fails a digest
  validation SHOULD NOT serve the zone".

* Having some example zones and the expected digest values would be very
  useful for implementers.

As a final note, while it is awesome to have dnspython available to do such projects, dnspython is not a joy to work with. I had a brief discussion with some other hackathon attendees and it seems to be a shared experience. I was encouraged to look at the getdns Python API, which has apparently had quite some thought in making it Pythonic. I may look at that or making a pure Python version of it at some point in the future. If you have other suggestions for DNS in Python feel free to contact me off-list (since this isn't a software development list).

Cheers,

--
Shane
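Added example, not code from the hackathon repository and not text from the draft: a stdlib-only Python sketch of the three implementation points raised above, owner names emitted uncompressed and lowercased in canonical wire form, the ZONEMD TTL copied from the SOA, and a verifier that returns False so a secondary has a clear signal to refuse the zone. Assumptions, also marked in the code: the RR type code 63 and "digest type 1 = SHA-384" are taken from the later RFC 8976, not from draft-02; the RDATA layout (serial, digest type, digest) and the rule that apex ZONEMD records are left out of the hash are simplifications to check against whichever draft revision you implement; the zone records are constructed sample data.

```python
"""Illustrative ZONEMD-style zone digest in pure Python (standard library only)."""
import hashlib
import hmac
import struct

CLASS_IN = 1
TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
TYPE_ZONEMD = 63     # assumption: the IANA code assigned later (RFC 8976); draft-02 had none
DIGEST_SHA384 = 1    # assumption: digest type 1 = SHA-384, as in RFC 8976


def canonical_name(name):
    """Uncompressed wire-format name, lowercased (RFC 4034 section 6.2 canonical form)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def name_sort_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare labels from the root downward."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def rr_wire(owner, ttl, rtype, rdata):
    """Canonical wire form of one RR: owner | type | class | ttl | rdlength | rdata."""
    return canonical_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (canonical_name(mname) + canonical_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def soa_serial(rdata):
    """The serial is the first 32-bit field after the two (uncompressed) names."""
    pos = 0
    for _ in range(2):
        while rdata[pos] != 0:
            pos += 1 + rdata[pos]
        pos += 1
    return struct.unpack_from("!I", rdata, pos)[0]


def zone_digest(apex, rrs):
    """SHA-384 over every RR in canonical order; apex ZONEMD RRs are excluded (simplification)."""
    included = [r for r in rrs
                if not (r[2] == TYPE_ZONEMD and r[0].lower() == apex.lower())]
    # Order by owner name (canonical), then RR type, then RDATA, so input order never matters.
    included.sort(key=lambda r: (name_sort_key(r[0]), r[2], r[3]))
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in included:
        h.update(rr_wire(owner, ttl, rtype, rdata))  # TTL used as given
    return h.digest()


def build_zonemd(apex, rrs):
    """Create the apex ZONEMD RR; its TTL is copied from the SOA record."""
    soa = next(r for r in rrs if r[0].lower() == apex.lower() and r[2] == TYPE_SOA)
    # assumption: RDATA = Serial(32 bit) | Digest Type(8 bit) | Digest
    rdata = struct.pack("!IB", soa_serial(soa[3]), DIGEST_SHA384) + zone_digest(apex, rrs)
    return (apex, soa[1], TYPE_ZONEMD, rdata)


def verify_zone(apex, rrs):
    """True only if exactly one apex ZONEMD exists, its serial matches the SOA, and the digest matches."""
    at_apex = [r for r in rrs if r[0].lower() == apex.lower()]
    zonemd = [r for r in at_apex if r[2] == TYPE_ZONEMD]
    soa = [r for r in at_apex if r[2] == TYPE_SOA]
    if len(zonemd) != 1 or len(soa) != 1:
        return False   # missing or ambiguous: treat as a failed validation
    serial, digest_type = struct.unpack_from("!IB", zonemd[0][3])
    if digest_type != DIGEST_SHA384 or serial != soa_serial(soa[0][3]):
        return False
    return hmac.compare_digest(zonemd[0][3][5:], zone_digest(apex, rrs))


# Constructed sample zone (not from the draft); the mixed-case owner exercises canonicalisation.
APEX = "example.test."
SAMPLE_ZONE = [
    ("example.test.", 3600, TYPE_SOA, soa_rdata("ns1.example.test.", "hostmaster.example.test.",
                                                 2018071401, 7200, 3600, 1209600, 3600)),
    ("example.test.", 3600, TYPE_NS, canonical_name("ns1.example.test.")),
    ("NS1.Example.Test.", 3600, TYPE_A, bytes([192, 0, 2, 1])),
    ("www.example.test.", 300, TYPE_A, bytes([192, 0, 2, 80])),
]


def demo():
    """Digest the sample zone, verify it, then show that a one-octet change is caught."""
    published = SAMPLE_ZONE + [build_zonemd(APEX, SAMPLE_ZONE)]
    tampered = [(o, t, ty, bytes([192, 0, 2, 81]) if o == "www.example.test." else rd)
                for (o, t, ty, rd) in published]
    return verify_zone(APEX, published), verify_zone(APEX, tampered)


if __name__ == "__main__":
    print(demo())
```

A secondary that loads a transferred zone would call `verify_zone()` once after the transfer completes and keep serving the previous copy when it returns False; the constant-time comparison is not strictly required here, but it is a cheap habit for any digest check.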

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop