On Mon, Mar 25, 2019 at 2:54 PM Matthew Pounsett <m...@conundrum.com> wrote: > >
> > Section 3.2. discussion: Unless there's a potential benefit to non-apex > ZONEMD records that I'm not seeing, I think it makes sense to forbid them. > Was there a particular thing that could be enabled by that, which prompted > the suggestion? I agree with this. I believe it would create unnecessary complexity. For example, which records would such a digest cover? Would the apex record cover also the records covered by this subdigest? > In 3.4.1 would it make sense to include a sentence explaining the catch-22 > that would result if the RRSIG covering the ZONEMD record were included in > the digest? > > In section 4, I suggest replacing all of the instances of "provably > [un]signed" with "provably [in]secure". To me, a zone is provably signed if > it has DNSKEYs and RRSIGs that validate from those DNSKEYs. What the draft > is interested in is whether those signatures link up to a trust anchor > somewhere, and the term for that is "secure".. But maybe there are > definitions somewhere that I haven't read that make "signed" and "secure" > equivalent, which would make this a silly suggestion. Does it matter for this feature that the trust chain verifies? If so, does it mean that it's provably secure? Maybe the private key was leaked but not yet revoked, thus it's provably properly signed and verifies, but it's not provably secure. Perhaps we could add some wording to define what we mean by that (either). > Section 2 discussion: I was initially ambivalent about whether multiple > ZONEMD records should be allowed with different digest types. Having gone > back and re-read some of the discussion, I'm persuaded that it would be > beneficial to allow multiple digest types to be used on the same zone > instance. I think we'd want to have a bunch of discussion about the details > in order to keep code complexity under control, though. > Section 5 discussion: I can't remember if I commented on this bit before or > not, but just in case.. I support keeping the reserved field. It seems to me > that if we have to get a new type for an incremental-friendly version of > ZONEMD that we're going to have implementation fragmentation and a migration > issue. Especially if we don't allow multiple ZONEMD records, I can imagine > it being difficult to have both in the zone at once, and that it could be > hard to specify what should happen if an operator wants to migrate from > ZONEMD v1 to ZONEMD v2 without knowing which one the consumers of their zone > support > It think it would make sense to allow multiple ZONEMD records at the *apex* level. That would allow one to support multiple different hash functions as well as to migrate to a new hash function without breaking the existing clients. I'm not sure if there would be any benefit of supporting multiple functions initially. Would someone possibly say they need function x to be supported for perf reasons? Or perhaps just that some other function x is natively available in some system but the SHA384 isn't. Like I said before, I'm already operating a system that is internally doing something very close to this. The major difference is just that I'm using a different hash function but that's only because this draft didn't exist when I made that decision and I think SHA384 would be better fit. I think, I will try to compare the differences soon(ish) and hopefully make my implementation compatible with this draft. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
