On 3/9/2020 4:46 PM, Wessels, Duane wrote:
Michael StJohns pointed out (Feb 25) that a verifier that does not recognise a particular
ZONEMD Scheme and/or Hash Algorithm may be unable to create the required placeholders,
and therefore unable to perform a verification using any (Scheme,Algorithm) at all.
I don't believe that to be the case.  For the unknown schemes/algorithms the recipient
simply replaces however many octets the received ZONEMD digest had with all zeros.

As of right now, I don't believe the current format is future proofed.

Current encoding:

0x01 - simple
0x01 - SHA384
48 bytes of digest.

0x01 - simple
0x02 - SHA512
64 bytes of digest.

0x02 - Complex
0x00 - Ignored - mainly because I'm forced to have it here because of the SIMPLE scheme - it doesn't specify a digest type. [Opaque values that describe the complex scheme - e.g. btree description, partial hashes, selection matrix of RRs I actually care about etc]
[More opaque values that are the various digest(s)]

These are OPAQUE from a receiver that only understands SIMPLE.

For the latter scheme, I want to include the first part of the opaque values in the various hash calculations.   But the SIMPLE scheme will set them to zero for its own calculations?   And I have to do special things for scheme 1 to do my calculations.  AND I have to know that digest 0x02 requires 64 bytes of zero for the calculation even if I'm only able to verify SHA384 digests.  Any error in the formation of the digest 0x02 digest field or scheme 0x02 data field means that the 0x01 digest won't verify.  Ditto for any formation for the scheme 2 complex digest relative to the Scheme 1 digests.  This makes all digests interdependent which I believe was not desired.

I see no benefit to including the ZONEMD RR in any digest calculation with or without placeholdering it.

Just omit any ZONEMD RR from the calculation and be done with it.  Make ALL ZONEMD RRs independent from each other.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
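The two digest rules argued over above, as an added worked model that is not part of the thread and not the draft's or any implementation's code. It is a simplified model, not RFC wire format: owner names, RR ordering and the SOA RDATA are stand-ins, the zone (`example.`, serial 2020030901) is constructed, and the scheme 2 ZONEMD RR with an opaque description in its field is the hypothetical one sketched in the message. `digest_with_placeholders` implements the rule in the quoted reply (zero as many octets as the received field had); `digest_omitting_zonemd` implements the proposal to leave every ZONEMD RR out of the calculation. The comparison then shows what each rule does when a SIMPLE-only verifier meets an RR it cannot interpret, and when that RR is malformed by one octet.

```python
"""Simplified model of two ZONEMD digest rules: zero-fill each ZONEMD field to its received
length, or omit all ZONEMD RRs. Constructed example, not RFC wire format."""
import hashlib
from dataclasses import dataclass

ZONEMD = 63                              # RR type code for ZONEMD
SCHEME_SIMPLE = 1
HASH_NAMES = {1: "sha384", 2: "sha512"}  # Hash Algorithm values this verifier knows
APEX = "example."                        # constructed sample zone
SERIAL = 2020030901


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: int
    rdata: bytes


def zonemd_rdata(serial: int, scheme: int, alg: int, field: bytes) -> bytes:
    """Serial (4 octets), Scheme, Hash Algorithm, then the digest (or opaque) field."""
    return serial.to_bytes(4, "big") + bytes([scheme, alg]) + field


def split_zonemd(rdata: bytes):
    return int.from_bytes(rdata[:4], "big"), rdata[4], rdata[5], rdata[6:]


def canonical(rr: RR) -> bytes:
    """Bytes that are both sorted on and hashed: lower-cased owner, type, RDLENGTH, RDATA."""
    return (rr.owner.lower().encode() + rr.rtype.to_bytes(2, "big")
            + len(rr.rdata).to_bytes(2, "big") + rr.rdata)


def zero_field(rr: RR) -> RR:
    """Placeholder rule: keep serial/scheme/alg, replace the field with as many zero octets
    as were received. Needs no knowledge of the scheme or algorithm, only the field length."""
    if rr.rtype != ZONEMD:
        return rr
    serial, scheme, alg, field = split_zonemd(rr.rdata)
    return RR(rr.owner, ZONEMD, zonemd_rdata(serial, scheme, alg, bytes(len(field))))


def digest_with_placeholders(zone, hash_name: str) -> bytes:
    h = hashlib.new(hash_name)
    for rr in sorted((zero_field(rr) for rr in zone), key=canonical):
        h.update(canonical(rr))
    return h.digest()


def digest_omitting_zonemd(zone, hash_name: str) -> bytes:
    h = hashlib.new(hash_name)
    for rr in sorted((rr for rr in zone if rr.rtype != ZONEMD), key=canonical):
        h.update(canonical(rr))
    return h.digest()


def verify(zone, digest_fn, supported=frozenset(HASH_NAMES)):
    """(scheme, alg) -> True/False for SIMPLE digests the verifier can compute, None otherwise."""
    results = {}
    for rr in zone:
        if rr.rtype != ZONEMD:
            continue
        _, scheme, alg, field = split_zonemd(rr.rdata)
        if scheme != SCHEME_SIMPLE or alg not in supported:
            results[(scheme, alg)] = None
        else:
            results[(scheme, alg)] = digest_fn(zone, HASH_NAMES[alg]) == field
    return results


def sign_zone(base, digest_fn, extra_zonemd=()):
    """Publish SIMPLE/SHA384 and SIMPLE/SHA512 ZONEMD RRs over base plus any extra ZONEMD RRs."""
    zone = list(base) + list(extra_zonemd)
    for alg, name in HASH_NAMES.items():  # placeholders of the final digest length
        zone.append(RR(APEX, ZONEMD, zonemd_rdata(SERIAL, SCHEME_SIMPLE, alg,
                                                  bytes(hashlib.new(name).digest_size))))
    signed = list(base) + list(extra_zonemd)
    for alg, name in HASH_NAMES.items():
        signed.append(RR(APEX, ZONEMD, zonemd_rdata(SERIAL, SCHEME_SIMPLE, alg, digest_fn(zone, name))))
    return signed


BASE = [  # constructed zone content; SOA RDATA is a stand-in, not wire format
    RR(APEX, 6, b"ns1.example. hostmaster.example. " + SERIAL.to_bytes(4, "big")),
    RR("ns1." + APEX, 1, bytes([192, 0, 2, 1])),
    RR("WWW." + APEX, 1, bytes([192, 0, 2, 2])),  # mixed case exercises owner lower-casing
]
# Hypothetical scheme 2 ZONEMD as sketched in the message: alg octet 0, opaque data in the field.
COMPLEX = RR(APEX, ZONEMD, zonemd_rdata(SERIAL, 2, 0, b"opaque scheme-2 description"))


def damage_scheme2(zone):
    """Formation error in the RR a SIMPLE-only verifier cannot interpret: drop one field octet."""
    return [RR(rr.owner, rr.rtype, rr.rdata[:-1])
            if rr.rtype == ZONEMD and split_zonemd(rr.rdata)[1] == 2 else rr
            for rr in zone]


def compare_rules():
    out = {}
    for label, fn in (("placeholder", digest_with_placeholders), ("omit", digest_omitting_zonemd)):
        zone = sign_zone(BASE, fn, [COMPLEX])
        out[label] = {"intact": verify(zone, fn),
                      "sha384_only": verify(zone, fn, supported={1}),
                      "scheme2_damaged": verify(damage_scheme2(zone), fn)}
    return out


if __name__ == "__main__":
    for rule, cases in compare_rules().items():
        for case, res in cases.items():
            print(f"{rule:11} {case:15} {res}")
```

Running it shows both points made in the thread in one table. Under the placeholder rule a SHA-384-only verifier does verify the SIMPLE/SHA384 digest while reporting SHA-512 and scheme 2 as unknown, because zeroing only needs the received field length; but once the scheme 2 field loses an octet, both SIMPLE digests fail, since their placeholders now cover a different number of zero octets. Under the omit rule every ZONEMD RR stands on its own and the damaged scheme 2 RR leaves the SIMPLE digests verifiable.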