> On Jul 15, 2018, at 11:37 AM, Shane Kerr <sh...@time-travellers.org> wrote:
>
> Bonjour,
>
> I decided to implement draft-wessels-dns-zone-digest-02 at the IETF 102
> Hackathon. As expected, it is fairly straightforward. You can see the code on
> GitHub:
>
> https://github.com/shane-kerr/ZoneDigestHackathon

Thanks Shane!

> It seems to work, although since I have no other implementation to compare
> against I can't be sure that the digest values are in any way correct.

My own implementation, alluded to in the draft, is here:

https://github.com/verisign/draft-dns-zone-digest/tree/master/impl

I have a few test cases in the Tests directory.

> In proper hackathon style there are no tests. Bugs surely abound. If you use
> it in production please keep a fire extinguisher handy.
>
> I found the draft to be clear and fairly complete, although I have a few
> suggestions:
>
> * It might be worth mentioning that names are expected to be
>   uncompressed. It's kind of obvious, but it might trip up some
>   implementations.

The draft says "It also adopts DNSSEC's canonical RR form (Section 6.2 of [RFC4034])" in one place and "calculated by concatenating the canonical on-the-wire form of all RRs" later. I wouldn't object to being more explicit. Do you want to propose some text or shall I take a stab?

> * The TTL of the ZONEMD record has to come from somewhere. It can either
>   come from configuration or pulled from somewhere else (I used the TTL
>   of the SOA record). This should be documented.

I also used the SOA TTL in my implementation. I can make that a recommendation in the draft.

> * It might be worthwhile giving some recommendations or even
>   requirements about what to do with failures. For example, something
>   like "secondary servers who receive a zone that fails a digest
>   validation SHOULD NOT serve the zone".

Happy to add something like that.

> * Having some example zones and the expected digest values would be very
>   useful for implementers.

Agreed. I would like to have some examples as an appendix in the document.

DW
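As an added worked example (not Shane's hackathon code and not the Verisign implementation linked above), the following Python sketch puts the points raised in this thread into one runnable procedure: owner names and RDATA names are written in uncompressed, lowercased canonical form (RFC 4034 section 6.2), RRs are sorted into canonical order (RFC 4034 section 6.1, then type, then RDATA), the canonical wire forms are concatenated and hashed, the ZONEMD TTL is copied from the SOA, and the verifier fails closed. It assumes the draft-02 placeholder behaviour (existing ZONEMD RRs are dropped and a ZONEMD with an all-zero Digest field is included in the hashed data), digest type 1 = SHA-384, and the ZONEMD type code 63 that IANA later assigned; none of those values are taken from the thread. The sample zone is constructed for the example.

```python
"""Toy zone-digest calculator illustrating the thread above (example code, not the draft's)."""
import hashlib
import hmac
import struct
from typing import List, Tuple

# Assumed constants: type code 63 (assigned to ZONEMD by IANA after this thread)
# and digest type 1 = SHA-384, as in the draft's first digest algorithm.
ZONEMD_TYPE = 63
DIGEST_SHA384 = 1
SHA384_LEN = 48
CLASS_IN = 1
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": ZONEMD_TYPE}

RR = Tuple[str, int, str, bytes]   # (owner, ttl, type mnemonic, rdata bytes)


def name_to_wire(name: str) -> bytes:
    """Canonical name (RFC 4034 s6.2): fully expanded, never compressed, lowercased."""
    name = name.lower().rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)                      # root label terminates the name
    return bytes(out)


def name_sort_key(name: str) -> Tuple[bytes, ...]:
    """Canonical DNS name order (RFC 4034 s6.1): compare labels right to left."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def make_rdata(rtype: str, *fields) -> bytes:
    """Wire RDATA for the few types used in the constructed sample zone."""
    if rtype == "A":
        return bytes(int(octet) for octet in fields[0].split("."))
    if rtype == "NS":
        return name_to_wire(fields[0])          # RDATA names are lowercased too (s6.2)
    if rtype == "SOA":
        mname, rname, *ints = fields            # serial refresh retry expire minimum
        return name_to_wire(mname) + name_to_wire(rname) + struct.pack("!5I", *ints)
    if rtype == "ZONEMD":
        serial, digest_type, digest = fields    # reserved octet is zero
        return struct.pack("!IBB", serial, digest_type, 0) + digest
    raise ValueError("unsupported type " + rtype)


def canonical_wire(rr: RR) -> bytes:
    """Canonical on-the-wire RR: owner | type | class | ttl | rdlength | rdata."""
    owner, ttl, rtype, rd = rr
    return name_to_wire(owner) + struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rd)) + rd


def soa_fields(rrs: List[RR]) -> Tuple[str, int, int]:
    """Apex name, SOA TTL (reused as the ZONEMD TTL, as in the thread) and SOA serial."""
    soas = [rr for rr in rrs if rr[2] == "SOA"]
    if len(soas) != 1:
        raise ValueError("zone must contain exactly one SOA")
    owner, ttl, _, rd = soas[0]
    serial = struct.unpack("!I", rd[-20:-16])[0]   # first of the five trailing uint32s
    return owner, ttl, serial


def zone_digest(rrs: List[RR]) -> Tuple[bytes, RR]:
    """SHA-384 over the canonical wire form of every RR in canonical order.
    Existing ZONEMD RRs are replaced by an all-zero-digest placeholder that is
    itself hashed (assumed draft-02 behaviour). Returns (digest, final ZONEMD RR)."""
    apex, ttl, serial = soa_fields(rrs)
    placeholder: RR = (apex, ttl, "ZONEMD",
                       make_rdata("ZONEMD", serial, DIGEST_SHA384, bytes(SHA384_LEN)))
    body = [rr for rr in rrs if rr[2] != "ZONEMD"] + [placeholder]
    # Canonical order: owner name, then type code, then RDATA as octet strings.
    body.sort(key=lambda rr: (name_sort_key(rr[0]), TYPE_CODES[rr[2]], rr[3]))
    h = hashlib.sha384()
    for rr in body:
        h.update(canonical_wire(rr))
    digest = h.digest()
    return digest, (apex, ttl, "ZONEMD", make_rdata("ZONEMD", serial, DIGEST_SHA384, digest))


def verify_zone(rrs: List[RR]) -> bool:
    """Fail closed: True only with exactly one ZONEMD whose serial matches the SOA,
    whose digest type is supported, and whose digest recomputes. A secondary
    that gets False should refuse to serve the zone (Shane's suggested rule)."""
    zonemds = [rr for rr in rrs if rr[2] == "ZONEMD"]
    if len(zonemds) != 1:
        return False
    _, _, serial = soa_fields(rrs)
    rd = zonemds[0][3]
    if len(rd) != 6 + SHA384_LEN:
        return False
    got_serial, digest_type, _ = struct.unpack("!IBB", rd[:6])
    if got_serial != serial or digest_type != DIGEST_SHA384:
        return False
    expected, _ = zone_digest(rrs)
    return hmac.compare_digest(expected, rd[6:])


# Constructed sample zone (not from the draft); mixed case and shuffled on purpose.
SAMPLE_ZONE: List[RR] = [
    ("www.example.", 3600, "A", make_rdata("A", "192.0.2.1")),
    ("EXAMPLE.", 86400, "SOA", make_rdata("SOA", "ns1.example.", "hostmaster.example.",
                                           2018071500, 7200, 3600, 1209600, 3600)),
    ("example.", 86400, "NS", make_rdata("NS", "NS2.Example.")),
    ("example.", 86400, "NS", make_rdata("NS", "ns1.example.")),
    ("ns1.example.", 3600, "A", make_rdata("A", "192.0.2.53")),
    ("ns2.example.", 3600, "A", make_rdata("A", "192.0.2.54")),
]


def signed_sample() -> List[RR]:
    """The sample zone with its computed ZONEMD added at the apex."""
    return SAMPLE_ZONE + [zone_digest(SAMPLE_ZONE)[1]]


if __name__ == "__main__":
    digest, _ = zone_digest(SAMPLE_ZONE)
    print("ZONEMD digest:", digest.hex())
    print("verifies:", verify_zone(signed_sample()))
```

Because the placeholder's TTL is part of the hashed data, publisher and verifier must derive it the same way; tying it to the SOA TTL, as both implementations in the thread do, is what makes the recomputation deterministic.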
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop